Advanced Plus Security Gandalf_The_Grey's Security Config 2022

Last updated: May 20, 2022
About: Personal, primary device
Additional PC users: Not shared with other users
Desktop OS: Windows 11
OS edition: Pro
Login security:
    • Password-less (PIN, Biometric, Face)
Primary sign-in: Microsoft account
Primary user: Admin user - Full permissions
Security updates: Automatic - allow all types of updates
Windows UAC: Maximum - always notify
Network firewall: Third-party router
Real-time protection:
    Microsoft Defender Antivirus
    HomeCare by Trend Micro on TP-Link Archer AX6000 router
Software firewall: Microsoft Defender Firewall
Custom RTP, Firewall and OS settings:
    Microsoft Defender Antivirus
      • ConfigureDefender: High settings
    Windows 11 Pro
    Adobe Acrobat Reader and Microsoft 365
      • DocumentsAntiExploit: both all users restrictions ON
Malware testing: No malware samples
Periodic security scanners: HitmanPro and Norton Power Eraser
Secure DNS: From my ISP (Ziggo)
VPN: AdGuard VPN (seldom used)
Password manager: Bitwarden browser extension
Browsers, Search and Addons: Microsoft Edge using Google search with uBlock Origin, Bitwarden, Bitdefender TrafficLight and Microsoft Editor as extensions
Maintenance and Cleaning: Autoruns, CCleaner, Disk Cleanup, PatchMyPC, SUMo, Driver Easy and Winget (upgrade --all)
Personal Files & Photos backup:
    Windows File History on external drive (weekly)
    OneDrive with Microsoft 365 ransomware protection (always on sync)
Personal backup routine: Automatic (scheduled)
Device recovery & backup: Windows system image
Device backup routine: Manual (maintained by self)
PC activity
  1. Working from home. 
  2. Browsing the web. 
  3. Browsing to unknown sites. 
  4. Emails. 
  5. Shopping. 
  6. Banking. 
  7. Downloading software. 
  8. Remote assistance. 
  9. Multimedia. 
Computer specs
Personal changelog
2022.01.01 new config for the new year.
2022.01.31 removed Bitsum Process Lasso, Samsung Magician. Switched from DefenderUI Free and VoodooShield to the all-in-one DefenderUI Pro.
2022.02.12 back to Ziggo Safe Online by F-Secure
2022.02.16 added Quad9 secure DNS
2022.03.22 have to use Adobe Reader for work, removed KVRT.
2022.04.09 trying the AdGuard extension instead of uBlock Origin
2022.04.10 back to uBlock Origin
2022.05.01 removed Ziggo Safe Online, back to Microsoft Defender and installed Kerish Doctor
2022.05.04 installed the latest VoodooShield
2022.05.13 installed fs protection by F-Secure 18.4 beta 2
2022.05.20 back to Microsoft Defender Antivirus and Andy's tools
Gandalf_The_Grey

Level 59
Thread author
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
4,841
New config for the new year with the new tools released by @danb
 

Gandalf_The_Grey

Hi @Gandalf_The_Grey two questions

1. Could you explain what the benefits of Microsoft Editor are over the built-in spellcheckers (Word, Edge and Mail)?

2. Why do you prefer Foxit PDF reader over Edge PDF reader?
Hi Kees,

1) When you have a Microsoft 365 license, it offers advanced grammar and style refinements like clarity, conciseness, formality, vocabulary suggestions, and more :D
It will be integrated in Edge:

Microsoft Editor is already integrated in Word, Excel (the Office programs).

2) I like Foxit for the Protected View, the thumbnails in Windows Explorer, and you can open a PDF inside MS Outlook; both were on the roadmap for MS Edge.

Hopefully soon I don't need both anymore.
 

Gandalf_The_Grey

Thanks for this link. Can you give some idea of what you did or didn't use, e.g. the reg tweaks?
NOTE: Always set a service’s startup type to MANUAL and never set it to DISABLED. We suggest this because if a service is set to MANUAL start and Windows needs the service, it’ll be able to start the service and there will be no effect on OS functionality. But if a service is set to DISABLED and Windows requires that service, it’ll not be able to start the service and you may face problems.
 

JasonUK

Level 5
Apr 14, 2020
203
Cleaned my config and went from DefenderUI Free and VoodooShield to the all-in-one DefenderUI Pro.
Only reason I haven't done the same (when using VS & DUI) is that I found the alerts in DUI Pro didn't persist/stay on top so if multiple windows were open they could be missed unlike VS alerts. Haven't checked latest version of DUI Pro though so would be interested if you still experience this.
 

Gandalf_The_Grey

Only reason I haven't done the same (when using VS & DUI) is that I found the alerts in DUI Pro didn't persist/stay on top so if multiple windows were open they could be missed unlike VS alerts. Haven't checked latest version of DUI Pro though so would be interested if you still experience this.
I don't think that is still a problem, at least I haven't noticed that.
 

Gandalf_The_Grey

Back to Ziggo Safe Online by F-Secure (F-Secure Safe).
  • It had impressive results in the testing done by @Shadowra and in the HUB tests by @upnorth (y)
  • Malicious downloads are completely blocked and not partially downloaded like with the SmartScreen when using Microsoft Edge.
  • It doesn't use a root certificate like Kaspersky does.
  • It is noticeably light on the system and the slowdowns when shutting down are now resolved: F-Secure 18.2 released. Thanks for that post @Bill K (y)
  • When I follow the analysis of current threats done by @Andy Ful, adding Simple Windows Hardening and Documents Anti-Exploit closes any potential weaknesses for fileless and Microsoft Office based attacks. Thanks again @Andy Ful for your tools and your analysis (y)
  • EDIT: forgot to mention the (also) impressive results for banking protection done by AVLab.pl: AVLab.pl - Test of security solutions in blocking attacks on Internet banking
 

Gandalf_The_Grey

With Defender, does this make any reason to switch over?
I found (when using a second opinion scanner) that because I use File History as a backup solution, the malicious files blocked by SmartScreen were also present in the File History backups.
If you use Disk Cleanup to clean your system including File History before doing a backup, they are no longer present.
So, it depends on your config.
If you don't use File History or clean File History regularly, it is not a problem.
When we tested extensions with @Evjl's Rain I saw the same behavior with Emsisoft Browser Security, but not with, for example, Bitdefender TrafficLight.
 

Gandalf_The_Grey

Is Quad9 any good? It's not as fast as Cloudflare in my country, but I wonder about their uptime? (if it's down a lot or not)
So far so good...
What has your DNS up-time been?
Quad9 is a global anycast service. Multiple points of presence around the world mean redundancy is built into the system. If a resolver goes down, the traffic is automatically routed to the next closest resolver. To date, our uptime has been 99.999%.
 

blackice

Level 36
Verified
Top poster
Well-known
Apr 1, 2019
2,524
Quad9 is not as fast as my own ISP, so back to Ziggo.
Trying the new AdGuard extension.
I spoke with Quad9 about some routing issues. Their speed wasn’t bad for name resolution, but not all their servers are set up for transit, and your ISP may route you elsewhere based on their network optimization. This causes issues with getting CDNs close to you; I was being routed halfway across the country to Chicago, which was fine for DNS queries, but awful for getting CDNs based on the DNS server location halfway across the US (a long way). I tried their EDNS Client Subnet, which helps with some CDNs, but others only accept EDNS info from Google or OpenDNS as they have agreements about how to handle the location data safely/privately. So, results were mostly good, but family streaming services buffered. Also, their DoT implementation has a higher rate of failed requests.

All of this to say they responded quickly and worked with me to troubleshoot. They couldn’t fix the problem since they have no agreement with my ISP, but they are working on implementing more servers for transit to help alleviate these issues. And their “customer service” is fantastic! They were friendly, prompt, and helpful. Quad9 is an amazing not-for-profit, but for now we also went back to my ISP. It is lightning fast and has CDN caches in its edge services, so you can’t beat the performance.

Sorry for the long-winded post on your wall, but I really like Quad9 even if I don’t use them either.
 
Last edited: