Advice Request Worth Upgrading to Win 11 Pro for Security Reasons?

Please provide comments and solutions that are helpful to the author of this topic.

patrick85

Level 1
Thread author
Mar 13, 2022
12
That is the correct conclusion. Technical defenses can fail. And as I said, I fully expect my red team to be able to bypass Xcitium in the coming months.

There exists a security strategy to deal with this problem, and that is to deploy 'layers' of security. Once a layer is broken thru, there should exist yet another layer and thus the battle is not lost. As you have correctly learned, you cannot rely on a one layer complete protection. You additionally have SpyShelter currently that implements this strategy. If your cpu can handle it, add one more layer.

You mentioned the potential problem of encountering customization problems and too many security prompts. Sorry to say this, but it is best to maintain a 'steady state' configuration. When your list of applications don't change much, it is much easier to spot 'problems'. Attacks will stand out and you will be able to easily spot irregularities and know when to go on full alert. If you don't employ an EDR that gives alerts and choose the consumer Comodo, inspect the logs every day and you get the same visibility. Home users who are install happy are just taking on risks. You need to maintain a steady state or you will be wasting time, getting frustrated and making mistakes allowing things where you shouldn't. Separate your important private data from your work environment. Use a separate work machine which will never hold non work related programs and data. This is a procedural manual security control. Thus malware would not get onto the work machine. Your private machine can hold games, personal accounting things and whatever your risk appetite allows. Then you can adjust what security measures you need for each machine.

Another solution is to do regular penetration testing. Try to break thru things and bring out remediation in advance of the 'real big battle'. That's why we have red team hackers on staff. Small companies can do this too, as there are free lance pen testers for hire for as low as $40/hr (hacking expertise can vary) and you can state your budget hours. So you estimate how much time effort a real attacker will likely spend trying to attack you and your valuable data before giving up and going for easier prey and you set the budget hours for the pen test. Visa and Mastercard regulations actually mandate this. We do it more regularly than required. There is no reason why families can't do this too, set a small budget like 5 hrs and do it once a year. You will get a report showing where you ought to improve from an attacker's perspective.

I have a slightly different take on your avoidance of 'complete protection'. I avoid signature driven detection, and prefer solutions that apply the default deny principle. The idea is simple, whatever is not explicitly allowed is denied. This can be a in-use software vendors list, a 'white list' in any sort of rule set. It makes life simpler, you simply give it a small list of allowed things, and things that don't match up are blocked. Kaspersky, the anti-malware solution can be configured to behave this way. CyberLock, keeps a white list of the files currently on your drive. Xcitium auto-contains things not currently on your drive. These are all examples of security solutions that apply the default deny principle. Look into it.

If you suspect a RAT problem, then take steps to address the risk. Did BitDefender confirm that it was able to remove the Barbar malware? Brief google search reveals it is a RAT. Security is not complete until you at least Try to address it the best you can. To get to the root of the problem, you would have to consider the possibility that your hacker has returned. A RAT has to be deployed by someone. And as long as you don't remove his persistence mechanism, the hacker stays. I am not familiar enough with the many persistence mechanisms: registry hiding places where he can lodge himself and relaunch automatically whenever Windows reboots. You can research the Mitre Att&ck web site, look under Persistence, and it lists many techniques. If I knew those techniques by heart, there is a chance we can surgically remove him. So I'll just deal with the problem broadly. This maybe that your re-installation of Windows did not thoroughly get rid of him, so we can deal with problem the 'traditional' way - a thorough re-install of Windows. This should be done only after the forensics folks obtain their necessary disk images and ram images, or we lose valuable information, like the whole path of his attack, and how we can prevent a reoccurrence. But we don't have a forensics team handy. So we can't follow 'proper' incident response procedures. Constraints constraints. Or this maybe a new infection brought about by some new trojaned software install. Or this may simply be some hardware glitch. Take one possibility at a time and address it. Once you have got it covered, then move to the next. Until you eliminate the last possibility. I am a programmer by training, and this is the way problems are solved - you break down a problem into pieces and solve them one followed by the next. If one piece seems too big, break it down into sub tasks. It turns out like an organizational chart, main problem written at the top, then divided into pieces, and then further sub divided when necessary to break down complexity. Draw out the chart. Then it's just a matter of methodically doing the things required by each bottom most box. It takes whatever effort it takes; the risk Must be addressed. Big seemingly difficult problems can be solved with this method. Huge projects that span years are planned out this way.

Hacker returning: You say BitDefender scans the boot sector. That's all good, but do they have the right signature to match up to This hacker's tweaked tool and quarantine it. That's the key question. AV's are a technical defense, and they can fail. So switch to an administrative procedural defense. Before you start this step, do backup of all your data, browser bookmarks and passwords, plus all your program installers. Then download, burn and run Parted Magic's erase disk, before you re-install Windows. Just takes 15 mins longer than a regular Windows re-install and then you are assured. Hacker returning possibility eliminated. Sort of. We are missing data of his attack path, and he may be able to just repeat it. Then we might be going thru this again repeatedly.

Then you look at the second possibility which is that it might be a new infection brought about by some new trojaned software install. You just wiped the hdd and re-installed Windows, now check each of your installers' Properties > Signatures for OK signature and verify correct company name. If the complete signature checks out, then it guarantees that the installer is official and has not been tampered with. If it doesn't check out, delete it. Proceed to install all your software. 2nd possibility addressed.

Then you look at the last possibility which is a hardware screen problem. Things to do: run hardware diagnostics of the laptop, If an error is reported then send it to be repaired. Download latest display driver from hardware manufacturer web site; verifying signature; install them. Screen glitch possibility addressed with best effort. Nothing else left to do.

Big problem stated on the top of chart solved.

You should take this opportunity

Anyways, I am being long winded. For all I know, you may be a programmer. But your problem is not just deciding whether to purchase Windows or not. You have a security breach that is still on going.
Thank you, indeed the possibilities are endless and access to professional investigation is not as I'm not an expert on cybersecurity myself as well. I will do the reinstall definitely and will incorporate some new security solutions perhaps from your recommendations. Regarding the babar malware, bitdefender told me it was removed from my computer, I ran full system scan and it should all be OK, will probably have it investigated by them further, regarding the signature, which software will quarantee that the they will find malware like this by the signature ? I would guess likely none, also the description of bitdefender scans, boot sector scans included: Scanning for malware
 
  • Like
Reactions: simmerskool

Victor M

Level 8
Verified
Well-known
Oct 3, 2022
357
@patrick85 .
There is 1 thing that I forgot. Very important step in incident response. That is, containment, which is to contain the intrusion. The intruder can laterally move across to other computers in the network, so it is crucial to have the pc isolated. It is never too late to do this step. If your switch or router has the capability, create VLAN segments, then put all the other PCs into one VLAN, and the breached PC into it's own VLAN. Or, if you have 2 old routers lying around, apply the same idea: breached PC under it's own router and all other PCs under another. VLAN equipment is now very cheap, >$100 for an ethernet only router.

2nd thing you could do: use the opportunity to make an Still-Offline Already-Configured Windows drive image. You will need to pre-download a drive image backup program. And just before installing those programs which require an online-download-install process, (like most AV programs) make the drive image and keep it safe. This image is important to have, as you can safely use it to restore to make a clean environment. Since it is Still-Offline, it guarantees that the intruder is not present on it. And if you pre-configure Windows before you make the drive image, you save yourself from having to repeat those steps again. Optionally it makes for a network-wide/dept-wide standardized config due to Window's One Core architecture - Windows will adjust itself when you apply the image to another piece of hardware.

To have an Still-Offline windows install: at the 3rd setup reboot, press SHIFT-F10. A command prompt will appear, type "OOBE\BYPASSNRO". This will cause a reboot, then you will get the choice "I don't have internet". Then you can make local accounts instead of having to connect to MS to use an online account. After desktop appears, turn off WiFi.

The Barbar question is not important. It is ultimately just a tool. The important thing is that the intruder is present. And he can install other tools. Now that Barbar is removed, he will adapt. His next tool won't be so easy to find. Get rid of the bugger.
 
Last edited:

Can't Decide

Level 1
Dec 15, 2023
27
GPedit was the only reason I went from home to pro.
If you don't need GPedit (there are ways to get it on home but it was finnicky for me, sometimes it would work other times it wouldn't) and Bitlocker then Pro is not worth it.

PS you can disable the remote desktop thing.
I know this might not be a good idea to ask here since this thread is about OP question.

Just by disable the remote desktop thing can totally prevent remote desktop connection being hack? Or do you need to uninstall "Remote Desktop Connection" in Setting under Apps & Features?
 
  • Like
Reactions: simmerskool

n8chavez

Level 17
Well-known
Feb 26, 2021
805
I know this might not be a good idea to ask here since this thread is about OP question.

Just by disable the remote desktop thing can totally prevent remote desktop connection being hack? Or do you need to uninstall "Remote Desktop Connection" in Setting under Apps & Features?

If you want to be certain then just uninstall the feature . However, you can disable it, and block it with a firewall You'd do this if you might want to use it one day. There's a pretty good guide here.
 

Can't Decide

Level 1
Dec 15, 2023
27
If you want to be certain then just uninstall the feature . However, you can disable it, and block it with a firewall You'd do this if you might want to use it one day. There's a pretty good guide here.
Thank you, for the information & guide.
Yes. This is sufficient to disable it, but not an absolute prevention against a hack. Malware or a live attacker can reinstall remote desktop on your system and abuse it.


It cannot be removed through "Apps & Features." (at least not based upon a quick look on Win 11)

You can remove it from the Installed Apps menu under Settings:


If you can tolerate it remaining on your system, then you can also combine multiple ways (e.g. disable it under System, disable it in Windows Firewall, and terminate the service) to disable it:

Thank you, for the information & guide.
 
  • Love
Reactions: jceon

patrick85

Level 1
Thread author
Mar 13, 2022
12
@patrick85 .
There is 1 thing that I forgot. Very important step in incident response. That is, containment, which is to contain the intrusion. The intruder can laterally move across to other computers in the network, so it is crucial to have the pc isolated. It is never too late to do this step. If your switch or router has the capability, create VLAN segments, then put all the other PCs into one VLAN, and the breached PC into it's own VLAN. Or, if you have 2 old routers lying around, apply the same idea: breached PC under it's own router and all other PCs under another. VLAN equipment is now very cheap, >$100 for an ethernet only router.

2nd thing you could do: use the opportunity to make an Still-Offline Already-Configured Windows drive image. You will need to pre-download a drive image backup program. And just before installing those programs which require an online-download-install process, (like most AV programs) make the drive image and keep it safe. This image is important to have, as you can safely use it to restore to make a clean environment. Since it is Still-Offline, it guarantees that the intruder is not present on it. And if you pre-configure Windows before you make the drive image, you save yourself from having to repeat those steps again. Optionally it makes for a network-wide/dept-wide standardized config due to Window's One Core architecture - Windows will adjust itself when you apply the image to another piece of hardware.

To have an Still-Offline windows install: at the 3rd setup reboot, press SHIFT-F10. A command prompt will appear, type "OOBE\BYPASSNRO". This will cause a reboot, then you will get the choice "I don't have internet". Then you can make local accounts instead of having to connect to MS to use an online account. After desktop appears, turn off WiFi.

The Barbar question is not important. It is ultimately just a tool. The important thing is that the intruder is present. And he can install other tools. Now that Barbar is removed, he will adapt. His next tool won't be so easy to find. Get rid of the bugger.
Thank you I use guest wifi networks for each separate device, only my main device in question is ethernet connected through cable to a router.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top