Advanced Plus Security Brambedkar59's Security Config 2024

Last updated
Nov 5, 2024
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
2 older laptops running Win 10 (one with F-secure and other Kaspersky Free)
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
    • Basic account password (insecure)
Security updates
Check for updates and Notify
Update channels
Allow stable updates only
User Access Control
Notify me only when programs try to make changes to my computer
Smart App Control
Off
Network firewall
Enabled
Real-time security
Kaspersky Free
Malwarebytes WFC
Firewall security
Other - Internet Security (3rd-party)
About custom security
Idle scan disabled
Periodic malware scanners
Norton Power Eraser
EEK
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Common extension/Search in all browsers: Bitwarden, Bing Search
Edge (Default): uBlock Origin (MV2), Shazam (enabled only on usage), Bypass Paywalls Clean (enabled only on usage)
Firefox (Secondary): uBlock Origin
Secure DNS
NextDNS
Desktop VPN
AVG Secure VPN
Password manager
Bitwarden
Maintenance tools
Biweekly run: Windows Built-in, CCleaner, WiseCare 365 (Rarely used), Driver Store Explorer [RAPR] (for deleting old drivers not needed)
For finding program updates: UCheck & RuckZuck
HiBit Uninstaller
File and Photo backup
Google Drive, OneDrive
Subscriptions
    • None
System recovery
Hasleo Backup Suite
Risk factors
    • Browsing to popular websites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Sharing and receiving files and torrents
    • Gaming
    • Gaming with third-party mods
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
11400H (UV via ThrottleStop), 3050Ti (UV via G-Helper), 16 GB, 0.5TB + 1 TB NVMe, 1 TB & 4 TB HDD (for image backup and downloads)
Notable changes
Kaspersky Free to AVG IS
AVG IS to Kaspersky Free
What I'm looking for?

Looking for medium feedback.

Notes by Staff Team
  1. This setup configuration may put you and your device at risk!
    We do not recommend that other members use this setup. We cannot be held responsible for problems that may occur to your device by using this security setup.

brambedkar59

Level 32
Thread author
Verified
Top Poster
Well-known
Apr 16, 2017
2,159
I noticed that Auslogics Registry Cleaner finds unused drivers, which makes me wonder if this is something important to do as maintenance or not:

These are all very small drivers (for HID & others), not even taking up that much space. I do delete older drivers (especially GPU drivers), when I upgrade several drivers which are huge in size. You won't gain much space in your case, leave it alone for now.

I can't emphasize enough how risky it is to mess with the Windows driver store, so make a system image backup first if you decide to make any changes.
 

brambedkar59

Finally fixed the UAC lag. It was the goddamn Nvidia drivers. Anything newer than 552.44 and it becomes laggy. Thanks to the good Samaritan who sent a PM on reddit and suggested this.


Windows 24H2 updated to build 26100.2605
 

lokamoka820

Level 25
Verified
Mar 1, 2024
1,426
Finally fixed the UAC lag. It was the goddamn Nvidia drivers. Anything newer than 552.44 and it becomes laggy. Thanks to the good Samaritan who sent a PM on reddit and suggested this.


Windows 24H2 updated to build 26100.2605

I follow this recommendation from NVIDIA website when it comes to their driver updates:
Although GeForce Game Ready Drivers and NVIDIA Studio Drivers can be installed on supported notebook GPUs, the original equipment manufacturer (OEM) provides certified drivers for your specific notebook on their website. NVIDIA recommends that you check with your notebook OEM for recommended software updates for your notebook.
 

brambedkar59

I follow this recommendation from NVIDIA website when it comes to their driver updates:
I don't update drivers unless they are from ASUS except in case of graphics drivers. Also, in my case those drivers are from 2022 and it's almost 2025. I would face issues in games from older drivers and then there are security vulnerabilities when using those old drivers. So, unless I have issues, I stay with updated graphics drivers.
 

brambedkar59

That is possible. Next time I reinstall Kaspersky I will try reenabling defender first to see what happens.
@SeriousHoax I tried this and Defender service is still running in the background, even with these GPedit options set.

brambedkar59

Is this with Kaspersky installed?

You might consider a repair install via Windows Update, if you don't mind the trouble. I've done it once before, and it didn't take very long.
I have already done a repair install after 24H2.

Update: I just noticed something weird. Windows keeps resetting GP "Turn off MS Defender Antivirus" after every reboot. It resets to "Not Configured." That's the real issue.
 

bazang

Level 9
Jul 3, 2024
438
Update: I just noticed something weird. Windows keeps resetting GP "Turn off MS Defender Antivirus" after every reboot. It resets to "Not Configured." That's the real issue.
First things first. Are you even using Windows 11 PRO? Because GPOs on Windows Home are not supported by Microsoft.

That setting will only work if your system is enterprise or government managed with a volume Microsoft license.

There are many GPOs that do not work if not managed. Microsoft does this on purpose. For one, Microsoft does not want consumers to be able to disable any protections, particularly Microsoft Defender. Microsoft does not go on record publicly about the decisions it makes with regard to Defender or Group Policy.

Perform internet search "Why does Group Policy not work?" and read through a bunch of them.

Windows is a generic operating system that is meant for:

1. Enterprises and Government (Home use is just an afterthought)
2. Managed / Domain-joined and fully managed by an enterprise level admin using AD/AAD, InTune, SCCM, etc (Unmanaged home use is just an afterthought)

To further complicate matters there are many instances of GPOs not working at the enterprise/government level. You can spend months researching GPOs on Windows and in the end you will likely be no further than you are today. Just leave it be and move on because your system is not managed. This is how the world of Microsoft works. Always has. Always will.
 

brambedkar59

First things first. Are you even using Windows 11 PRO? Because GPOs on Windows Home are not supported by Microsoft.

That setting will only work if your system is enterprise or government managed with a volume Microsoft license.

There are many GPOs that do not work if not managed. Microsoft does this on purpose. For one, Microsoft does not want consumers to be able to disable any protections, particularly Microsoft Defender. Microsoft does not go on record publicly about the decisions it makes with regard to Defender or Group Policy.

Perform internet search "Why does Group Policy not work?" and read through a bunch of them.

Windows is a generic operating system that is meant for:

1. Enterprises and Government (Home use is just an afterthought)
2. Managed / Domain-joined and fully managed by an enterprise level admin using AD/AAD, InTune, SCCM, etc (Unmanaged home use is just an afterthought)

To further complicate matters there are many instances of GPOs not working at the enterprise/government level. You can spend months researching GPOs on Windows and in the end you will likely be no further than you are today. Just leave it be and move on because your system is not managed. This is how the world of Microsoft works. Always has. Always will.
It's a pro version. This Group Policy used to work flawlessly in Win 10 pro.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,895
@SeriousHoax I tried this and Defender service is still running in the background, even with these GPedit options set.
Some days/a couple of months ago I saw someone who posted a comment/status here on MT where the Emsisoft support team told him that the MD-related processes in Windows 11 are only stopped for AVs that have a firewall. So, MD processes won't shut down for products without a firewall like Emsisoft, Kaspersky Free, etc. but will shut down for ESET IS, Bitdefender paid versions, etc.
I don't know how MD processes have any connection to the Firewall because they never did in the past.
 

brambedkar59

Some days/a couple of months ago I saw someone who posted a comment/status here on MT where the Emsisoft support team told him that the MD-related processes in Windows 11 are only stopped for AVs that have a firewall. So, MD processes won't shut down for products without a firewall like Emsisoft, Kaspersky Free, etc. but will shut down for ESET IS, Bitdefender paid versions, etc.
I don't know how MD processes have any connection to the Firewall because they never did in the past.
It's a mess. MS can't be bothered to make proper documentation. Like, why do Group Policies have no effect on the Defender service?
Even the Total security version of Kaspersky seems to have this issue. Thread is from 2023.
 

bazang

It's a pro version. This Group Policy used to work flawlessly in Win 10 pro.
"Used to" means how long ago did it work for you?

Microsoft disabled an unmanaged system's ability to block the start of Windows Defender using Group Policy back in 2020.

You have two possibilities:

1. Use WDAC to block the Windows Defender service and other processes; or
2. Take ownership of the Windows Defender folders and the contents therein, and then rename the processes you wish to prevent startup by appending the underscore symbol _ (e.g. MsMpEng.exe_ or MsMpEng._).
 

TairikuOkami

Level 38
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,712
Like, why do Group Policies have no effect on the Defender service?
MS has been making rapid changes for the past few years, they change their views based on the weather or whatever. Some call it features, some nuisances.
Initially this GPO was designed to disable Defender, recently it has been changed to stop it, when 3rd party AV is running and kick back in, when AV is disabled.
When Defender is disabled and its services are not running, it will not kick in till restart, so this was done to prevent malware running wild, ignoring user's wishes.
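
To check on a given machine what the posts above describe (whether the policy value survives a reboot, and which running mode Defender reports next to a third-party antivirus), the following read-only PowerShell snapshot can be run before and after a restart. It is an added example, not code from any poster in the thread; the log path `$LogPath` and the function name `Get-DefenderSnapshot` are assumptions.

```powershell
# Added example (not from the thread): read-only snapshot of Defender state.
# Run it once before and once after a reboot, then compare the rows in the CSV.
# $LogPath is an assumed location; change it as needed.
$LogPath = Join-Path $env:LOCALAPPDATA 'defender-state.csv'

function Get-DefenderSnapshot {
    # Registry value behind the "Turn off Microsoft Defender Antivirus" policy.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $pol = Get-ItemProperty -Path $polKey -Name 'DisableAntiSpyware' -ErrorAction SilentlyContinue
    $policy = if ($null -eq $pol) { 'Not Configured' } else { [string]$pol.DisableAntiSpyware }

    # State of the Defender antivirus service.
    $svc = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue

    # Engine state; the cmdlet fails when the service is stopped, so record that as a result.
    try   { $mp = Get-MpComputerStatus -ErrorAction Stop }
    catch { $mp = $null }

    # Antivirus products registered with Windows Security Center.
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' -ErrorAction SilentlyContinue
    $registered = $av.displayName -join '; '

    [pscustomobject]@{
        Taken            = Get-Date -Format 's'
        LastBoot         = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime.ToString('s')
        PolicyValue      = $policy
        ServiceStatus    = if ($svc) { [string]$svc.Status } else { 'Missing' }
        ServiceStartType = if ($svc) { [string]$svc.StartType } else { '' }
        RunningMode      = if ($mp) { $mp.AMRunningMode } else { 'Unavailable' }
        RealTimeEnabled  = if ($mp) { $mp.RealTimeProtectionEnabled } else { '' }
        TamperProtected  = if ($mp) { $mp.IsTamperProtected } else { '' }
        RegisteredAV     = $registered
    }
}

# Append one row per run so the pre-reboot and post-reboot states sit side by side.
$snap = Get-DefenderSnapshot
$snap | Export-Csv -Path $LogPath -Append -NoTypeInformation
$snap | Format-List
```

A `PolicyValue` that reads `1` before the restart and `Not Configured` after it, with a newer `LastBoot`, is the reset behaviour reported earlier in the thread.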
 

brambedkar59

"Used to" means how long ago did it work for you?

Microsoft disabled an unmanaged system's ability to block the start of Windows Defender using Group Policy back in 2020.

You have two possibilities:

1. Use WDAC to block the Windows Defender service and other processes; or
2. Take ownership of the Windows Defender folders and the contents therein, and then rename the processes you wish to prevent startup by appending the underscore symbol _ (e.g. MsMpEng.exe_ or MsMpEng._).
Ok, I didn't know about that change. I have already disabled defender service with DControl. The reason why I talked about this again was because of post #160 by SeriousHoax. So, I tried that method but it didn't work and I posted the results.

MS has been making rapid changes for the past few years, they change their views based on the weather or whatever. Some call it features, some nuisances.
Initially this GPO was designed to disable Defender, recently it has been changed to stop it, when 3rd party AV is running and kick back in, when AV is disabled.
When Defender is disabled and its services are not running, it will not kick in till restart, so this was done to prevent malware running wild, ignoring user's wishes.
It's a nuisance.
 

SeriousHoax

It's a mess. MS can't be bothered to make proper documentation. Like, why do Group Policies have no effect on the Defender service?
Even the Total security version of Kaspersky seems to have this issue. Thread is from 2023.
Indeed, a mess. MD services running even with third-party AVs installed has been a thing since Windows 11 for both free and paid. They remained running in an inactive state consuming barely any resources and only performed a signature update at least once every day. But I think at the start of 2024 or near the end of 2023 it changed to only having them enabled if the third-party AV doesn't have a firewall.
I only installed ESET Smart Security and Bitdefender TS on my system since the change, so I had MD processes turned off. What the Emsisoft support staff said matches my experience with paid AVs and yours with free AVs, so it seems that's how things are at the moment. MS should add changes like this to their MD update changelog or somewhere in their MD documentation.
 

bazang

MS has been making rapid changes for the past few years, they change their views based on the weather or whatever. Some call it features, some nuisances.
Initially this GPO was designed to disable Defender, recently it has been changed to stop it, when 3rd party AV is running and kick back in, when AV is disabled.
When Defender is disabled and its services are not running, it will not kick in till restart, so this was done to prevent malware running wild, ignoring user's wishes.
All users agree to Microsoft's Windows EULA. Hidden in that document somewhere it states that the user agrees to accept Microsoft's security decisions and policies regarding the OS as it pertains to what users can and cannot do on the OS.
 
