Question Best solution for PC-prebuilts at bigger scale?

AXYZE

Level 1
Thread author
Feb 9, 2020
12
Hey. I don't know if this category is okay for this thread, if not then please move it.

I’m behind pre-built PC brand and we’re about to refresh our line of computers.

Instead of going with trial Norton/Avast etc like a lot of others are doing (for money obv) we are trying to make our pc’s fast, secure and without any annoyances.
After experiments we settled on Microsoft Defender + ASR Rules + Cloud security on high + Windows Firewall with blocked obvious lolbins (not all of them, as we found some old obscure software that uses these EXEs in legit way). Also disabled old samba protocol. It created the best balance, no conflicts, no calls from customers. No infections too, which was happening before before we implemented these things (infected people called us before, but not after these changes).

We experimented a lot and for example - High+ cloud security level decreased performance esp. when installing programs, Network Protection caused a lot of conflicts (for example iperf3 didnt show proper results). Script blocking ASR rule also "doesn't work", as many people play Minecraft on unofficial Java launchers and many of them are using obfuscated scripts that are 100% legit...

We sold thousands of PC’s and found that our current config doesn't create any problems for our customers, but I would love to improve it even further.
I’m posting here because I’m interested in your opinion – what more we could do while maintaining „fast & secure and without annoyances” principles?
What are your experiences with malware-blocking DNS like Cloudflare 1.1.1.2? Does it ever kick in? People are installing their own browsers like Opera GX so I'm thinking that instead of extension like TrafficLight maybe could do similar thing at DNS-level? Which DNS has the best phishing blocking? In my tests I found out that Norton is blocking Facebook ad-##### like super ultra iPhone giveaways the quickest, but we can't rely on extensions and don't want to include trial AV... I'm testing 1.1.1.2 for some time (half a year?) and NEVER saw it kickin in so idk... What about Quad9 and others? Share your experiences!

Without annoyances” is very important, some people even try to disable UAC because its already too much for them, so for example we cant make default user w/o admin rights.
We are transparent and informing users about changes compared to "default Windows" btw if someone here is worried that we are making some "unofficial" changes.
We are selling 99% of our PC's to polish customers (mainly gamers), 1% is other countries in Europe (Germany, UK etc.) so our experiences can be different as every country sees other threats, be aware of that if your experience for anything mentioned is different (for example 1.1.1.2 can work for you, but doesn't here).
 

AXYZE

Level 1
Thread author
Feb 9, 2020
12
Anyone?

I'll automate testing in next week, even if you have some random ideas just paste them here. I'll test if they will work out :)
 
  • Like
Reactions: Correlate

shmu26

Level 85
Verified
Honorary Member
Top poster
Content Creator
Well-known
Jul 3, 2015
8,175
Hey. I don't know if this category is okay for this thread, if not then please move it.

I’m behind pre-built PC brand and we’re about to refresh our line of computers.

Instead of going with trial Norton/Avast etc like a lot of others are doing (for money obv) we are trying to make our pc’s fast, secure and without any annoyances.
After experiments we settled on Microsoft Defender + ASR Rules + Cloud security on high + Windows Firewall with blocked obvious lolbins (not all of them, as we found some old obscure software that uses these EXEs in legit way). Also disabled old samba protocol. It created the best balance, no conflicts, no calls from customers. No infections too, which was happening before before we implemented these things (infected people called us before, but not after these changes).

We experimented a lot and for example - High+ cloud security level decreased performance esp. when installing programs, Network Protection caused a lot of conflicts (for example iperf3 didnt show proper results). Script blocking ASR rule also "doesn't work", as many people play Minecraft on unofficial Java launchers and many of them are using obfuscated scripts that are 100% legit...

We sold thousands of PC’s and found that our current config doesn't create any problems for our customers, but I would love to improve it even further.
I’m posting here because I’m interested in your opinion – what more we could do while maintaining „fast & secure and without annoyances” principles?
What are your experiences with malware-blocking DNS like Cloudflare 1.1.1.2? Does it ever kick in? People are installing their own browsers like Opera GX so I'm thinking that instead of extension like TrafficLight maybe could do similar thing at DNS-level? Which DNS has the best phishing blocking? In my tests I found out that Norton is blocking Facebook ad- like super ultra iPhone giveaways the quickest, but we can't rely on extensions and don't want to include trial AV... I'm testing 1.1.1.2 for some time (half a year?) and NEVER saw it kickin in so idk... What about Quad9 and others? Share your experiences!

Without annoyances” is very important, some people even try to disable UAC because its already too much for them, so for example we cant make default user w/o admin rights.
We are transparent and informing users about changes compared to "default Windows" btw if someone here is worried that we are making some "unofficial" changes.
We are selling 99% of our PC's to polish customers (mainly gamers), 1% is other countries in Europe (Germany, UK etc.) so our experiences can be different as every country sees other threats, be aware of that if your experience for anything mentioned is different (for example 1.1.1.2 can work for you, but doesn't here).
Which ASR rules are you enabling? The ones that are enabled by default in ConfigureDefender?
If so, you can probably enable also the rule for blocking WMI attacks because in ConfigureDefender it is disabled only because of a certain type of laptops -- Lenovo, if I remember right. @Andy Ful can give you accurate info about that. So if you are not using that type of laptop, you should be able to enable it.
 

AXYZE

Level 1
Thread author
Feb 9, 2020
12
Which ASR rules are you enabling? The ones that are enabled by default in ConfigureDefender?
If so, you can probably enable also the rule for blocking WMI attacks because in ConfigureDefender it is disabled only because of a certain type of laptops -- Lenovo, if I remember right. @Andy Ful can give you accurate info about that. So if you are not using that type of laptop, you should be able to enable it.
Im enabling it via Powershell. I made custom script myself, but I didnt test WMI ASR rule so I didnt add it. Just these Office/PDF rules. If @Andy Ful could give me more info about WMI that would be great ♥️
 

shmu26

Level 85
Verified
Honorary Member
Top poster
Content Creator
Well-known
Jul 3, 2015
8,175
Im enabling it via Powershell. I made custom script myself, but I didnt test WMI ASR rule so I didnt add it. Just these Office/PDF rules. If @Andy Ful could give me more info about WMI that would be great ♥️
Download Hard_Configurator by Andy Ful (he is active on this forum) and check out the various native Windows settings that it exposes.




It has modules for configuring Defender as well as Windows Firewall. The SRP section (left side of the main window) has a wealth of options, although I suspect that the "recommended" settings will be too restrictive for your purposes.

By the way, I enabled the WMI rule on my machines. I have been using it for a couple years without issue.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,164
AXYZE,
Please post here what rules do you use or simply post the content of your script. You can also run ConfigureDefender (do not change anything) and post the screenshots.
The WMI ASR rule can probably interfere with some firmware. If I correctly remember the issue was silent and made Windows restart longer. This can be tested before selling the computer.

Edit.
If you apply non-default config (advanced Defender settings, Blocking SMB, etc.) you should also make a script or application that can restore Windows default settings. Among 1000 customers there will be always some users who will need it. You can also use ConfigureDefender as many people do.
 
Last edited:

AXYZE

Level 1
Thread author
Feb 9, 2020
12
AXYZE,
Please post here what rules do you use or simply post the content of your script. You can also run ConfigureDefender (do not change anything) and post the screenshots.
The WMI ASR rule can probably interfere with some firmware. If I correctly remember the issue was silent and made Windows restart longer. This can be tested before selling the computer.

Edit.
If you apply non-default config (advanced Defender settings, Blocking SMB, etc.) you should also make a script or application that can restore Windows default settings. Among 1000 customers there will be always some users who will need it. You can also use ConfigureDefender as many people do.

Thank you for replying Andy!

I applied 4 rules:
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
Use advanced protection against ransomware
Block Adobe Reader from creating child processes

Turned on PUA protection.

Other than that I blocked mshta, regsrv32 etc. with Windows Firewall as recommended by my friend working in Azure/Microsoft, althrough he is not in anything related in cybersec so maybe I could block more things. I found out this Microsoft recommended block rules (Windows) - Windows security and I'll test if this doesn't create any problems.

I didn't touch anything else from whats available in ConfigureDefender, because either I found some compatibility errors (network protection, script detection, other Office ASR rules - some company had legit macros that were blocked by it), performance problems (high+ cloud protection), I didn't know about them (for example I didnt know about WMI one) or create too much hassle for people (block executables unless they meet criteria). I'm not sure about "untrusted and unsigned processes that run from USB" - is infecting by USB even a thing? I asked couple of friends and nobody saw it in years, its always from web. Maybe someone who has statistics/works in AV company could tell me if this still happens?

BAFS, automatic file submission turned on.
Cloud Check Limit 10s (longer ones can give impression that our PCs are slow, already had this problem when I made env with heavily throttled internet which can happen for those who use all of their LTE data, AFAIK you are Polish so you know how "unlimited" LTE works here)

Also, we are currently preinstalling 7zip which still doesn't add MOTW - does that makes any difference in Windows 11/SmartScreen today? Should we switch to something else instead?


Now I'm thinking how I can implement your idea " you should also make a script or application that can restore Windows default settings" with good user experience and to not create any confusion. Script that just sits on desktop is not great idea, maybe this script should be available on computer's support page to which link would be printed on box. And there I would put FAQ with information what we changed, how to revert that and how to apply it again. I need to think a lot about this stuff, because non-techy people need to understand everything perfectly and in the same time I cant take too much time from them. Its harder than it sounds tbh
Your piece of software is great, but when computer is for 10yr kid or 60yr old complete non-techy person it can create too much confusion, they could block too much and then complain etc. and costs of managing that can be too large, especially because we have free D2D warranty and free call support for 2 years.
Our competition just preinstall Norton 30days, gets money from revshare and calls it a day, they already have advantage as they earn from it so I need to be very careful to not make anything that will require us to do additional work, because people didn't understand what specific thing in ConfigureDefender meant. :(
 
Last edited:
  • Like
Reactions: cryogent

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top poster
Developer
Well-known
Dec 23, 2014
7,164
Thank you for replying Andy!

I applied 4 rules:
Block Office applications from creating executable content
Block Office applications from injecting code into other processes
Use advanced protection against ransomware
Block Adobe Reader from creating child processes

Turned on PUA protection.

According to Microsoft, the "Cloud protection level" settings can significantly improve anti-ransomware protection.

The most valuable protection of MS Office is the ASR rule:
Block all Office applications from creating child processes
It can prevent most attacks via weaponized documents.

Other important rules are related to scripts:
Block execution of potentially obfuscated scripts
Block JavaScript or VBScript from launching downloaded executable content

Of course, all ASR rules are valuable, but others will probably require adding some exclusions. You can look here:

The rule; "Use advanced protection against ransomware" can also produce more false positives.

Other than that I blocked mshta, regsrv32 etc. with Windows Firewall as recommended by my friend working in Azure/Microsoft, althrough he is not in anything related in cybersec so maybe I could block more things. I found out this Microsoft recommended block rules (Windows) - Windows security and I'll test if this doesn't create any problems.

You can look at the FirewallHardening (Recommended H_C) rules. The most effective is blocking scripting Interpreters and some popular LOLBins used to download payloads.

I didn't touch anything else from whats available in ConfigureDefender, because either I found some compatibility errors (network protection, script detection, other Office ASR rules - some company had legit macros that were blocked by it), performance problems (high+ cloud protection), I didn't know about them (for example I didnt know about WMI one) or create too much hassle for people (block executables unless they meet criteria). I'm not sure about "untrusted and unsigned processes that run from USB" - is infecting by USB even a thing? I asked couple of friends and nobody saw it in years, its always from web. Maybe someone who has statistics/works in AV company could tell me if this still happens?

Could you post some additional info about what compatibility errors did you encounter and what rules were involved? Did the Administrator use exclusions for ASR rules? One can exclude files and folders in ASR - but, any exclusion is applied to all ASR rules that allow exclusions

The rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" is a kind of file reputation rule, so it will produce more false positives when installing/updating applications.

The rule "Block untrusted and unsigned processes that run from USB" is a similar reputation-based rule, but the age criterium is skipped. It will block most of the unsigned applications originating from the USB drive.

Also, we are currently preinstalling 7zip which still doesn't add MOTW - does that makes any difference in Windows 11/SmartScreen today? Should we switch to something else instead?

The lack of MOTW invalidates the BAFS. From the known packers, the Windows built-in ZIP, Bandizip, and Explzh can preserve the MOTW.
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top poster
Content Creator
Well-known
Jul 3, 2015
8,175
Also, we are currently preinstalling 7zip which still doesn't add MOTW - does that makes any difference in Windows 11/SmartScreen today? Should we switch to something else instead?
Use Bandizip. pirated software very often comes in RAR format, and with 7zip you are losing an important level of protection.