Advanced Plus Security Lenny's 2021 intention: keep this setup for a year :-)

[Lenny_Fox]

@venustus I used your trick to silence google consent popup for youtube.com also on Google.NL (search in Dutch, thanks

 

[Venustus]

@venustus I used your trick to silence google consent popup for youtube.com also on Google.NL (search in Dutch, thanks

You're welcome

 

[Lenny_Fox]

Because I sort of copies @SecurityNightmares adblocking I changed from AdGuard to AdBlockPlus, because I only use ABP to block annoyances in my bookmarked websistes

Next DNS copied setup from Next DNS guide on this forum with:
- non-latin alphabet Top Level Domains blocked
- AdGuard DNS filter (AdGuard's DNS blocklist is designed to work on DNS level*)
- Allowing affilaite and tracking links (prevents AdGuard DNS filter blocking promoted links from search results)
- some domains added manually in personal blocklist (to deal with popunder ads)
- whitelisted two Dutch banks websites

Edge
- hardened mode (blocking most site permissions and cookies from Google)
- smartscreen in browser disabled (Next_DNS has Google Safe Browsing, Router has Trend Micro url filering)
- anti-tracking on strict (whitelisting two Dutch banks)
- Bruce blank tab (also works incognito)
- AdBlockPlus (it is less advanced than AG and uBO, but fits my useage better)

AdBlockPlus to deal with remaining annoyances (using my own filters)
- Extra Security for ABP/AG/uBO https://raw.githubusercontent.com/LennyFox/Blocklists/master/Extra security
- Annoyances on popular websites https://raw.githubusercontent.com/LennyFox/Blocklists/master/Popular websites ABP
- Annoyances on bookmarked sites: https://raw.githubusercontent.com/LennyFox/Blocklists/master/Bookmarked websites

*) explanation
DNS is not the best place for adfiltering, because the DNS does not semantically looks at content (like an extension or browser build-in adblocker)

 

[Gandalf_The_Grey]

Not sure if disabling SmartScreen in Edge is wise...
You have other safeguards, but for example Google Safe Browsing in third party solutions (like Next_DNS here) is always behind / not as often updatet as Google Safe Browsing in Chrome. Also, not sure of Trend Micro URL filering in your router (as I have myself), it helps, but is it as good as SmartScreen, Safe browsing or for example Bitdefender TrafficLight?

Have you compared the performance of uBlock Origin vs AdBlockPlus with your filters?
According Raymond Hill the performance of uBlock Origin is superior to anything else.

 

[Kongo]

Not sure if disabling SmartScreen in Edge is wise...
You have other safeguards, but for example Google Safe Browsing in third party solutions (like Next_DNS here) is always behind / not as often updatet as Google Safe Browsing in Chrome. Also, not sure of Trend Micro URL filering in your router (as I have myself), it helps, but is it as good as SmartScreen, Safe browsing or for example Bitdefender TrafficLight?

Have you compared the performance of uBlock Origin vs AdBlockPlus with your filters?
According Raymond Hill the performance of uBlock Origin is superior to anything else.

Actually when using NextDNS not Google Safe Browsing but "Threat Intelligence Feeds" does pretty much all the work. But I agree, there is no valid point of disabling Smart Screen imo...

 

[blackice]

Actually when using NextDNS not Google Safe Browsing but "Threat Intelligence Feeds" does pretty much all the work. But I agree, there is no valid point of disabling Smart Screen imo...

In the latest DNS testing it seemed that NextDNS was one of the best, about on par with Safe Browsing. Of course with the small sample sizes you never know the overall picture..

 

[Kongo]

In the latest DNS testing it seemed that NextDNS was one of the best, about on par with Safe Browsing. Of course with the small sample sizes you never know the overall picture..

The link isn't working. I just meant that within NextDNS Google Safe Browsing is blocking far less than Threat Intelligence Feeds from my experience.

You can also see it in that video:

 

[blackice]

The link isn't working. I just meant that within NextDNS Google Safe Browsing is blocking far less than Threat Intelligence Feeds from my experience.

You can also see it in that video:

Fixed, thanks! Yeah I see what you are saying. I agree with you. I use NextDNS Threat Intelligence for our home router's DNS setup.

Edit: nevermind, not fixed. It seems to be getting blocked by something even though it works before I post it.

 

[blackice]

This is the testing I was trying to link to: Q&A - [Updated 29/12/2018] Browser extension comparison: Malwares and Phishings

 

[Lenny_Fox]

Why disable SmartScreen?
I don't like the fact that SmartScreen send full URL for the check. When I tried to download malware executables, because someone on Wilders had used my AdGuard extra security blocklist in uBlock (which did not work for uBO), I only got 1 (ONE!) smartscreen block when I disabled Next_DNS and TrendMicro in the router because I was unable to download a malware link from the list that guy on Wilders had used.


Performance UBO versus ABP
With less than 200 rules, this question has little relevance. uBo has a lot of features, which means that is has much more code than ABP. Less code means lower external code dependance and less coding errors. (remember what Cruel Sister always says about extensions).


Now for something completely different
Kaspersky Cloud Security free stopped working tonight. Spend nearly an hour figuring what was worng, decided to fall back to Windows Defender (configured through GPO simular to Configire Defender on MAX). Also dropped Neushield in favor of Protected Folders. So broke my promise to keep this setup for 2021.


Bitdefender Traffic Light
@Gandalf_The_Grey do you know whether BTL only sends domain or full URL for the URL check? Website of Bitdefender still mentions old BTL which also included tracking warning (Bitdefender now has a separate extension for this : Bitdefender Anti-tracker). Editld BTL checks on page, so probably also full URL.

 

[ForgottenSeer 85179]

The link isn't working. I just meant that within NextDNS Google Safe Browsing is blocking far less than Threat Intelligence Feeds from my experience.

You can also see it in that video:

Thanks!
Nice to see that he uses OISD and have the same experience with NextDNS default vs OISD like me.

 

[Gandalf_The_Grey]

Why disable SmartScreen?
I don't like the fact that SmartScreen send full URL for the check. When I tried to download malware executables, because someone on Wilders had used my AdGuard extra security blocklist in uBlock (which did not work for uBO), I only got 1 (ONE!) smartscreen block when I disabled Next_DNS and TrendMicro in the router because I was unable to download a malware link from the list that guy on Wilders had used.


Performance UBO versus ABP
With less than 200 rules, this question has little relevance. uBo has a lot of features, which means that is has much more code than ABP. Less code means lower external code dependance and less coding errors. (remember what Cruel Sister always says about extensions).


Now for something completely different
Kaspersky Cloud Security free stopped working tonight. Spend nearly an hour figuring what was worng, decided to fall back to Windows Defender (configured through GPO simular to Configire Defender on MAX). Also dropped Neushield in favor of Protected Folders. So broke my promise to keep this setup for 2021.


Bitdefender Traffic Light
@Gandalf_The_Grey do you know whether BTL only sends domain or full URL for the URL check? Website of Bitdefender still mentions old BTL which also included tracking warning (Bitdefender now has a separate extension for this : Bitdefender Anti-tracker). Editld BTL checks on page, so probably also full URL.

I had the same problem on my son's laptop with Kaspersky Security Cloud Free.
It stopped working and without any warning or visible notification on the taskbar icon.
So I went back to Microsoft Defender, ConfigureDefender on HIGH settings and Controlled Folder Access.

I think you are right that Bitdefender TrafficLight also sent the full URL back, like SmartScreen.

 

[Ink]

Why disable SmartScreen?
I don't like the fact that SmartScreen send full URL for the check. When I tried to download malware executables, because someone on Wilders had used my AdGuard extra security blocklist in uBlock (which did not work for uBO), I only got 1 (ONE!) smartscreen block when I disabled Next_DNS and TrendMicro in the router because I was unable to download a malware link from the list that guy on Wilders had used.

Is Reputation-based protection disabled, or "SmartScreen for Microsoft Edge" only?

Windows Security > App & browser control:

 

[ForgottenSeer 85179]

- Extra Security for ABP/AG/uBO https://raw.githubusercontent.com/LennyFox/Blocklists/master/Extra security

! Block third-party executable content from insecure HTTP websites
||HTTP://*$third-party,~stylesheet,~media,~image

this rule isn't for security but privacy. Anyway, it will break some sites without any advantage.

! Block downloading executable content from insecure HTTP websites
|http://*.exe^$document
...

Edge blocks all HTTP automatic downloads already by default.

 

[blackice]

I think you are right that Bitdefender TrafficLight also sent the full URL back, like SmartScreen.

Yes they send full URLs, based on @Fabian Wosar ’s comments, and last I double checked it was sent unencrypted. Malwarebytes Browser Guard is much better in both regards.

 

[Lenny_Fox]

this rule isn't for security but privacy. Anyway, it will break some sites without any advantage.

It blocks third-party scripts, subdocuments from insecure websites. Unencrypted websites are not used in western world since domain SSL certificates became free. Although the simplest SSL certificate, says nothing about the website or its owner, the registration process of a domain SSL is only issued when the person requesting the certificate has the legal right to ask for one. The data needed to get one, makes it less attractive for criminals, so most malware websites operate as HTTP. When this advantage is not clear to you I rest my case.

Since Google started to lower your ranking when using a HTTP website, all websites converted to HTTPS in the western world. So it will hardly ever break a website.

 

[Lenny_Fox]

Is Reputation-based protection disabled, or "SmartScreen for Microsoft Edge" only?

Windows Security > App & browser control:
View attachment 257310

Only URL filtering in Edge, Smartscreen is enabled for explorer and store apps.

 

[ForgottenSeer 85179]

It blocks third-party scripts, subdocuments from insecure website

And can be done native done in Edge.
It's recommend to not block only third party http scripts but all http scripts.

Just add http://* as blocking rule in Edge Javascript permissions.
No need to make things even more complicated

 

[Lenny_Fox]

And can be done native done in Edge.
It's recommend to not block only third party http scripts but all http scripts.

Just add http://* as blocking rule in Edge Javascript permissions.
No need to make things even more complicated

This only blocks first party scripts. When you are on a HTTPS website which uses HTTP scripts as third-party those insecure scriptswill be executed. The HTTP://* rule in blocking scripts does not protect you against that.

I don't get your responses. Frst you are posting that blocking third-party scipts hardly has any advantage, now you are advising to block all http-scripts.

Are you just responding to have a discussion/making fun? I dont understand why you are posting wrong information.

 

[Jan Willy]

When you are on a HTTPS website which uses HTTP scripts as third-party those insecure scripts will be executed.

When I visit in MS Edge this testsite Mixed content test page (https content including http content) - Bennish.net I can't confirm your statement.