What is a Good, Free Setup for "Average Users"

Discussion in 'other anti-malware software' started by Brandonn2010, Feb 6, 2012.

Thread Status:
Not open for further replies.
  1. guest

    guest Guest

    @OP

    Interesting.

    I guess you can't restrict their Windows accounts, am I right? If that's the case, first make sure that the systems are totally clean from infections, totally updated and totally functional for their owners' purposes and uses (that includes installing all Microsoft and driver updates, fully enabling Microsoft Update, installing the apps used by them and configuring these apps to automatically update/upgrade themselves to new versions without user input whenever possible, enabling Windows Firewall and configuring it to be as automatic as possible, configuring the Action Center to stop showing notifications like the "you should backup" one, etc.).

    After that you should install and configure avast Free! with silent/gaming mode permanently enabled + totally password protected + security settings elevated + hidden tray icon. That should be sufficient to make it impossible for the novices to disable it or circumvent its protection.

    You can also configure their routers and network connections to use Norton DNS and then flush their system's DNS cache.

    You can also try PeerBlock Portable available here. Extract it to a folder that the novices won't see, cancel the initial setup wizard, enable the P2P, Spyware and Advertising lists. On PeerBlock's Settings "first panel" figure out how to configure it to stop showing notifications, on PeerBlock's Settings "second panel" enable the options Start with Windows, Always start hidden, Always hide tray icon and Minimize to tray on close. Also enable every "Updates" option except Use proxy and set the Auto-close update window after 1 second. Save and forget about its existence, lol.

    Did you notice that I'm only recommending "invisible" and "almost invisible" solutions? From personal experience at the time I had to be the admin of a home computer, if you build the system's security thinking that the novices will correctly deal with anything "noticeable" - like a new browser - you should expect problems and confusions. Make sure that the "invisible" security line is good before adding noticeable solutions.
     
  2. zip

    zip Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    359
    Location:
    Mars
    See my sig. :)
     
  3. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,432
    Location:
    Slovakia
    I use this to fix computers: AVG Free + WinFirewall, Chrome because of updated Flash (or Firefox), disable IE, set DNS server other than ISP.
    As for AVG setup: Do not install Linkscanner, then disable email scanner and set it to clean/delete files automatically without user interaction.
     
  4. sg09

    sg09 Registered Member

    Joined:
    Jul 11, 2009
    Posts:
    2,811
    Location:
    Kolkata, India
    Returnil System Safe free: Virtualize every boot, tell them to save files on another drive.
    Advantages: No pop-up.
    Disadvantage: Not good against some rootkits which may skip from F-Prot AV's detection list. But RSS is compatible with other AVs. So, it can be run alongside Avast/Panda etc.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    On Semi-Automatic mode, as alternative to Sandboxie on Windows 7

    1. Install Bufferzone with Avast file + behavioral + script shield

    a) Only sandbox IE9 as main point of entry, skip the rest, (only makes it complex). Don't need webshield of Avast, because IE's smartscreen is pretty strong (and more default is less incompatibility)

    b) All 'new' unsigned programs run inside sandbox (BZ detects new executables on harddisk itself) in semi-auto mode. Because BZ also sandboxes executables downloaded with e-mail, you don't need e-mail shield of Avast. BZ also sandboxes scripts run by trusted programs, add Avast script shield for safety net.

    c) It is up to Avast to catch any left signed malware (they often had scopes in which they reported signed malware, so file shield should do well for the leftovers)

    d) enter internet banking in the Privacy Zone to protect against keyloggers
    (an advantage over Sandboxie)

    e) stop untrusted programs in sandbox going outbound with firewall (only allow Internet Explorer). So untrusted will be denied outbound, therefore Avast network shield is not installed (less overlap, less incompatibility)
     

    Attached Files: 2.png, 3.png, 4.png, 5.png, 6.png
    Last edited: Feb 25, 2012
  6. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Great Screenie Views Kees1958

    It's been many a long time since I examined this one.

    Thanks!
     
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Sandboxie has a better track record of providing iron strong security and is faster (meaning less delay when a sandboxed program starts).

    Bufferzone is a sort of crossover of GesWall and Sandboxie (providing system wide new executables protection and specific program virtualisation).

    BufferZone's lesser track record is well compensated by the fact that IE tabs still run in LOW RIGHTS (protected mode), while Sandboxie forces them into Medium Rights (I have never grasped why Sandboxie lowered protection before making it stronger again, even in XP age it took some time before one could set an extra LUA protection, on the other hand Tzuk was the first to offer application sandboxing on x64 :thumb: )
     

    Attached Files: 1.png
    Last edited: Feb 23, 2012
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep, I like it. I normally use Chromium as browser.

    I have BZ installed only to use it for banking, even removed port 80, only allowing HTTPS in the Windows Firewall outbound rules. Because I use IE9 only for banking, I am not frustrated by the longer startups of IE.
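
The HTTPS-only outbound restriction described in the post above, sketched with the built-in `netsh advfirewall` commands. This is an added example, not something posted in the thread; the rule name and backup path are made up, and it assumes the stock Windows Firewall is the only firewall on the machine.

```powershell
# Added example. Run from an elevated PowerShell prompt (Windows 7 or later).
# The rule name and backup path are made up for this example.
$backup   = "$env:USERPROFILE\firewall-before.wfw"
$ruleName = 'Banking-IE-HTTPS-out'

# Save the current policy first; restore with: netsh advfirewall import $backup
netsh advfirewall export $backup

# Windows Firewall allows all outbound traffic by default, so an allow rule
# on its own restricts nothing. Block outbound by default on every profile.
# The quotes matter: PowerShell splits an unquoted a,b into two arguments.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 64-bit Windows ships two copies of IE; cover whichever exist.
$ieDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique
foreach ($dir in $ieDirs) {
    $ie = Join-Path $dir 'Internet Explorer\iexplore.exe'
    if (Test-Path $ie) {
        # Outbound TCP 443 only: with no rule for port 80, plain HTTP from IE
        # is dropped by the default-block policy.
        netsh advfirewall firewall add rule name=$ruleName dir=out action=allow program="$ie" protocol=TCP remoteport=443
    }
}

# Verify the default policy and the rule(s) just added.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall show rule name=$ruleName verbose

# Name lookups still rely on the built-in DNS rule (English rule name shown);
# confirm it is present and enabled, otherwise IE cannot resolve the bank's host.
netsh advfirewall firewall show rule name="Core Networking - DNS (UDP-Out)"
```

With outbound blocked by default, every other program that needs the network (the everyday browser, antivirus and application updaters) needs its own allow rule.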
     
  9. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Yeah, I been off-air so to speak for way too long, so now that full service is again active! (finally), the first priority here is to pin down at least 2 solid browsers. Opera & Firefox used to be mainstays, but I have found IRON & CHROME very promising before.

    Glad to finally be back FULL-TIME after such a long time away trip to Mars ;) Lottsa catchin' up to do 4 sure.

    Regards..
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Where have you been so long? Easter, the honery tester for XPOFF who had covered all hooks at least twice ;)
     
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    welcome back EASTER:thumb: :thumb:
     
  12. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Many & the more of more most sincere thanks to you both and of course many all you other good members & friends for those very WARM sentiments.

    Throughout my entire (long) absence I longed painfully to eventually/sometime rejoin again with glee this extra-super community of the very best & intelligent members the world internet will ever experience in order to continue to share and help with you, forward the absolute importance that PC security/programs along with useful dialog produces in order to keep this invention we enjoy safe, sound, and as secure as possible.

    Glad to be back home!

    EASTER ;)
     
  13. Brocke

    Brocke Registered Member

    Joined:
    Mar 16, 2008
    Posts:
    2,306
    Location:
    USA,IA
    Avast shields now have more in common and work together to give better detection. It's best to install the full suite of the free, etc
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, in the context of using Bufferzone they are not needed, I added an explanation in my previous post

    a) Only sandbox IE9 as main point of entry, skip the rest, (only makes it complex). Don't need webshield of Avast, because IE's smartscreen is pretty strong (and more default is less incompatibility)

    b) All 'new' unsigned programs run inside sandbox (BZ detects new executables on harddisk itself) in semi-auto mode. Because BZ also sandboxes executables downloaded with e-mail, you don't need e-mail shield of Avast.

    e) stop untrusted programs in sandbox going outbound with firewall (only allow Internet Explorer). So untrusted will be denied outbound, therefore Avast network shield is not installed (less overlap, less incompatibility)
     
    Last edited: Feb 25, 2012
  15. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    Trying out EMET. I try to add the Flash dll NPSWF32.dll but I keep getting a message that this is not a valid executable. Is there some way to add Flash to EMET? I have the Flash .exe's added but they look like just the installer/uninstallers. What else do I add to protect the Flash plug-ins and player?
     
  16. kerykeion

    kerykeion Registered Member

    Joined:
    Jun 30, 2010
    Posts:
    286
    Location:
    Philippines
    If they don't need to install anything, Limited User Account + Software Restriction Policy would do. While you control the superuser account.
     
  17. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you're using a browser other than Firefox, you only need to add the browser's main executable to EMET. It will be the browser's processes that will be handling the plugins.

    If you're using Firefox, you'll also need to add plugin-container.exe to EMET. This is the Firefox process handling the plugins.
     
  18. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995

    Thanks for the info, done now. I saw that EAF may need to be disabled for Java. I have done that as per Hungry's info. Are there other common, well-known apps that should have some protection disabled?
     
  19. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Silverlight is broken by EAF I believe.
     
  20. acr1965

    acr1965 Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    4,995
    ok thanks, I uninstalled that
     
  21. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    What's EAF?
     
  22. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    export address table filtering
     