SECURITY: Complete Gandalf_The_Grey's laptop config for 2020

Last updated
Nov 30, 2020
About
Personal, primary device
Desktop OS
Windows 10
Login security
Primary sign-in
Microsoft account
Primary user
Admin user - Full permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Maximum - always notify
Real-time protection
Microsoft Defender Antivirus
HomeCare by Trend Micro on TP-Link Archer AX6000 router
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
Microsoft Defender Antivirus set to High with ConfigureDefender
Controlled Folder Access enabled (not on the kids' laptops)
Memory integrity under Core Isolation enabled (not on the kids' laptops)
Hard_Configurator with Windows_10_Basic_Recommended_Settings
Malware testing
No malware samples
Periodic security scanners
HitmanPro, Kaspersky Virus Removal Tool and AdwCleaner (for the kids)
Browsers, Search and Addons
Microsoft Edge with uBlock Origin, Bitdefender TrafficLight, Bitwarden and Microsoft Editor
Google Chrome with the same extensions plus the Microsoft Defender Browser Protection extension on the kids' laptops.
They use Edge for school and Chrome for fun
Maintenance and Cleaning
Autoruns, CCleaner, PatchMyPC, SUMo and Driver Easy Pro
Personal Files & Photos backup
Windows File History on external drive (weekly)
OneDrive with Microsoft 365 ransomware protection (always on sync)
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Windows system image
Device backup routine
PC activity
  1. Browsing the web. 
  2. Banking. 
  3. Working from home. 
  4. Multimedia. 
  5. Streaming. 
  6. Shared access. 
Computer specs
Acer Aspire VN7-791G-576X
Intel Core i5-4210H
Intel HD Graphics 4600 / NVIDIA GeForce GTX 860M
Kingston 16GB Dual-Channel DDR3 PC3-12800 RAM
Samsung SSD 850 EVO M.2 250GB
Seagate HDD ST1000LM014-1EJ164 1TB
Realtek High Definition Audio
Personal changelog
2020.02.23 removed VoodooShield and uBlock Origin and added Kaspersky Security Cloud Free and AdGuard (extension).
2020.03.09 removed AdGuard and Kaspersky Security Cloud Free and added Hard_Configurator 5.0.0.1 beta, uBlock Origin and the Netcraft extension. Replaced Bandizip with Explzh because of the advertisements in the free version.
2020.03.22 removed Hard_Configurator, kept ConfigureDefender, DocumentsAntiExploit and RunBySmartscreen.
Added NoVirusThanks SysHardener, VoodooShield and the Certificate Info extension.
2020.03.28 added Ziggo Safe Online and Hard_Configurator and removed SysHardener.
2020.03.30 removed CCleaner Pro
2020.04.05 installed HC 5.0.01 beta with recommended settings. Removed VoodooShield.
Tried to minimize extensions: replaced uBlock Origin with AdGuard and removed Certificate Info and Netcraft. Added Microsoft Editor. All extensions are now from the Microsoft Store except Browsing Protection by F-Secure (installed automatically).
2020.04.22 Removed Ziggo Safe Online and Hard_Configurator. Trying Windows Defender with Comodo Firewall.
2020.05.04 removed Comodo Firewall and installed Emsisoft Anti-Malware Home.
2020.05.08 replaced Emsisoft Anti-Malware with Kaspersky Security Cloud Free
2020.05.18 replaced KSC Free with WD and uninstalled some browser extensions.
2020.07.05 back to Bitwarden and Bitdefender TrafficLight and WhitelistCloud added.
2020.07.08 switched from WhitelistCloud to VoodooShield Pro. Went from uBlock Origin to AdGuard.
2020.07.15 Back to KSC Free.
2020.08.09 added SpywareBlaster 5.7 Private Beta with MS Edge support.
2020.08.12 back to Microsoft Defender Antivirus
2020.08.15 back to Kaspersky Security Cloud Free
2020.08.31 removed O&O ShutUp 10 and went back to Microsoft Defender
2020.09.27 removed Bitdefender TrafficLight and went back from Simple Windows Hardening to Hard_Configurator
2020.10.27 went from WD to KSCFree and from uBlock Origin to AdGuard.
2020.11.14 back to WD on high and simplified config

shmu26

Nice setup, indeed! How about Driver Easy, is it any good? I'm using Driver Booster/Snappy Driver Installer Origin.
According to your hw spec, you are using 850 Evo m.2. About a week ago Samsung released v3.3 nvme m.2 drivers. I'm using a two-year-old Lenovo Legion desktop 'puter with OEM Samsung m2 nvme 256gb. So for testing purposes, I "forced" to install the new v3.3 driver. Then I ran Crystal Disk Mark and noticed roughly +7 % read/write speed boost. Well, even +7% is not much, but not bad either. :)
Do regular SATA-attached SSDs need updates?
 

Gandalf_The_Grey

I noticed that you use PatchMyPC and SUMo, do you find that one of them finds enough updates that the other one misses to make it worthwhile to use both? Currently I'm only using PatchMyPC, I used to use both but I wasn't too sure what KCSoftwares (SUMo's makers) do with the information SUMo gathers from our devices.


(y)
I use the free version of SUMo because you can add a folder with some portable apps and you will be notified of updates for them.
That's the plus of SUMo. PatchMyPC can update apps itself (for free), that's the plus of PatchMyPC.
Some screenshots:
Aantekening 2020-03-31 111041.png
Aantekening 2020-03-31 111042.png
 

stefanos

@stefanos and @The Cog in the Machine No issues here with boot time and delays of the web browser.

For me, the boot time is always the same with Windows Defender, Kaspersky Security Cloud Free, and Ziggo Safe Online:
View attachment 235704
Maybe disabling banking protection is the cause that I notice no delays in web browsing.

And of course, every system is different...
The problem on my system is that I have a delay in all applications, but not in the browser, and I have some freezes on the laptop. I have noticed that on some systems it is very good, and on some, like mine, not. For this reason, everyone should find what suits him and works well on his system. That's why, when I try something, I say that on my system this product is good or not. I never blame any product. Only the Panta Protection :LOL: :LOL:
With Windows Defender I have a very fast boot.
 

Gandalf_The_Grey

Nice setup, indeed! How about Driver Easy, is it any good? I'm using Driver Booster/Snappy Driver Installer Origin.
According to your hw spec, you are using 850 Evo m.2. About a week ago Samsung released v3.3 nvme m.2 drivers. I'm using a two-year-old Lenovo Legion desktop 'puter with OEM Samsung m2 nvme 256gb. So for testing purposes, I "forced" to install the new v3.3 driver. Then I ran Crystal Disk Mark and noticed roughly +7 % read/write speed boost. Well, even +7% is not much, but not bad either. :)
EDIT: Forgot to say, for OEM nvme m2, Windows uses its own "Microsoft surface..." drivers. Force it to use Samsung nvme m2, and speeds go up to like 15%. Which is quite funny I think.
Thanks, but my SSD is not an NVMe one, so I won't need or benefit from those drivers.
Driver Easy (paid) is a very nice driver updater.
More info here: Update - Driver Easy
 

sepik

Do regular SATA-attached SSDs need updates?
Samsung released their "Magician" software v6.1 a while ago. This v3.3 driver is for their nvme m2 drives only. But it works really well for their OEM nvme m2 drives too. If you use, or have friends who use, Samsung OEM nvme m2 drive(s), just install the latest v3.3. According to Crystal DiskMark, for example SeqQ32T1 speeds were about 2.900/mbs and now with forced v3.3 it went to 3.100mb/s. 4KibQ1T write speed was about 96mbit/s, now it's 128mbit/s. Not bad, eh? :)
 

Stopspying

I use the free version of SUMo because you can add a folder with some portable apps and you will be notified of updates for them.
That's the plus of SUMo. PatchMyPC can update apps itself (for free), that's the plus of PatchMyPC.
Some screenshots:
View attachment 235913
View attachment 235914
Thanks for the reply. I had a SUMo license and then removed it when that ran out. I'll probably get the free version and see what it finds needs updating which PatchMyPC has missed, after you've shown us this. I've kept an eye on software that regularly has updates that I noticed PatchMyPC didn't pick up on, but there are likely to be some things I've missed. Thanks again.
 

Gandalf_The_Grey

Further cleanup of my config.
Uninstalled VoodooShield (nice but not really needed).
Replaced uBlock Origin with AdGuard because I get less ad block warnings with AdGuard now and it just works.
Can change repeatedly, I just like them both :D
Removed Certificate Info and Netcraft because they are not available in the Microsoft Store and not really needed.

The biggest change is going with the recommended settings of Hard_Configurator 5.0.0.1 beta again.
So far printing and scanning with my HP OfficeJet Pro 9015 is working great.

I had only 1 block in the logs for C:\Users\Gandalf\AppData\Local\Temp\7zS6ECF\FileExtractor.exe
This extracts a fresh copy of HP Print and Scan Doctor when you want to solve any issues.
I whitelisted that file by hash.
@Andy Ful Is that the right way?
 

blackice

Further cleanup of my config.
Uninstalled VoodooShield (nice but not really needed).
Replaced uBlock Origin with AdGuard because I get less ad block warnings with AdGuard now and it just works.
Can change repeatedly, I just like them both :D
Removed Certificate Info and Netcraft because they are not available in the Microsoft Store and not really needed.

The biggest change is going with the recommended settings of Hard_Configurator 5.0.0.1 beta again.
So far printing and scanning with my HP OfficeJet Pro 9015 is working great.

I had only 1 block in the logs for C:\Users\Gandalf\AppData\Local\Temp\7zS6ECF\FileExtractor.exe
This extracts a fresh copy of HP Print and Scan Doctor when you want to solve any issues.
I whitelisted that file by hash.
@Andy Ful Is that the right way?
Glad to hear this is working for you. My HP is very finicky, so it’s always good to find a setup that is secure and lets it just work.
 

Andy Ful

...
I had only 1 block in the logs for C:\Users\Gandalf\AppData\Local\Temp\7zS6ECF\FileExtractor.exe
This extracts a fresh copy of HP Print and Scan Doctor when you want to solve any issues.
I whitelisted that file by hash.
@Andy Ful Is that the right way?
Yes, the hash rule is the safest one. The folder:
...\AppData\Local\Temp\7zS6ECF\
is a 7-Zip temporary folder - the 4 letters and digits (6ECF) will change any time the file will be executed. So, whitelisting by path would require a special path rule with wildcards.

I noticed something strange anyway. The rule used by H_C to block the execution from 7-Zip temporary folder is:
...AppData\Local\Temp\7z?????????\
But, your blocked folder is another type, because it has only 4 changing letters and digits (instead of 8).
Could you look at H_C log, to confirm what rule blocked the FileExtractor.exe ?
 

Gandalf_The_Grey

Yes, the hash rule is the safest one. The folder:
...\AppData\Local\Temp\7zS6ECF\
is a 7-Zip temporary folder - the 4 letters and digits (6ECF) will change any time the file will be executed. So, whitelisting by path would require a special path rule with wildcards.

I noticed something strange anyway. The rule used by H_C to block the execution from 7-Zip temporary folder is:
...AppData\Local\Temp\7z?????????\
But, your blocked folder is another type, because it has only 4 changing letters and digits (instead of 8).
Could you look at H_C log, to confirm what rule blocked the FileExtractor.exe ?
Thanks Andy (y)
This is the complete line in the log:
De beheerder heeft de toegang tot C:\Users\Gandalf\AppData\Local\Temp\7zS6ECF\FileExtractor.exe beperkt op locatie met de beleidsregel {1016bbe0-a716-428b-822e-3e544b6a3281} voor het pad C:\Users\*\AppData\Local\Temp\7z?????????\*.exe.
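
Added example (not part of the thread, and not Hard_Configurator or Windows code): it parses the log line posted above and tests the quoted path rule against the blocked file under two assumed readings of `?` (exactly one character, or zero or one character), which is the mismatch Andy Ful asked about. The matcher is a simplified model in which wildcards never cross a backslash, and `CONSTRUCTED_PATH` is a made-up sample.

```python
import re

# Log line as posted in the thread (Dutch-language Windows message).
LOG_LINE = (
    r"De beheerder heeft de toegang tot "
    r"C:\Users\Gandalf\AppData\Local\Temp\7zS6ECF\FileExtractor.exe "
    r"beperkt op locatie met de beleidsregel "
    r"{1016bbe0-a716-428b-822e-3e544b6a3281} voor het pad "
    r"C:\Users\*\AppData\Local\Temp\7z?????????\*.exe."
)
# Constructed path: same layout, but 8 changing characters after "7zS".
CONSTRUCTED_PATH = r"C:\Users\Gandalf\AppData\Local\Temp\7zS1A2B3C4D\Setup.exe"

LOG_RE = re.compile(
    r"toegang tot (?P<blocked>.+?) beperkt op locatie met de beleidsregel "
    r"(?P<guid>\{[0-9a-fA-F-]{36}\}) voor het pad (?P<rule>.+?)\.?$"
)

def parse_block_event(line):
    """Return (blocked file, rule GUID, rule path) from one block message."""
    m = LOG_RE.search(line.strip())
    if m is None:
        raise ValueError("not a recognised block message")
    return m.group("blocked"), m.group("guid"), m.group("rule")

def wildcard_to_regex(rule, optional_qmark):
    """Assumed model: '*' and '?' stay within one path component."""
    parts = []
    for ch in rule:
        if ch == "*":
            parts.append(r"[^\\]*")
        elif ch == "?":
            parts.append(r"[^\\]?" if optional_qmark else r"[^\\]")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.IGNORECASE)

def rule_matches(rule, path, optional_qmark):
    return wildcard_to_regex(rule, optional_qmark).match(path) is not None

if __name__ == "__main__":
    blocked, guid, rule = parse_block_event(LOG_LINE)
    print("rule", guid, "->", rule)
    for label, optional in (("'?' = exactly one char", False),
                            ("'?' = zero or one char", True)):
        print(label, "| logged path:", rule_matches(rule, blocked, optional),
              "| 8-char folder:", rule_matches(rule, CONSTRUCTED_PATH, optional))
```

Under these assumptions, only the zero-or-one reading of `?` reproduces the block recorded in the log, while both readings match the constructed folder with 8 changing characters.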
 

Stopspying

Replaced uBlock Origin with AdGuard because I get less ad block warnings with AdGuard now and it just works.
That is interesting, I get very few warnings from uBlock Origin. I haven't tweaked it very much from the default settings as it seemed to work well at blocking what I wanted blocked with those. I browse a wide variety of sites so I know that I'm going to ones which want to load up tons of ads, but I never see any.
 

Gandalf_The_Grey

That is interesting, I get very few warnings from uBlock Origin. I haven't tweaked it very much from the default settings as it seemed to work well at blocking what I wanted blocked with those. I browse a wide variety of sites so I know that I'm going to ones which want to load up tons of ads, but I never see any.
Next week it can be the other way around for some sites I'm visiting...
Now I use Edge Tracking Protection on Strict and AdGuard with optimized (now 63100 adblocking rules) filters.
 