SECURITY: Complete blackice's 2021 Security Configuration

Last updated
Feb 17, 2021
About
Personal, primary device
Additional PC users
Not shared with other users
Desktop OS
Windows 10
OS License Type
Home
Login security
    • Passwordless (PIN, Biometric, Face)
Primary sign-in
Microsoft account
Primary account rights
Administrator permissions
Other accounts rights
N/A - Single user account
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Network firewall
Personal router w/ firewall & filtering
Real-time protection
Microsoft Defender
NoVirusThanks OSArmor
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Configure Defender - High
OS Armor - a few additional items ticked in the settings
Malware research
No - malware samples are not downloaded
Periodic scanners
Malwarebytes, EEK, ESET online scanner, HitmanPro
DNS
NextDNS
VPN
IVPN
Password manager
1Password
Browsers, Search and Addons
Chrome -
Ad blocking from ControlD DNS DoH
1Password
Malwarebytes Browser Guard

Edge Chromium -
Ad blocking from ControlD DNS DoH
1Password

Firefox -
Ad blocking from ControlD DNS DoH
1Password
Malwarebytes Browser Guard
PC maintenance
HWiNFO
Process Explorer
Everything
Bandizip
Personal Files & Photos backup
File History
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Macrium Reflect
Device backup routine
Automatic (scheduled)
PC activity
  1. Browsing the web. 
  2. Shopping. 
  3. Banking. 
  4. PC and cloud gaming. 
  5. Streaming. 
Computer specs
Ryzen 7 5800X
ASUS TUF Gaming X570-Pro Wifi
32GB G.Skill Trident Neo 3600 cl16
RTX 3070 DUAL OC
500GB WD SN550 NVME
1TB WD SN550 NVME
500GB WD Blue SSD
1TB WD Blue HDD
Personal changelog
DNS: Cloudflare->Quad9
2/17/21 - AVG Internet Security
2/20/21 - Removed Brave, updated PC Maintenance section
3/3/21 - Removed AVG
Added Microsoft Defender
3/22/21 - Keeping NextDNS so added it
Added Bitdefender Internet Security
4/15/21 - Removed Bitdefender IS
Added Microsoft Defender
4/19/21 - Added Malwarebytes Premium just kidding it’s broken, Defender still.
4/29/21 - Changed DNS to ControlD (by Windscribe)
Removed adblockers in browsers, Added HitmanPro
5/10/21 - Back to NextDNS
Feedback Response

General feedback

blackice

Level 32
Verified
Apr 1, 2019
2,139
Very nice Security Configuration, although I am not a big fan of Malwarebytes. (y)
I don't blame you. It's an experiment. My internet habits are bland and I got bored. It was already installed for second opinion (though I had to reinstall a couple times), and I had a license key. Honestly I like your favorite Bitdefender, but should just go with Microsoft Defender in terms of practicality. I've had the least issues with MS Defender and ESET. But so far so good once I got Malwarebytes to register.
 

blackice

You can all rest easy. Malwarebytes was not registered after my last reboot, rebooted for unrelated reason. Back to Microsoft Defender or Bitdefender for now. Such a bummer I really liked it, but that’s some pretty bad unreliability. Seriously there’s always some problem with these silly apps.
 

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,377
You can all rest easy. Malwarebytes was not registered after my last reboot, for unrelated reason. Back to Microsoft Defender or Bitdefender for now. Such a bummer I really liked it, but that’s some pretty bad unreliability. Seriously there’s always some problem with these silly apps.
Some seem to be having problems with this Windows Security registration. ESET had this issue for some users for a few months. Kaspersky has an issue now but that's a bit different. If you uninstall Kaspersky, it doesn't remove itself from Windows Security registration. The main uninstaller and their uninstallation tool (which is worse than the default uninstaller) both don't remove it, so after uninstallation even Windows Defender doesn't start as the AV. Good for me, I know how to manually fix that. Some AV vendors really need to fix their Windows Security integration. Maybe Windows changes things from time to time and this causes problems for them.
Edit: I'm on 21H1. So don't know if that has something to do with this.
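
A read-only check for the leftover registration described in the post above, added here as an example and not code from any poster or vendor: it lists the antivirus products registered with Windows Security Center and flags entries whose executable is no longer on disk. The function names and the sample record are hypothetical, and nothing is changed or removed.

```powershell
# Added example: list AV products registered with Windows Security Center and
# flag registrations that point at an executable that is no longer installed.
function Get-RegisteredAntivirus {
    # root/SecurityCenter2 exists on Windows client editions, not on Server.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction Stop
}

function Test-AntivirusRegistration {
    param([Parameter(Mandatory, ValueFromPipeline)] $Product)
    process {
        # The stored path may contain environment variables such as %ProgramFiles%.
        $exe = [Environment]::ExpandEnvironmentVariables([string]$Product.pathToSignedProductExe)
        # Microsoft Defender usually registers a protocol handler
        # (windowsdefender://) instead of a file path, so URIs are not tested on disk.
        $isUri   = $exe -match '^[a-z][a-z0-9+.-]+://'
        $present = $isUri -or ($exe -and (Test-Path -LiteralPath $exe))
        [pscustomobject]@{
            Name              = $Product.displayName
            Path              = $exe
            # productState is an undocumented bit field; it is shown raw, not decoded.
            ProductState      = '0x{0:X6}' -f [int]$Product.productState
            LastChange        = $Product.timestamp
            StaleRegistration = -not $present
        }
    }
}

# Constructed sample record (not real output): a product whose files are gone.
$sample = [pscustomobject]@{
    displayName            = 'Example AV (constructed)'
    pathToSignedProductExe = 'C:\Program Files\ExampleAV\missing.exe'
    productState           = 266240
    timestamp              = 'constructed'
}
$sample | Test-AntivirusRegistration

# Live check on the local machine.
Get-RegisteredAntivirus | Test-AntivirusRegistration | Format-Table -AutoSize
```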
 

blackice

Some seem to be having problems with this Windows Security registration. ESET had this issue for some users for a few months. Kaspersky has an issue now but that's a bit different. If you uninstall Kaspersky, it doesn't remove itself from Windows Security registration. The main uninstaller and their uninstallation tool (which is worse than the default uninstaller) both don't remove it, so after uninstallation even Windows Defender doesn't start as the AV. Good for me, I know how to manually fix that. Some AV vendors really need to fix their Windows Security integration. Maybe Windows changes things from time to time and this causes problems for them.
Edit: I'm on 21H1. So don't know if that has something to do with this.
I'm still on 20H2, so maybe there is something there.
 

SeriousHoax

It is well-known that Kaspersky does not support Windows beta versions...
It's not beta. Windows 21H1 has been available for a while but has not been officially pushed to consumers yet. Also, the AV runs fine, only it doesn't remove the Windows Security integration at uninstallation. The problem didn't exist before Kaspersky 21.3.
 

blackice

Removed adblocking in browsers as ControlD DNS (from Windscribe) seems to be very effective. I don't care about FLoC because I don’t use Chrome for much other than Google services and banking.

Added HitmanPro as second opinion scanner.
 

blackice

Are you using the paid version?
What about ads on Youtube?
ControlD is on the 30 day trial of the paid service. Already useful as the ad blocking DNS blocks some things I need custom rules or bypasses to unlock.

Currently I am on a free trial of YouTube Premium for 3 months...so that's a good question. But, I'm also torn on that, I want channels I view to get paid. I really have mixed feelings on ad blockers since basically it is breaking the web. They really screwed things up with malvertising getting out of hand and ugly ads. I don't want to pay a subscription for every site, but I want them to get paid for their content. Anyway, if it's like NextDNS it will just not work for in-video ads. But I might be okay with that.
 

blackice

Looks like someone wanted to see if they could kick it with Bitdefender.
[Attached image: Antimalware RAM use.png]
 

blackice

Back to NextDNS. It's faster than ControlD where I'm at. Specifically the malware filtering. I was excited about ControlD's new enhanced malware filtering, but their malware filtering DNS now takes 2X or more time to resolve anything and sometimes sees random latency spikes. For the moment NextDNS is more mature and robust for what I use it for. Also, lacks Windscribe's lowbrow marketing.

Edit: the downside to NextDNS being that I have to use a DDNS to keep my IP updated for using the standard DNS address on our router.
 

JoyousBudweiser

Level 11
Verified
Aug 22, 2013
516
Edit: the downside to NextDNS being that I have to use a DDNS to keep my IP updated for using the standard DNS address on our router.
It's safer to use DoH than the traditional DNS setup. You can use the YogaDNS application to convert your NextDNS to system-wide DoH. It's very easy to set up and you can have multiple configurations and change it on the fly.
 

blackice

It's safer to use DoH than the traditional DNS setup. You can use the YogaDNS application to convert your NextDNS to system-wide DoH. It's very easy to set up and you can have multiple configurations and change it on the fly.
Yes, but not for several other devices on the network. Most devices still use traditional DNS addresses. I would say it’s rather more private than safer.
 

JoyousBudweiser

Yes, but not for several other devices on the network. Most devices still use traditional DNS addresses. I would say it’s rather more private than safer.
I beg to differ slightly on that. Consider this scenario: a fileless malware hardcoded with a "phone home" feature using Google DoH to download its payload will not register anything in port 53 traffic, but everything will go through the encrypted port 443, which the traditional NextDNS setting will not prevent as it does not see it, even if you enable "block bypass methods" under the "Parental control" setting. But if you are using DoH of NextDNS and if you have enabled "block bypass methods", the call to Google DoH will not go through and the malware will not get activated. So I feel it also has some safety feature when it comes to DoH coupled with NextDNS.
[Attached image: Untitled-1.jpg]
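
The visibility gap argued over in the post above, seen from the endpoint, as an added example that is not part of any poster's setup: a port 53 filter never sees resolver traffic carried over HTTPS, but the owning process can still be listed locally. The resolver watch list, function names and sample sessions are assumptions made for illustration; the list is not exhaustive, and connections made straight to an IP address with no DNS lookup are outside what this check covers.

```powershell
# Added example: flag processes holding HTTPS sessions to well-known public DoH resolvers.
# The watch list is an assumption for illustration; extend it for your own policy.
$DohResolvers = @{
    '8.8.8.8' = 'dns.google';         '8.8.4.4' = 'dns.google'
    '1.1.1.1' = 'cloudflare-dns.com'; '1.0.0.1' = 'cloudflare-dns.com'
    '9.9.9.9' = 'dns.quad9.net';      '149.112.112.112' = 'dns.quad9.net'
}

# Live data: established outbound TCP/443 sessions with the owning process name.
function Get-Outbound443 {
    Get-NetTCPConnection -RemotePort 443 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessName   = $p.ProcessName
                ProcessId     = $_.OwningProcess
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
            }
        }
}

# Detection: keep sessions to a listed resolver that do not belong to an
# expected DoH client (for example a browser with secure DNS turned on).
function Find-DohSession {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Connection,
        [string[]] $ExpectedClient = @()
    )
    foreach ($c in $Connection) {
        $resolver = $DohResolvers[[string]$c.RemoteAddress]
        if (($c.RemotePort -ne 443) -or (-not $resolver)) { continue }
        if ($ExpectedClient -contains $c.ProcessName) { continue }
        $c | Select-Object ProcessName, ProcessId, RemoteAddress, @{ n = 'Resolver'; e = { $resolver } }
    }
}

# Constructed sample sessions (not captured traffic).
$sample = @(
    [pscustomobject]@{ ProcessName = 'chrome';  ProcessId = 4120; RemoteAddress = '8.8.8.8';      RemotePort = 443 }
    [pscustomobject]@{ ProcessName = 'unknown'; ProcessId = 7788; RemoteAddress = '8.8.4.4';      RemotePort = 443 }
    [pscustomobject]@{ ProcessName = 'unknown'; ProcessId = 7788; RemoteAddress = '203.0.113.10'; RemotePort = 443 }
)
Find-DohSession -Connection $sample -ExpectedClient 'chrome'

# Live check: Find-DohSession -Connection @(Get-Outbound443) -ExpectedClient 'chrome','msedge','firefox'
```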
 

SecurityNightmares

Level 36
Verified
Jan 9, 2020
2,551
I beg to differ slightly on that. Consider this scenario: a fileless malware hardcoded with a "phone home" feature using Google DoH to download its payload will not register anything in port 53 traffic, but everything will go through the encrypted port 443, which the traditional NextDNS setting will not prevent as it does not see it, even if you enable "block bypass methods" under the "Parental control" setting. But if you are using DoH of NextDNS and if you have enabled "block bypass methods", the call to Google DoH will not go through and the malware will not get activated. So I feel it also has some safety feature when it comes to DoH coupled with NextDNS.
While that's true in theory, remember that malware can just use direct IP connections without using any DNS.

Nowadays malware also knows about encrypted DNS and some kind of enforcement, so keep that in mind too 🍺
 

blackice

I’ll wait until Windows updates to natively support encrypted DNS in a stable release. It’s outside my scope of risk to worry about every single scenario. Also my router filters by IP, so if the IP the malware is connecting to is recognized, it would be blocked when the connection is made. I am not a high risk user and I am currently the only Windows user at home.
 