Advanced Plus Security Ebocious's Yoga 6 Security Config

Last updated
Dec 22, 2023
How it's used?
For work or educational use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
    • Basic account password (insecure)
Security updates
Check for updates and Notify
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Arris BGW210, leased from ISP
Real-time security
Comodo Firewall, Windows Defender, AppCheck Anti-Ransomware Free
Firewall security
Other - Internet Security (3rd-party)
About custom security
Cruelsister config, silent mode
Periodic malware scanners
HMP, HJT
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Chrome with uBO, BD TrafficLight, Netcraft, Bitwarden. Also have Opera and Firefox with all the same extensions. I also have Puffin Secure Browser, but rarely use it.
Secure DNS
Google Public DNS (seems faster than Cloudflare on a lot of sites)
Desktop VPN
Surfshark
Password manager
Bitwarden
Maintenance tools
SFC after every update
File and Photo backup
Google Drive, external drives
System recovery
AOMEI Backupper on Sergei Strelec WinPE 11
Risk factors
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Working from home
    • Making audio/video calls
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Requesting and accepting remote access
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Lenovo Yoga 6 13ALC7
AMD Ryzen 7 5700U @ 1.80 GHz
16 GB DDR4 3200MHz (13.8 GB usable)
Integrated Radeon Graphics
512 GB NVMe SSD
Notable changes
Limited user account, DEP on all programs, remote access disabled
What I'm looking for?

Looking for maximum feedback.

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
I noticed early on that SAC was disabled. I reinstalled Windows once, only to end up disabling it again almost immediately because something didn't work. Can't remember for certain what it was, but I think it may have been CFW.

I use Cruelsister's configuration, though I leave it in silent mode because I don't consider myself an expert who can interpret every alert. Cruelsister herself said CFW will err on the side of caution in that case. The Downloads folder is virtualized, but I have a separate non-virtualized folder that I created in case I need to install something, and can drag files from the Downloads folder to that one in the Quick Access pane. Most installers would likely work anyway, since Comodo (Xcitium) would know about them and have them whitelisted. The last thing I installed was Zoom, because I'm using the computer for a new job with a financial planning company. The non-virtualized folder still gets scanned by WD.

I have AppCheck Anti-Ransomware Free, which automatically backs up data files to a secure vault in case of a ransomware infection. I also used to have WVSX, until I found out that it is no longer actively maintained. I wouldn't mind having some kind of companion sentinel app with AI or ML. I don't have any desire for a 3rd-party AV because I scan everything at VirusTotal, and signature-based engines are unlikely to catch a zero-day anyway. I've installed H_C in the past, but don't like having to reboot. I've considered OSA, but wonder whether that's a good choice, or if there are better alternatives. I don't download software from untrusted sources.

I occasionally get email attachments from the company I'm studying to work for. I save them in Downloads, and have VirusTotal Uploader for right-click convenience.

Right now, all data files are on the C partition with everything else, simply because I've been too lazy to re-partition the drive. System last backed up 12/23/2023, image was about 105 GB. I keep the last two backups on my external 500 GB Samsung SSD, and the last three backups on a 4 TB WD Passport, all with MD5 checksums. My most important files are backed up to external drives, flash drives, and Google Drive. I read that Google lost a bunch of people's files recently, but haven't noticed anything missing from my account, or any sudden decrease in storage occupancy.

LastPass has a 30-digit master password with capitals, miniscules, numbers, and symbols. It mostly comprises a line from a song that my grandma used to sing to me, but she changed one of the words to be funny. The password is unique to LP, and the words are not searchable verbatim online. My account also has 2FA with LastPass Authenticator. I use Google Authenticator on any other account that allows 2FA apps. Most of my passwords are randomly-generated by LP, and 25 digits long with all character types if supported by the website.

I install updates every Patch Tuesday (usually in the evening), and run SFC immediately afterwards. My Chrome and Firefox browsers are portable, and I use the PortableApps platform to update them. I actually have Chrome locally installed for Chrome Remote Desktop, but use Chrome Portable or Opera for most of my daily activities. Firefox Portable is there, in case any site might require it. Most of the time, they require Chrome if anything.

When I bought the computer, I unhid the local administrator, added a password, and hid it again. I have a dedicated administrator account with a separate Microsoft profile, which owns the Bitlocker recovery key. Both it and my standard account for everyday use have 50-digit online passwords with 2FA, though the local desktop PINs are shorter (I never even type them, because the computer has a fingerprint reader). I also have a BIOS password.

I run HMP periodically, and also HJT. I ran both again just before creating this thread. WD also runs its regular scans automatically.
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,429
It sounds like you have taken several security measures to protect your computer and data. Here are some thoughts and suggestions based on the information you provided:

1. Regarding Windows Security Center (SAC) being disabled, it's important to have it enabled as it provides a centralized view of your security status. If you encountered issues after enabling it, it might be worth investigating the specific problem and finding a solution rather than disabling it altogether.

2. Using Cruelsister's configuration in silent mode is a good approach if you're not comfortable interpreting every alert. However, it's still important to periodically review the alerts and understand the actions taken by the security software.

3. It's great that you have a separate non-virtualized folder for installing software. This allows you to have more control over what gets executed on your system. Just make sure to scan any files or installers before running them, even if they come from trusted sources.

4. AppCheck Anti-Ransomware Free is a good choice for protecting against ransomware. Having automatic backups of your data files is a smart move. Consider regularly testing the restoration process to ensure the backups are working properly.

5. While WVSX is no longer actively maintained, there are other security tools available that provide behavior-based protection. You mentioned considering OSA (Online Security Application). It can be a good choice, but it's always recommended to research and test any security software before implementing it.

6. Scanning files with VirusTotal is a good practice, as it leverages multiple antivirus engines. However, keep in mind that it's not a substitute for having real-time protection on your system. Zero-day threats can still pose a risk, so having a robust security setup is important.

7. It's understandable that you haven't repartitioned your drive yet, but it's worth considering separating your data files from the system partition. This can help protect your data in case of system issues or malware infections.

8. Your backup strategy seems solid, with multiple copies stored on different devices. Just make sure to periodically check the integrity of your backups and ensure they are up to date.

9. Your password management practices are commendable. Using a unique, complex master password and enabling two-factor authentication (2FA) provide an extra layer of security. Keep up the good work!

10. Regularly installing updates and running SFC (System File Checker) after updates is a good practice. It helps ensure that your system is up to date and that critical system files are intact.

11. Using portable browsers is a good way to keep your browsing activities separate and isolated. Just make sure to keep them updated to the latest versions to benefit from security patches and improvements.

12. Enabling a password for the local administrator account and having a separate dedicated administrator account is a good security practice. It's also great that you have a BIOS password set, as it adds an extra layer of protection against unauthorized access.

13. Running periodic scans with HitmanPro (HMP) and HijackThis (HJT) is a good way to check for malware and potential system issues. However, consider complementing them with real-time antivirus/anti-malware protection for continuous monitoring.

Overall, your security measures are comprehensive, and you have implemented several best practices. Keep staying vigilant, regularly update your security software, and stay informed about the latest threats and security recommendations.
 
  • Like
Reactions: ebocious

harlan4096

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,661
Hum... having CF with CS's settings + AppCheck Anti-Ransomware Free + WD, I find it overkill...

Also, why not use Windows Hello PIN or Biometrics, as you explained in Your post? You config says "Basic account password (insecure)" 🤔
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,583
Extensions: uBO, BD TrafficLight, Malwarebytes Browser Guard, LastPass
I would ditch Malwarebytes Browser Guard because it uses the most resources and with Google Safe Browsing, uBO and BD TrafficLight you are very well protected.
There is already much posted about LastPass on MT, you could consider an alternative.
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
Hum... having CF with CS's settings + AppCheck Anti-Ransomware Free + WD, I find it overkill...

Also, why not use Windows Hello PIN or Biometrics, as you explained in Your post? You config says "Basic account password (insecure)" 🤔
WD is enabled by default, unless I install the full CIS to use Comodo’s AV engine, which I assume is worse than WD. AppCheck is really light, and I like having that vault just in case someone ever manages to get past everything else.

I wasn’t sure about the insecure password entry myself. I always use the fingerprint scanner, but have to have passwords to enable it. I gave the worst-case scenario answer just in case. Should I change that answer?
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
I would ditch Malwarebytes Browser Guard because it uses the most resources and with Google Safe Browsing, uBO and BD TrafficLight you are very well protected.
There is already much posted about LastPass on MT, you could consider an alternative.
I’m aware of the LastPass breach. I’m actually planning to download the free version of Dashlane to my phone and start migrating everything over before I switch, but haven’t gotten around to it yet.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,583
I’m aware of the LastPass breach. I’m actually planning to download the free version of Dashlane to my phone and start migrating everything over before I switch, but haven’t gotten around to it yet.
My advice woud be Bitwarden as free option, because Dashlane has severely limited their free version:
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
My advice woud be Bitwarden as free option, because Dashlane has severely limited their free version:
Does it limit the number of passwords in the free version? I’ll have to check again. I know it only lets you use one device. My plan was to use the free version while I was in the process of migrating everything, then switch to premium so I could sync it to everything else.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,583

ErzCrz

Level 21
Verified
Top Poster
Well-known
Aug 19, 2019
1,019
Nice setup.

For password manage I use KeePassXC which is an offshoot from original KeePass and completely free. I find it very effective, easy to use and has built in TOTP for your 2 factor authentication. You can us the browser app that ties the two together but it's not necessary. Saving database or one drive or having it in your documents with regular backups. It used about 20meg of ram running in background if you restart asks for master password and windows hello pin. After hybernate it asks you for hello pin to unlock it. Anyway, quite straight forward and I use it for the built in TOTP rather thank having the keepass extension.
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
I would ditch Malwarebytes Browser Guard because it uses the most resources and with Google Safe Browsing, uBO and BD TrafficLight you are very well protected.
There is already much posted about LastPass on MT, you could consider an alternative.
How light or heavy is the Netcraft extension? I see it works with both Firefox and Chrome.
 

Gandalf_The_Grey

Level 76
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,583
How light or heavy is the Netcraft extension? I see it works with both Firefox and Chrome.
Light and efficient, but ist it really needed?
I am not sure...
It is the highlighted one here:
1704128435609.png
 
  • Like
Reactions: ebocious

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
Light and efficient, but ist it really needed?
I am not sure...
It is the highlighted one here:
View attachment 280635
Probably not. In truth, I’m sure I could do without any browser security extensions. Just another layer because I’m OCD. And I like if two browser extensions with +/- 75% detection achieve 90-100% together, with almost no noticeable impact on performance.

I now have uBO, BDTL, Netcraft, and LastPass in Firefox, Chrome, and Opera. I’ve decided to give the free version of Bitwarden a try, and will update my security profile once migration is complete.
 
  • Like
Reactions: Gandalf_The_Grey

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
I see it was right in your original comment that they limit the free version to 25. Yikes! Well, it’s only an extra $4.99/mo to go ahead and get premium now, which is worth it.
+1 for 1Password.
  • 14 day free trial available
  • Paid Only: Individual annual plans start at $36 per year.
  • Unique Feature: Travel mode
  • Login Safer than Bitwarden: 'Secret Key + Account Password' combination. (Passkey support for Unlocking Vault in Beta)
How to Move your data from Dashlane to 1Password
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
Update: migrated from LastPass to Bitwarden. It was actually a piece of cake, as they allow importing directly from LastPass. And not just via CSV, which excludes banking information, profile, and secure notes.
 

Nevi

Level 11
Verified
Top Poster
Well-known
Apr 7, 2016
517
ebocious
It,s funny I have the opposite experience with DNS. On my computer Cloudflare is the fastest with a nice margen. But Google is absolute on the good side, but nothing beats Clouflare on my computer. How much it is IRL I can't say. I have a feeling they are so near eachother. The difference on the first 5 is in milliseconds. How much one can feel that is the big question. I have found the single device that gave the strongest speed difference was to change from a SATA SSD to a 4 or 5 generation NVMe SSD. It's like having got a new computer with the strongest CPU. :)
 

ebocious

Level 5
Thread author
Verified
Well-known
Oct 25, 2018
232
The laptop showcased here actually came stock with a 512 GB NVMe SSD. It’s incredible to see how quickly you can copy and paste tens of gigabytes — like, mere seconds!! I haven’t calculated, but estimate that it takes about one minute to run SFC. I can even create and validate MD5 checksums in about a minute or two, on files that are tens of gigabytes in size (unless a file is somewhere other than the fixed disk). And I thought I was spoiled having SATA SSDs on all my units, lol.

I used Cloudflare for a bit, but found it hung on some websites for reasons unknown to me. Google Public DNS has been more consistent. I won’t claim it’s faster universally, as the general consensus seems to be the opposite. But I absolutely loathe when the browser randomly hangs on a pageload, and prefer to deal with that as seldom as possible, even at the cost of a few more milliseconds per pageload on average.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top