
Gandalf_The_Grey

Level 23
Verified
I just downloaded Hard_Configurator. Should I discontinue use of ConfigureDefender or do they work well together?
They work (very well) together. ConfigureDefender is also a separate module installed with Hard_Configurator:

There is a lot of information and great help available in this thread:
 

pvsurfer

Level 1
That does it, I've decided to stay with WD and I will ignore my customer's suggestion to replace it with SEP/SEPC. Of course I also plan to learn how to use Hard_Configurator!

I want to express my gratitude to everyone here who helped me with this decision. You guys (and this forum) are great.
 

Dave Russo

Level 10
Verified
Hi everyone,

I have my tiny (1-person) home-business on a PC running Windows Pro x64 with Windows Defender enabled using Configure_Defender's 'High' setting and I back up my system to an external drive every day using Macrium Reflect.

One of my customers (who works in IT) advises me to switch from Windows Defender to Symantec Endpoint Protection, claiming it is a far superior 'anti-threat' system. So I've come here to get opinions/suggestions from MT's security-savvy forum members. Should I switch?
I am also using Symantec Endpoint Protection, with SecureAPlus (registered as anti-virus clicked off to allow it to work with other anti-virus programs). What I would like to know is if you have tweaked settings? Firewall traffic settings has options to: 1. Block all traffic until firewall starts and after firewall stops; 2. Enable NetBIOS protection; 3. Allow token ring traffic; 4. Enable denial of service detection. None of these are on my default settings, and I would appreciate any advice you or others might have about this. Thanks for your post.
 

MacDefender

Level 4
Verified
Wow, that is enlightening and really 'hits home' - i.e., Ring Doorbell and guests (relatives) using my WiFi password!!! What can I do to be more secure in that regard?
Oops I missed this! Some things you can do:

(1) Move untrusted “internet of things” devices onto the guest network, away from anything you trust. Ring Doorbells, smart plugs, even smart TVs — it’s only a matter of time before smart TVs go from just spying on your network for advertising to getting compromised and cryptolocking your NAS.
(2) Some neat enterprise access points support “DPSK”, which basically looks like a normal PSK network but the network accepts multiple passwords. By giving each client their own PSK you can track what key users are using to get on your network and revoke any necessary keys.
(3) Most importantly, keep an eye on your network for guests you don’t recognize. Some firewalls like ESET seem to have this function. The Fing app (for iOS or Android, the Android one is more powerful) is another good way to inventory your network. Your router might have some helpful features too.
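
Point (3), spotting devices you don't recognize, comes down to comparing the router's client list against the devices you have already identified. The script below is an added example, not part of the original post; the lease table, its three-column layout and the `KNOWN` allowlist are constructed for illustration.

```python
import re

# Constructed sample of a router's DHCP client table: IP, MAC, hostname.
LEASES = """\
192.168.1.10  3C:52:82:11:22:33  office-pc
192.168.1.11  00-11-32-aa-bb-cc  nas
192.168.1.23  b8:27:eb:01:02:03  raspberrypi
192.168.1.40  DA:A1:19:44:55:66  -
192.168.1.41  not-a-mac          printer
"""

# Hypothetical allowlist: devices the owner has identified, keyed by MAC.
KNOWN = {"3c:52:82:11:22:33": "office-pc", "00:11:32:aa:bb:cc": "nas"}

def normalize_mac(raw):
    """Return a lower-case colon-separated MAC, or None if malformed."""
    digits = re.sub(r"[:\-.]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True when the locally administered bit is set (private/random MAC)."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(leases, known):
    """Return (ip, mac, hostname, verdict) for each lease not on the allowlist."""
    findings = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # blank or truncated row
        ip, raw = parts[0], parts[1]
        host = parts[2] if len(parts) > 2 else "-"
        mac = normalize_mac(raw)
        if mac is None:
            findings.append((ip, raw, host, "unparseable"))
        elif mac not in known:
            verdict = "unknown-randomized" if is_randomized(mac) else "unknown"
            findings.append((ip, mac, host, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(LEASES, KNOWN):
        print(*finding)
```

Phones that use a private (randomized) Wi-Fi address show up as `unknown-randomized`; a MAC allowlist cannot identify those reliably, so confirm them by hostname or by asking the guest.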
 

pvsurfer

Level 1
I am also using Symantec Endpoint Protection, with SecureAPlus (registered as anti-virus clicked off to allow it to work with other anti-virus programs). What I would like to know is if you have tweaked settings? Firewall traffic settings has options to: 1. Block all traffic until firewall starts and after firewall stops; 2. Enable NetBIOS protection; 3. Allow token ring traffic; 4. Enable denial of service detection. None of these are on my default settings, and I would appreciate any advice you or others might have about this. Thanks for your post.
I believe you misunderstood my OP. I'm using WD, not SEP. I came here to find out if switching from WD to SEP was in my best interests (and the answer was a resounding 'No').
 

pvsurfer

Level 1
If you do choose to look into SEP, I would suggest looking at SEPC (the cloud variant). Same protection technology but the licensing fee is less confusing and more palatable.
That's no longer under consideration. ;)

@pvsurfer If you have Windows 10 Pro or Enterprise, I highly suggest you use GPO to lock your employees' machines; you can set up a common tight policy.
If not, H_C is your best friend.
Understood, and I'll rely on H_C with C_D. ;)
 

shmu26

Level 83
Verified
Trusted
Content Creator
and Chrome for browsing the internet
Good choice.
But no matter what browser you use, you still need to be careful that your credit card and/or passwords won't get skimmed, due to the website itself being compromised. If the website itself is compromised, your browser can't protect you once you type sensitive info into a web page. Just sayin'. This is really a different topic, and there are threads about it.
 

Lenny_Linux

Level 5
@pvsurfer The best and easiest way to improve security would be to follow @Umbra's advice to learn to use Software Restriction Policy, or use Hard_Configurator to use SRP with default settings.

As an intermediate (or first) step you could use H_C with the Windows_Security profile, according to the developer of H_C:

AndyFul said:
ConfigureDefender MAX Profile is extremely good for detecting/blocking EXE samples and can be used safely with the H_C profile: Windows_10_MT_Windows_Security_hardening.
This setup uses Windows Defender to block unknown programs (exe's with poor reputation) and Software Restriction Policies to block file formats with code (e.g. scripts). So you leave the block/allow decisions over to Microsoft.
 

Andy Ful

Level 51
Verified
Trusted
Content Creator
...
This setup uses Windows Defender to block unknown programs (exe's with poor reputation) and Software Restriction Policies to block file formats with code (e.g. scripts). So you leave the block/allow decisions over to Microsoft.
Yes, this is the most important part, which could also be done with WD (MAX) + SysHardener (tweaked) + RunBySmartScreen.
H_C can extend this protection via SRP to many other unsafe file types and prevent command-line access (blocking shortcuts, etc.). Furthermore, SRP allows whitelisting, which is more suitable for semi-advanced users (but not for average users).
 

blackice

Level 14
Verified
Nope, if the site is compromised, Netcraft or BDTL will do nothing. They detect fraudulent/malicious sites, not legit ones being compromised. They don't check the code; they are just blacklisters.
This is the truth. The nice thing about credit cards, at least in the US, is you aren’t liable for fraudulent charges as long as you address them in a timely fashion. So, your best defense is to stick to trusted sites, and check your transactions a few times a month.
 

notabot

Level 15
That’s generally fine to do. The things to keep in mind with WPA2-PSK are:

(1) Any device that connects to your network is saving a copy of your passphrase. That means if any of them get compromised, it will allow an attacker to know how to join your network. One popular recent example was the Ring Doorbell. If an attacker steals your doorbell they can take it apart and recover your Wi-Fi password.
(2) Thanks to modern GPUs, brute forcing PSKs isn’t actually super hard. Takes on the order of a few days to do depending on how strong your password is. It’s recommended to rotate often and use a strong PSK even though it’s a pain to type in.
(3) Don’t enable 802.11r if your AP supports it. Enabling 802.11r results in being vulnerable to KRACK which basically can allow someone else on your network instantly.
Isn't 802.11r needed to create a Wi-Fi mesh (needed in order to have seamless hopping from one wireless endpoint to a different endpoint)? Does KRACK also work with 802.11k?
 

MacDefender

Level 4
Verified
Isn't 802.11r needed to create a Wi-Fi mesh (needed in order to have seamless hopping from one wireless endpoint to a different endpoint)? Does KRACK also work with 802.11k?
Not at all. 802.11r is not required for fast enough (4 packets dropped) BSS switching. 802.11k is separate and it is more useful for mesh networking since it allows APs to report to clients what other APs are nearby. Otherwise it takes about a second for your client to scan for nearby APs.

There's no such thing as truly seamless roaming with wifi anyway because clients can only talk and listen on a single channel at a time. At some point it needs to make the decision it wants to move APs and at that point it will stop listening to the old access point.