Arequire

Level 23
Verified
Content Creator
I've been given permission to setup the security for my grandmother's new laptop and I had a question about how malware could infect her system:

If I were to have Avast running in aggressive hardened mode (basic anti-exe but it's got a big whitelist and requires little user interaction) and I were to disable Windows Script Host, Powershell and Command Prompt via the registry, what else would malware be able to use to allow itself to infect her system and how would I go about disabling it?
I also plan to disable AutoRun and Macros/ActiveX/OLEs in Microsoft Office.

I also have doubts if this is the right way to secure her. I don't use system hardening myself partly due to laziness and partly due to confidence in my own habits and software (although I could be persuaded to harden my system if it wouldn't have an impact on my day-to-day computing needs). I tend to stay away from most vectors of malware delivery and if malware does somehow find its way onto my system either Avast's sigs will catch it or Comodo Firewall will block its execution. I can't say the same for her though.

Would love to get your answers and opinions.

Edit: She refuses to use an ad blocker for whatever reason. Tried to convince her otherwise but she's steadfast.
 
Last edited:

brod56

Level 15
Verified
In that case Hard Configurator comes handy (disable Powershell, wscript executables).
Tweaking the browser with a strict uBlock Origin (check this guide) will also help to avoid further damages with happy clickers :)
I personally wouldnt use Avast Hardened Mode though.
 
  • Like
Reactions: Rengar

Handsome Recluse

Level 20
Verified
uBlock Origin/Adguard generally have robust anti-adblock but if those don't work, then maybe add Ghostery/Privacy Badger/Avast Online Security/about:config Turn on Tracking Protection instead.
 
  • Like
Reactions: brod56

Arequire

Level 23
Verified
Content Creator
Set her up with "Alternate DNS"... that will help with the ads.
Didn't think about blocking them at DNS level. I assume it would still trigger anti-adblock messages though.

In that case Hard Configurator comes handy (disable Powershell, wscript executables).
I was planning on doing it manually but I guess I could do it with a dedicated tool. Would save time.

Tweaking the browser with a strict uBlock Origin (check this guide) will also help to avoid further damages with happy clickers
I'd want to make it as user friendly as possible so I'd probably keep uBlock at either default settings or put it in very easy mode to avoid any page breakages.
 
  • Like
Reactions: brod56

DJ Panda

Level 29
Verified
If your gramma doesn't want an adblocker she doesn't need one. No need to force it on her. Make sure Windows Defender or Avast (a favorite of mine.) Then your fine. The best thing to do is make sure she uses a less exploit able browser like Chrome. :)
 

RVS2

Level 2
I've been given permission to setup the security for my grandmother's new laptop and I had a question about how malware could infect her system:

If I were to have Avast running in aggressive hardened mode (basic anti-exe but it's got a big whitelist and requires little user interaction) and I were to disable Windows Script Host, Powershell and Command Prompt via the registry, what else would malware be able to use to allow itself to infect her system and how would I go about disabling it?
I also plan to disable AutoRun and Macros/ActiveX/OLEs in Microsoft Office.

I also have doubts if this is the right way to secure her. I don't use system hardening myself partly due to laziness and partly due to confidence in my own habits and software (although I could be persuaded to harden my system if it wouldn't have an impact on my day-to-day computing needs). I tend to stay away from most vectors of malware delivery and if malware does somehow find its way onto my system either Avast's sigs will catch it or Comodo Firewall will block its execution. I can't say the same for her though.

Would love to get your answers and opinions.

Edit: She refuses to use an ad blocker for whatever reason. Tried to convince her otherwise but she's steadfast.
Use adguard adblocker with the "harmless ads" feature on. It's not called harmless ads but similar. Do enable the important filters.
Adblocking is more important for new computer users.

Put Comodo firewall exactly to CruelSister's settings. You can find her youtube video on it.
Any good AV like Panda,Avast,Bitdefender will do. Remember to minimize bloat of avast. But use bitdefender given it's little interference and general bothering
 
Last edited:
  • Like
Reactions: Winter Soldier

Winter Soldier

Level 25
The main purpose is to protect her computer from malware.
I think an alternative approach:
security setup is essential and Avast can be a good choice but the streets of the malware are endless.
So she could also use Sandboxie (if she isn't using Edge ) to virtualize the browsing session by enabling the auto deletion of the sandbox at the browser closing.
Very important is to provide for a good disaster recovery plan with OS images stored on external HDD.
 

shmu26

Level 82
Verified
Trusted
Content Creator
1 Make sure she uses a browser with good protection, such as Google Chrome or Edge. Install the HTTPS Everywhere extension. Install the Avira or Bitdefender TrafficLight extension (it is not adblocking, it only blocks malicious URLs).

2 Set up the default PDF reader to be something other than Adobe Reader -- it is the most targeted. Sumatra and Edge are particularly safe. Also set up the default apps for viewing pics and videos to be something safe.

3 Be forewarned that disabling cmd.exe can be problematic. Some software and processes might not run correctly. Some Windows troubleshooters will not complete tasks. Some program installers or uninstallers might not work, especially the ones for big, heavy suites.
 

RVS2

Level 2
1 Make sure she uses a browser with good protection, such as Google Chrome or Edge.
2 Set up the default PDF reader to be something other than Adobe Reader -- it is the most targeted. Sumatra and Edge are particularly safe. Also set up the default software for viewing pics to be something safe.
3 Be forewarned that disabling cmd.exe can be problematic. Some software and processes might not run correctly. Some Windows troubleshooters will not complete tasks. Some program installers or uninstallers might not work, especially the ones for big, heavy suites.
Yeah disabling in the name of security isn't optimal for beginner level people. You'll be getting many calls to fix the computer.
 
  • Like
Reactions: shmu26

Arequire

Level 23
Verified
Content Creator
If your gramma doesn't want an adblocker she doesn't need one. No need to force it on her.
Yeah, I won't force it on her if she really doesn't want one. Isn't my laptop after all.

Malwarebytes Anti-Malware is the best protection i have ever come across.
Definitely ain't mine. Nowadays I'd only ever use it to remove PUPs. Wouldn't bother with it when it comes to removing malware.

Put Comodo firewall exactly to CruelSister's settings. You can find her youtube video on it.
Requires way too much user interaction and she'd have no idea what to do when the firewall blocks network access to something or the sandbox isolates something.

Very important is to provide for a good disaster recovery plan with OS images stored on external HDD.
Definitely would make an image backup after I'd set it all up. I'd make sure she has all her important data backed up too.

3 Be forewarned that disabling cmd.exe can be problematic. Some software and processes might not run correctly. Some Windows troubleshooters will not complete tasks. Some program installers or uninstallers might not work, especially the ones for big, heavy suites.
Yeah disabling in the name of security isn't optimal for beginner level people. You'll be getting many calls to fix the computer.
Wasn't aware it might cause problems. I've used a system in the past for a couple of months where it was disabled and I never ran into any problems myself. Probably best I just keep it enabled then.
 
  • Like
Reactions: Winter Soldier

shmu26

Level 82
Verified
Trusted
Content Creator
Wasn't aware it might cause problems. I've used a system in the past for a couple of months where it was disabled and I never ran into any problems myself. Probably best I just keep it enabled then.
You won't get any calls for help if you disable wscript, cscript, powershell, powershell_ISE (there are two of each on a x64 system). So that is a good move.

The only risk is with cmd.exe (also with this, there are two of them). If you are lucky, she won't see any problems, but you can't be sure.
 

Arequire

Level 23
Verified
Content Creator
You won't get any calls for help if you disable wscript, cscript, powershell, powershell_ISE
Those I definitely plan on disabling. I probably should disable them on my system as well to be honest. I don't have anything installed that uses them as far as I'm aware.
 
  • Like
Reactions: DJ Panda

shmu26

Level 82
Verified
Trusted
Content Creator
Those I definitely plan on disabling. I probably should disable them on my system as well to be honest. I don't have anything installed that uses them as far as I'm aware.
Disabling powershell by registry has an easy and well-known bypass. It's still better than nothing, though.
 
D

Deleted member 178

SUA + UAC max as a minimum, then add Shadow Defender; explain her how it works , set it to shadow mode at boot; job done.

Also, for the noobest of the noob, if she doesn't do online banking and doesn't have sensitive files , restore the system once a month could be simpler :D
 

jamescv7

Level 61
Verified
Trusted
1) Make it Limited Account rather Local/admin, to ensure none of any scripts or executable to proceed since it needs administrator approval.

2) Avast Free is fine on most cases and Hardening Mode will be capable on different infection attack.

3) Virtualization will be the best thing here which mentioned on the post regarding on Sandboxie, ensure fix configuration.

Sometimes we need to steer away from complication process; focus on the main point which is to protect in all aspect. Let the program do the rest. ;)
 

Spawn

Administrator
Verified
Staff member
uBlock Origin/Adguard generally have robust anti-adblock but if those don't work, then maybe add Ghostery/Privacy Badger/Avast Online Security/about:config Turn on Tracking Protection instead.
You don't want to add to many extensions, as they may break sites or are confusing to use ie. Privacy Badger.