Advanced Plus Security Max90 Security Config 2023.

Last updated
Mar 24, 2023
How it's used?
For home and private use
OS (desktop)
Other operating system (see below)
Other operating system
Windows10 Pro with WDAC & SRP
On-device encryption
User sign-in
    • Biometrics, Windows Hello PIN, Apple TouchID
OS update
Automatically download and install system updates
User Access Control
Always notify
WiFi network firewall
Router firewall is On
About WiFi router
Home Care protection and QoS enabled. TP-Link tri-band router with the two 5Ghz channels separated for work and home use. The 2.4 Ghz is channel for smart phones with our IoT devices on the 2.4 Ghz guest network with a lease time of 8 hours.
Malware protection
Microsoft Defender on MAX set through GPO (Zero Tolerance cloud protection, ASR-rules and Protected Folders enabled)
Firewall protection
Microsoft Defender Firewall for Windows 11 / 10
About custom security
1. Early Launch Anti Malware set to allow good only at startup
2. Enabled Integrity Guard for Office, Edge and often attacked Windows medium Integrity Level system processes
3. WDAC for user folders with explicit allow for security, image and data backup and cleanup programs
4. Blocking LoLBins with Application Control, Exploit Protection and SRP
5. Sofware Restriction Policy in user folders for standard user
Periodic malware scanners
Monthly Windows Malicious Software Removal Tool, Norton Scan & Erase and SophosScanAndClean
Malware samples
I do not participate in malware testing.
Default browser & extensions
Edge hardened through registry (enabling sandboxes, reducing site permissions, disabling Microsoft annoyances and features as much as possible, forcing NextDNS over HTTPS)
Allowing (whitelisting) only two extensions: Blank new Tab and UBlockOrigin, with the following filters:
- Kees1958 EU-US most used ad&tracking networks (third-party block)
- Kees1958 EU US most used URL tracking parameters
- LennyFox News websites without ads
- LennyFox Youtube without ads
Secure DNS
NextDNS with all security features enabled and extra blocking non latin character Top Level Domains. For privacy I enabled blocking cloacked CNAME and added OISD-filter and enabled the option to allow affiliate tracking (to prevent Google search result links getting blocked when clicked on).
Windscribe free 30GB
Password manager
None, by head
Maintenance tools
Windows own Disk Cleanup and Wise Registry Cleaner
Personal backup
Syncback FREE to a second HD (data is on SSD) and once a month to USB disk. The ad hoc backup to second HD is extra protected with NTFS file permissions only allowing standard users full access (most ransomware tries to get admin/system rights :) )
How often I backup?
Emergency recovery
Macrium Reflect free image backup
Risk factors
    • Browsing to popular websites
    • Working from home
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
Notable changes
Cleaned up and updated settings
What I'm looking for?

Looking for minimum feedback.


Level 8
Thread author
Nov 9, 2022
I liked MBAM Browser Guard, but back to AdGuard MV2 again with following filters
- Kees1958 EU US most used ads & trackers networks
- Kees1958 EU US most used URL trackers
- LennyFox Allow list for Dutch payment services
- LennyFox Youtube without ads
- LennyFox News websites without ads

and Jan Willy's easy-medium mode for Adguard with extra warning for Most Abused Top Level Domains (second rule with $document)


Because of Jan Willy's rule, the third-party surface exposure is limited, allowing to create a simple strict warning ($document) rule for most abused TLD's.
For trusted websites, just add a denyallow to the end of the second rule (e.g.|cc|vg,

PS. I noticed Kees1958 has updated his lists again
Last edited:


Level 8
Thread author
Nov 9, 2022
Set all Edge security and anti-tracking to STRICT again, therefor installed uBlockOrigin again (to see what Edge anti-tracking is missing),

uBlockOrigin (cosmetic filtering off) with the following lists
- Kees1958 - EU US most used URL trackers (remove parameters from URL)
- LennyFox - News websites without ads (for these websites Cosmetic Filtering Enabled)
- LennyFox - Videos (like Youtube) without ads

My filter rule: ||*$third-party,script,frame,to=~NL|~BE|~DE|~UK|~com|~io|~net|~org
Last edited:


Level 8
Thread author
Nov 9, 2022
Had some issues with website functionality breaking. Therefore EDGE anti-tracking and security back to basic and also removed all adblocking filters in NextDNS.

To keep the number of rules under 30.000 (no need with MV2) I used a trick by
1. Disabled cosmetic filtering and deselected importing and applying cosmetic rules in filter lists.
2. Copying LennyFox news websites and video (youtube) filter lists into My Filters and enabled cosmetin filtering for all websites in My Filters.
3. Only using the following filter lists
- AdGuard URL parameter filter
- AdGuard optimized Base + EasyList advertising
- AdGuard optimized tracking protection

Total number of network rules 24.138 with 60 cosmetic rules
Last edited:


Level 8
Thread author
Nov 9, 2022
I'm enjoying using straight medium mode. For me, it's just easier to use instead of trying to find different combos of filter lists, rules, etc. But variety is the spice of life, eh? :cool:
(y)Do you have filters enabled with straight medium mode?

I have spend a lot of time tweaking and micro managing my AdBlocker, may be it is time for a looser approach, thanks for the wise words.
Last edited:


Level 8
Thread author
Nov 9, 2022
Could not sleep because I just returned from work abroad. I always seem to have more problems to overcome jetlag flying eastward. On Saturday my wife goes shopping with her friends, so I made two image backups (of my desktop and her laptop) and did a fresh install of Windows11 to see whether i could Smart Application Control working on her laptop.

By tweaking the registry key I could force SAC on without problems. Because I had Avast Free on her laptop I decided to keep it and I was also able to add H_C SRP to the mix (by setting the AppLocker rule count to zero). Only downside was that I could not run her favorite photobook software (unsigned DLL's blocked). So I reverted to the old image and decided to make a WDAC policy (Windows Defender Application Control Wizard Configure Windows Defender Application Control | WDAC and SPynetGirl automated scripts for WDAC ).

Now her Windows11 laptop runs without SAC but with WDAC ISG (no dynamic code security), Avast Free (hardened) and SRP (SWH-like & some sponsors blocked), seems to work well (y)
To keep an eye on this setup I changed my setup identical to hers, so temporarily on different setup (with Microsoft Recommended Block rules in WDAC and additional sponsors blocked with SRP for basic user, see spoiler).

Last edited:
  • Like
Reactions: oldschool


Level 8
Thread author
Nov 9, 2022
Decided to make my temporary setup my new setup (change from Microsoft Defender to Avast Free and fom strictly managerd WDAC to loosely managed ISG), I had to reduce Early AntiMalware protection from good only to good and unknown (since I am still using WDAC and AVAST has its own root-kit scan on startup it is no big deal). Because I decided to sort of mirror my setup with my wife's windows 11 laptop.

I am running Egde with a hardened profile with anti-racking on balanced and enhanced security on basic. For both options I have enabled STRICT mode for inprivate browsing, so when I switch to inprivate browsing, I automatically increase tracking and javascript protection.

EDIT: although I like Avast Free very much, I decided to change to F-secure Safe, which I get as a rebranded Ziggo Safe-online from my ISP for free. Years ago I read somewhere that it was better to use different Anti-Virus solutions because the chance that they both miss a sample is smaller. After installing I realized that F-secure uses Avira signatures data base, so I think I changed for a dummy reason (since Avast and Avira both belong to Norton, my guess is that they share signatures).
Last edited:
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.