SECURITY: Complete ErzCrz config 2021

Last updated: Apr 6, 2021
About: Personal, primary device
Additional PC users: Not shared with other users
Desktop OS: Windows 10
OS edition: Home
Login security: Password-less (PIN, Biometric, Face)
Primary sign-in: Microsoft account
Primary user: Admin user - Full permissions
Other users: Other accounts are Admin users
Security updates: Automatic - allow all types of updates
Windows UAC: Maximum - always notify
Network firewall: ISP-issued router
Real-time protection: Microsoft Defender
Software firewall: Microsoft Defender Firewall
Custom RTP, Firewall and OS settings:
- System hardened with Hard_Configurator at Recommended settings
- Microsoft Defender tweaked with ConfigureDefender set to High. (I'd go with Interactive but I prefer a more set-and-forget setup)
- FirewallHardening - Recommended H_C rules added
Malware testing: No malware samples
Periodic security scanners: Emsisoft Emergency Kit, HitmanPro
Secure DNS: Sky Shield (ISP)
VPN: Sophos VPN for working from home connection.
Password manager: KeePass 2
Browsers, Search and Addons: Chromium Edge; uBlock Origin (@Lenny_Fox's tweaked Medium/Hard Mode) blocking 3p.
Maintenance and Cleaning: Macrium Reflect Free (backups only after major updates); OneDrive backup of documents weekly.
Personal Files & Photos backup: Monthly backup to external drive and occasional OneDrive sync
Personal backup routine: Manual (maintained by self)
Device recovery & backup: Backup disc image, updated every few months.
Device backup routine: Manual (maintained by self)
PC activity:
  1. Working from home.
  2. Browsing the web.
  3. Browsing to unknown sites.
  4. Emails.
  5. Shopping.
  6. PC and cloud gaming.
  7. Multimedia.
  8. Streaming.
Computer specs / Computer hardware:
- Acer Aspire E15
- Intel Core i3-400SU
- Intel HD Graphics 4400
- 12 GB DDR 11 RAM
- 1TB HDD
Personal changelog
17.02.2021 - Changed email client from Windows Mail to Thunderbird
06.04.2021 - Back to Windows Mail, SecurityNightmare's Maximum Exploit settings enabled. MD running in its own sandbox, Controlled Folder Access enabled. Removed BD Traffic Light and using HTTPS Everywhere in Strict mode.
13.05.2021 - Reverted back to my old favourite Comodo, Firefox and Thunderbird.
22.05.2021 - Returned to MD + H_C setup.
28.08.2021 - Back to using HitmanPro 2nd opinion scanner, using H_C 6 Beta and updated uBO tweak. Thinking about using CFA again and treating messages as more informative unless it breaks something.
Feedback Response

General feedback

ErzCrz

Level 10
Verified
Aug 19, 2019
452
My configuration for 2021.

I had been tempted to revert to Comodo Internet Security or some of the other free combinations out there. However, after a fair bit of testing and playing around with various options, the best compatible option while still providing very good protection, a system-hardened Windows 10 using Hard_Configurator, is still what works best for me. There are a lot of options out there that protect people well, and this configuration may change depending on my level of paranoia.

Comodo's containment is fantastic but I can't seem to settle on the right configuration for me and I find I'm constantly fiddling with it when I am using it.

Anyway, my browser and uBlock Origin tweaks are below:

Chromium Edge tweaked exploitation protection:

Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)
Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

uBlock Medium Mode tweaks:

Dynamic rules:
no-large-media: behind-the-scene false
* * 3p-frame block
* * 3p-script block
* com * noop
* gov * noop
* io * noop
* net * noop
* org * noop
* uk * noop
behind-the-scene * * noop
behind-the-scene * 1p-script noop
behind-the-scene * 3p noop
behind-the-scene * 3p-frame noop
behind-the-scene * 3p-script noop
behind-the-scene * image noop
behind-the-scene * inline-script noop

My filters:

! -----------security
! Block ping (for sending beacons and hyperlink auditing)
||*$ping
! Block insecure third-party content except stylesheet, image and media
||HTTP://*$3p,~stylesheet,~image,~media
!
! Block downloading executable content from insecure HTTP websites
http://*.exe^$empty
http://*.msi^$empty
http://*.bat^$empty
http://*.dll^$empty
http://*.hta^$empty
http://*.jar^$empty
http://*.msu^$empty
http://*.pif^$empty
http://*.ps1^$empty
http://*.ps2^$empty
http://*.reg^$empty
http://*.scr^$empty
http://*.sys^$empty
http://*.vbe^$empty
http://*.vbs^$empty
http://*.tmp^$empty
!
! Block all on much abused generic TLD's. The TLD is between ||* and ^$, e.g. ||*.BID^$
!
||*.bid^$all
||*.buzz^$all
||*.club^$all
||*.country^$all
||*.date^$all
||*.download^$all
||*.gdn^$all
||*.host^$all
||*.icu^$all
||*.jetz^$all
||*.kim^$all
||*.loan^$all
||*.men^$all
||*.mobi^$all
||*.mom^$all
||*.party^$all
||*.pics^$all
||*.racing^$all
||*.ren^$all
||*.rest^$all
||*.review^$all
||*.ryukyu^$all
||*.science^$all
||*.sex^$all
||*.shop^$all
||*.site^$all
||*.stream^$all
||*.top^$all
||*.trade^$all
||*.vip^$all
||*.wang^$all
||*.win^$all
||*.work^$all
||*.xin^$all
||*.xxx^$all
||*.xyz^$all
@@||email.ionos.co.uk*^$all,domain=ionos.co.uk
!
! Block all on much abused country code TLD's. The TLD is between ||* and ^$, e.g. ||*.AM^$
!
||*.am^$all
||*.cc^$all
||*.cf^$all
||*.cn^$all
||*.fm^$all
||*.ga^$all
||*.gg^$all
||*.ki^$all
||*.kp^$all
||*.la^$all
||*.ml^$all
||*.pw^$all
||*.ru^$all
||*.tk^$all
||*.ua^$all
||*.ug^$all
||*.vn^$all
@@discord.gg^$all,domain=discord.com
!

P.S. I'd run this machine with a limited user account but it's a bit too much hassle with my home setup.
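The same Edge exploit protection set, applied from an elevated PowerShell prompt instead of the Windows Security GUI; this is an added example, not the poster's own method, and it assumes the built-in ProcessMitigations module on Windows 10 and that Chromium Edge's executable is msedge.exe.

```powershell
# Added example: apply the per-process exploit protection settings listed in the
# post to Edge with the ProcessMitigations module. Run from an elevated PowerShell.
# Assumption: the per-process entry is keyed by the executable name msedge.exe,
# the same way the Windows Security GUI keys its program settings.

$edge = 'msedge.exe'

# Mitigations to turn ON, mapped from the GUI names used in the post.
$enable = @(
    'BlockNonMicrosoftSigned',            # Code integrity guard
    'AllowStoreSigned',                   # ... also allow images signed by the Microsoft Store
    'BlockLowLabel',                      # Block low integrity images
    'BlockRemoteImageLoads',              # Block remote images
    'DisableNonSystemFonts',              # Block untrusted fonts
    'CFG',                                # Control flow guard
    'DEP', 'EmulateAtlThunks',            # Data execution prevention + thunk emulation
    'DisableExtensionPoints',             # Disable extension points
    'ForceRelocateImages', 'RequireInfo', # Mandatory ASLR + do not allow stripped images
    'BottomUp',                           # Bottom-up ASLR
    'SEHOP',                              # Validate exception chains
    'StrictHandle',                       # Validate handle usage
    'TerminateOnError',                   # Validate heap integrity
    'EnforceModuleDependencySigning'      # Validate image dependency integrity
)

Set-ProcessMitigation -Name $edge -Enable $enable

# Read the effective per-process policy back so the result can be checked
# against the list above before relying on it.
Get-ProcessMitigation -Name $edge

# Rollback if Edge, SmartScreen or another product misbehaves afterwards
# (the later posts in this thread check download blocking with the EICAR test file):
#   Set-ProcessMitigation -Name $edge -Remove
```

Mitigations applied this way take effect for new Edge processes, so close and reopen the browser before testing.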

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Great config (y)
According to @cruelsister, Kaspersky Antivirus Removal Tool is one of the best second opinion scanners, but I can't find her post here or at Wilders at the moment. :eek:
Have you tried it?
Thanks :D

Oh, I might have a look for it. I had KIS years ago but haven't used anything of theirs since hacking claims but I don't think Kaspersky was ever directly involved.

I had thought of going with a Sophos home combination but found it was affecting browsing and gaming speeds.

Anyway, will have a search around for that OD Scanner.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,980
Thanks :D

Oh, I might have a look for it. I had KIS years ago but haven't used anything of theirs since hacking claims but I don't think Kaspersky was ever directly involved.

I had thought of going with a Sophos home combination but found it was affecting browsing and gaming speeds.

Anyway, will have a search around for that OD Scanner.
No, your config is great as is, don't change it too much.
That is a security software forum virus :D
Just enjoy your computer or is testing AV's also a hobby?
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,980
Great config (y)
According to @cruelsister, Kaspersky Antivirus Removal Tool is one of the best second opinion scanners, but I can't find her post here or at Wilders at the moment. :eek:
Have you tried it?
Found that post:
 

ErzCrz

Level 10
Verified
Aug 19, 2019
452
No, your config is great as is, don't change it too much.
That is a security software forum virus :D
Just enjoy your computer or is testing AV's also a hobby?
Just security paranoid at times. I don't really fall for some of the scaremongering tactics out there these days, but I'm an old Comodo fanboy I guess, having used it off and on since CFW 2.0 and CAV 1.0, so I go back and try it out again when there are new releases, which is a double-edged sword. I end up spending week on week fiddling, whereas with this config I can pretty much set and forget apart from when there are new vulnerabilities etc.

BD:TL helps particularly when searching for things. I used to use NoScript and just click all I want but that was before discovering uBO capabilities though I miss being able to check a 3rd party site for reputation there and then like you can with NoScript.

Well, Christmas evening. Didn't eat nearly as much as planned. I think I'll do myself a turkey sandwich in a few :D I'd have some port but I'm on antibiotics so will save that for new year ;)
 

Protomartyr

Level 7
Verified
Sep 23, 2019
320
BD:TL helps particularly when searching for things. I used to use NoScript and just click all I want but that was before discovering uBO capabilities though I miss being able to check a 3rd party site for reputation there and then like you can with NoScript.

I have the Bitdefender TrafficLight installed in Edge for the same reason. While Edge has SmartScreen built-in and is good on its own, I find the site reputation from TrafficLight in search results handy.
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,980
I have the Bitdefender TrafficLight installed in Edge for the same reason. While Edge has SmartScreen built-in and is good on its own, I find the site reputation from TrafficLight in search results handy.
A plus for using an extension is that Edge sometimes partly downloads a file before blocking it (can still be found in cache) while in this case Bitdefender TrafficLight fully blocks the download.
 

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Just a quick one to say I'm reviewing my Edge anti-exploit tweaks. Seems my tweaks in some way may be interfering with smartscreen stopping downloads.

I was testing out a couple of things with Comodo before moving over to H_C again and I got a comodo file error for guard64.dll when I ran Edge. Edge did eventually load but when I removed the tweaks it worked fine.

In a similar test with just WD, I could fully download the eicar test file or the eicar.zip file and it would only be detected on-access with the browser tweaks, whereas without them it blocked the download.

Just something I'm looking into.
 
ForgottenSeer 85179

Just a quick one to say I'm reviewing my Edge anti-exploit tweaks. Seems my tweaks in some way may be interfering with smartscreen stopping downloads.

I was testing out a couple of things with Comodo before moving over to H_C again and I got a comodo file error for guard64.dll when I ran Edge. Edge did eventually load but when I removed the tweaks it worked fine.

In a similar test with just WD, I could fully download the eicar test file or the eicar.zip file and it would only be detected on-access with the browser tweaks, whereas without them it blocked the download.

Just something I'm looking into.
I tested https://www.eicar.org/?page_id=3950 and all the EICAR stuff is blocked:

[two screenshots attached]
 

ErzCrz

Level 10
Verified
Aug 19, 2019
452
I tested https://www.eicar.org/?page_id=3950 and all the EICAR stuff is blocked:

[two screenshots attached]
Thanks. That's really weird. Maybe it was some leftover Comodo driver or something interfering. I did a temporary file cleanup and did the comodo removal tool, seems okay now.

Anyway, works with my exploit tweaks, must have just been something corrupted or comodo remaining bits affecting it.

Thanks.
 
ForgottenSeer 85179

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Thanks for sharing @ErzCrz, particularly your uBlock Medium Mode tweaks. I'm using some from @Windows_Security from mid 2019. The base settings look the same but you have some helpful comments within the filters that help a newer user tailor them :)
You're welcome :D I'm always tweaking it some, and all the credit really goes to @Lenny_Fox, who's made medium mode that much easier.
 

rndmblk

Level 3
Nov 18, 2020
93

ErzCrz

Level 10
Verified
Aug 19, 2019
452
Just checking in. Doing some minor experimental changes to my ublock filters but nothing set in stone yet.

Oh, and why oh why do I keep reverting back to Comodo. Been doing some random experiments with it but I'm just as protected with my current setup really. Anyway, just having a bit of a rant at myself for that one. I mean 6+ fresh installs of it this year is ridiculous. I'll wait for the next feature update at the very least and just stick with my WD, H_C Recommended, CD High and FH Recommended. It's not like I go anywhere dodgy online etc.
 