securitydolphin

New Member
My security configuration is based around a few simple principles:
1) Keep the amount of applications used to a minimum while covering as much ground as possible and with little to no overhead.
2) The configuration must be as non-intrusive as possible and get out of your way until you encounter an issue.
3) It must be low maintenance and have minimal privacy concerns.

Point (1) is important as an overabundance of applications leads to security fatigue as well as overall incompetence in understanding your own setup. In addition, it also increases the chances of human error and can also lead to a fragmented user experience. For example, utilizing COMODO Firewall, Avira Free Antivirus, Malwarebytes Anti-Exploit, Malwarebytes Anti-Malware, DNSCrypt, Secunia PSI, and other various applications is a strong setup, but the security fatigue you acquire from trying to maintain each part of your setup offsets the benefits you acquire from your "homegrown Security Suite". Vice versa, having too few applications is also not recommended, as only utilizing one application leaves you too open to human error, as a simple mistake or impulse can compromise your system.

Point (2) is also important because I am not building my computer to be Fort Knox or to test it against a zoo of malware. I am using it to work safely and efficiently. For these reasons, I condone heavy Antiviruses or Suites like Kaspersky or Norton, as they consume a large amount of system resources. I also want my system to be as non-intrusive as possible. I don't want popups confirming that my computer is safe, and I only want popups when I open an unknown application or when I need to know what an application is attempting to do. Anything else is unnecessary.

Point (3) is the most important one; I don't want to maintain my suite. Obviously there has to be some user intervention, but I want my config to stay in the background and update itself while I am doing what I need to do, which is work. Just as important is privacy. I want to use only software from reputable companies that have clear-cut Privacy Policies as well as a proven track record. Hence, applications like 360 Total Security are not good by my criteria due to their awful track record and suspicious privacy policy.

----

Now that I have my mantra out of the way, here are my basic system specs:

Dell XPS 15 9550
Intel Core i5 (Quad-Core)
8GB RAM
Intel HD Integrated Graphics | NVIDIA Graphics

This is a high-end laptop primarily used for photo editing and gaming, both of which I do extensively. I also crawl the web frequently and sometimes venture into uncharted territory. Hence, I would consider myself a high-risk user.

----

So, let's talk about my actual security config, right xd?

This will be split into 3 parts to better understand my system:
1) The OS Layer (The operating system config, this is my last defense if the next 2 layers are compromised.)
2) The Browser Layer (The web browser is a huge attack vector, and is where I dedicate the most time defending. The majority of malware never get past this point.)
3) The Network Layer (Control of connections in and out of my computer; this is where I devote the least of my time to, as there is little configuration to be done in this area.)

Now then, let's start with (1).

----
The OS Layer
- Avast Premier (w/ File Shield, Web Shield, Firewall, Secure DNS, Software Updater, and Sandbox enabled)
- Malwarebytes Anti-Malware Premium
- SpyShelter Premium

Avast Premier is my primary defense against viruses, and there is considerable overlap between it and the other layers; it is a staple line of defense in all 3. Avast has been shown to have above-average virus detection and a strong featureset. I have it set to maximum heuristics as well as hardened mode enabled. Hardened mode is the equivalent of an anti-exe application, which is the reason I have it enabled.

Malwarebytes Anti-Malware Premium is my supplementary anti-malware application that defends against 0-day attacks. It does not conflict with Avast and catches things that Avast does not.

Finally, SpyShelter Premium is used as an anti-spyware tool and HIPS / Sandbox. It is the only software on this list that requires constant user intervention, but it is usually unintrusive and after a few days of usage there are little to no popups that are not false positives. The featureset is incredibly robust and keyboard encryption is appreciated.
----
The Browser Layer
- SRWare Iron
a) uBlock Origin (w/ uBlock filters, Malvertising Filter List by Disconnect, Malware Domains List, Gnuzilla Privacy Blacklist) + uBlock Origin Websocket
b) Privacy Badger
c) HTTPS Everywhere
d) Popup Blocker Pro

SRWare Iron is my browser of choice, regardless of controversy. It is a strong browser that obviously has better privacy built-in compared to Chrome. Although it does not auto-update, the privacy improvement offsets the minor security hole.
- uBlock Origin is my adblocker of choice. It is a very efficient content blocker for stopping tracking and malvertising in its tracks. I utilize the lists above as they are the most streamlined; EasyList and EasyPrivacy are too heavy and have been subject to controversy after discovery of whitelisted advertising domains.
- Privacy Badger catches unknown hosts that uBlock does not catch. After a few weeks of usage Privacy Badger usually stops connections even before uBlock gets a chance to filter them.
- HTTPS Everywhere because SSL/TLS is not yet fully enforced and encrypting connections is important.
- Popup Blocker Pro for stopping annoying popups and redirections into various malware-infested websites. This is my first line of defense against Malware Domains before my Web Filtering kicks in.
----
The Networking Layer
- Malwarebytes Anti-Exploit Premium
- StevenBlack HOSTS

Malwarebytes Anti-Exploit Premium is a lightweight, non-intrusive tool that does what it says, and it required little configuration. I enabled everything and disabled telemetry for privacy reasons.

The StevenBlack HOSTS list is used to drop connections to common ad and tracking servers before they even connect. It is primarily for applications, not web browsers, but it adds another layer in the browser that ultimately speeds up browsing much more than an adblocker alone.
----

The rest of my applications are irrelevant. CCleaner Professional cleans system traces to preserve disk space and privacy, while Syncthing synchronizes with a remote folder on a home server running Arch Linux. To complete my setup, I have endpoint protection in the form of BitLocker encrypted with a passphrase generated using the diceware method, as well as the recovery key stored on an encrypted SanDisk Extreme USB drive. Finally, Prey Anti-Theft is used in case the device is stolen while the device is on and BitLocker is unlocked.
 
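To make the HOSTS-file point in the Networking Layer section concrete, here is an added example (mine, not securitydolphin's setup and not code from the StevenBlack project) that parses a hosts file in that layout and reports what it actually does: names sent to a sinkhole address (0.0.0.0, 127.0.0.1, ::, ::1) are blocks, names pointed at any other address are silent redirects rather than blocks (on a blocklist that is a hijack worth flagging), and lines that are not a valid address plus hostname are malformed. The `SAMPLE_HOSTS` text, the example.com/net/org names and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Addresses a hosts-file blocklist points names at so that connections go nowhere.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Loopback names every hosts file carries; these are mappings, not blocks.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback", "0.0.0.0"}

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))*")

# Constructed sample in the StevenBlack layout (not the real list).
SAMPLE_HOSTS = """\
# Title: constructed sample, hosts-file blocklist layout
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0

# Start custom entries
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # inline comment is ignored
0.0.0.0 Telemetry.Example.org
192.0.2.10 update.example.com   # not a sinkhole: this redirects rather than blocks
0.0.0.0 -invalid.example.com
not-an-ip ads.example.com
"""


@dataclass
class HostsAudit:
    blocked: set = field(default_factory=set)        # names sent to a sinkhole
    overridden: dict = field(default_factory=dict)   # name -> non-sinkhole address
    malformed: list = field(default_factory=list)    # (line number, raw line)


def parse_hosts(text: str) -> HostsAudit:
    """Parse hosts-file text and classify every entry."""
    audit = HostsAudit()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            audit.malformed.append((lineno, raw))
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if not HOSTNAME_RE.fullmatch(name):
                audit.malformed.append((lineno, raw))
                continue
            if name in LOOPBACK_NAMES:
                continue
            if str(ip) in SINKHOLE_IPS:
                audit.blocked.add(name)
            else:
                # A non-sinkhole address silently redirects the name; on a
                # blocklist that is a hijack, not a block, so flag it.
                audit.overridden[name] = str(ip)
    return audit


def is_blocked(audit: HostsAudit, hostname: str) -> bool:
    """Exact-match lookup: hosts files have no wildcards, so a blocked
    ads.example.com says nothing about cdn.ads.example.com."""
    return hostname.lower().rstrip(".") in audit.blocked


if __name__ == "__main__":
    audit = parse_hosts(SAMPLE_HOSTS)
    print(f"{len(audit.blocked)} blocked, {len(audit.overridden)} overridden, "
          f"{len(audit.malformed)} malformed")
    for name in ("ads.example.com", "cdn.ads.example.com", "update.example.com"):
        print(f"{name}: {'blocked' if is_blocked(audit, name) else 'not blocked'}")
```

The exact-match lookup is the practical caveat: a hosts file only stops the hostnames literally listed in it, so a tracker served from a fresh subdomain sails past it, which is why it works best as a layer under a browser blocker (uBlock Origin's filters can match domain patterns) rather than as a replacement for one. Running the audit before installing a downloaded list also surfaces any entry that points a name at a non-sinkhole address.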

Cats-4_Owners-2

Level 37
Trusted
Verified
securitydolphin, your narrative walkthrough brought us to the inside of your fortifications with straightforward explanations as to the software, and how they accomplish what you wish to be done which has also been a pure joy to behold!:)
Thank you for this most excellent and interesting ride that has brought out smiles of approval from us all!:D
 

securitydolphin

New Member
Any reason to disable Smartscreen?
SmartScreen has proven to be an extremely weak file reputation system, and more often than not, the level of protection you acquire from it at both the network and executable level is negligible in exchange for the potential privacy issues. In addition, there is a layer of redundancy as I utilize Avast's file reputation network at the executable level and uBlock Origin and the HOSTS file to block malware domains at the network level. These two systems are much more effective than Microsoft's SmartScreen while adding almost no overhead.

Microsoft's basic security offerings are not good enough for true security. Hence, I do not rely on anything built into the OS itself, as they are purely meant to give you baseline protection, not adequate security. UAC and the built-in Windows Firewall are exceptions to this, as they are sturdy lines of defense that actually work, hence why I keep those enabled and not Windows Defender or SmartScreen. Common Sense 2016 is not enough, especially when it comes to dealing with Exploit Kits and Ransomware that require little to no user intervention.
 

DJ Panda

Level 29
Verified
Although SmartScreen can be weak in some areas, it's like another built-in line of defence like UAC, and I would highly recommend enabling it. Doing a system image backup and adding Zemana Anti-Malware for scanning are other good things that come to mind.
 