Windows 10 Security

Discussion in 'other software & services' started by NonGeek, Jan 2, 2016.

  1. malexous

    malexous Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    830
    Location:
    Ireland
    AV-Comparatives August-November 2015 Microsoft Security Essentials on Windows 7 protected rate 94.5%.
     
  2. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
And it erodes with each passing version, and the trade-off is just not worth it. Even the security advantages are exaggerated and can be obtained on older versions with the right tweaking, know-how and software.
     
  3. guest

    guest Guest

No issues at all, I hardened it enough to mitigate almost 90% of the threats.

In my signature: a combo of anti-executables and virtualization to close the remaining 10%.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    It's the same overrated security story over and over again.
    Mrk
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    You mean 9,9999% don't you? ;)
     
  6. guest

    guest Guest

Yes, I was lazy to type all those numbers :p
     
  7. Not when the user respects Smartscreen warnings. I think it is very unlikely that ransomware would be on the whitelist. New unsigned software is most likely to be labelled as unknown by Smartscreen.
     
  8. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,137
    Do you think it will detect it at all?
     
  9. luxi

    luxi Registered Member

    Joined:
    Aug 31, 2013
    Posts:
    74
    I can't envision a scenario where I am downloading and running ransomware, or any type of malicious software really (anecdote: I haven't encountered anything of the kind in over 13 years). Stick to trusted software publishers and sources and you should be fine. Am I just overestimating the computer/internet savviness of the average Windows user?
     
    Last edited: Jan 6, 2016
  10. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
  11. ExtremeGamerBR

    ExtremeGamerBR Registered Member

    Joined:
    Aug 3, 2010
    Posts:
    1,351
I realize that users here are the least likely to need any security software; they (and maybe I) do it as a hobby.
     
  12. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
If you were to buy a new and secure Windows 10 computer (as secure as Windows 10 can be), what would the hardware specs look like?
     
  13. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
Nuh, ransomware is just like any other malware, it needs either user interaction, admin rights or scripting in order to infect.
AV vendors usually do not post detailed reports on how it infects a PC, so people think it is something with unlimited powers.
Windows_Security made a nice summary: disable WSH, PowerShell and autorun, use sandboxed Chrome, and 10 becomes impenetrable.
     
  14. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    The SmartScreen reputation feature is based on whitelisting. So yes, it will "detect" it, as in, it won't recognize it and make you go through hoops to try to execute it.

    If you want to reason that a user would ignore those warnings and continue to execute the malware/ransomware you're free to do so, I'd disagree and would think the average user would cancel.

    So in that regard Windows 10 is more secure than Windows 7, but this feature came first with Windows 8 onwards.

This is disregarding the new anti-exploitation features brought with Windows 10, as I'm not sure if we're wanting to discuss those.
     
  15. NonGeek

    NonGeek Registered Member

    Joined:
    Dec 28, 2015
    Posts:
    41
I am the OP, let's discuss the new anti-exploitation and all other security features of Windows 10 as per the thread title, thanks!

    Edit: Also what hardware fully supports Windows 10 security features, would be interesting for people buying new Windows 10 computers.
     
    Last edited: Feb 8, 2016
  16. hjlbx

    hjlbx Guest

    @Windows_Security

Could you explain these a little?

    Risk Mitigation
• Protect system DLLs
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
      "ProtectionMode"=dword:00000001
      "SafeProcessSearchMode"=dword:00000001
    • Block untrusted fonts
      [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions]
      "MitigationOptions_FontBocking"="1000000000000"
    • Disable file encryption
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS]
  "EfsConfiguration"=dword:00000001
    • Block unsigned process elevation
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
      "ValidateAdminCodeSignatures"=dword:00000001

• Will disabling file encryption block ransomware?
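As an added example (not from the thread or from Windows_Security's list), a read-only PowerShell audit that reports whether each of the four registry values quoted above is present and set as listed, so the tweaks can be confirmed after a reboot or a feature upgrade; the paths, value names and expected values are taken from the post, while the $checks table and the Test-HardeningValue function are my own.

```powershell
# Added example, not from the thread: read-only audit of the four hardening
# values quoted in the post above. Nothing is written to the registry.
$checks = @(
    @{ Setting = 'Protect system DLLs'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
       Names   = @{ ProtectionMode = 1; SafeProcessSearchMode = 1 } },
    @{ Setting = 'Block untrusted fonts'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
       # REG_SZ value; the name really is spelled "FontBocking" in Windows.
       Names   = @{ MitigationOptions_FontBocking = '1000000000000' } },
    @{ Setting = 'Disable file encryption (EFS)'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS'
       Names   = @{ EfsConfiguration = 1 } },
    @{ Setting = 'Block unsigned process elevation'
       Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Names   = @{ ValidateAdminCodeSignatures = 1 } }
)

function Test-HardeningValue {
    param([string]$Path, [string]$Name, $Expected)
    # A missing key or value means the tweak was never applied; report that
    # separately from a value that exists but differs from the post.
    if (-not (Test-Path -LiteralPath $Path)) { return 'key missing' }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value missing' }
    $actual = $item.$Name
    # Compare as strings so a dword 1 and a REG_SZ "1000000000000" both work.
    if ("$actual" -eq "$Expected") { 'OK' } else { "MISMATCH (found $actual)" }
}

foreach ($c in $checks) {
    foreach ($name in $c.Names.Keys) {
        [pscustomobject]@{
            Setting = $c.Setting
            Value   = $name
            State   = Test-HardeningValue -Path $c.Path -Name $name -Expected $c.Names[$name]
        }
    }
}
```

Pipe the output to Format-Table for a one-screen view; a 'key missing' result for the MitigationOptions key simply means the font-blocking policy was never created, not that the system is broken.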
     
  17. Initially I had some luck blocking them with this, but unfortunately it is not a solid defense.
     
  18. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,347
    Location:
    Europe, UE citizen
Does anyone use CIS Defense+ with 10? I tried 10 last summer, but Defense+ had a conflict with it: if I enabled Defense+ it blocked the license and 10 seemed to have no license. I tried all possible authorizations in Defense+, but it was a bug. I hope it's solved now.
     
  19. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
    Block Untrusted Fonts:

    http://www.ghacks.net/2016/02/05/block-programs-from-loading-untrusted-fonts-in-windows-10/

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\

For example, you need to configure an exception for Thunderbird.
     
    Last edited: Apr 18, 2016
  20. JLD

    JLD Guest

    Very interesting list. Thank you for sharing.
    I'm testing SRP for Windows 10 Pro. I have some questions. Before I ask them, a brief overview of my test configuration:

    * UAC: I have a local admin account for installing and updating software, but I run day-to-day as a standard user.
    * AV: I'm currently running Webroot.
* Browser Protection: I force Chrome to open in Sandboxie. I also force PDFs to open in Chrome, and thus in Sandboxie.
    * Email Protection: For Outlook, I block (via GPO) ~120 file extensions beyond Outlook's native file extension blocks (~85). Additional blocked file types include .zip, .rar,...basically, every archive and any file extension that I could find that might contain code. I do allow PDFs, xlsx, pptx, docx, and picture files (e.g. .jpg, .png,...). I also block OLE objects in Outlook (via GPO). All OST and PST files are contained in SRP-protected folders
    * SRP: My SRP has rules similar to https://community.spiceworks.com/ho...ction-policy-to-prevent-cryptolocker-and-more (DLLs are not protected). In addition, I also block the NSA-recommended additional folders. In appdata, I have exceptions for OneDrive (the whole folder) and for one Chrome executable
    * Firewall: I block outbound Regsvr32 (two files)
    * USB: Autorun is off (via GPO), and we do not use USB drives that are not new or are not ours
    * Firewall: Running a well-configured Sophos Home UTM (default deny, a handful of firewall rules and ~25 Web Protection exceptions for various programs like Revo Uninstaller, MBAM updates,..., some country blocking,...)

    This looks pretty bulletproof to me, but I am seeking a 2nd opinion. I think almost nothing will hit my hard drive from Outlook, and I'm not click-happy.

    I've been reading about ways to bypass SRP, and found your post. My questions:

    1. Where did you get your registry edits to disable Powershell? I found them only on one other site: virus-protect.org. It seems like they are not widely discussed
    2. Will those two Powershell registry edits cause trouble with Windows Updates or major programs like Chrome, Office 2016, Veracrypt, Sandboxie,....?
    3. Given my configuration, which of the other registry or GPO edits (I'm looking for no additional software) that you listed would you suggest to protect against "fileless" malware, Powershell exploits, and/or other advanced exploits? (e.g. fonts?, DLL protection,...) I'd like to add only what is necessary
    4. Any other suggestions?

Thank you :)
     
The PowerShell registry tweak has not given me trouble on Windows 7, 8.1 and 10 (all 32-bit versions).

I would add DLL files also. You won't notice any performance drop.

    I would not run Chrome sandboxed, but would enable AppContainer and Sys32 lockdown and put Chrome download folder in force folder mode of Sandboxie.
     
  22. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    982
    Location:
    UK
What are all the security improvements in Windows 10 vs 8.1?

I know of the font blacklist system and the improvements to UAC whitelisted apps (which should be backported to 7 and 8.1 but they are not). The latter has no relevance to me since I run UAC on the most paranoid setting.

To me having the vendor handling all my updates automatically is unacceptable. I also don't like that they reinstall the OS every time there is a new threshold build (more if insider), which in turn loses settings, can lose apps, and breaks compatibility. This is why I moved to 8.1 from 7 instead of 10. Moving to 8.1 has still given me AppContainers and Secure Boot.

JLD, do you mind sharing your Outlook extension list for blocking? Thank you :)

Regarding SRP, I use certificate rules and cannot really feel a performance impact. I do not use DLL blocking because it seems buggy, e.g. I cannot get the Blizzard Battle.net launcher to work with DLL enforcement without doing widespread path whitelisting. Chrome Netflix also broke with DLL enforcement. Shame, as DLL blocking in AppLocker works fine.

Also I use the WSH shell entries and nothing has broken on my system. I also use the DLL Session Manager entries, likewise with nothing broken. Both the WSH and DLL stuff is mentioned in an Australian government security policy PDF document I downloaded, but I cannot remember where from.
     
    Last edited: May 21, 2016