SECURITY: Complete Geminis3's Security Config 2020

Last updated
Dec 13, 2020
About
Personal, primary device
Desktop OS
Windows 10
Login security
  • Password (Aa-Zz, 0-9, Symbols)
Primary sign-in
Local account
Primary user
Standard user - Limited permissions
Security updates
Automatic - allow all types of updates
Windows UAC
Default - notify when programs attempt to make changes
Real-time protection
Microsoft Defender
Software firewall
Microsoft Defender Firewall
Custom RTP, Firewall and OS settings
PUP detection
Malware testing
No malware samples
Periodic security scanners
  • MBAM Free
  • EEK
  • Hitman.Pro
  • NPE
Browsers, Search and Addons
Firefox, Chrome and Edge:
  • uBlock Origin
  • Bitwarden
Maintenance and Cleaning
Cleanmgr+
CCleaner portable
Personal Files & Photos backup
Google Drive
Personal backup routine
Automatic (scheduled)
Device recovery & backup
Macrium Reflect
Device backup routine
Manual (maintained by self)
PC activity
  1. Browsing the web. 
  2. Downloading software. 
  3. Browsing to unknown sites. 
  4. Working from home. 
  5. PC and cloud gaming. 
  6. Multimedia. 
  7. Streaming. 
Computer specs
Acer Predator Helios 300 (G3-571-77QK):
  • i7-7700HQ
  • GTX 1060 6GB
  • 16GB DDR4
  • 1TB WD Blue SN550 NVMe
  • 120GB Kingston SSD

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,110
@Andy Ful is it possible to perform BONUS (behavior blocker) tests with WD?
Most of the behavior detections are made in the cloud backend. That is true for most AVs, so the offline behavior blocking is usually weaker.
When considering the Bonus tests, I think that the idea is related to the proactive (non-signature) part of protection, even when the cloud backend is used. Such tests can be done for WD on files with MOTW. You can use RunBySmartscreen to run the sample and then ignore the SmartScreen alert. Many samples will be first detected by the WD BAFS feature, and for such samples the Bonus tests cannot be done. But if you see the alert that WD blocks the file for 20 s, then it means that WD behavior detection against the cloud backend was started.
 

SeriousHoax

Level 37
Verified
Mar 16, 2019
2,655
Chrome

  • Trash software, I just use it when a website doesn't work on another browser.
😂😂

But if you see the alert that WD blocks the file for 20 s, then it means that WD behavior detection against the cloud backend was started.
I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,110
😂😂


I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.
We probably should not use the term "Behavior blocker". WD and other advanced AVs do not use a separate module which could be called a "Behavior blocker". They use behavior monitoring (locally and in the cloud) together with advanced heuristics and file reputation; the output of all of this makes behavior-based detection. If the file is running, then the detection is extended to parent and child processes (post-execution detection). The closest to a "Behavior blocker" would be WD ASR rules or Kaspersky's HIPS.

Malware in the wild often uses a multi-stage infection chain to avoid behavior-based detection. So, the infection is often stopped not on the first chain link, but on a subsequent link. Of course, this sometimes cannot prevent the infection of the first victim.
A good example would be advanced multistage malware started by the Java (.jar) file.
I observed on Malware Hub how WD fights such attacks (in your tests) - some payloads were detected by behavior-based detections, some were blocked by ASR rules, etc.
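Andy Ful's two posts above describe MOTW-gated BAFS cloud checks and WD ASR rules. As an added example that is not from the thread or from any of the posters, this PowerShell script audits both on a Windows 10 machine: it parses a downloaded file's Zone.Identifier stream and reports Defender's cloud block level, extended timeout and configured ASR rules via Get-MpPreference. The sample path is a placeholder, not a real sample.

```powershell
# Added example, not from the thread: audit the Defender mechanisms discussed above.
# Run in an elevated PowerShell on Windows 10 with Microsoft Defender active.
$SamplePath = "$env:USERPROFILE\Downloads\sample.exe"  # placeholder path, not a real sample

function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is the Zone.Identifier alternate data stream, written in INI syntax.
    # ZoneId 3 (Internet) is what makes SmartScreen and WD BAFS treat the file as untrusted.
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $ads) { return [pscustomobject]@{ Path = $Path; HasMotw = $false } }
    $ini = @{}
    Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object {
        if ($_ -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $ini[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]@{
        Path        = $Path
        HasMotw     = $true
        ZoneId      = [int]$ini['ZoneId']      # 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
        HostUrl     = $ini['HostUrl']
        ReferrerUrl = $ini['ReferrerUrl']
    }
}

function Get-DefenderCloudAudit {
    # BAFS can hold a new, unknown file for about 10 s by default while the cloud verdict
    # is pending; CloudExtendedTimeout adds up to 50 s more, which explains a 60 s block.
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudBlockLevel      = $p.CloudBlockLevel       # 0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
        CloudExtendedTimeout = $p.CloudExtendedTimeout  # extra seconds, 0..50
        MAPSReporting        = $p.MAPSReporting         # 0 Disabled, 1 Basic, 2 Advanced
        SubmitSamplesConsent = $p.SubmitSamplesConsent  # 0 Always prompt, 1 Safe samples, 2 Never, 3 All
    }
}

function Get-AsrRuleStatus {
    # ASR rules are exposed as two parallel arrays: rule GUIDs and their configured actions.
    $p = Get-MpPreference
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $p.AttackSurfaceReductionRules_Ids.Count; $i++) {
        [pscustomobject]@{
            RuleId = $p.AttackSurfaceReductionRules_Ids[$i]
            Action = $actionName[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}
Get-MotwInfo -Path $SamplePath | Format-List
Get-DefenderCloudAudit | Format-List
Get-AsrRuleStatus | Format-Table -AutoSize
```

An empty ASR table means no rules are configured (the default on a consumer install); ConfigureDefender, mentioned later in the thread, writes the same MpPreference settings this script reads.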
 

geminis3

Level 18
Verified
Sep 10, 2015
859
07/06/2020

  • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps like photos, movies, camera, calculator, voice recorder, etc.
  • Latest Nvidia and Intel drivers
  • Latest Office 365 provided by my uni
  • Installed Redistributable C++ AIO
  • Removed Chrome, Brave and Vivaldi

(IDLE) RAM consumption, 2004 idled at 3.1GB



Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

ConfigureDefender worked without problems :cool:

EDIT: I forgot to say that I set the telemetry level to 0 in gpedit, which according to MS only sends information that's required for the Malicious Software Removal Tool and Windows Defender. (source)

 

Vitali Ortzi

Level 21
Verified
Dec 12, 2016
1,057
07/06/2020

  • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps like photos, movies, camera, calculator, voice recorder, etc.
  • Latest Nvidia and Intel drivers
  • Latest Office 365 provided by my uni
  • Installed Redistributable C++ AIO
  • Removed Chrome, Brave and Vivaldi

(IDLE) RAM consumption, 2004 idled at 3.1GB


Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

ConfigureDefender worked without problems :cool:

EDIT: I forgot to say that I set the telemetry level to 0 in gpedit, which according to MS only sends information that's required for the Malicious Software Removal Tool and Windows Defender. (source)

Nice.
LTSC has no feature updates that reduce stability / increase attack surface.
Only security updates are present.
I did other things in my build, like replacing built-in tools with ones that have better functionality or security.
Unfortunately, ones that have better functionality increase my attack surface, but it's more convenient for usability, like replacing Notepad with Notepad++.
 