How to Secure a Home PC Against Malware

January 10, 2017

How to Secure a PC Against Malware is today’s topic.  I’ll write about a variety of topics, not just photography, as part of this blog.  By secure, I mean REALLY secure.

I’m not a professional PC security expert, but I am probably the next best thing.  I'm confident that our PC security is better than 99.999% of home users.  I’ve read thousands of articles and posts on the topic, and I have used well over 20 different PC security programs.  I got into this about 3 years ago when I started seeing inexplicable browser redirects.  I began to worry about our PC and network security, due to the investment management that I do.  For the browser redirects, I never determined root cause, but I was able to rule out PC infection.  The redirects were due either to an infected router (unlikely; but it was replaced), or they were due to malvertising.  This caused me to greatly upgrade our home network and endpoint (aka, device) security.

So, today’s topic is how to secure a PC for home users.  Business cybersecurity is an altogether different ballgame.  To secure a home PC, it is useful to know the most common modes of compromise, which are:

  • Browsing (malware can download and install without being seen)

  • Email

  • Infected USB devices (e.g. infected flash drives)

  • Infected routers and gateways

  • Downloaded programs that appear to be OK, but that also contain malware that silently installs

I’ve compiled what I have learned into these six actions to achieve outstanding home PC security:

1. Browser (Isolation) Sandbox.  A browser sandbox, properly configured, prevents malware from downloading from your browser to your PC.  The best option for home users, by far, is paid Sandboxie.   Sandboxie needs to patch about one vulnerability per year, compared to hundreds of vulnerabilities per year for Firefox, Chrome, IE11, and Microsoft Edge browsers.   Configure Sandboxie to force Chrome and IE11 to run inside of Sandboxie.  $75 for 5 lifetime Sandboxie licenses

2. Antivirus (AV).  I recommend Webroot SecureAnywhere Antivirus.  It tests comparably to the best AVs tested by AV-Test, AV-Comparatives, MRG Effitas, PC Magazine, and NSS Labs.  However, it easily has the lowest (best) attack surface of any consumer AV, thus making it my AV of choice over other good performers.  Webroot is free if you have an Ally Bank savings account

  • Good Alternatives: Norton Security Deluxe (price varies, ~$40/year/5 PCs), Trend Micro Maximum Security (price varies, ~$40/year/5 PCs)

  • Avoid: Most of the rest.  Especially avoid any Chinese, Russian, or Eastern European AV, which may include hostile government backdoor trojans

  • Interesting Options Not Yet Tried: Cylance Protect (managed, which means the provider configures it).  $60/year/PC

3. On-Demand Malware Detection.  I use Malwarebytes Anti-Malware v2 (free), which is no longer available.  Malwarebytes 3 (free or paid) is available, but there have been a lot of problem reports for v3, so you might want to wait until it improves.  I also like Norton Power Eraser (free) and Sophos HitmanPro (also free)

4. Software Restriction Policy / Anti-Executable.  Blue Ridge Networks AppGuard is easily the best option here.  There have not yet been confirmed bypasses of (infections due to) AppGuard.  $30/year/PC

5. Operating System Hardening (free).  Microsoft Windows has a lot of native programs, settings, and functions that the average home user neither uses nor needs, and that make Windows (more) insecure.  I turn most of these off or disable them.  Hardening is a key way to improve email security if you use Microsoft Outlook.  Key hardening items:

  • Accounts: Work from a Standard User account.  Use an Administrator account only for software installations and updates.  Set User Account Control to "Always Notify"

  • Microsoft Office: ActiveX Settings: Disable all controls w/o notification.  Macros: Disable with notification.   Block RTF files

  • Group Policy Objects (GPO): Disable AutoPlay/AutoRun, Desktop Gadgets, 16-Bit Apps, Application Compatibility, OneDrive, LLMNR, Live Tiles.  Force GPO refresh

    • GPO can be edited in Windows 10 Pro, but not in Windows 10 Home

  • Windows Registry: Mitigate DLL Hijacking, Disable Windows Script Host, Force Outlook OST/PST Folder, Block 600+ Outlook File Extensions (my personal list), Hide Outlook OLE Objects, Block Untrusted Fonts, Disable WPAD (partial)

  • Computer Properties: Enable DEP

  • Windows Features: Disable PowerShell 2.0 and SMB v1

  • Windows Firewall: Block Regsvr32.dll outbound

  • Network Adapters: Disable all services except IPv4

  • DNS Setting: Set to OpenDNS - 208.67.222.222, 208.67.220.220 for the PC's LAN and WLAN adapters

  • Chronically Vulnerable Programs: Uninstall / never install Skype, Adobe Reader, Java, any Java-based programs, Microsoft Silverlight, and any Bittorrent clients.  If you don't really need it, don't install it

  • PDF Management: Force PDF files to open in Chrome, and force Chrome to run inside of Sandboxie

  • Other Hardening Steps: We have many additional hardening changes, but the ones outlined should be pretty good for most home users

6. Patching.  Patch (update) all programs once per month
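As an added example that is not part of the original post, the following PowerShell script applies several of the step 5 hardening items with built-in cmdlets: the two Windows Features, Windows Script Host, the AutoRun and LLMNR settings written as registry values (the same values the GPO items set, so they also work on Windows 10 Home), the UAC "Always Notify" values, the regsvr32 outbound firewall rule, and the OpenDNS servers. The adapter aliases and the regsvr32.exe path are assumptions for a typical Windows 10 install; firewall program rules apply to executables, so the rule targets regsvr32.exe.

```powershell
# Added example (not from the original post). Run from an elevated
# Administrator PowerShell, then reboot. Adapter aliases and the regsvr32.exe
# path are assumptions for a typical Windows 10 install.
#Requires -RunAsAdministrator

function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the key if it does not exist yet, then write a REG_DWORD value.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

# Windows Features: remove the legacy PowerShell 2.0 engine and SMB v1.
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName MicrosoftWindowsPowerShellV2Root
Disable-WindowsOptionalFeature -Online -NoRestart -FeatureName SMB1Protocol

# Registry: disable Windows Script Host (wscript/cscript refuse to run scripts).
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# Registry equivalents of two GPO items: AutoRun/AutoPlay off for every
# drive type, and LLMNR multicast name resolution off.
$explorer = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-RegDword $explorer 'NoDriveTypeAutoRun' 0xFF
Set-RegDword $explorer 'NoAutorun' 1
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# UAC "Always Notify": prompt on every elevation, on the secure desktop.
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegDword $uac 'ConsentPromptBehaviorAdmin' 2
Set-RegDword $uac 'PromptOnSecureDesktop' 1

# Windows Firewall: regsvr32.exe registers COM DLLs and has no legitimate
# need for network access, so deny it outbound on every profile.
New-NetFirewallRule -DisplayName 'Block regsvr32 outbound' -Direction Outbound `
    -Program "$env:SystemRoot\System32\regsvr32.exe" -Action Block -Profile Any

# DNS: point the LAN and WLAN adapters at OpenDNS (aliases are assumptions).
foreach ($alias in 'Ethernet', 'Wi-Fi') {
    if (Get-NetAdapter -Name $alias -ErrorAction SilentlyContinue) {
        Set-DnsClientServerAddress -InterfaceAlias $alias `
            -ServerAddresses 208.67.222.222, 208.67.220.220
    }
}

# Check: both features should report State = Disabled after the reboot.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -in 'MicrosoftWindowsPowerShellV2Root', 'SMB1Protocol' |
    Select-Object FeatureName, State
```

Re-run `Get-NetFirewallRule -DisplayName 'Block regsvr32 outbound'` and `Get-DnsClientServerAddress` afterwards to confirm the rule and the DNS servers took effect.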

I do not bother with anti-exploit software like Microsoft EMET (now deprecated; easily bypassed by malware), Malwarebytes Anti-Exploit or HitmanPro Alert.  I have used all three in the past.  My belief is that they will not add significant incremental security to the above list.

Each software program requires a good configuration.  Sandboxie and Blue Ridge Networks AppGuard, in particular, have complex configuration options.

However, these six actions, in combination, make it almost impossible for your PC to be hacked or to be infected.

I’ll cover edge (firewall and router) and Internet of Things (IOT) security in a future post.

Jeff

PS: Don't buy Lenovo or other Chinese company PCs.  Buy Dell (preferred) or HP, for which the Chinese government is less likely to be able to install malware at the factory.
