How to Secure a Home PC Against Malware: Updated

September 12, 2017

This is an update to my previous post, based upon changes in the market and the products. I removed Malwarebytes v2 and CryptoPrevent v8. I added Microsoft Bitlocker drive encryption and OpenDNS Umbrella Prosumer. I also added some additional Microsoft Windows 10 hardening actions.

There are now 8 Actions to secure a Windows 10 PC from malware, up from 6. These 8 Actions will make a Windows 10 PC almost unhackable.

1. Browser (Isolation) Sandbox. A browser sandbox, properly configured, prevents malware that arrives through your browser from reaching your PC. The best option for home users, by far, is paid Sandboxie. Sandboxie needs to patch about one vulnerability per year, compared to hundreds of vulnerabilities per year for the Firefox, Chrome, IE11, and Microsoft Edge browsers. Configure Sandboxie to force Chrome and IE11 to run inside of Sandboxie. $75 for 5 lifetime Sandboxie licenses.

2. Antivirus (AV). I recommend Webroot SecureAnywhere Antivirus. It tests comparably to the best AVs tested by AV-Test, AV-Comparatives, MRG Effitas, PC Magazine, and NSS Labs. However, it easily has the lowest (best) attack surface of any consumer AV, thus making it my AV of choice over other good performers. Webroot is free if you have an Ally Bank savings account.

  • Good Alternatives: Norton Security Deluxe (price varies, ~$40/year/5 PCs), Trend Micro Maximum Security (price varies, ~$40/year/5 PCs)

  • Avoid: Most of the rest. Especially avoid any Chinese, Russian, or Eastern European AV, which may include hostile government backdoor trojans

  • Interesting Options Not Yet Tried: Cylance Protect (managed, which means the provider configures it). $60/year/PC

3. On-Demand Malware Detection. I use Sophos HitmanPro (free). I no longer use Malwarebytes, as they have sunset v2, and v3 is not very good. I also use Norton Power Eraser (also free).

4. Software Restriction Policy / Anti-Executable. Blue Ridge Networks AppGuard is easily the best option here. There have not yet been confirmed bypasses of (infections due to) AppGuard. $30/year/PC.

5. Operating System Hardening (free). Microsoft Windows has a lot of native programs, settings, and functions that the average home user neither uses nor needs, and that make Windows (more) insecure. I turn most of these off or disable them. Hardening is a key way to improve email security if you use Microsoft Outlook. Key hardening items:

  • Accounts: Work from a Standard User account. Use an Administrator account only for software installations and updates. Set User Account Control to "Always Notify"

  • App Installation Setting: Only install apps from the Windows Store (after all program installation is finished)

  • Microsoft Office: ActiveX Settings: Disable all controls without notification. Macros: Disable with notification. Block RTF files

  • Group Policy Objects (GPO): Disable AutoPlay/AutoRun, Desktop Gadgets, 16-Bit Apps, Application Compatibility Engine, Remote Desktop Connections, LLMNR, Remote Shell Access. Turn off Live Tiles. Force GPO Refresh

    • GPO can be edited in Windows 10 Pro, but not in Windows 10 Home

  • Windows Registry: Disable Windows Script Host, WPAD (partial), Elevation for Unsigned Executables. Mitigate DLL Hijacking. Block Untrusted Fonts. Outlook: Block 600 file extensions, Force OST Path, Hide OLE Objects

  • Computer Properties: Enable DEP

  • Windows Features: Disable PowerShell 2.0 and SMB v1

  • Windows Firewall: Block Regsvr32.dll outbound

  • Network Adapters: Disable all services except IPv4

  • DNS Setting: Set to OpenDNS (208.67.222.222, 208.67.220.220) for the PC's LAN and WLAN adapters

  • Chronically Vulnerable Programs: Uninstall / never install Skype, Adobe Reader, Java, any Java-based programs, Microsoft Silverlight, and any BitTorrent clients. If you don't really need it, don't install it

  • PDF Management: Force PDF files to open in Chrome, and force Chrome to run inside of Sandboxie

  • Other Hardening Steps: We have many additional hardening changes, but the ones outlined should be pretty good for most home users
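The following PowerShell script is an added example, not part of the original post or any vendor's tooling. It applies a subset of the items above (Windows Script Host, UAC "Always Notify", AutoRun and LLMNR, PowerShell 2.0 and SMB v1 removal, DEP, the Regsvr32 outbound block, and the OpenDNS resolvers) from an elevated session on the Administrator account. It assumes Windows 10 with PowerShell 5.1, and it targets regsvr32.exe because Windows Firewall program rules apply to executables; the rule name and the helper function are my own.

```powershell
#Requires -RunAsAdministrator
# Added example: applies several of the hardening items above on Windows 10.
# Assumes an elevated PowerShell 5.1 session; review each change before running.

function Set-RegDword($Path, $Name, $Value) {
    # Create the key if it is missing, then write (or overwrite) a REG_DWORD value
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# Windows Registry: disable Windows Script Host (.vbs/.js/.wsf scripts will not run)
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled' 0

# Accounts: User Account Control "Always Notify", prompting on the secure desktop
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-RegDword $uac 'ConsentPromptBehaviorAdmin' 2
Set-RegDword $uac 'PromptOnSecureDesktop' 1

# GPO-equivalent registry policies: AutoRun off for every drive type (0xFF), LLMNR off
Set-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun' 255
Set-RegDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast' 0

# Windows Features: remove PowerShell 2.0 and SMB v1 (a reboot completes the removal)
$features = 'MicrosoftWindowsPowerShellV2Root', 'SMB1Protocol'
foreach ($f in $features) {
    Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
}

# Computer Properties: DEP for all programs except those explicitly opted out (OptOut)
bcdedit /set '{current}' nx OptOut | Out-Null

# Windows Firewall: block outbound connections from regsvr32.exe
$ruleName = 'Block regsvr32 outbound'          # constructed rule name
$regsvr = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Program $regsvr `
        -Action Block -Profile Any | Out-Null
}

# DNS Setting: OpenDNS resolvers on every physical adapter that is up (LAN and WLAN)
$dns = '208.67.222.222', '208.67.220.220'
Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $dns
}

# Report: confirm the feature removals and the Script Host setting actually took effect
Get-WindowsOptionalFeature -Online | Where-Object { $features -contains $_.FeatureName } |
    Select-Object FeatureName, State
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' | Select-Object Enabled
```

Run it once from the Administrator account, reboot, and then keep working from the Standard User account as item 5 describes.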

6. Encryption. Use Microsoft Bitlocker (free) to encrypt all data drives.

7. DNS Security. Use OpenDNS Umbrella Prosumer ($20 per year / 3 devices) to encrypt and enforce DNS. This is primarily used for travel computers, to prevent Man-in-the-Middle attacks from compromised wi-fi hotspots.

8. Patching. Patch (update) all programs once per month.

Each software program requires a good configuration. Sandboxie and Blue Ridge Networks AppGuard, in particular, have complex configuration options.

However, these eight actions, in combination, make it almost impossible for your PC to be hacked or to be infected.

I’ll cover home network (firewall and router) and Internet of Things (IOT) security in a future post.

Jeff

PS: Don't buy Lenovo or other Chinese company PCs. Buy Dell (preferred) or HP, for which the Chinese government is less likely to be able to install malware at the factory. In case you've not figured this out, the Chinese are not our friends. They are our enemies.
