Advanced Plus Security Geminis3's Security Config 2020

Last updated
Dec 13, 2020
How it's used?
For home and private use
Operating system
Windows 10
Log-in security
Security updates
Allow security updates and latest features
User Access Control
Notify me only when programs try to make changes to my computer
Real-time security
Microsoft Defender
Firewall security
Microsoft Defender Firewall
About custom security
PUP detection
Periodic malware scanners
  • MBAM Free
  • EEK
  • Hitman.Pro
  • NPE
Malware sample testing
I do not participate in malware testing
Browser(s) and extensions
Firefox, Chrome and Edge:
  • uBlock Origin
  • Bitwarden
Maintenance tools
Cleanmgr+
CCleaner portable
File and Photo backup
Google Drive
System recovery
Macrium Reflect
Risk factors
  • Browsing to popular websites
  • Downloading software and files from reputable sites
  • Browsing to unknown / untrusted / shady sites
  • Working from home
  • Gaming
  • Streaming audio/video content from trusted sites or paid subscriptions
  • Streaming audio/video content from shady sites
Computer specs
Acer Predator Helios 300 (G3-571-77QK):
  • i7-7700HQ
  • GTX 1060 6GB
  • 16GB DDR4
  • 1TB WD Blue SN550 NVMe
  • 120GB Kingston SSD

Andy Ful

@Andy Ful is it possible to perform BONUS (behavior blocker) tests with WD?
Most of the behavior detections are made in the cloud backend. That is true for most AVs, so the offline behavior blocking is usually weaker.
When considering the Bonus tests, I think that the idea is related to the proactive (non-signature) part of protection, even when the cloud backend is used. Such tests can be done for WD on files with MOTW. You can use RunBySmartscreen to run the sample and then ignore the SmartScreen alert. Many samples will be first detected by the WD BAFS feature, and for such samples the Bonus tests cannot be done. But if you see the alert that WD blocks the file for 20 s, then it means that WD behavior detection against the cloud backend was started.
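The test above depends on two things that are easy to verify before running a sample: whether the file actually carries Mark-of-the-Web (the Zone.Identifier alternate data stream that SmartScreen and BAFS key on), and how long Defender is configured to hold a new file for cloud analysis (the 20 s / 60 s window mentioned in the thread). The following PowerShell is an added example, not code from the thread or from Hard_Configurator; it assumes Windows 10 with the built-in Defender module, uses Microsoft's documented 10 s base cloud-check timeout, and the sample path is a constructed placeholder.

```powershell
# Added example: inspect MOTW on a file and Defender's cloud-hold configuration.
function Get-MotwInfo {
    param([Parameter(Mandatory)][string]$Path)
    $info = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }
    # The Zone.Identifier ADS is what marks a download as coming from the Internet (ZoneId=3).
    $ads = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($ads) {
        $info.HasMotw = $true
        foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
            if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') { $info[$matches[1]] = $matches[2] }
        }
    }
    [pscustomobject]$info
}

function Get-DefenderCloudTimeout {
    # CloudExtendedTimeout is the extra time (0-50 s) added to the 10 s default
    # that Defender holds a file while waiting on the cloud verdict (Microsoft docs).
    $p = Get-MpPreference
    [pscustomobject]@{
        CloudBlockLevel      = $p.CloudBlockLevel
        BaseTimeoutSeconds   = 10
        ExtendedSeconds      = $p.CloudExtendedTimeout
        TotalHoldSeconds     = 10 + $p.CloudExtendedTimeout
        MAPSReporting        = $p.MAPSReporting        # cloud protection must be on for the hold to happen
        SubmitSamplesConsent = $p.SubmitSamplesConsent
    }
}

# Constructed usage: the path is a placeholder, not a real sample.
Get-MotwInfo -Path "$env:USERPROFILE\Downloads\sample.bin" | Format-List
Get-DefenderCloudTimeout | Format-List
```

A file that shows HasMotw = False (for example one extracted by an archiver that does not propagate the stream, or one renamed after extraction) will not get the SmartScreen/BAFS treatment, which explains why the test only makes sense on files that still carry the mark.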

SeriousHoax

Chrome

  • Trash software, I just use it when a website doesn't work on another browser.
😂😂

But if you see the alert that WD blocks the file for 20 s, then it means that WD behavior detection against the cloud backend was started.
I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.

Andy Ful

😂😂


I see this happening for new exe files every time. So, it's related to the cloud backend behavior blocker! Great. It often triggers before any direct execution attempt is made. Yesterday, I downloaded a malware sample which had a .bin extension upon extraction, but it was an exe malware. So, I renamed it to .exe and immediately received that 20 sec (60 sec in my case) timeout notification, and 10 sec later it was detected and removed by WD.
We probably should not use the term "Behavior blocker". WD and other advanced AVs do not use a separate module which could be called a "Behavior blocker". They use behavior monitoring (locally and in the cloud) together with advanced heuristics and file reputation; the output of all of this makes behavior-based detection. If the file is running, then the detection is extended to parent and child processes (post-execution detection). The closest thing to a "Behavior blocker" would be WD ASR rules or Kaspersky's HIPS.

Malware in the wild often uses a multi-stage infection chain to avoid behavior-based detection. So, the infection is often stopped not on the first chain link, but on a subsequent link. Of course, this sometimes cannot prevent the infection of the first victim.
A good example would be advanced multi-stage malware started by a Java (.jar) file.
I observed on Malware Hub how WD fights such attacks (in your tests): some payloads were detected by behavior-based detections, some were blocked by ASR rules, etc.

bayasdev

07/06/2020

  • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps (photos, movies, camera, calculator, voice recorder, etc.).
  • Latest Nvidia and Intel drivers
  • Latest Office 365 provided by my uni
  • Installed Redistributable C++ AIO
  • Removed Chrome, Brave and Vivaldi

(IDLE) RAM consumption, 2004 idled at 3.1GB

Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

ConfigureDefender worked without problems :cool:

EDIT: I forgot to say that I set telemetry level to 0 in gpedit which according to MS only sends information that’s required for Malicious Software Removal Tool, and Windows Defender. (source)

Vitali Ortzi

07/06/2020

  • Cleanly installed my homebrew updated LTSC ISO; after boot I ran a script to install MS Store and installed basic UWP apps (photos, movies, camera, calculator, voice recorder, etc.).
  • Latest Nvidia and Intel drivers
  • Latest Office 365 provided by my uni
  • Installed Redistributable C++ AIO
  • Removed Chrome, Brave and Vivaldi

(IDLE) RAM consumption, 2004 idled at 3.1GB

Windows Update went painlessly since my ISO already contained all the cumulative updates, so it just downloaded drivers, Intel microcode, MRT and WD updates.

ConfigureDefender worked without problems :cool:

EDIT: I forgot to say that I set telemetry level to 0 in gpedit which according to MS only sends information that’s required for Malicious Software Removal Tool, and Windows Defender. (source)

Nice.
LTSC has no feature updates that reduce stability / increase attack surface.
Only security updates are present.
I did other things in my build, like replacing built-in tools with ones that have better functionality or security.
Unfortunately, the ones that have better functionality increase my attack surface, but it's more convenient for usability, like replacing Notepad with Notepad++.

bayasdev

Thanks, I will try using it with a custom shell.
Don't forget to integrate all the updates in the ISO; it's a PITA to manually update an OS from 2018.
EDIT: The last time I used LTSC, I installed the ISO as is and had to spend like 2 hours with my laptop stuck installing lots of updates, such a time waster.