Advanced Plus Security plat's config for 2020

Last updated: Dec 1, 2020
How it's used: For home and private use
Operating system:
Log-in security:
Security updates: Check for updates and Notify
User Access Control: Notify me only when programs try to make changes to my computer
Real-time security:
    • MS Defender w/self-sandbox, CFA and PUP det. enabled
    • H_C Firewall Hardening
    • SmartScreen for Chromium Edge
    • NVT OSArmor
Firewall security: Microsoft Defender Firewall
About custom security:
    • Controlled Folder Access (d/l, pictures, docs)
    • Core Isolation enabled
    • OSArmor: multiple block rules enabled over defaults
Periodic malware scanners:
    • HitmanPro subscription--detection and removal
    • Microsoft Malicious Software Removal Tool--on demand
    • Microsoft Defender Quick Scan
    • AdwCleaner (rarely)
Malware sample testing: I do not participate in malware testing
Browser(s) and extensions:
    • Microsoft Edge
    • AdGuard browser assistant
    • Trace
    • Clear URLs
Maintenance tools:
    • Windows built-in/System Maintenance run weekly
    • Jotti for .exe, URL and hash analysis (rarely)
    • TreeSize for bulk and to scan for leftover folders
    • RAMMap to release hoarded System memory
    • Wise Disk Care (free version)
File and Photo backup: Manually to external and enclosed HDD which are then taken offline
System recovery: EaseUS Todo Backup Free/64 GB USB drive
Risk factors:
    • Browsing to popular websites
    • Buying from online stores, entering banks card details
    • Logging into my bank account
    • Downloading software and files from reputable sites
    • Browsing to unknown / untrusted / shady sites
    • Gaming
    • Streaming audio/video content from trusted sites or paid subscriptions
    • Streaming audio/video content from shady sites
Computer specs:
CPU: i9 9900 @ 3.1 GHz
Cooler: Noctua U12S Chromax
GPU: NVIDIA GTX 1080 Founders Edition blower-type
Motherboard: ASUS Prime Z390A
RAM: 2x8GB G.Skill TridentZ @ 3200 MHz (16-18-18-38)
Case: Fractal Design Meshify C
Drive: Samsung 980 PRO 500GB
Storage: 3x old 5400 rpm HDDs in offline enclosure
Machine has no internal SATA drives
PSU: EVGA SuperNova G2 Gold-rated 650 watts
Notable changes:
removed: Vivaldi, PrivaZer
added: Opera
added: TreeSize folder identification software
added: RAMMap
added: Wise Disk Care for rapid junk removal
added: Insiders Beta ring for Windows 10
added: paid version NVT OSArmor
removed: Privacy Badger extension
removed: Intel XTU
removed: uBlock Origin
added: AdGuard Desktop

plat
Ah yes, it's that time again. :giggle:

Running Insider build 19536.1000 with a "known" issue of a disk-related anomaly. Replaced Macrium as it had problems with prev. Insider builds. Since I need a System image, I used an NTFS-formatted USB and created a System Image using Windows' built-in mechanism. It's very slow to compile the image compared to Macrium, but whatever. There are YouTube guides to do this--it's not a simple point-and-click procedure, but it's not difficult either. I intend to replace this static image by reformatting when major OS changes take place and things are stable.

If/when Microsoft will just fix this disk bug, I MAY reinstate Macrium. As long as there's a working image that's fairly recent, that's the main thing.

backup.PNG
 

oldschool
The reason I asked is because I find it resource intensive. I asked Andy about Windows sandbox and here is one reply:

"MS admitted that Sandbox is important to prevent exploiting WD. They were very excited about it. So, if it worked flawlessly it would already be implemented by default, like for example Tamper Protection. Furthermore, the developer of an application that changes some important WD settings must be cautious, because the application can easily be flagged by MS as a HackTool and quarantined (as ConfigureDefender was some time ago). This could be a probable scenario if MS chose to make WD Sandbox a default feature.
There is no rush for H_C users in the home environment because exploiting WD requires first bypassing H_C restrictions.
WD Sandbox is most important in enterprises because they usually use vulnerable systems with vulnerable software. After exploiting the vulnerabilities (easy task), the malware can exploit WD, too (y)."

You may read the rest of the thread here: Q&A - Questions: Windows Defender Sandbox and Tamper Protection - Have they now been combined? Will MS include default WD sandboxing?
 

plat
hmmm, interesting. :unsure: Well, your observations of resource-intensiveness probably jibe with the self-sandbox NOT being enabled by default. MS makes optimum use of Defender very difficult and obscure. I wish they'd cut that out.

Haven't noticed anything "off" from when it was enabled before. Reading the link, it seems more of a reason to have H_C (or OSArmor) installed to help deflect any attempts by malware to disable Defender, even for non-Enterprise. For now, it's staying enabled. Most third-party products have this self-protection enabled themselves, many by default, I think.
 

Burrito
This setup seems very well-thought-out to me.

If I didn't have the various licenses that I do and were building from scratch -- I might have a similar setup.

"Intel Extreme Tuning Utility." I don't know about this... so I'll check it out.
For anybody else who does not know about this >> here is a description. I have several computers this would work for... (y)

Good Stuff plat1098.

(y) (y)
 

plat
Thanks, Burrito! It's not all wine and roses, however. I can't get XTU to maintain its voltage profile when waking the machine from sleep. So, I've been just shutting off the monitor. If anyone has managed to get XTU or ThrottleStop to maintain voltages after waking the machine, PLEASE feel free to post your methods! At this point, I found it necessary to create a basic task in Task Scheduler to FORCE XTU to start with Windows. Previously, it would start up maybe 30% of the time after a restart. (n)

The benefits still outweigh the annoyances, though. With my -0.170 V offset (I can go to -0.185 V stably), CPU temp is lowered a full 12-14 °C with 100% single-core use. For laptops, if you follow the procedure correctly, this can make all the difference in the world. I plan to sell this CPU eventually so I'm not overclocking it. But it seems this processor is a silicon lottery winner. (y)
 

Burrito
The benefits still outweigh the annoyances, though. With my -0.170 V offset (I can go to -0.185 V stably), CPU temp is lowered a full 12-14 °C with 100% single-core use.

That's REAL.

The last tangible temperature difference I attained was based on driver update software.

When I have a block of time, I'm going to really check out XTU.

Thanks for alerting us to this.
 

plat
Yeah, with claims like that, maybe it's better to upload some proof. First snip is without XTU (uninstalled, 0 V offset). The second is the exact same game but with XTU installed, and around -0.170 V offset. This game uses 100% of one CPU core, so it's a decent example of what you can potentially achieve with a stable undervolt. :) In general, one should enjoy an overall reduction of 5 or more °C with a stable undervolt.

ror xtu no.PNG

ror xtu yes.PNG
 

plat
Hello. Installed a new internal drive, a Western Digital Black. When I took the older Samsung out of the heatsink, there was distortion of the surface of the drive, so I thought I'd better replace it. The undervolt of -0.165 volts is permanent; it's stable and temperatures are nice and cool without XTU on the system. Unfortunately, the undervolt is lost when waking from sleep, so the machine's sleep function is disabled.

Left the Insiders for now because I had to clean-install Windows on the new drive. Windows 1909 runs very, very smoothly and error-free at the moment and the disk optimizing app works. Still looking at the change-logs for the Insider builds--when something comes up that's interesting, I'll rejoin the Fast Ring. (y)

Here's a performance index of the new Western Digital NVMe. It runs a bit cooler than the Samsung so it's installed without a heatsink.

cdm wd.PNG
 

plat
Added Opera browser. Needed a second browser because something wasn't working properly posting-wise and I needed a second opinion in a hurry. Tried Firefox first and no webpage would load, only a message saying the connection wasn't secure. Like three websites in a row did this. (n) So I disabled AdGuard, but no luck. I don't have the patience to twiddle and fiddle around, so I picked Opera out of the blue, and bam! Right out of the box working perfectly, AdGuard and all. Not as whisper-fast as Edge but good enough, and better yet: you can customize the home page and use the wallpaper of your choosing, plus eliminate those yucky thumbnail bookmarks, which you can't do on Edge.

opera cover.PNG
 

oldschool
Have you tried Brave? I really like its built-in features, e.g. granular shield control, including JS, straight from the address bar. I don't know if any other browser does it this well. It's as fast as Edge (guesstimated) but with better features, except no SmartScreen.
 

plat
Thanks for the suggestion. I'll actually try this, prob. tomorrow. I've heard some positives about it, including from you. I only need two browsers, so Brave or Opera--just one will enjoy the rare and extreme privilege of residing on my machine. :) Stay tuned.
 

plat
Yes, those squares which are the most-visited sites. There's a procedure to disable that, right?--but those thumbnails are admittedly convenient. It's just not very pretty to look at. What do you call those squares? If not "thumbnails," is there another term for them?

With Opera, I sacrificed convenience for a clean and pretty homepage. (y)

Edit: oops, posted at the same time as you, Outpost. Thanks a lot for the quick and easy procedure. (y)
 

plat
Hello.

Updated to Insiders Build 19569.1000. Have to say: preliminary experience is very positive. So far, it's fast, clean, better than the previous build 19564.1005. Goodbye!

Windows' embedded apps' icons got a makeover. I'll upload a sampling; you can see the calculator, calendar and alarms & clocks are redone. Not a big deal, some look nicer to me than others. But this is something you can "look forward to" with the upcoming Spring release.

new icons.png

Had to X-nay the watermark, as usual, as well as disable System Restore and redo a host of other undone tweaks and adjustments. But I like this here build. (y)
 

plat
First new bork discovered, actually yesterday, so this is technically through two Insider builds. Basically, using the parameter "checkhealth" in the dism command results in...nothing. Here's a snip. Searching reveals it's known about and submitted in the Feedback Hub. Some report the tool going to a percentage complete and then ending before 100%. Is this issue present on 1909 or other releases? It's kind of amusing, but if one has to use this, I guess use the scanhealth parameter instead.

I run dism and sfc following most new installs, that's how this was uncovered.

Edit: the image build shown in the cmd window was for 19564.1005, I see. But it was occurring while I had that build as well.
 

plat
So, Windows 1909 was running beautifully, but I wanted to test the revised Sandboxie with Opera on an Insider build. No surprises: Opera runs poorly: opens in 6-7 seconds, sometimes longer, takes longer to open some sites and so on. Without SBIE, it's back to virtually instant performance.

I'll have to see if SBIE will be revised again to run properly on the upcoming Spring release, so this may not be permanent. But once you're used to pretty much instant browser performance, this was simply not acceptable.

I added about 10 exploit guards to Opera without hampering its performance. At least two guards prevented Opera from launching, these being Arbitrary Code Guard and Disable Win32k system calls. I added 2 more ASR rules and verified that .jar files could not be opened via AMTSO tools. So, it's basically fortified Defender plus OSArmor and H_C Firewall Hardener. Runs well.
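An added example, not from the thread or any poster, of doing the per-process hardening described above the safe way: audit-mode first for the two mitigations that broke Opera, then a review of which ASR rules are actually in force. It assumes the browser binary is named opera.exe, that Microsoft Defender's PowerShell cmdlets are present, and that it is run from an elevated prompt.

```powershell
# Added example (not the poster's configuration). Assumes the Opera binary is
# opera.exe and that the Defender / Exploit Protection cmdlets are available.
# Run from an elevated PowerShell prompt on Windows 10.

$exe = 'opera.exe'

# 1. Show the mitigations currently applied to the process (system defaults
#    apply unless a per-process entry exists).
Get-ProcessMitigation -Name $exe

# 2. The post reports that Arbitrary Code Guard (BlockDynamicCode) and
#    "Disable Win32k system calls" stopped Opera from launching. Both have an
#    audit-only variant, so turn those on first: failures then show up as
#    events instead of a browser that will not start.
Set-ProcessMitigation -Name $exe -Enable AuditDynamicCode, AuditSystemCall

# 3. Mitigations that Chromium-based browsers normally tolerate can be
#    enforced directly. If the browser misbehaves, revert the whole entry
#    with: Set-ProcessMitigation -Name $exe -Remove
Set-ProcessMitigation -Name $exe -Enable DEP, SEHOP, ForceRelocateImages, `
    BottomUp, HighEntropy, CFG, DisableExtensionPoints, `
    BlockRemoteImageLoads, DisableNonSystemFonts

# 4. After using the browser for a while, look for audit hits against it in
#    the Exploit Protection event channels. A clean run is the signal that the
#    audited mitigation can be promoted to its enforcing form.
$logs = 'Microsoft-Windows-Security-Mitigations/UserMode',
        'Microsoft-Windows-Security-Mitigations/KernelMode'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($exe) } |
        Select-Object TimeCreated, Id, Message
}

# 5. List the ASR rules in force, decoding the numeric action so an
#    "enabled" rule that is only in Audit mode is not mistaken for Block.
$pref   = Get-MpPreference
$action = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id  = $pref.AttackSurfaceReductionRules_Ids[$i]
    $act = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1}' -f $id, $action[$act]
}
```

Step 2 is the part worth copying: any mitigation that has an Audit* counterpart should be rolled out that way first, because an enforcing mitigation that breaks the process gives you no event, only a browser that refuses to open.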
 
