Advice Request WD + ConfigureDefender set HIGH + OSA: A Match Made in Heaven?

[SearchLight]

Hello everyone,
After recently updating my W10 to the latest v2004, I decided to try what many here have said all along, that if you want to go light and free with WD you can't go wrong now that is has more matured. Less software conflicts, too.

For good measure I used Andy Ful's ConfigureDefender set to HIGH and matched WD with OSArmor. To my Browsers, I added BD Traffic Light, UbO, and DeCentraleyes. I am trying Iridium Browser as I type this post.

Is there anything else that I am missing to add? I came across a post that says Andy Ful created a more simplified Windows 10 System Hardener that I was think about using that as icing on the cake.

Finally, many here are VoodooShield afficionados so I was wondering if using this instead of OSA would provide better protection?

Thanks for all the advice in the past, now, and in the future.

 

[ErzCrz]

Hello everyone,
After recently updating my W10 to the latest v2004, I decided to try what many here have said all along, that if you want to go light and free with WD you can't go wrong now that is has more matured. Less software conflicts, too.

For good measure I used Andy Ful's ConfigureDefender set to HIGH and matched WD with OSArmor. To my Browsers, I added BD Traffic Light, UbO, and DeCentraleyes. I am trying Iridium Browser as I type this post.

Is there anything else that I am missing to add? I came across a post that says Andy Ful created a more simplified Windows 10 System Hardener that I was think about using that as icing on the cake.

Finally, many here are VoodooShield afficionados so I was wondering if using this instead of OSA would provide better protection?

Thanks for all the advice in the past, now, and in the future.

Looks like a pretty good setup though I'd use Hard_Configurator which includes ConfigureDefender and FirewallHardening instead of OSA. Just a simpler straight forward approach with better protection and without the need for 3rd party software protecting your system.

Using UBO in medium mode or default?

 

[SearchLight]

UBO in default. Tried configuring medium last time I used it, probably will go back.

 

[ErzCrz]

UBO in default. Tried configuring medium last time I used it, probably will go back.

Cool. I use a modified setup to Medium Mode (see my tweaks here which provide still good protection but far less maintenance than the default medium mode by having noop rules for my regularly used TLDs and My Filters blocks of abused ones etc. ) SECURITY: Complete - ErzCrz Simple Strong Protection I hardly ever have to go and unblock something with my normal browsing.

 

[SearchLight]

Cool. I use a modified setup to Medium Mode (see my tweaks here which provide still good protection but far less maintenance than the default medium mode by having noop rules for my regularly used TLDs and My Filters blocks of abused ones etc. ) SECURITY: Complete - ErzCrz Simple Strong Protection I hardly ever have to go and unblock something with my normal browsing.

I will take a look, thanks for the suggestion.

 

[Moonhorse]

If youre ready to subscribe to OSA soon as it becomes paid (?) youre fine, but otherwise i would just go voodooshield + wd + configuredefender

I dont bother installing anything anymore, just running windows defender on default settings ..probably just going for wisevector only

 

[SearchLight]

Thought about it and removed OSA because it is moving to shareware and I don't want to pay if other software does the same for free.

Instead, I Installed Andy Ful's Simple Windows Hardening.

Followed his comments and added his RunBySmartScreen which he mentions helps with Zero Day.

So now my main defenses are WD supplemented by ConfigureDender(setHIGH) + SWH + RBSS.

I feel as if I should be adding something else, maybe not? Would any of you add anything else?

Thanks

 

[Back3]

I'm on W10 v 2004. My basic setup is WD with Configure Defender set to HIGH. I also have Andy Ful's Simple Windows Hardening but only use the Windows Hardening part. For the last ten days, I had added Voodooshield Free. Very good piece of software. But I had a small slowdown when surfing. I'm now experimenting with Appcheck Anti-Ransomware Free. Very, very light. You really forget it.
But I will surely try OSA: the developper said there will be a 30-days trial version. Read that on Wilders.

 

[SearchLight]

I came across some other postings here that mention a software called WiseVector that for now is free, that several of the gurus here seem to like for being effective and light: WiseVector StopX | AI-Driven Malware Detection

So I decided to do WD(ConfigDefHIGH) + Wise Vector. I am also using Andy Ful's SWH. I am thinking of adding Windows Firewall Hardening but am afraid that it might affect the communication of some my legit internet programs.

Has anyone used the Firewall Hardening, and did it cause internet connection slowdowns or problems?

Otherwise after trial and error, I think this combo is about as light and as effective as one can get. Agree?

Thanks for any, and all suggestions. I greatly appreciate them.

 

[plat]

I use FirewallHardening. It applies block rules related to various legitimate Windows processes. Things like Powershell.ise, lsass and telnet should never be making outbound calls to any port at any time. For third-party software rules plus those of Windows processes, you could consider something like a front-end or full-fledged firewall utility (TinyWall, etc) instead.

The FWH interface has a logging feature you can enable if you want, to study any effects. But again, I don't think H_C bothers with anything non-Window-related. Never had an issue with it, myself.

For OSArmor and SysHardener, I'm less gung-ho about them now that Windows 2004 is out. The developer should be making some statements about subscription costs and changelogs so that one can make informed decisions. Until then, I've removed NVT products myself.

 

[South Park]

I came across some other postings here that mention a software called WiseVector that for now is free, that several of the gurus here seem to like for being effective and light: WiseVector StopX | AI-Driven Malware Detection

So I decided to do WD(ConfigDefHIGH) + Wise Vector. I am also using Andy Ful's SWH. I am thinking of adding Windows Firewall Hardening but am afraid that it might affect the communication of some my legit internet programs.

Has anyone used the Firewall Hardening, and did it cause internet connection slowdowns or problems?

Otherwise after trial and error, I think this combo is about as light and as effective as one can get. Agree?

Thanks for any, and all suggestions. I greatly appreciate them.

I've had no problem using Andy Ful's Firewall Hardening at the default settings. I also have the FW set to block ALL inbound connections when using public WiFi (which is a setting in the Windows security center, not H_C) and have had no problems with it.

 

[South Park]

Thought about it and removed OSA because it is moving to shareware and I don't want to pay if other software does the same for free.

Instead, I Installed Andy Ful's Simple Windows Hardening.

Followed his comments and added his RunBySmartScreen which he mentions helps with Zero Day.

So now my main defenses are WD supplemented by ConfigureDender(setHIGH) + SWH + RBSS.

I feel as if I should be adding something else, maybe not? Would any of you add anything else?

Thanks

I don't think anything else is needed for a normal home user. It's a good setup

 

[oldschool]

@SearchLight you might want to post a security configuration thread as this will make it easier to solicit, recieve and discuss setup suggestions, etc.

 

[Marana]

My answer to the question asked in the thread title would be: "If combined with Hard_Configurator, Yes. Amen!"

I think that WD with ConfigureDefender HIGH + Hard_Configurator provides robust basic security, and OSArmor can be used to provide some finer granularity to supplement that.

For example, in general I want to prohibit the execution of PowerShell scripts (even at the elevated level), but I have some PorwerShell scripts that I use in my backups, so I use OSArmor along with its whitelist capabilities to implement that.

 

[SeriousHoax]

For example, in general I want to prohibit the execution of PowerShell scripts (even at the elevated level), but I have some PorwerShell scripts that I use in my backups, so I use OSArmor along with its whitelist capabilities to implement that.

Btw, Hard_Configurator has whitelist feature too. Whitelist by path and hash.

 

[Marana]

Yes, it does. But "Block PowerShell Scripts" seems to ignore whitelisting - or at least "Whitelist by path / Folder" which is what I tried in H_C.

But OSArmor whitelisting seems to observe its Exclusions configuration (which btw has also a capability to use regular expressions, which in turn helps to keep the whitelists short and specific)

 

[ErzCrz]

Just remembered that if your running OSA and H_C together I think you have to turn off a couple of things in OSA to prevent incompatibility. I think it was in this topic: Using OS_Armor and Hard_Configurator together

 

[Marana]

Actually I have run OSA with default real-time protections for some years already, first along with SSRP and last 8-9 months along with H_C.

I have made a more personal configuration in H_C and in ConfigureDefender, but as far as I can remember, even those were mainly because I also use Microsoft Security Baseline for Windows (that I have also amended somewhat, partly due to compatibility with ConfigureDefender, partly due to my more strict security requirements and partly due to my requirements for smooth user experience... ).

So after all it is a multiform optimization problem, and I guess that what's best for one, might not be best for someone else...

 

[Andy Ful]

@Marana,
In the H_C Recommended Settings the PowerShell scripts are blocked not by SRP, but by Windows Policy, so they cannot be whitelisted. This is the best solution for most users, but not for people who want to use scripts.
In your case, you have a simple solution:
Remove this policy by setting <Block PowerShell Scripts> = OFF. Set PowerShell ExecutionPolicy to Unrestricted by running the command in PowerShell with Admin rights:
set-ExecutionPolicy Unrestricted
Next, you can block powershell.exe and powershell_ise.exe by using <Block Sponsors>.

In this way, the PowerShell Interpreter will be blocked, except when you will run PowerShell with Admin rights.

Edit.
There is also another solution when you need to run the PowerShell scripts with standard privileges and use whitelisting, but this is rarely needed.

 

[Marana]

@Andy Ful,
Thank you, I always appreciate your kind and useful hints!

However I have noticed that I do not seem to have any need for running PowerShell Scripts, even at elevated integrity levels, except a few backup scripts of mine. For this reason I have come to the conclusion to use OSA to first block PowerShell scripts globally and then selectively whitelist only my backup scripts. This seems to be serving my needs pretty well (well, at least so far... ).

But as I mentioned, what is best for one, may not be the best solution for someone else.