General Comments On Building A Strong Security Configuration


hjlbx

Thread author
Hello All,

This thread is a Work-In-Progress...

NOTE: If you are a novice user on W8.1 (I'm not sure on W10 - haven't tested it but I would bet it performs the same as on W8.1) and are looking for a quick answer as to which AV you should use, then I strongly suggest Emsisoft Internet Security. It is almost bug free and has very good learnability and usability. The product is particularly well-suited to the novice user.

I feel compelled to post this thread since I see users making the same misguided, uninformed mistakes over-and-over. What is contained herein is solely my own thoughts on how to go about developing your own optimized security configuration. My ideas have developed over time and are based upon hard-won, real world experience. In other words I've made most, if not all, the mistakes. If I can prevent even just one user from experiencing the disappointment, confusion and frustration that I have experienced then I will be satisfied.

This is not meant to be a comprehensive guide to which types of softs you should include in your security configuration. There exists such infos here at MT. See @Umbra's suggestions here: http://malwaretips.com/threads/umbras-concept-of-layered-config.12352/ .

Ultimately, each user must decide for themselves what works best for them - both personally and on their specific system.

0. Ground "Zero"...

Be patient and tolerant. Your attitude towards IT will greatly influence your user experience. As you gain knowledge and experience your attitude toward IT quirks, bugs, problems, etc will change. A bad attitude towards IT security will ensure you do things that are both utterly stupid and very high-risk...

Letting bugs, strange soft behaviors and other issues get to you serves no purpose whatsoever. Calmly solve the problem... even if it takes weeks or months. If you try your level best to solve issues to no avail, then you still have a lot of options available such as alternative softs, a "wait-and-see" posture, or just let it go.

Your peace-of-mind in all matters IT is completely up to you...

1. Get rid of OEM crapware; perform a clean install of Windows. OEM crapware needlessly consumes system resources.

NOTE: Simply removing installed OEM crapware via Windows Programs and Features is not enough as it leaves remnants behind that can continue to cause various problems.

2. Once you lighten your system load, don't add too many security softs. In fact, don't overload your system with too many softs... period.

It makes absolutely no sense to go through all the trouble of a clean install of Windows only to add too many security and other softs that consume all the system resource capacity you just liberated via the clean install. The goal is a configuration that provides a solid base-line security along with good system responsiveness.

3. If a security soft doesn't work, you can't get it to work and\or you can't figure out how it works, then it is useless. After your best efforts, drop that soft and move on. Common sense...

System and soft reliability and dependability are the absolute first priority. Common sense...

4. Unrealistic expectations of hardware and softs cause nothing but bitter disappointment and resentment.

If you expect that any security configuration or model will protect your system 100 % - well - all I will say is that it is not technologically possible. The current technological state of OSes, hardware and softs is such that no matter what configuration\security model you adopt, you will never protect any system 100 %.

Furthermore, hardware and softs do not work flawlessly. All manner of problems - from BSODs to bugs to hardware failures - are a fact of IT-life... an ability to cope with frustration is invaluable in this regard.

Experienced users tend to develop workarounds for bugs that are persistent. If they cannot find a workaround, they either accept the bug and ignore it or abandon the soft without getting all bent-out-of-shape about it.

5. Build a security configuration that correlates with the risk level of your computing habits. Once again, don't add too much.

The natural inclination towards IT security is to build an impenetrable fortress. While on the surface this seems to be the logical thing to do, it is neither practical nor possible. What I am suggesting is this:

If you turn on your computer once per week, visit MalwareTips for 15 minutes, then turn it off - you have no need of anything other than a minimalistic security config.

If you are an over-the-top, high-risk user - click-happy, tests malware without knowing what you are doing, download & install anything-and-everything, use warez, cracks & keygens, visit the porn sites, file share, and use torrent sites - you need a well-rounded, fuller-featured security config that addresses most of the associated risks of such behaviors.

ONE CRITICAL POINT ABOUT VIRTUALIZATION: Virtualization is not a security panacea. It does have serious limitations... first, and foremost, being that during any virtual session data can be stolen. A second major concern is encryption containment. Always follow the guidance of soft publishers, security experts and advanced users when configuring light virtualization softs and virtual machines. This topic is huge and can't be covered in any meaningful way here, except to say:

WARNING !! Virtualization does not protect sensitive personal data ! When using any virtualization soft it is recommended that the user put in place guards to protect data during the virtual session. If any malicious file is permitted to run without restriction during a virtual session, then data theft and\or encryption of personal files can occur.

6. Don't use the softs that are widely distributed and regularly targeted for vulnerabilities - Microsoft Office, Microsoft Silverlight, Windows Media Player, Adobe Acrobat, Reader and Flash, Java and Java Runtime Environment, RealPlayer, etc.

The above list is not complete, but does cover the most frequently targeted softs. Reducing the attack surface is particularly effective and easy; not using a vulnerable soft means it can't be exploited on your system and there are many high quality alternatives to be found.

7. Keep your softs up-to-date... always - no matter what.

Unfortunately, there is no straightforward, direct path to the best security config for you. Only through careful consideration and trial-and-error will any user find what works best. There's no way around it... it is a process that takes time and effort. The end results are a good user experience with adequate base-line security.

Best Regards,

HJLBX
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,224
The first step to build a strong security foundation is to ditch Windows and move to Linux/Ubuntu or other distros. Like I said, everyone will be unhappy. Even I use Windows sometimes where there is no SW for Linux that matches features offered by Windows, for example a simple word processor or spreadsheet programs like Word and Excel.
 

hjlbx

Thread author
> What does OEM stand-for?

Original Equipment Manufacturer. The primary PC OEMs are Acer, Asus, Dell, Hewlett Packard, Lenovo, Toshiba...

I haven't listed them all, but you will readily understand what I mean. The OEMs above routinely do a "custom" install of Windows via license and bundle it with 3rd party softs - like McAfee Live and Norton Internet Security - plus their own in-house applications. This practice creates nothing but a needless nuisance for the end-user...
 

SkyJP

Thread author
Another thing we see often are users who constantly change their antivirus program every week from their dependence on test results (...!) or whenever there is a new promo/giveaway from a security vendor. Sure, it makes sense if you're just trying out the software to see what works for you and your PC. Give an antivirus at least a month to settle in so you can see what its capabilities are.
 

hjlbx

Thread author
> Another thing we see often are users who constantly change their antivirus program every week from their dependence on test results (...!) or whenever there is a new promo/giveaway from a security vendor. Sure, it makes sense if you're just trying out the software to see what works for you and your PC. Give an antivirus at least a month to settle in so you can see what its capabilities are.

Very good point @SkyJP... and I agree. Once you find a security config that works for you it is best to commit to it and learn to use and tweak it to the fullest. Only in this way can one realize the full protection potential.

As I don't change my systems very often your point didn't cross my mind during my original post. Although, I admit that I do get restless and think about changing configs on a frequent basis. However, I am too lazy to follow through. Besides my configs protect my systems despite some foul malware testing... so I have no need to change other than to play with toys.
 

Rolo

Level 18
Verified
Jun 14, 2015
857
> If you are an over-the-top, high-risk user - click-happy, tests malware without knowing what you are doing, download & install anything-and-everything, use warez, cracks & keygens, visit the porn sites, file share, and use torrent sites - you need a well-rounded, fuller-featured security config that addresses most of the associated risks of such behaviors.

Actually, in this case, one needs a full virtual machine. I don't run anything remotely questionable on my production system without looking at it on a VM first. This means practically a fortress on the VM (I don't care about performance there) and an installation/system modification monitor/logger (Soft Organizer) to take an "x-ray" of what the install did and what the software did when it was running (not just its installer).

Having a VM frees resources on your production machine to get, like you said and I fully agree, performance/responsiveness--which is my #1 priority since I'm 1) a gamer and 2) generally impatient. :)

> Original Equipment Manufacturer. The primary PC OEMs are Acer, Asus, Dell, Hewlett Packard, Lenovo, Toshiba...
>
> I haven't listed them all, but you will readily understand what I mean. The OEMs above routinely do a "custom" install of Windows via license and bundle it with 3rd party softs - like McAfee Live and Norton Internet Security - plus their own in-house applications. This practice creates nothing but a needless nuisance for the end-user...

+1,000,000

Clean install. Always. No bad juju that way. The Win10 upgrade --> Activate --> Clean install is nice and easy on OEM machines.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Better isolate the comparison test of your AV, to the actual you're using on the system cause; let the product do the job on any accident situation.

Cause it makes only yourself too dependent on the test.
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
I do like some of the OEM programs installed on my computer. For example, HP Support Assistant is there for driver updates. HP Coolsense and HP 3D Driveguard are also great. I actually installed them again after I reset Windows 10.
 

hjlbx

Thread author
> I do like some of the OEM programs installed on my computer. For example, HP Support Assistant is there for driver updates. HP Coolsense and HP 3D Driveguard are also great. I actually installed them again after I reset Windows 10.

I should have mentioned that certain OEM apps are there for convenience and also because they offer better control or functionality over that of Windows. In those cases, which are hard to predict until you actually get to inspect the OEM apps, they are worthwhile and probably should not be permanently removed from the system. In other words, after performing the Windows clean install, reinstall those types of OEM apps for optimum system control. To learn how to accomplish all of this just do some research here at MT and online.

For example, on my Toshiba units there are keyboard apps without which all the f-key functionality would not work. So I keep them despite the fact that they are heavy on system boot resources...
 

Rolo

Level 18
Verified
Jun 14, 2015
857
I was surprised: all of my MSI Gaming Laptop (GT70) stuff worked with a clean W10 install (all the extra buttons, Fn stuff); the only things I had to install were the SteelSeries keyboard software and the KillerSuite (network interface control software), obviously, but that's not OEM bloat.

> Once you find a security config that works for you it is best to commit to it and learn to use and tweak it to the fullest.

Good advice. Works for cars, bikes, etc. too!
 

Deleted member 178

Thread author
> If you are an over-the-top, high-risk user - click-happy, tests malware without knowing what you are doing, download & install anything-and-everything, use warez, cracks & keygens, visit the porn sites, file share, and use torrent sites - you need a well-rounded, fuller-featured security config that addresses most of the associated risks of such behaviors.

If you are this kind of user, read my article (when I was paranoid):

http://malwaretips.com/threads/umbras-concept-of-layered-config.12352/
 

Deleted member 2913

Thread author
HJLBX... it's a good guide.

I had decided that with Win 10 fresh install I am not going to waste any time trying security software but decide & install one & stick to it till it gives any major prob.
After I installed Win 10... with past experience of quite a few free security software (I am all for free software) I weighed my options (for a user like me who likes free clean software with no bloats... the options are very few nowadays) & decided to go with Comodo Internet Security first.
Latest CIS (fresh install) running light & good here on Win 10 64 (fresh install).
 