Advanced Security oldschool's surfing laptop configuration

Last updated
Nov 20, 2024
How it's used?
For home and private use
Operating system
Windows 11
Other operating system
Windows Pro
On-device encryption
N/A
Log-in security
    • Biometrics (Windows Hello PIN, TouchID, Face, Iris, Fingerprint)
Security updates
Allow security updates
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
Provided by ISP
Real-time security
Windows Security
Firewall security
Microsoft Defender Firewall
About custom security
MS Defender - Default | ASR rules | Platform & Engine Beta channel updates
All system-wide Exploit Protections enabled, plus these for Edge & Chrome.
Firewall Hardening
RunBySmartscreen
Windows Spy Blocker
Periodic malware scanners
NPE
Malware sample testing
I do not participate in malware testing
Environment for malware testing
N/A
Browser(s) and extensions
Chrome | Privacy Badger | Brave Search
Edge | Privacy Badger | Brave Search | Surf profile & secure profile
Chrome flags | Edge flags
Secure DNS
Quad9 DNS
Desktop VPN
None
Password manager
Maintenance tools
Windows built-in
File and Photo backup
Copy/Paste
Subscriptions
    • None
System recovery
Aomei Backupper Pro Lifetime - Primary
Windows Backup & Restore - Secondary image backup
Risk factors
    • Browsing to popular websites
    • Opening email attachments
    • Buying from online stores, entering banks card details
    • Downloading software and files from reputable sites
    • Streaming audio/video content from trusted sites or paid subscriptions
Computer specs
Lenovo L340 Intel(R) Core(TM) i3-8145U CPU @ 2.10GHz 2.30 GHz 16GB RAM 500GB SSD 1TB HDD
Notable changes
22-12-5 Reverted to MS Defender.
23-1-21 Refreshed Windows with SAC in evaluation mode.
23-2-2 Clean Windows installation
23-2-18 SAC user-enabled on
27-2-23 Added Chrome for the lack of 'feature' bloat.
28-2-23 Changed default browser to Chrome
24.2.24 Refreshed Windows and re-enabled Smart App Control
5.7.24 Performed a repair installation via Windows Update. Nice & easy!
6.10.24 Updated to 24H2 OS build 26100.1882
10.10.24 Rolled back to 23H2 due to bugs & performance
16.10.24 Added Chrome browser. Privacy Badger listed as main extension, but I also keep µBO, JShelter and Local CDN installed, not enabled.
What I'm looking for?

Looking for minimum feedback.
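The template above lists settings by name only. The script below is an added example (not the thread author's, not from MalwareTips) that reads back the live state of those settings on a Windows 11 machine so the running configuration can be compared with the list: Defender platform and engine update channel, block-at-first-sight and cloud protection level, the ASR rule set with each rule's action, Exploit Protection for the system and the two browsers named in the template, the UAC "Always notify" pair of registry values, the Smart App Control state and the Defender Firewall profiles. It is read-only and needs an elevated prompt. Registry paths and value meanings are the documented ones; the browser executable names are an assumption taken from the template's "Edge & Chrome" line.

```powershell
# Added read-only audit of the settings in the template (example code, not the
# thread author's). Run from an elevated PowerShell prompt on Windows 11.
$ErrorActionPreference = 'Stop'

# --- MS Defender: update channels, cloud protection, signature interval -------
$mp = Get-MpPreference
[PSCustomObject]@{
    PlatformChannel   = $mp.PlatformUpdatesChannel     # template: Beta
    EngineChannel     = $mp.EngineUpdatesChannel       # template: Beta
    BlockAtFirstSight = -not $mp.DisableBlockAtFirstSeen
    MAPSReporting     = $mp.MAPSReporting              # 0 off, 1 basic, 2 advanced
    CloudBlockLevel   = $mp.CloudBlockLevel
    SigIntervalHours  = $mp.SignatureUpdateInterval    # 0 = Windows default schedule
} | Format-List

# --- ASR rules: GUID paired with its action (0 Disabled, 1 Block, 2 Audit, 6 Warn)
$actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$ids = @($mp.AttackSurfaceReductionRules_Ids)
$acts = @($mp.AttackSurfaceReductionRules_Actions)
if ($ids.Count -eq 0) { 'No ASR rules configured' }
for ($i = 0; $i -lt $ids.Count; $i++) {
    $a = [int]$acts[$i]
    $label = if ($actionName.ContainsKey($a)) { $actionName[$a] } else { "Unknown($a)" }
    '{0}  {1}' -f $ids[$i], $label
}

# --- Exploit Protection: system-wide defaults, then per-app overrides ---------
$sys = Get-ProcessMitigation -System
'System: DEP={0} ASLR(BottomUp)={1} CFG={2} SEHOP={3}' -f `
    $sys.Dep.Enable, $sys.Aslr.BottomUp, $sys.Cfg.Enable, $sys.SEHOP.Enable
# Browser executables are assumed from the template's "Edge & Chrome" line.
foreach ($exe in 'msedge.exe', 'chrome.exe') {
    $m = Get-ProcessMitigation -Name $exe
    '{0}: CFG={1} ArbitraryCodeGuard={2} BlockChildProcesses={3}' -f `
        $exe, $m.Cfg.Enable, $m.DynamicCode.BlockDynamicCode,
        $m.ChildProcess.DisallowChildProcessCreation
}

# --- UAC: "Always notify" = ConsentPromptBehaviorAdmin 2 + PromptOnSecureDesktop 1
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$alwaysNotify = ($uac.ConsentPromptBehaviorAdmin -eq 2) -and ($uac.PromptOnSecureDesktop -eq 1)
"UAC 'Always notify': $alwaysNotify"

# --- Smart App Control: 0 Off, 1 On (enforce), 2 Evaluation (template: Off) --
$sac = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy').VerifiedAndReputablePolicyState
"Smart App Control state: $sac"

# --- Defender Firewall: all three profiles enabled, inbound blocked by default
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table
```

Two points the output is worth reading against: once Smart App Control reports 0 (Off) it cannot be switched back on without resetting or reinstalling Windows, which matches the thread's "refreshed Windows and re-enabled Smart App Control" history; and ASR rules that show as Audit or Warn are logging, not blocking, so a rule listed as "enabled" in a template should be confirmed as action 1 here.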

oldschool

Level 85
Thread author
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Interesting development. I had CleanMem installed prior to turning SAC on and, after SAC was turned on, it blocked parts of it due to being unsigned, effectively breaking it. I opened a new issue in Feedback Hub, submitted a sample to MS, and uninstalled CleanMem. Finally, I re-installed CleanMem on a whim and SAC has not blocked it. Very interesting, indeed. Or am I missing something?🤔
 

ForgottenSeer 97327

Interesting development. I had CleanMem installed prior to turning SAC on and, after SAC was turned on, it blocked parts of it due to being unsigned, effectively breaking it. I opened a new issue in Feedback Hub, submitted a sample to MS, and uninstalled CleanMem. Finally, I re-installed CleanMem on a whim and SAC has not blocked it. Very interesting, indeed. Or am I missing something?🤔
I had a similar experience with ISG (Intelligent Security Graph of WDAC). I used to test that my WDAC config was active with an unsigned application. This worked from 2019 until the end of 2022, when I was updating an image with WDAC ISG with Bitdefender Free and another image with WDAC ISG combined with AVAST Free. All of a sudden ISG allowed the unsigned app; first I thought that my WDAC ran in audit mode, but ISG had whitelisted the unsigned app while I was updating my images.

I read somewhere that Smartscreen, ISG and SAC share (parts) of the same cloud whitelist backbone. So ISG seems to benefit from SAC. This made me think that Microsoft is really trying to make SAC work for general use. Your experience is another example that Microsoft is preparing SAC for a broad audience rollout. (y)
 

oldschool

So ISG seems to benefit from SAC. This made me think that Microsoft is really trying to make SAC work for general use. Your experience is another example that Microsoft is preparing SAC for a broad audience rollout. (y)
From my not-very-technical perspective, I would have to agree, contrary to what some MS critics claim. SAC is not simply a whitelisting protection. My experience was quite surprising.
 

ForgottenSeer 98186

So ISG seems to benefit from SAC.
ISG is the "data layer" that collects and processes the data which is eventually enforced by WDAC and SAC (based upon WDAC) policies.



What is not exactly clear is how or to what extent non-subscribing users are interfaced with ISG.


 

ForgottenSeer 97327

I've now successfully run Mindfulness at the computer, which is not signed, and definitely not prevalent, with no block from SAC. So far, I'm impressed. (y) :cool:
Kind of fun that Mindfulness made you worry ;)(y) Good to see you are happy again, so ....

sit upright close your eyes, breathe in, relax and say "Smart App Control" while breathing out and repeat for around 15 minutes
 

oldschool

I'm going to try out browser compartmentalization since I recently installed Chrome after @Sammo's posts here and here tweaked my curiosity. The 'plan' is to use Edge for sensitive browsing like purchases, email, etc., Chrome for tech and forum stuff, and Firefox for more general browsing. Use Chrome's µBO in medium mode. We'll see how this goes.
 

oldschool

At @Correlate's request, I've provided my Edge settings below:
Code:
Profiles - All OFF except Passwords set as needed
Privacy, etc. - Tracking protection @ Strict
                Clear browsing data on exit @ all checked except Passwords & Site permissions
                Privacy @ all OFF
                Optional diagnostics @ OFF
                Search & Service improvement :) @ OFF
                Personalizations & advertising @ OFF
                Security @ All ON except Website typo info & Site safety info
                Services @ All OFF except Enhance images
                Address bar & search @ search on address bar
Appearance - Home, Favorites & History @ ON
Sidebar - All OFF
Start, Home & New tabs - Preload new tab @ OFF
Share,copy & paste - Use format selected above... @ OFF
Cookies & data stored - Block 3rd party cookies @ ON
Default browser @ ??? :)
Downloads - All OFF except Show downloads menu
System & performance - All @ OFF except Hardware acceleration @ ON & Turn on efficiency mode @ ALWAYS
Accessibility - All @ OFF except Show downloads menu & Use F12 to open dev tools @ ON
 

oldschool

MS Defender relies on the BAFS and the cloud backend but in case you're interested in configuring the signature update interval for the latest sigs, the best interval I've found is 2 hours. Enjoy the goodness of built-in features! (y) :cool:

My Chrome hardening flags:
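The post above recommends a 2-hour signature check interval. As an added example (not the poster's own code), the snippet below applies that interval with the documented `Set-MpPreference -SignatureUpdateInterval` parameter, which accepts 1 to 24 hours, verifies that the value stuck, triggers an immediate definition pull, and reports how old the installed signatures are. The function name is ours; it needs an elevated prompt.

```powershell
# Added example (not from the post): set Defender's signature check interval
# to every 2 hours and confirm it took effect. Elevated prompt required.
function Set-DefenderSigInterval {
    param(
        # Set-MpPreference -SignatureUpdateInterval accepts 1..24 hours.
        [ValidateRange(1, 24)][int]$Hours = 2
    )
    Set-MpPreference -SignatureUpdateInterval $Hours
    # Read the value back; a policy (GPO/Intune) can silently override it.
    $applied = (Get-MpPreference).SignatureUpdateInterval
    if ($applied -ne $Hours) {
        throw "SignatureUpdateInterval is $applied, expected $Hours (managed by policy?)"
    }
    return $applied
}

Set-DefenderSigInterval -Hours 2

# Pull definitions now instead of waiting for the next scheduled check.
Update-MpSignature

# Show the resulting signature version and age; with a 2-hour interval the age
# should normally stay well under a day.
$s = Get-MpComputerStatus
[PSCustomObject]@{
    SignatureVersion = $s.AntivirusSignatureVersion
    LastUpdated      = $s.AntivirusSignatureLastUpdated
    AgeHours         = [math]::Round(((Get-Date) - $s.AntivirusSignatureLastUpdated).TotalHours, 1)
} | Format-List
```

The interval only changes how often Defender polls for definition packages; as the post notes, block-at-first-sight and the cloud backend are what catch a new sample between polls, so a long signature age is a maintenance signal rather than a direct gap in protection.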
 
