What would be a good "No Antivirus" Windows set up?

Discussion in 'other anti-malware software' started by avboy, Mar 15, 2021.

  1. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    For a user with average knowledge, working compulsorily on Windows 10, what would be a good setup with no antivirus installed? If it is without commercial anti-malware software, it would be good too.

    Different machines for:

    Scenario 1. Download files, videos, photos (from known sites like Insta, Youtube, etc)

    Scenario 2. Financial transactions like banking, investing etc.

    Reasons - Antivirus companies collecting huge amounts of data and companies being sold left and right to PE firms, Chinese companies etc.

    This may be a difficult proposition on Windows with average user knowledge, but I have read posts here in many unrelated about possibilities.

    Thanks in advance.
     
  2. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    There's only one - a stand alone setup. That is, where the computer is not connected to any network that has Internet access.
    Well, for the major names, this is tin-foil hat stuff.

    I run with Windows 10's own Microsoft Defender on all our systems here and I am not worried about any Microsoft data collection because I know they are NOT trying to get my passwords, bank accounts, real name, real address, contacts, or any other personal data.
     
  3. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Thanks for your reply. So do you use Windows Defender only? Since you mentioned all your systems, what is the complete picture? Is the network protected by Hardware firewall, site blocking rules, group policies, download restrictions, anti execute and so on? Or is it an open network? I am curious as the scenarios are very different for Windows Defender only setup.

    PS - Microsoft is not my worry.
     
  4. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    No they aren't. The choice of your primary anti-malware solution does not change the scenario one bit.

    First, it is important to understand Windows 10 is not Windows XP or even Windows 7. So there is no need to treat it that way.

    Second, Microsoft Defender (formerly Windows Defender), is a very capable antimalware solution - contrary to what some may think and what others may want us to think.

    I have a rather standard Netgear Nighthawk router which offers standard firewall protection for my network. Then I use Windows Firewall in its default settings on each computer. This is the setup I recommend for all my clients too. Why? Because it's already in there, it is simple to use, and most importantly, it works.

    However, I don't really care if my clients choose Norton, Avast or another proper solution - AS LONG AS they use it and keep it (and Windows) current.

    That said, I also recommend users have a secondary scanner on hand, regardless of their primary solution of choice, and periodically scan with that to make sure the user (ALWAYS the weakest link in security) or the primary scanner didn't let something slip by. And I generally recommend Malwarebytes for that. I've been using that setup since Windows 8 came out in 2012, and since I migrated to Windows 10 in 2015 and Malwarebytes has yet to find anything Defender let by, except a couple "wanted" PUPs.

    So in that respect, it is not Microsoft Defender "only" for security - but Malwarebytes never finding anything malicious does suggest Microsoft Defender only would be fine.

    I also stress to myself, my clients, my friends and my family (and anyone else who will listen) the critical importance of not being "click-happy" on unsolicited links, downloads, attachments, and popups.

    And for the record, there are currently 5 computers here with two frequently used by teenaged grandkids and other guests who definitely are not as disciplined or "security aware" as I am.
     
  5. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,556
    Simply use Hard Configurator.
     
  6. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Nah! Not necessary.

    It is important to also remember there are over 1 Billion Windows 10 systems out there and most of those users simply stick with all the default settings. And guess what? The vast majority have no problems with malware, with Windows Update, with hardware configurations, or anything else. Their computers just work - just like their toaster, or coffee pot.
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,209
    Location:
    Among the gum trees
    Have a quality image backup routine.
     
  8. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I don't know about 'good' but can tell you what I do with less than average knowledge. I sandbox all Internet facing applications with Sandboxie, restrict what files and folders sandboxed apps can see and prevent execution of anything other than the necessary in each sandbox.

    I then use Hard Configurator as a convenient way of implementing SRP and hardening firewall rules.

    I don't think it's better than a traditional AV set up. Just one that suits me. Largely because scanning what I know to be safe files wastes resources and coming from an era where that was important I can't quite shake it no matter what resources I now have at my disposal.

    You might find MS Defender isn't that easy to keep turned off nowadays if you don't replace it with another AV anyway. It is also a steady and acceptable choice to be fair particularly if you tweak it somewhat.

    It will send data to MS but if you don't trust them you really should rethink your reliance on them. They'll get your data many other ways. Even the 'privacy' tools available largely just allow you quick access to MS approved limitations for Pro and Enterprise versions of Windows. What else MS collect through the multiple enforced calls home is anyone's guess.

    Even if you find a way of blocking that off your browser is likely telling Google, MS or a.n. other all about you anyway. Nothing is free. You trade your data for the privilege of using free apps. To be fair on Mozilla they usually give you esoteric ways of blocking stuff and with all browsers you can use 'private' search engines or tune privacy but it is not always simple.

    You can also look for things to prevent tracking but most browsers are chromium based and that really is what Google wants it to be, and use of their APIs is being tightened further all the time, and Edge just replaces Google with MS. As for Mozilla they need to generate income to compete. Otherwise they become irrelevant so they push search engines etc that pay, though you can change them etc.

    To be honest if you use Instagram and YouTube you've lost your privacy battle anyway. MS and the other AV data hoarders are ***** cats compared to those tigers in the privacy game so just pick an AV that doesn't annoy you. They're all pretty good nowadays.....and of course back-up regularly.

    Long way of saying if you don't want an AV because of tracking, that ship has sailed.
     
  9. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    8,627
    If you keep your system up to date, don't open random files and use Microsoft Defender or one of the other big name antiviruses, that is all you need to do to keep your computer very well secured. Antiviruses do harvest data, but they don't do it to steal it. They upload unknown files they think could be suspicious, so they can analyse them and then add signatures for them if they are found to be malicious.
     
  10. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Thank you all for the enlightening replies. Yes there is a difference between collection of data and monetizing or misusing it. I don't know about the AV industry but do know how Private Equity operates. They look to monetize every ounce possible. And yesterday I read that a big Security company has sold its enterprise division to a PE firm. I worry whether the data won't be monetized. After the Avast data incident I find it really tough to vouch for anyone big or small.
     
  11. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    1,134
    Yeah, that's all that I'm using, with a vpn, and no problems.
     
    Last edited: Mar 16, 2021
  12. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Agreed. But that's regardless of your security solution.
    I think it wise to be concerned, but it is simply bad for your health to worry about something you have no control over.

    What I like about Microsoft's solution (besides the fact it is effective at protecting us), is Microsoft is not attempting to collect our very personal data. Now of course, they could change their Privacy Policy, but frankly, I don't see that happening. They know that would bring the wrath of every Windows user, every blogger, every IT journalist, and especially all the MS haters out there down upon their heads.

    Now what happens too often is companies are sold and the new owners have a privacy policy that favors them and not us consumers. :( But again, I don't see that happening here since I just don't see a new (and bigger) company buying out Microsoft.

    Also, Microsoft Defender does not nag users into upgrading to some paid "premium" version or subscription service that then requires us to provide them with our billing information.

    So Microsoft, at least when it comes to Windows and Microsoft Defender, does not know, and is not trying to gather our real names, real addresses, or our billing information and other very personal information. In fact, they actively try to protect that data.

    This is why Google, Facebook and others are a much greater threat than Microsoft.

    And our ISPs are worse because they know everything we do on the Internet, plus they already know our true names, physical location and billing information.

    And worst of all is our cell phone carriers. It's truly scary - at least to me - what they know. Not only do they know everything we do on their networks, they know who we talked to, emailed, and texted. Plus they know our true names, address, and billing information. But they also know where we have been, where we are standing to within a few feet - including the aisle of the store we are standing in :eek: and they know the direction we are headed and how fast we are traveling.

    If we connect to the Internet with our Windows computer via Ethernet, the closest Microsoft knows of our physical location is our PoP (point of presence) - the physical point where our ISPs connect us to the Internet backbone. In my case, that is 8 miles across town!

    As far as Hard Configurator, it should be noted it is NOT designed to be used as your only security. By default, it whitelists Microsoft Defender - thus keeping it active, a good thing. H_C mainly also locks down other settings which some may feel provides extra security and thus makes them feel more secure. That's for another discussion. I will just use this analogy to illustrate my point; we don't need to drive around in an Abrams Tank to be safe. We just need to use a recent model vehicle, keep it current and updated, and most importantly, we must drive defensively.

    Now if you must leave your computer where others have access to it, and those other people have little to no security awareness or discipline, then maybe some extra armor is needed.

    And yes, as Krusty noted, have and use a robust backup plan - one that includes at least one "off-site" copy. Remember, malware is not the only thing that can take out your data. A bad guy could break into your home and steal your computer. Or Mother Nature could throw a bolt of lightning directly at your home. Or a flood, hurricane or fire could destroy your home.
     
  13. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    @Bill_Bright, thanks a lot for your lucid reply. My sentiments exactly and more so about the level of tracking by cell carriers. But as you say, can't worry about what we can't control. I am not so worried about Microsoft (being on a MS platform that is). That is why I am trying to shift to a MS only solution as much as possible and keep it "in-house" so to say.

    After reading all your posts, I am looking at Hard Configurator, MS Defender, Hosts file and Macrium Reflect. Will have to research Windows Firewall more before shifting to it and maybe block and allow domains with NVT's domain blocker. Thanks!
     
  14. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Not sure what you mean by "shifting to it". Unless you already disabled it and installed something else, you are already using it. And that's fine. Firewall technologies have not changed in a couple decades. All 3rd party FWs get you is extra features. None protect a blocked port any better than any other.

    I used to use a custom HOSTS file years ago. I found they are not worth the hassle. In fact, that's pretty much how I got to my current configuration. I decided to practice what I preach to my less technical and security savvy clients, family and friends and use what I recommend they use. That personal policy started way back in 2014 when I migrated away from XP and moved to Windows 7 on all my machines. I decided to put Microsoft Security Essentials (the W7 version of Microsoft Defender) and Malwarebytes Free on all my systems, then leave the defaults alone. And it has worked.
     
  15. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Yes I will shift when I can control which app to give permission to and which domain to allow to. Currently ESET firewall allows this very easily. However since my aim is to move out third party software I am looking at the above options. I am also evaluating NVT website blocker
    https://www.novirusthanks.org/products/website-blocker/
     
  16. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    @Elwe Singollo, are you using old sandboxie or the new sandboxie plus? Can Edge browser be sandboxed properly?
    Your point on Mozilla is good, but then you have to depend on extensions, all of which are not open source.
     
  17. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Is there some reason you think you can't do that with Windows Firewall?
     
  18. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,868
    You can't run the full potential of Windows 10 without any antivirus - Windows won't let you.
    Firewall is mandatory, Antivirus is mandatory - both for Apps (MS Store, is vital), Firewall also for installing fonts.

    Sandboxie does NOT replace any other good security concept, it's just the icing. And no - Edge and Chrome do not run properly in Sandboxie. And yes - Edge is tracking you very hard, even if it is turned off in Windows.
    Reading this or that does not replace your own experience. You have to dig your nose very deep into the dirt, crush your Windows so many times to get the respect for Windows and its internal functionality and connections. It does not make sense to alter Windows functionality without having seen about before.

    I use Pro, don't like it much, use LTSC because it's the closest version next to Windows 8 without running any app - I don't like apps because it binds me to the MS Store, a very small world. But I have installed a reduced Pro because of LTSC for some reason (using ntlite Pro) - and this is only the beginning - and the conclusion of all of my experience with Windows I never had got if I only have asked so many times. It's like NIKE - "just do it".
     
  19. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    For me, Win 10 Pro, Hard Configurator, Config Defender on High, and Firewall Hardening. And most important, a current backup plus most recent work saved to external drive.
     
  20. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    @Bill_Bright I know how to control apps but not domains by their names.

    Thanks @Brummelchen for your reply.
    What exactly did you mean by this, particularly the last part?
     
  21. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    No it's not. Come on. We need to stop with the tinfoil hat, the sky is falling stuff.

    Edge certainly is not near as bad as Chrome. Plus, Edge gives you much more control over that compared to other browsers. Heck, Google is even getting sued big time - again - over Chrome tracking you when using Incognito mode. Google fails to quash Incognito mode user tracking, privacy lawsuit | ZDNet

    As for blocking domain names, you are already using a host file and for sure you can block IP addresses.
     
    Last edited: Mar 16, 2021
  22. pb1

    pb1 Registered Member

    Joined:
    Apr 4, 2014
    Posts:
    1,268
    Location:
    sweden
    Shadow Defender or similar, and regular backups
     
  23. Elwe Singollo

    Elwe Singollo Registered Member

    Joined:
    Oct 30, 2015
    Posts:
    114
    I'm using David Xantos Classic version that is essentially Plus with the old GUI from what I understand. The full functionality Plus version is buggy for me.

    The legacy Edge can't be Sandboxed using SBIE but runs in App Container anyway. The Chromium based Edge can. Whether it should be has been a matter of debate here for many years although focused on Chrome rather than Edge it is the same argument about chromium sandbox vs SBIE. Embarrassed to say I was too involved in many under an old user name. This one is typical. Although old the arguments are the same.

    https://www.wilderssecurity.com/threads/chrome-sandboxed.377440/

    Yeah I get the FF extensions thing but I only use 2 and both are open source. Fingerprinting, canvas tracking, webRTC and a few other privacy holes can be closed via about:config or the options section though aren't enabled by default. I like the inbuilt tracking protection, containers and cookie isolation as well but each to their own.
     
  24. avboy

    avboy Registered Member

    Joined:
    Feb 11, 2008
    Posts:
    211
    Thanks. Which two open source FF extensions do you use, if you do not mind mentioning them?
     
  25. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,041
    Location:
    Nebraska, USA
    Legacy Edge is no more so if anyone is still using it, they, frankly, are foolish and use it at their own peril.
     