How to Secure a PC Against Malware is today’s topic. I’ll write about a variety of topics, not just photography, as part of this blog. By secure, I mean REALLY secure.
I’m not a professional PC security expert, but I am probably the next best thing. I'm confident that our PC security is better than 99.999% of home users. I’ve read thousands of articles and posts on the topic, and I have used well over 20 different PC security programs. I got into this about 3 years ago when I started seeing inexplicable browser redirects. I began to worry about our PC and network security, due to the investment management that I do. For the browser redirects, I never determined root cause, but I was able to rule out PC infection. The redirects were due either to an infected router (unlikely; but it was replaced), or they were due to malvertising. This caused me to greatly upgrade our home network and endpoint (aka, device) security.
So, today’s topic is how to secure a PC for home users. Business cybersecurity is an altogether different ballgame. To secure a home PC, it is useful know the most common modes of compromise, which are:
Browsing (malware can download and install without being seen)
Infected USB devices (e.g. infected flash drives)
Infected routers and gateways
Downloaded programs that appear to be OK, but that also contain malware that silently installs
I’ve compiled what I have learned into these six actions to achieve outstanding home PC security:
1. Browser (Isolation) Sandbox. A browser sandbox, properly configured, prevents malware from downloading from your browser to your PC. The best option for home users, by far, is paid Sandboxie. Sandboxie needs to patch about one vulnerability per year, compared to hundreds of vulnerabilities per year for Firefox, Chrome, IE11, and Microsoft Edge browsers. Configure Sandboxie to force Chrome and IE11 to run inside of Sandboxie. $75 for 5 lifetime Sandboxie licenses
Good Alternatives: Authentic8 Silo ($10/month/PC)
Avoid: Most of the rest. Especially avoid Comodo
Side Note: I used to use the enterprise version of Sandboxie, which is X by Invincea, and was impressed by that. X by Invincea is no longer available to small business users, however. Another excellent enterprise (-only) product is Bromium Endpoint Protection
2. Antivirus (AV). I recommend Webroot SecureAnywhere Antivirus. It tests comparably to the best AVs tested by AV-Test, AV-Comparatives, MRG Effitas, PC Magazine, and NSS Labs. However, it easily has the lowest (best) attack surface of any consumer AV, thus making it my AV of choice over other good performers. Webroot is free if you have an Ally Bank savings account
Avoid: Most of the rest. Especially avoid any Chinese, Russian, or Eastern European AV, which may include hostile government backdoor trojans
Interesting Options Not Yet Tried: Cylance Protect (managed, which means the provider configures it). $60/year/PC
3. On-Demand Malware Detection. I use Malwarebytes Anti-Malware v2 (free), which is no longer available. Malwarebytes 3 (free or paid) is available, but there have been a lot of problem reports for v3, so you might want to wait until it improves. I also like Norton Power Eraser (free) and Sophos HitmanPro (also free)
Good Alternative: Zemana AntiMalware
Avoid: VoodooShield (too much interaction required), and most of the rest
5. Operating System Hardening (free). Microsoft Windows has a lot of native programs, settings, and functions that the average home user does not use nor need, and that make Windows (more) insecure. I turn most of these off or disable them. Hardening is a key way to improve email security if you use Microsoft Outlook. Key hardening items:
Accounts: Work from a Standard User account. Use an Administrator account only for software installations and updates. Set User Account Control to "Always Notify"
Microsoft Office: ActiveX Settings: Disable all controls w/o notification. Macros: Disable with notification. Block RTF files
Group Policy Objects (GPO): Disable AutoPlay/AutoRun, Desktop Gadgets, 16-Bit Apps, Application Compatibility, OneDrive, LLMNR, Live Tiles. Force GPO refresh
GPO can be edited in Windows 10 Pro, but not in Windows 10 Home
Windows Registry: Mitigate DLL Hijacking, Disable Windows Script Host, Force Outlook OST/PST Folder, Block 600+ Outlook File Extensions (my personal list), Hide Outlook OLE Objects, Block Untrusted Fonts, Disable WPAD (partial)
Computer Properties: Enable DEP
Windows Features: Disable Powershell 2.0 and SMB v1
Windows Firewall: Block Regsvr32.dll outbound
Network Adapters: Disable all services except IPv4
DNS Setting: Set to OpenDNS - 126.96.36.199, 188.8.131.52 for the PC's LAN and WLAN adapters
Chronically Vulnerable Programs: Uninstall / never install Skype, Adobe Reader, Java, any Java-based programs, Microsoft Silverlight, and any Bittorrent clients. If you don't really need it, don't install it
PDF Management: Force PDF files to open in Chrome, and force Chrome to run inside of Sandboxie
Other Hardening Steps: We have many additional hardening changes, but the ones outlined should be pretty good for most home users
6. Patching. Patch (update) all programs once per month
I do not bother with anti-exploit software like Microsoft EMET (now deprecated; easily bypassed by malware), Malwarebytes Anti-Exploit or HitmanPro Alert. I have used all three in the past. My belief is that they will not add significant incremental security to the above list.
However, these six actions, in combination, make it almost impossible for your PC to be hacked or to be infected.
I’ll cover edge (firewall and router) and Internet of Things (IOT) security in a future post.