If you've been on Wilders for a while you may have noticed I have a very strong opinion on Windows 10 and it's privacy issues. Well, had. Let me explain. I'm very concerned with privacy, and a lot of buzzes went off by the time Windows 10 was launched. Keylogger, NSA, evil Microsoft, and etc. All of that "information" got me really worried to the point where I literally hated Windows 10 without even using it or confirming what has been said about. Interestingly enough, I was tempted to try Windows 10 after noticing you can shut it's mouth a bit. A few tweaks here, a tool there, and done: it seems Windows 10 is really my next OS. ### Privacy ### Starting with the privacy issues, I'll talk about the famous "keylogger" that most people seem to be worried about. For starters, this myth came about when Windows 10 was a preview, and it's widely known that Windows Preview users hand over their key strokes to Microsoft. This isn't malware or spyware per say, because users are faced with an agreement before installing the system, and they're totally free to not accept that agreement and install another OS instead. But these days, the "keylogger" is easily turned off with the flip of a switch. Some people, including me, may argue that these switches don't do much in terms of privacy; and when it comes to Microsoft we know it's possible that we're still sending our key strokes to them. I'm not saying we are, though, I'm actually more confident that we can trust Microsoft of this issue, more than I've ever been. I'm not comfortable to use my GPG on Windows, though; for that I'll continue to use Linux. Right after installing the system, I was faced with two choices: let Microsoft decide what to do with my privacy, or tweak the settings myself. I turned every switch off, but that's not enough. If you open "Settings" and go to the privacy section you'll see that there are a lot more things to disable (or not, if you don't want), things like Micophone being captured by "apps" (I hate this new term), or your contacts also being visible to certain apps. Again, I disabled every switch there. Not feeling comfortable enough, I installed a program called "SpyBot Anti-Beacon", which can: Disable connections to Microsoft hosts that handle telemetry; Disable tons of services and settings related to telemetry; Disable advertising, wi-fi sense, etc; In this case, I enabled every option available, because they improve user privacy. https://i.imgur.com/JSwWRvt.png https://i.imgur.com/DZRNRX0.png https://i.imgur.com/22FfvsY.png https://i.imgur.com/MtOziTS.png ### Hardware ### Windows XP/Vista/7/8. All of these couldn't detect my sound card. My MOBO is from 2009, so I would assume that newer operating systems would automatically detect it's components and install the correct drivers. Them not detecting my sound card wasn't an issue because I have the driver/software CD for my MOBO, which is only compatible with Windows verions up to Windows 7 (I never used Windows 8 ). When Windows 10 came out I did try it on my physical machine. A big disappointment came out: again, the most used OS in the world couldn't detect my sound card. I remember installing the drivers in compatibility mode, which is even endorsed by Microsoft. Today, on this test-install, I was faced with the same thing: No sound card detection. HOWEVER, for my surprise, when I was about to print-screen the issue, my screen started to flicker and the sound icon changed from that terrifying Red to it's original form and color, just to tell me that everything was fine. I didn't know what was going on, and for my biggest surprise Windows had installed the correct drivers. It also installed the drivers for my GPU (it's not the latest, but at least it works fine). Windows installed everything, which is a plus comming from Microsoft. It did not, however, configured my sound card properly, I couldn't hear anyhing. Simply changing from "Headphones" to "Speakers" solved it = https://i.imgur.com/6xTj60d.png https://i.imgur.com/GuiWdIF.png Going to the bugs part of the hardware, I noticed that whenever I turn my computer on I'll have a problem with my keyboard. The first time this happened the letter "s" got stuck ("softwarely" speaking). The second time I rebooted my keyboard stopped working, and again I had to remove it from the USB port and plug it back in. NOTE: That only happened on the first 2 boots. ### Security ### I'm not familiar with Windows 10 security. I see many people talking about UAC being able to block only unsigned software and etc, but I didn't find that option yet. So, instead, I configure it to block every change to the OS. The first program I installed was Malwarebytes. Since this is just a test install, I didn't want to activate it (had issues with too much activations in the past), so I enabled the free trial. Everything went smoothly. Next was COMODO Internet Security. As with Windows 7, it worked beautifully. I configured both Windows' and COMODO's connection settings to "Public", as I always do. COMODO was also configured to my liking without problems. On Windows 7, however, COMODO used to disable Windows Firewall. This time it didn't happen, so I'll assume I'm either wrong about Windows 7 or that Windows 10 + COMODO behave this way. https://i.imgur.com/29e7mlq.png Next was Avira, used for primary Virus scanner. Again, no problems at all. NOTE: I opened "Run" and ran "regedit", with no UAC prompt whatsoever. NOTE2: After rebooting for the 4th time, Avira screamed about a Host file change (or similar). I assume it's related to SpyBot because it's configured to immunize the system on each reboot. Also, after opening SpyBot and clicking on Immunize, the entire program got unresponsive. NOTE3: After disabling "Protect Host OS from changes" on Avira's configuration, I was able to use SpyBot just fine. I'll put it into the exceptions to see if it helps. NOTE3-a: Didn't help. ### Encryption ### I've always used TrueCrypt on Windows. It's my go-to encryption program for the platform, it's been completely audited, and so on. But since it doesn't work with Windows 10, I'll have to use an alternative. I already used DiskCryptor on Windows 7 a few times, but right now I'm looking at VeraCrypt and will install it now. For my surprise, VeraCrypt is very similar to TrueCrypt when it comes to visuals. What I'm really glad to see is that it has many features that TC didn't have, like SHA-256 for system encryption, a meter of how much entropy was generated by the mouse, and so on. What I do dislike is the fact that we still need a Rescue Disk. It's 2016, we shouldn't need a freaking CD/DVD for this, and we should be able to select "RECORD LATER", with a big warning saying why that's a bad idea (but still being able to not use the CD). Since I don't have a spare CD/DVD, I decided to abort VeraCrypt's test. I assume everything will work just fine. EDIT: Upon rebooting I noticed VeraCrypt's icon didn't show up. The system was lagish. EDIT2: After another reboot, the problem above didn't happen. ### EMET ### Downloaded and installed EMET 5.5 normally. After installation, EMET was configured to "Use Recommended Settings",but after that I wasn't able to access EMET's GUI. After rebooting, I still can't open EMET's GUI. ### The Problems ### Obviously, not being able to decide when to download and install updates is a problem. However, I don't worry about it ATM, I'm sure I'll find a simple way to disable this. https://i.imgur.com/BSh5hNl.png FlashPlayer was a big concern, but it's only used by Edge. ### OVERALL ### My overall experience has been good. Windows 10 fast, looks way better than 7, and has more features than what my previous 7 (Home Basic) had. What I really did enjoy was the fact that I'm able to activate Windows 10 with my 7 KEY. So I went from a very basic Windows 7 desktop to a more complete Windows. It's nice that Microsoft doesn't have 1000 different versions anymore. Almost everything is running fine. Steam, OBS, Catalyst, security programs, etc. That's basically it for this short review. I'm sticking with Windows 10 for now.
Please add in your review: * Which Win 10 Version with exactly build number * Which EMET version (build number) * Avira version - settings? * Which win 10 settings (default?) -> gpedit.msc / secpol changes? * Which VeraCrypt version? * Which SpyBot and Comodo Version with which settings? * Explain why you use SpyBot Anti-Beacon if you can do the same with gpedit.msc and then hosts is not necessary because there is not any single connection then .... If yes, please provide .pcap I want to see.^^ * Please do a test and report back, disable all security products like Avira/Comodo and then re-test EMET/VeraCrypt because I can't confirm such a strange behavior. I guess it's on your site only? Thanks for review. Nothing new (for me) but anyway.
Windows 10 Home - 1511 EMET 5.5 (.NET 4.6) Avira/COMODO/VeraCrypt - the latest version Time. I don't have it. And it's easy. I don't know what that is. Sorry. What strange behavior, exactly?
The behavior your was talking about. Maybe I will post my results over here, I forgot that you only quickly tested Windows and this is only for advance analyzes. Sr. Never heard that before ... Maybe Avira causing this. Isn't CIS (Firewall + AV + Auto Sandbox) not enough for a small test Btw is this present for you on Home version? On Enterprise I don't even see that toggle or Ads, maybe this is only if Store is installed? Need confirmation on this, thanks!
I agree with your assessment, I too was overcome with the amount of network requests windows 10 was making due to its many apps and telemetry. In turn I was frustrated at not being in complete control of Windows 10 like I was with Windows 7 let alone XP. Initially after the upgrade from W7 I had a few issues. The boot menu still showed that W7 was installed and not W10, the boot menu was legacy and had no way of changing to the default modern boot menu, despite all the tricks. Eventually after running Easy BCD recovery essentials pro, I was able to correct these discrepancies. I was never too fussed about the security aspect, all my W7 programs transferred without fault to W10. Bask to the privacy aspect. Initially I sourced many batch scripts and GPO/REG settings to minimise the outbound communications and potential sources of privacy leaks that was documented by many others online. This all worked well until the upgrades came. All my deleted metro apps got reinstalled, and even a few reg/gpo settings have been reverted. I was quite satisfied, Wireshark showed extremely minimal outbound requests. Job done, to a degree. There were still a few personal issues I had with W10. The feedback, contact and a few native metro apps and onedrive could not be removed. This pi##ed me off. I want complete control of W10. Or a sense of it, and unfortunately while I enjoyed my configuration I did not feel satisfied. I have never used spybot so I cant comment on the effectiveness, but I have been using win10privacy http://www.winprivacy.de/english-home/ coupled with PSExec.exe from sysinternals, I remove all apps in W10, removable and non removable. It tweaks the OS like you couldnt believe. It is the most complete solution I have found to date. After applying the tweaks and letting wireshark sit for a few hours, very few network requests were made, less than the tweaks I applied manually. RAM usage significantly dropped as well. I highly recommend you have a look at it. Now in all honesty, considering I have finished my studies I have no need for Windows10. All the Engineering software that I once needed are now used on my work computer where no personal info is kept and nothing personal is done on it. So even if there was chance of some telemetry being sent that bypasses the network, its only work stuff anyway. For home I rarely need these applications let alone W10 and my security setup on W10 is self sufficient, ie no need for constant updates, maintenance and monitoring. For now im happy with Linux and W10 dual boot, with default being linux. Although im finding less and less dependency on W10 for personal use, now after its tamed im quite satisfied with it. regards.
As I said HOSTS can be bypassed via dnsapi.dll and this isn't blockable with a firewall, so that's why I'm asking for pcap, if someone provide one I can analyze it. I not use Home/Pro so I'm thankfully for samples, if someone want to share or PM me .. my box is open. Nope, this is the most awesome solution you can get and with source sadly from what I understand it will no longer be updated, I already asked if I can use this and mod it but author not answered me (yet).
That is not very awesome if its not supported any more. Besides, seems to do many cosmetic tweaks which I have no interest in. w10privacy seems to have everything security and privacy wise covered. These tools only tweak what is actually tweakable in the OS. They are all pretty much the same. Some are more complex and complete in what they designed for. regards.
It's not clear if it's supported any longer or not because without response it's difficult to say (so I only re-spelled the same what other people wrote in that thread.... as said I already tried to contact the developer of this to get permission to mod it and then everything would be 'a life' again that's for sure). Well that script add a lot of more than W10Privacy. This is the only solution which tweak stuff I not saw in any other tools, you even can remove Cortana (not only disable it) and other stuff. Well, it's matter of taste if someone really need that, if you install Enterprise then most if this is not needed because e.g. no Store and such. Sadly I also asked in other forums for package capture files but no one provided one, so all of these spying/telemetry thing is for me not confirmable. Especially if it's unclear if this isn't already 'patched' in latest Pro 'tester' versions. I don't think this is the same, especially it was the first app that's for sure it's open source (more or less because you can directly see what it does) and has a lot of features you never find in any other tool. So just give it a try, but of course everyone have other needs ...
Thank you thats interesting, ill have a look into at some stage and I hope you get a hold of it. . W10privacy makes use of PSExec to remove hard coded applications as well. Either way Win10 toggle tweaker seems like a very powerful tool, shame it is not developed. The more tools we have like this the better.
erm - WHY Spystupid and ******** in general? i've never seen such crappy software as these two. too much cons from your side to stick with it. the rest tl;dr i have read too much BS from people with a native view. if some cant work with a pure system its not worth to think about. to glad that some intelligent people created stuff like beacon or shutup and similar - you wont waste any thought about win10 without, he? concerning your sound, to cheap blaming MS, blame the manufacturer. if you cant install a descent driver windows 10 will drive you in blue screens. the latest updates also cause many trouble. thats not possible, also with LTSB there remains a ~ dozen of apps, whether active or not (gpo). for me win10 is still beta, i never had seen so many issues fixed since win8 (not 8.1). i think also that june/july is coming closer and people are afraid not to have used the free upgrade. @CHEFKOCH - thats a major problem for LTSB user - os is still 10240 and that will change end of 2016, only stability and security fixes. i consider to install pro or enterprise w/o LTSB to determine if some bugs were fixed, but at least i read that there are some buggy still present which windows programs i need to run more often. the LTSB has no flaws that far. pros and cons. nevertheless i wont use win10 for daily work.
It's possible @Brummelchen. Please test the mentioned script it loads an additional script which then removes Cortana entirely. The only process which is running is then SearchUI but this can also be 'stopped' by using e.g. Start++ which then can prevent this from starting each time on a reboot (I prefer Everything as search and the old start menu from 7). I guess the original code was stolen from msfn forum and then modded by an MDL member, but I not checked it myself I only saw on script executing that the credit is different. The only con about such script is that it needs to be updated because MS possible change the path again after xyz update which sucks.... And this is why I want the script because I want to add detection for this by simply working with a syntax which search for specific files (because the names never changes itself). But *sigh* the developer not answers on emails. The OS is not beta it's 'as a service', just report and it gets hopefully fixed, but difficult to report something if MS only accept Pro-User reports. Agreed LTSB not getting feature updates but so what, I not care because I not understand any of 'these' features, maybe because I never use any of them, I mostly see here and there some glitch fixes and such but not 'real' features. Redstone is also in the pipe, and I will update asap (if there is an LTSB N Version). I don't know about which bugs you refer to, maybe the network bugs/changes? Don't know, for me the OS works well but I not work much within the OS itself because I mostly start Visual Studio and that's it. Agreed again, for daily usage Ubuntu is more than enough because I not game. Theoretically I could use VS / Android Studio on Ubuntu and say goodbye to Win but somehow I never had much troubles with Win and the only thing which holds me back is the fact Linux cripples my 500 Dollar graphic card, but I blame nVidia for this to not release prober drivers/sources to fix this, but on the other side I agree why they not want to do this because several reasons ....
If you are running the Pro Version, you can do this with the group policy editor. It is in the Windows/Components/Windows Update/Configure Windows Update key. It will let you chose when to download and install updates but it won't allow any control over individual updates. Even with it enabled, selecting "Check for Updates" in the control applet will not only check but download and install them. You have to let the system do this automatically for the update control setting to work. The telemetry service can be disabled in the services control applet and the setting will survive reboot. I don't know why all the fuss about it since it is so easily disabled.
It remains opt-out instead of opt-in. And that makes it a problem/dangerous because a lot of users don't care to "secure" or "harden" their machine. They just want to use it as it comes. This includes the behaviour of updates and programmes in general as well. Of course, with you or lots of members here I am preaching to the choir.
There is another huge issue I have with Win 10. (As I type I am in my Win 10 image). Have an anti exec, like ERP set to alert, after an update and look at all the stuff running in the background, that really is questionable as to how much I need it. I have been black listing this stuff and so far no ill effect. Barf
Avira is not causing this. I just installed Windows after wiping my drive, and opened regedit again. It didn't ask me for my passphrase, but I noticed that I can't make any modifications or even see the registry KEYS. It says I don't have enough permissions. So in this regard everything is fine. About COMODO's AV: No, it's not enough. Their AV is not good, that's why I use Avira as my first scanner. Yes. I kept that enabled. Thanks, I definitely will. I wasn't even going to respond to this. First, I like COMODO. Second, it's not Spybot Search and Destroy, it's an anti-beacon program. That's your opinion. Added to the Ignore list. I'm actually using the Home version. I think that an easier way of being in control of updates is to spoof my card/connection so that Windows thinks I use a metered connection. I'm not sure that's possible though. What I really don't like about the automatic updates is that they can interfere with my ping when I'm gaming. Yeah, but at least Microsoft lets users control this right after install. In this aspect, I give more Kudos to Microsoft than to Canonical, given that a ton of 12.04/14.04/15.10 users don't know their local searches are being sent to god knows who. Would you recommend a free anti-exec for Windows 10?
This page has how to set the options in the registry. The Automatic Update Configuration options have been around for a while and still work in Windows 10 https://technet.microsoft.com/en-us/library/dd939844(v=ws.10).aspx The key that controls this is Code: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions Setting it to 2 will do what you want. The group policy editor is just a convenience. Most of what it does is set registry settings.
Thank you, but are you sure it works with Windows 10? Because: Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2008 R2 with SP1, Windows Server Update Services, Windows Small Business Server 2011 Standard And I see a lot of people saying the updates will be re-activated again if we disable them on Windows 10. Can you confirm this?
Yes. NoVirusthanks Exe Radar Pro. Look for his posts in the thread, and get the latest beta he posts. It's a freebie now.
Yes, I've done this on all my Windows 10 installations. There will be nags and reminders if you put it off long but it won't download and install them automatically. The updates aren't disabled by this setting just the automatic download and installation of them. If you disable the two services that handle Windows updates, BITS and Windows Update in the services.msc applet, they will be renabled on the next reboot. Windows update can be completely disabled in Windows 10 by setting the ACLs on the service's associated .dll files, qmgr.dll and wuaueng.dll, to deny. Then the OS can't start the services. I've tested all of this. I have Windows update disabled on one of my Windows 10 installations. Just to see if I could and make sure it works and to see what happens. So far nothing. When I check the Windows update applet, it says Windows is up to date and the last updates were applied December 29th, 2015. Clicking on the check for updates button just causes the dots to flash but nothing else happens. I can remove the deny setting on the ACLs anytime I feel like applying updates. Well, one thing I can say is that the Windows update service uses a lot of CPU cycles and bandwidth. The bandwidth is obvious because it is downloading in the background using the BITS service. When checking for updates, there is a lot of CPU intensive database checking going on in the background and sometimes this causes a noticeable slow down of the OS. With Windows update disabled, performance is a bit snappier.
Since you figured out how to install a firewall on Linux. I would suggest you have a look at Smart Object Blocker from the same author. NVT ERP only looks at EXE's, SOB looks at DLLs and Drivers also. Since you know how to configure a FireWall on Linux, my guess is that you won't be scared away from SOB not having a GUI (it uses highly granular configuration files in stead). NVT SOB is sort of the next generation of NVT ERP: http://www.novirusthanks.org/products/smart-object-blocker/ Regards Kees
OK then. I've set that registry key. Hopefully Windows Update will still work, but not automatically. Hi Kees, Unfortunately I don't have time to configure a new Firewall. I installed COMODO Internet Security and did a few modifications to it's Firewall, but that's it I was supposed to get back to work tomorrow but I started tonight because I'm one week late. But I really appreciate the suggestion. I will check it out in the future.
