What is your security setup these days?

Discussion in 'other anti-malware software' started by dja2k, Dec 15, 2005.

  1. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,438
    Location:
    Slovakia
    Smart App Control is controlled by MS, third party is controlled by the user. So it is just like with Defender, it is for undemanding users.
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    W.10 Home x64 22H2
    Local Account - Standard user - Limited permissions
    UAC maximum - Always notify
    Quad9 DNS
    OneDrive, Cortana, Advertising ID, Web Search - disabled
    Usage of location data for Cortana disabled
    Telemetry OFF
    Removed some Windows optional features.

    Microsoft Defender Firewall hardened with H_C.
    Microsoft Defender hardened with Configure Defender (Customized level) - Cloud Block Level

    • Ransomware protection - disabled
    • No run in a sandbox
    • Core Isolation: Memory integrity - disabled
    • Some software hardened with maximum AE protection
    • All Windows Exploit Protection options - enabled
    MS Edge --no-pings --time-zone-for-testing --enable-features="GpuAppContainer,IsolateSandboxedIframes,EnableCsrssLockdown,EncryptedClientHello"
    • Enabled Security Mitigations - Strict
    • Detection Protection - Strict
    • Always HTTPS
    • Next DNS DOH - (oisd + Easy Privacy)
    • Share browsing data with other Windows features - disabled
    • 4 Insecure Cipher Suites - 0x002f,0x0035,0xc013,0x009c - disabled
    • TLS_RSA_WITH_AES_256_GCM_SHA384 - enabled
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - enabled
    • IL AppContainer - enabled
    • Audio Service - sandboxed
    • Network Service - sandboxed
    • Clipboard permissions - blocked

    Edge://flags:

    Enabled:

    • Block scripts loaded via document.write
    • Enables the BrowsingDataLifetimeManager service to run
    • Experimental QUIC protocol
    • Use DNS https alpn
    • Support for HTTPS records in DNS - DNS-over-HTTPS only
    • Enable Back/Forward Cache
    • Project Robin experiment
    • Automatic HTTPS
    • Strict-Origin-Isolation
    • Show block option in autoplay settings
    • Experimental Tracking Prevention Features
    • Block insecure private network requests
    • Enable Digital Signature for PDF
    • Partitioned cookies
    • Microsoft Edge tracking prevention
    Disabled:
    • Show feature and workflow recommendations
    • Allow tab-to-search using Microsoft Search with Bing
    • Allow Microsoft Search with Bing for any default search engine
    • Allow preloading of pages by other applications
    • Enable First-Party Sets
    • Consider SameParty cookies to be first-party
    Extensions:
    • UBO - Hard Mode with TLD's
    • JShelter
    • Don't add custom search engines

    • ( on/off) - AdGuard MV3 - Hard Mode with TLD's + UBO Lite - only AdGuard URL Tracking Protection List

    Mozilla Firefox - Arkenfox.user.js

    • Tracking protection: Strict (enables Total Cookie Protection)
    • HTTPS-only-mode enabled
    • Clearing browsing data on exit
    • AutoPlay for audio and video disabled
    • DDG Search Engine
    • Hardware acceleration enabled
    • AdGuard DNS DOH (oisd)
    Extensions:
    • UBO - Hard Mode with TLD's
     
    Last edited: Dec 11, 2022
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,881
    For home users and small businesses, it's meant to replace AppLocker and SRP, which, when configured incorrectly, can lock up your PC.

    This is a simple, worry-free solution with pre-configured rules in place - a set and forget it approach to security like NVT’s OSArmor.

    For power users though it may not be enough because there’s no path offered to exclude false positives.

    Microsoft has created a comprehensive security solution to malware and ransomware threats, which has now reached its apogee in Windows 11 22H2 with SAC.
     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    W.10 Home x64 22H2
    Local Account - Standard user - Limited permissions
    UAC maximum - Always notify
    Cloudflare DNS
    OneDrive, Cortana, Advertising ID, Web Search - disabled
    Usage of location data for Cortana disabled
    Telemetry OFF
    Removed some Windows optional features.

    Microsoft Defender Firewall hardened with H_C.
    Microsoft Defender hardened with Configure Defender (Customized level) - Cloud Block Level

    • Ransomware protection - disabled
    • No run in a sandbox
    • Core Isolation: Memory integrity - disabled
    • Some software hardened with maximum AE protection
    • All Windows Exploit Protection options - enabled
    MS Edge --no-pings --time-zone-for-testing --enable-features="GpuAppContainer,IsolateSandboxedIframes,EnableCsrssLockdown,EncryptedClientHello"
    • Enabled Security Mitigations - Strict
    • Detection Protection - Strict
    • Always HTTPS
    • Next DNS DOH - (oisd + Easy Privacy)
    • Share browsing data with other Windows features - disabled
    • 4 Insecure Cipher Suites - 0x002f,0x0035,0xc013,0x009c - disabled
    • TLS_RSA_WITH_AES_256_GCM_SHA384 - enabled
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - enabled
    • IL AppContainer - enabled
    • Audio Service - sandboxed
    • Network Service - sandboxed
    • Clipboard permissions - blocked

    Edge://flags:

    Enabled:

    • Block scripts loaded via document.write
    • Enables the BrowsingDataLifetimeManager service to run
    • Experimental QUIC protocol
    • Use DNS https alpn
    • Support for HTTPS records in DNS - DNS-over-HTTPS only
    • Enable Back/Forward Cache
    • Project Robin experiment
    • Automatic HTTPS
    • Strict-Origin-Isolation
    • Show block option in autoplay settings
    • Experimental Tracking Prevention Features
    • Block insecure private network requests
    • Enable Digital Signature for PDF
    • Partitioned cookies
    • Microsoft Edge tracking prevention
    Disabled:
    • Show feature and workflow recommendations
    • Allow tab-to-search using Microsoft Search with Bing
    • Allow Microsoft Search with Bing for any default search engine
    • Allow preloading of pages by other applications
    • Enable First-Party Sets
    • Consider SameParty cookies to be first-party
    Extensions:

    Microsoft Edge Store:

    • UBO - Hard Mode with TLD's
    Chrome Web Store:
    • JShelter
    • Don't add custom search engines
    • ( on/off) - AdGuard MV3 - Hard Mode with TLD's + UBO Lite - only AdGuard URL Tracking Protection List

    Mozilla Firefox - Arkenfox.user.js

    • Tracking protection: Strict (enables Total Cookie Protection)
    • HTTPS-only-mode enabled
    • Clearing browsing data on exit
    • AutoPlay for audio and video disabled
    • DDG Search Engine
    • Hardware acceleration enabled
    • NEXT DNS (oisd + Easy Privacy)
    Extensions:
    • UBO - Hard Mode with TLD's
     
    Last edited: Dec 26, 2022
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Good little combo there @Sampei Nihira :cool:
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
  7. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Nord, Bitdefender Total, & MBAM, uBlock, FF default & https always

    I also have a machine: Nord, Windows Defender + MBAM
     
  8. acid king

    acid king Registered Member

    Joined:
    Jan 19, 2019
    Posts:
    104
    Location:
    europe
  9. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    :thumb:
    Thank you.
    Arkenfox is stopped in November.
    I have bookmarked the link.
    As soon as I have some free time today I will check if some rules are already used by me.
    :)

    P.S.
    I entered some FastFox.js settings.
    I did not enter those proposed in Smoothfox.js.
    Many others were already entered.
    ;):)
     
    Last edited: Dec 28, 2022
  10. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    Windows Defender antivirus and Windows Firewall.
    Malwarebytes anti-malware on demand scanner.

    That's it.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    OS: Windows 11 22H2
    Backup: Macrium Reflect
    Updates: SUMo
    Anti-virus: Eset Nod32 Antivirus
    On demand scanners: Emsisoft Emergency Kit, Norton Power Eraser
    Passwords: KeePass
    Other Tools: CCleaner, ShutUp10, AppBuster
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    In Thunderbird I have enabled a custom DNS (DOH) - AdGuard Private DNS.
    I want to check how it works.
     
  13. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    What could be the benefit, running AdGuard DNS?
     
  14. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    • The first advantage is that related to the privacy/security offered by a private DNS over HTTPS:

    https://en.wikipedia.org/wiki/DNS_over_HTTPS

    • The second benefit is that offered by AdGuard's request log:

    [Image: 1.jpg]

    For example, in the past I have often blocked "googleapis.com", but in the browser with UBO.

    See where it says "bloccare" (it means "to block" in English); I also have this possibility in Thunderbird.
    I have to study this opportunity. ;)

    P.S. With AdGuard private DNS you can write your own rules to block websites (but in the case of emails, you should get the blocking of emails in the email client that, for example, are sent from some domains):

    [Image: 2.jpg]

    P.S.1

    If I enter the rule for "googleapis" the authentication of IMAP (Gmail) is blocked.
     
    Last edited: Jan 5, 2023
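
Added example, not part of any post in this thread: a simplified Python model of AdGuard-style DNS rules (`||domain^` blocks a domain and all its subdomains, `@@||domain^` is an exception), showing why a broad rule for googleapis.com also blocks hosts a mail client may need and how a scoped exception narrows it. The query list is constructed, and treating www.googleapis.com as the host contacted during Gmail sign-in is an assumption.

```python
"""Simplified model of AdGuard-style DNS rule matching (added example)."""

def parse_rule(line):
    """Return (is_exception, domain) for '||domain^' or '@@||domain^', else None."""
    line = line.strip()
    if not line or line.startswith(("!", "#")):
        return None  # blank line or comment
    is_exception = line.startswith("@@")
    if is_exception:
        line = line[2:]
    if not (line.startswith("||") and line.endswith("^")):
        return None  # other rule types are outside this sketch
    return is_exception, line[2:-1].lower()

def covers(domain, host):
    """'||domain^' matches the domain itself and every subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def decide(rules, host):
    """Exception rules win over block rules; no match means allowed."""
    parsed = [r for r in map(parse_rule, rules) if r]
    if any(exc and covers(d, host) for exc, d in parsed):
        return "allowed (exception)"
    if any(not exc and covers(d, host) for exc, d in parsed):
        return "blocked"
    return "allowed"

# Constructed query log; www.googleapis.com stands in (assumption) for the
# host a mail client contacts while signing in to Gmail.
SAMPLE_QUERIES = ["imap.gmail.com", "www.googleapis.com",
                  "fonts.googleapis.com", "notgoogleapis.com"]

BROAD = ["||googleapis.com^"]                     # blocks every subdomain
SCOPED = BROAD + ["@@||www.googleapis.com^"]      # carve out one host

def evaluate(rules, queries=SAMPLE_QUERIES):
    return {q: decide(rules, q) for q in queries}

if __name__ == "__main__":
    for name, rules in (("broad", BROAD), ("scoped", SCOPED)):
        print(name)
        for host, verdict in evaluate(rules).items():
            print(f"  {host:24} {verdict}")
```

Checking a new rule against the provider's request log before and after adding it shows which application hosts it catches besides the intended one.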
  15. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    K7 Total Security, VoodooShield, Spyshelter Premium. Boring, wot? Works for me. :rolleyes:
     
  16. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
  17. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I did a switcheroo:
    From: K7 Total Security w/Firewall (FW) that cannot be disabled by user (the reason I switched)
    To: G-Data Internet Security w/FW that CAN be disabled, or not installed, as user desires
    Ancillary real-time: VoodooShield (whitelist/anti-exe) & Spyshelter Premium (anti-keylogger & HIPS)
     
  18. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    @bellgamin
    Any conflicts/slow down between G-Data Internet Security:)?
    VoodooShield (whitelist/anti-exe) & Spyshelter Premium (anti-keylogger & HIPS).
    And do you have a password manager with your setup :)?
    Just wondering :)?

    @moredhelfinland,
    What is your current setup :)?
    And what do you like about it most :)?

    Always the best,
     
    Last edited: Jan 8, 2023
  19. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I checked load with 9 apps running, plus 10 other processes, plus browser at work with 17 tabs open. My aging laptop's Sysgauge showed Intel i5 CPU at 4.6% usage. MemReduct showed 51% used of 8GB RAM. My computer laptop stayed zippy at that heavy load. G-data has a large footprint but it executes light & smooth.
     
  20. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen
    @bellgamin
    Appreciate the details and info! What about, VoodooShield (whitelist/anti-exe) & Spyshelter Premium (anti-keylogger & HIPS:)?

     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    VoodooShield (VS) plus a good AV (including a firewall component) plus regular imaging are a VERY strong security team. Spyshelter (SS) adds little if anything because its HIPS is limited to 66 default rules & has no learning capability. I will probably uninstall it when my present license expires.

    Both VS & SS are super light on resources.
     
  22. Moose World

    Moose World Registered Member

    Joined:
    Dec 19, 2013
    Posts:
    905
    Location:
    U.S. Citizen

    @bellgamin

    Thank you!! Thumb up with details...
     
  23. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,366
    Location:
    Italy
    W.10 Home x64 22H2
    Local Account - Standard user - Limited permissions
    UAC maximum - Always notify
    Cloudflare DNS
    OneDrive, Cortana, Advertising ID, Web Search - disabled
    Usage of location data for Cortana disabled
    Telemetry OFF
    Removed some Windows optional features.

    Microsoft Defender Firewall hardened with H_C.
    Microsoft Defender hardened with Configure Defender (Customized level) - Cloud Block Level

    • Ransomware protection - disabled
    • No run in a sandbox
    • Core Isolation: Memory integrity - disabled
    • Some software hardened with maximum AE protection
    • All Windows Exploit Protection options - enabled
    MS Edge --no-pings --time-zone-for-testing --enable-features="GpuAppContainer,IsolateSandboxedIframes,EnableCsrssLockdown,EncryptedClientHello"
    • Enabled Security Mitigations - Strict
    • Detection Protection - Strict
    • Always HTTPS
    • Next DNS DOH - (oisd + Easy Privacy)
    • Share browsing data with other Windows features - disabled
    • 4 Insecure Cipher Suites - 0x002f,0x0035,0xc013,0x009c - disabled
    • TLS_RSA_WITH_AES_256_GCM_SHA384 - enabled
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - enabled
    • IL AppContainer - enabled
    • Audio Service - sandboxed
    • Network Service - sandboxed
    • Clipboard permissions - blocked

    Edge://flags:

    Enabled:

    • Block scripts loaded via document.write
    • Enables the BrowsingDataLifetimeManager service to run
    • Experimental QUIC protocol
    • Use DNS https alpn
    • Support for HTTPS records in DNS - DNS-over-HTTPS only
    • Enable Back/Forward Cache
    • Project Robin experiment
    • Automatic HTTPS
    • Strict-Origin-Isolation
    • Show block option in autoplay settings
    • Experimental Tracking Prevention Features
    • Block insecure private network requests
    • Enable Digital Signature for PDF
    • Partitioned cookies
    • Microsoft Edge tracking prevention
    • Experimental third-party storage partitioning - Third party cookies blocker enabled
    Disabled:
    • Show feature and workflow recommendations
    • Allow tab-to-search using Microsoft Search with Bing
    • Allow Microsoft Search with Bing for any default search engine
    • Allow preloading of pages by other applications
    • Enable First-Party Sets
    • Consider SameParty cookies to be first-party
    Extensions:

    Microsoft Edge Store:

    • UBO - Hard Mode with TLD's
    Chrome Web Store:
    • JShelter
    • Don't add custom search engines
    • ( on/off) - AdGuard MV3 - Hard Mode with TLD's + UBO Lite - only AdGuard URL Tracking Protection List
     
    Last edited: Jan 16, 2023
  24. JohnMult

    JohnMult Registered Member

    Joined:
    Mar 26, 2012
    Posts:
    133
    Location:
    Greece
    1. Linux Lite
    2. Firewall on
    3. Firejail Firefox with uBlock Origin in Medium mode and Quad9 in Network settings. Enabled Security Mitigations like Edge and block eval through uBlock
     
  25. digmor crusher

    digmor crusher Registered Member

    Joined:
    Jul 6, 2012
    Posts:
    1,172
    Location:
    Canada
    Emsisoft AM (won a free year's subscription)
    Voodoo Shield
    UBO

    All I need.
     