Advanced Plus Security Kongo's Computer Security Config 2024

Last updated
Feb 25, 2024
How it's used?
For home and private use
Operating system
Windows 11
On-device encryption
BitLocker Device Encryption for Windows
Log-in security
    • Hardware security key
Security updates
Allow security updates and latest features
Update channels
Allow stable updates only
User Access Control
Always notify
Smart App Control
Off
Network firewall
Enabled
About WiFi router
- Speedport Smart 4
- Firewalla Blue +
Real-time security
Deep Instinct Endpoint Protection
Firewall security
Microsoft Defender Firewall with Advanced Security
About custom security

Hardening tools:
- Firewall Hardening (blocking outbound connections of LOLBins)
- Run by SmartScreen (forces SmartScreen to scan files of choice)

- STOP/DJVU Ransomware Vaccine (immunizes system against this type of ransomware)
- O&O ShutUp10 (recommended settings)
- O&O AppBuster (removed unnecessary Windows 11 apps)
- Windows Sandbox



System settings:
- Microsoft Defender running in sandbox (inactive)
- Reputation Based Protections (all modules enabled)
- Smart App Control enabled

- Data Execution Prevention set to AlwaysOn
- Core Isolation: Memory Integrity enabled
- Kernel-mode Hardware-enforced Stack Protection enabled
- Secure Boot enabled
- Drives encrypted via TPM (BitLocker)
- Windows Update Delivery Optimization disabled
- AutoPlay disabled
- Network Discovery disabled (Public Firewall profile)
- PowerShell --> Constrained Language Mode
- Hide extensions for known file types --> disabled
- Show hidden files --> enabled

- Virtualization enabled (allows Application Sandboxing)
- Custom Exploit Protection Settings for Firefox:
Code:
Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

Thanks to @oldschool for sharing! :)

Hardware Firewall (Firewalla Blue Plus):
- Active Protect (Strict)
- Ad Block (Strict)
- OISD blocklist enabled in Firewalla
- New Device Quarantine (restricted internet access for newly connected devices)

- Geo-IP Filtering (blocking connections from and to Russian + Chinese IPs)
- Unbound DNS enabled for all devices
Periodic malware scanners
Norton Power Eraser, X-Sec and AdwCleaner
Malware sample testing
I do participate in malware testing. See details about my testing environment below.
Environment for malware testing
VMware Workstation Player + Mullvad VPN on host machine while connected to the guest network.

Online Malware Analysis Platforms that I use:


- FileScan.iO
- Intezer Analyze
- Hybrid Analysis
- VirusTotal
- Sophos Intelix
- Valkyrie
- ANY.RUN
- Triage
- Kaspersky Threat Intelligence Portal
- Docguard.iO
- PolySwarm
- Yomi
- Neiki.Dev
- ThreatZone
- UnpacMe


--> Currently I am barely testing
Browser(s) and extensions

Mozilla Firefox v. 124.0.2

Extensions:
- uBlock Origin Lite
- SafeToOpen

- Bitwarden


Browser privacy and security settings:
- Tracking protection: Strict (enables Total Cookie Protection)
- Enable secure DNS using: Max Protection
- HTTPS-only-mode enabled
- DuckDuckGo set as search engine
- Pocket disabled
- Sending DNT-requests disabled (enabling makes you more identifiable and barely gives any advantage on most sites.)
- Clearing browsing data on exit
- Search suggestions disabled
- Websites overview disabled
- Blocking incoming location, camera and microphone requests
- AutoPlay for audio and video disabled
- Firefox telemetry disabled (also in about:config)
- Blocking pop-ups
- Warn when websites try to install addons enabled
- Protection against fraudulent content and dangerous software enabled



about:config tweaks:
- network.dns.echconfig.enabled = true
- network.dns.use_https_rr_as_altsvc = true
- fission.autostart = true
- pdfjs.enableScripting = false
- network.IDN_show_punycode = true
- security.ssl.require_safe_negotiation = true
- geo.enabled = false
- webgl.disabled = true
- network.trr.mode = 3 (NextDNS)

Secure DNS

- NextDNS with DoH + OISD blocklist (Firefox exclusively)
- Unbound DNS (Network-wide)


Desktop VPN
Proton VPN with Secure Core, NetShield and Permanent Kill Switch
Password manager
Bitwarden Premium
Maintenance tools
PatchMyPC, RuckZuck, UpdateHub, HiBit Uninstaller and Windows built-in tools for cleaning and optimization
File and Photo backup
Backup to external drive when necessary
Active subscriptions
    • Google One Standard 200GB
System recovery
Aomei Backupper
Risk factors
    • Browsing to popular websites
    • Browsing to unknown / untrusted / shady sites
    • Opening email attachments
    • Buying from online stores, entering bank card details
    • Downloading software and files from reputable sites
    • Gaming
    • Streaming audio/video content from shady sites
    • Downloading malware samples
Computer specs
GPU: Nvidia Geforce RTX 360 TI
CPU: Intel I5 12600K
RAM: 16 GB DDR4-3200 Crucial
Hard disks: 500 GB Samsung 970 EVO Plus + 1 TB Western Digital Blue
Notable changes
- Updated for year 2024
What I'm looking for?

Looking for minimum feedback.
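
The Firefox Exploit Protection settings listed above are usually clicked through one by one in the Windows Security UI. As an added example (not part of this post and not code from Microsoft or Mozilla), the PowerShell below applies the same set to firefox.exe with the ProcessMitigations module and then reads the stored policy back so each setting can be confirmed as ON. The mapping from UI labels to mitigation names, and the function names, are this example's own.

```powershell
# Added example (not part of the original post): apply the Exploit
# Protection settings from the thread to firefox.exe with the
# ProcessMitigations module, then read the policy back and flag anything
# that is not ON. Run from an elevated PowerShell on Windows 10 1709+ / 11.

$Exe = 'firefox.exe'

# Windows Security UI label -> mitigation name accepted by Set-ProcessMitigation -Enable
$Wanted = [ordered]@{
    'Block low integrity images'                   = 'BlockLowLabelImageLoads'
    'Block remote images'                          = 'BlockRemoteImageLoads'
    'Block untrusted fonts'                        = 'DisableNonSystemFonts'
    'Control flow guard (CFG)'                     = 'CFG'
    'Data execution prevention (DEP)'              = 'DEP'
    'DEP: Enable thunk emulation'                  = 'EmulateAtlThunks'
    'Disable extension points'                     = 'DisableExtensionPoints'
    'Mandatory ASLR'                               = 'ForceRelocateImages'
    'Mandatory ASLR: Do not allow stripped images' = 'RequireInfo'
    'Bottom-up ASLR'                               = 'BottomUp'
    'Validate exception chains (SEHOP)'            = 'SEHOP'
    'Validate handle usage'                        = 'StrictHandle'
    'Validate heap integrity'                      = 'TerminateOnError'
    'Validate image dependency integrity'          = 'EnforceModuleDependencySigning'
}

# Write the per-executable policy (it lands under Image File Execution Options).
function Set-FirefoxMitigations {
    Set-ProcessMitigation -Name $Exe -Enable ([string[]]$Wanted.Values)
}

# Look one mitigation up in the object returned by Get-ProcessMitigation.
# The output is grouped by category (DEP, ASLR, ImageLoad, ...). Most
# mitigations appear as a property named after them; DEP, CFG and SEHOP
# expose their main switch as "Enable" inside a category of the same name.
function Get-MitigationState {
    param($Policy, [string]$Mitigation)
    foreach ($category in $Policy.PSObject.Properties) {
        $group = $category.Value
        if ($null -eq $group -or $group -is [string] -or $group -is [ValueType]) { continue }
        $direct = $group.PSObject.Properties[$Mitigation]
        if ($direct) { return "$($direct.Value)" }
        if ($category.Name -eq $Mitigation) {
            $enable = $group.PSObject.Properties['Enable']
            if ($enable) { return "$($enable.Value)" }
        }
    }
    return 'UNKNOWN'   # name not found in this Windows build's output
}

# One row per wanted setting; Ok is $false for OFF, NOTSET or UNKNOWN.
function Test-FirefoxMitigations {
    $policy = Get-ProcessMitigation -Name $Exe
    foreach ($entry in $Wanted.GetEnumerator()) {
        $state = Get-MitigationState -Policy $policy -Mitigation $entry.Value
        [pscustomobject]@{
            Setting    = $entry.Key
            Mitigation = $entry.Value
            State      = $state
            Ok         = ($state -eq 'ON')
        }
    }
}

Set-FirefoxMitigations
Test-FirefoxMitigations | Format-Table -AutoSize
```

Get-ProcessMitigation -Name reads the configured policy, not a live process; to see what a running Firefox actually got, use Get-ProcessMitigation -RunningProcesses. Before changing anything it is worth exporting the whole exploit-protection configuration with Get-ProcessMitigation -RegistryConfigFilePath <file> so it can be restored with Set-ProcessMitigation -PolicyFilePath <file>.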

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
- replaced AdGuard Windows with AdGuard Browser extension and NextDNS via YogaDNS for now. (Sophos Intercept X also prevents AdGuard Windows from filtering)
- removed Flagfox
- added ClearURLs
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
I use NextDNS with YogaDNS too, the NextDNS client for Windows is kinda meh.. Is Sophos Intercept X better than Hitman Pro Alert? How has it worked for you?
HitmanPro.Alert is integrated into Sophos Intercept X so it should perform similar in terms of exploit and ransomware protection. It has some extra features that are not included in HitmanPro.Alert nor Sophos Home Premium.

Here are the Threat Protection Policies of Intercept X if you are interested:
1. 1.PNG
2. 2.PNG
3. 3.PNG
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
That is quite a large feature set but I appreciate that they give you options and not just hoover all your data and send it to Sophos. How is the resource usage?
Well, CPU usage is fine, but the RAM usage and the amount of processes is quite a lot. I have 16 GB of RAM so I didn't run into any problems for now, but for older systems it might be an issue.

1.PNG

2.PNG

3.PNG

This is the usage after one day of use and after performing a system scan. Might be lower after some days of use...
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
How is Sophos so far? Is it light? Do you recommend it? and is there a free version? I would like to try it after my subscription with BD ends...
I wouldn't say that it's too light but not too heavy, but there are definitely lighter solutions out there. At the moment I don't recommend the home version of Sophos, if you check out the tests in the Malware Hub here on MalwareTips you will understand. 😄 It does have a free version, but it's pretty basic and can't keep up with Kaspersky Free, Microsoft Defender or Bitdefender Free if you ask me. I think Sophos Home Premium has a lot of potential but things like their AMSI scanning (script protection) have to be improved in the future if it wants to compete with the big players like Kaspersky. After all it's not right to say that Sophos is bad, it has good ransomware protection and also good exploit protection (thanks to HitmanPro.Alert). If you want to give it a try then do it, I'm sure it will offer solid protection after all. Keep in mind that I'm using the business version at the moment, so the protection may differ from the home version, as some modules are missing in the version for Home users. Hope it helped! :)
 

ZeePriest

Level 7
Verified
Well-known
Jul 2, 2020
305
I wouldn't say that it's too light but not too heavy, but there are definitely lighter solutions out there. At the moment I don't recommend the home version of Sophos, if you check out the tests in the Malware Hub here on MalwareTips you will understand. 😄 It does have a free version, but it's pretty basic and can't keep up with Kaspersky Free, Microsoft Defender or Bitdefender Free if you ask me. I think Sophos Home Premium has a lot of potential but things like their AMSI scanning (script protection) have to be improved in the future if it wants to compete with the big players like Kaspersky. After all it's not right to say that Sophos is bad, it has good ransomware protection and also good exploit protection (thanks to HitmanPro.Alert). If you want to give it a try then do it, I'm sure it will offer solid protection after all. Keep in mind that I'm using the business version at the moment, so the protection may differ from the home version, as some modules are missing in the version for Home users. Hope it helped! :)
Thanks for the elaboration and yes it helped a lot :)
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
Nice post, really helpful,
but for Mozilla I have those tweaks, for privacy and security, without any trouble.
More info here: Mozilla Firefox and a bit better Privacy /// Privacy Guide /// arkenfox/user.js /// Firefox Hardening Guide 2018
about:config tweaks:
-----------------------------------------------------------
accessibility.force_disabled = 1
javascript.options.asmjs = false
javascript.options.wasm = false
layout.css.visited_links_enabled = false
-----------------------------------------------------------
privacy.cpd. = all true
privacy.clearOnShutdown = all true
plugin.scan.plid.all = false
pdfjs.enableScripting = false
privacy.firstparty.isolate = true
-------------------------------------------------------------
security.ssl3.rsa_aes_128_gcm_sha256 = false
security.ssl3.rsa_aes_256_gcm_sha384 = false
security.ssl3.ecdhe_ecdsa_aes_128_sha = false
security.ssl3.ecdhe_rsa_aes_128_sha = false
security.ssl3.rsa_aes_128_sha = false
security.ssl3.rsa_des_ede3_sha = false
security.ssl3.ecdhe_ecdsa_aes_256_sha = false
security.ssl3.ecdhe_rsa_aes_256_sha = false
security.ssl3.rsa_aes_256_sha = false
security.ssl.disable_session_identifiers = true
security.ssl.enable_false_start = false
security.tls.enable_0rtt_data = false
security.ssl.require_safe_negotiation = true
security.tls.enable_delegated_credentials = true
security.tls.enable_post_handshake_auth = true
security.tls.hello_downgrade_check = false
security.mixed_content.block_display_content = true
security.mixed_content.block_object_subrequest = true
security.mixed_content.upgrade_display_content = true
security.secure_connection_icon_color_gray = false
security.insecure_connection_text.enabled = true
security.insecure_connection_text.pbmode.enabled = true
security.remote_settings.crlite_filters.enabled = true
security.pki.sha1_enforcement_level = 1
security.cert_pinning.enforcement_level = 2
security.pki.crlite_mode = 2
security.family_safety.mode = 0
security.enterprise_roots.enabled = true
--------------------------------------------------------------
beacon.enabled = false
browser.cache.offline.enable = false
browser.cache.disk.enable = false
browser.cache.disk_cache_ssl = false
browser.cache.memory.enable = false
browser.cache.insecure.enable = false
browser.urlbar.speculativeConnect.enabled = false
browser.fixup.alternate.enabled = false
browser.urlbar.trimURLs = false
browser.shell.shortcutFavicons = false
browser.ssl_override_behavior = 1
browser.sessionstore.privacy_level = 2
browser.send_pings.max_per_link = 0
browser.sessionstore.max_tabs_undo = 0
browser.urlbar.dnsResolveSingleWordsAfterSearch = 0
browser.newtabpage.activity-stream.feeds.telemetry = false
browser.newtabpage.activity-stream.telemetry = false + Blank Url Pages
browser.newtabpage.activity-stream.filterAdult = false
browser.tabs.crashReporting.sendReport = false
browser.ping-centre.telemetry = false
browser.taskbar.lists.enabled = false
browser.taskbar.lists.frequent.enabled = false
browser.taskbar.lists.tasks.enabled = false
browser.uitour.enabled = false
browser.aboutConfig.showWarning = false
----------------------------------------------------------------
dom.ipc.plugins.flash.subprocess.crashreporter.enabled = false
dom.ipc.plugins.reportCrashURL = false
dom.security.https_only_mode_pbm = true
dom.security.https_only_mode_send_http_background_request = false
dom.security.https_only_mode.upgrade_local = true
dom.block_download_insecure = true
dom.popup_allowed_events = click dblclick mousedown pointerdown
dom.event.contextmenu.enabled = false
dom.event.clipboardevents.enabled = false
dom.allow_cut_copy = false
dom.battery.enabled = false
dom.vr.enabled = false
dom.gamepad.enabled = false
dom.vibrator.enabled = false
-----------------------------------------------------------
network.dns.disablePrefetch = true
network.predictor.enabled = false
network.prefetch-next = false
network.dns.echconfig.enabled = true
network.dns.use_https_rr_as_altsvc = true
network.http.http3.enabled = true
network.trr.mode = 3
network.cookie.thirdparty.sessionOnly = true
network.cookie.thirdparty.nonsecureSessionOnly = true
network.IDN_show_punycode = true
network.http.speculative-parallel-limit = 0
network.http.referer.XOriginPolicy = 1
network.http.referer.XOriginTrimmingPolicy = 2
network.auth.subresource-http-auth-allow = 1
---------------------------------------------------------
media.gmp-widevinecdm.enabled = false
media.eme.enabled = false
media.navigator.enabled = false
media.peerconnection.video.vp9_enabled = false
media.peerconnection.identity.enabled = false
media.peerconnection.dtmf.enabled = false
media.peerconnection.enabled = false
media.peerconnection.use_document_iceservers = false
media.peerconnection.video.enabled = false
media.peerconnection.identity.timeout = 1
media.getusermedia.screensharing.enabled = false
media.peerconnection.turn.disable = true
media.peerconnection.ice.default_address_only = true
-----------------------------------------------------
datareporting. = false + Blank Url Pages
device.sensors.enabled = false
webgl.disabled = true
webgl.disable-wgl = true
identity.fxaccounts.enabled = false
toolkit.telemetry = all false + Blank Url Pages
extensions.pocket.enabled = false
app.normandy.enabled = false
geo.enabled = false

Extensions
--------------------------------
HTTPS Everywhere
Encrypt All Sites Eligible is ON
---------------------------------
NoScript
---------------------------------
uBlock Origin
Add

AdGuard Base
AdGuard Tracking Protection
AdGuard Annoyances
EasyList Cookie
MVPS HOSTS

Custom Filters
Web Annoyances Ultralist
Damn, those are a lot... You really aren't facing any problems with all those tweaks enabled?
HTTPS Everywhere isn't necessary in Firefox anymore btw, it's integrated already. When setting tracking protection to strict in Firefox, you don't need First Party Isolation either, as setting it to strict enables Total Cookie Protection which is an improved and more user friendly option of FPI.
 
Last edited:
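
The pref lists in this thread (the thread author's about:config tweaks and the longer quoted list above) are easy to drift from after a Firefox update or a profile reset. As an added example, not code from the original posts or from Mozilla, the following PowerShell parses a profile's prefs.js and user.js and audits them against a baseline built from a subset of those tweaks. It also flags the redundancy Kongo points out above: privacy.firstparty.isolate left on while tracking protection is set to Strict (which Firefox stores as browser.contentblocking.category = strict). The baseline, the function names and the sample prefs lines are this example's own.

```powershell
# Added example (not part of the original posts): audit a Firefox profile's
# prefs.js / user.js against a baseline drawn from the about:config tweaks
# in this thread. Parsing assumes the standard
#   user_pref("name", value);
# line format. The profile lookup assumes the default Windows location; if
# no profile is found, a constructed sample (below) is audited instead.

# Baseline: a subset of the thread's tweaks (bool, int and string values)
$Baseline = [ordered]@{
    'network.trr.mode'                      = 3
    'pdfjs.enableScripting'                 = $false
    'network.IDN_show_punycode'             = $true
    'security.ssl.require_safe_negotiation' = $true
    'security.tls.enable_0rtt_data'         = $false
    'network.http.referer.XOriginPolicy'    = 1
    'media.peerconnection.enabled'          = $false
    'geo.enabled'                           = $false
    'webgl.disabled'                        = $true
    'dom.popup_allowed_events'              = 'click dblclick mousedown pointerdown'
}

# Parse user_pref(...) lines into a hashtable of typed values.
function ConvertFrom-UserPrefs {
    param([string[]]$Lines)
    $prefs = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$') {
            $name = $Matches[1]
            $raw  = $Matches[2].Trim()
            $prefs[$name] = switch -Regex ($raw) {
                '^(true|false)$' { [bool]::Parse($raw); break }
                '^-?\d+$'        { [int]$raw; break }
                '^"(.*)"$'       { $Matches[1]; break }   # strip the quotes
                default          { $raw; break }
            }
        }
    }
    return $prefs
}

# Compare parsed prefs with the baseline. A pref absent from prefs.js means
# Firefox is using its built-in default, which may or may not equal the
# baseline, so it is reported as NOT SET rather than as a mismatch.
function Test-FirefoxPrefs {
    param([hashtable]$Prefs)
    foreach ($entry in $Baseline.GetEnumerator()) {
        $present = $Prefs.ContainsKey($entry.Key)
        $actual  = if ($present) { $Prefs[$entry.Key] } else { '(Firefox default)' }
        if (-not $present) { $status = 'NOT SET' }
        elseif ($actual -eq $entry.Value) { $status = 'OK' }
        else { $status = 'MISMATCH' }
        [pscustomobject]@{ Pref = $entry.Key; Expected = $entry.Value; Actual = $actual; Status = $status }
    }
    # Caveat from this thread: with tracking protection on Strict, Total
    # Cookie Protection already covers what First Party Isolation did.
    if ($Prefs['privacy.firstparty.isolate'] -eq $true -and
        $Prefs['browser.contentblocking.category'] -eq 'strict') {
        [pscustomobject]@{ Pref = 'privacy.firstparty.isolate'; Expected = '(not needed with Strict ETP)'; Actual = $true; Status = 'REDUNDANT' }
    }
}

# Constructed sample lines (not from a real profile) so the audit runs anywhere.
$SampleLines = @(
    'user_pref("network.trr.mode", 3);',
    'user_pref("pdfjs.enableScripting", false);',
    'user_pref("network.IDN_show_punycode", true);',
    'user_pref("security.tls.enable_0rtt_data", true);',
    'user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");',
    'user_pref("privacy.firstparty.isolate", true);',
    'user_pref("browser.contentblocking.category", "strict");'
)

$lines = $SampleLines
$profileRoot = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profileRoot) {
    $ffProfile = Get-ChildItem $profileRoot -Directory |
        Where-Object { Test-Path (Join-Path $_.FullName 'prefs.js') } |
        Select-Object -First 1
    if ($ffProfile) {
        $lines = Get-Content (Join-Path $ffProfile.FullName 'prefs.js')
        $userJs = Join-Path $ffProfile.FullName 'user.js'
        # user.js is applied on top of prefs.js at startup, so read it last
        if (Test-Path $userJs) { $lines += Get-Content $userJs }
    }
}

Test-FirefoxPrefs -Prefs (ConvertFrom-UserPrefs -Lines $lines) | Format-Table -AutoSize
```

Run it with Firefox closed, since prefs.js is rewritten on exit. On the constructed sample it reports OK for the four prefs that match, MISMATCH for security.tls.enable_0rtt_data, NOT SET for the baseline prefs the sample omits, and one REDUNDANT row for privacy.firstparty.isolate.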

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,783
- replaced Sophos Intercept X with AVG Internet Security
If you have 3DMark installed give it a test. Something is up with frame rates in many games with AVG installed. And 3DMark took a nearly 10% hit to the CPU score, showing the source of my issue. I reported it to their team and they sent it on to the engineers. I never heard back.
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,498
If you have 3DMark installed give it a test. Something is up with frame rates in many games with AVG installed. And 3DMark took a nearly 10% hit to the CPU score, showing the source of my issue. I reported it to their team and they sent it on to the engineers. I never heard back.
Might be caused by the gaming or no notification mode. Will see if I face the same issues, thanks for letting me know. (y)
 

Moonhorse

Level 37
Verified
Top Poster
Content Creator
Well-known
May 29, 2018
2,607
That's one very well detailed config; the only thing which comes to my mind is a fallback browser if you run into problems with those Firefox tweaks.

Here's a checklist if you find anything helpful, you could add it as you have Firefox tweak sites noted:
 
