This is an update to my previous post, based upon changes in the market and the products. I removed Malwarebytes v2 and CryptoPrevent v8. I added Microsoft Bitlocker drive encryption and OpenDNS Umbrella Prosumer. I also added some additional Microsoft Windows 10 hardening actions.
There are now 8 Actions to secure a Windows 10 PC from malware, up from 6. These 8 Actions will make a Windows 10 PC almost unhackable.
1. Browser (Isolation) Sandbox. A browser sandbox, properly configured, prevents malware from downloading from your browser to your PC. The best option for home users, by far, is paid Sandboxie. Sandboxie needs to patch about one vulnerability per year, compared to hundreds of vulnerabilities per year for Firefox, Chrome, IE11, and Microsoft Edge browsers. Configure Sandboxie to force Chrome and IE11 to run inside of Sandboxie. $75 for 5 lifetime Sandboxie licenses
Good Alternatives: Authentic8 Silo ($10/month/PC)
Avoid: Most of the rest. Especially avoid Comodo
Side Note: I used to use the enterprise version of Sandboxie, which is X by Invincea, and was impressed by that. X by Invincea is no longer available to small business users, however. Another excellent enterprise (-only) product is Bromium Endpoint Protection
2. Antivirus (AV). I recommend Webroot SecureAnywhere Antivirus. It tests comparably to the best AVs tested by AV-Test, AV-Comparatives, MRG Effitas, PC Magazine, and NSS Labs. However, it easily has the lowest (best) attack surface of any consumer AV, thus making it my AV of choice over other good performers. Webroot is free if you have an Ally Bank savings account
Avoid: Most of the rest. Especially avoid any Chinese, Russian, or Eastern European AV, which may include hostile government backdoor trojans
Interesting Options Not Yet Tried: Cylance Protect (managed, which means the provider configures it). $60/year/PC
Good Alternative: Zemana AntiMalware
Good Alternatives: Windows Software Restriction Policy (free; Windows 10 Pro only; complex to set up). I no longer use CryptoPrevent for some PCs because it has proven to be not that effective
Avoid: VoodooShield (too much interaction required), and most of the rest
5. Operating System Hardening (free). Microsoft Windows has a lot of native programs, settings, and functions that the average home user does not use nor need, and that make Windows (more) insecure. I turn most of these off or disable them. Hardening is a key way to improve email security if you use Microsoft Outlook. Key hardening items:
Accounts: Work from a Standard User account. Use an Administrator account only for software installations and updates. Set User Account Control to "Always Notify"
Microsoft Office: ActiveX Settings: Disable all controls w/o notification. Macros: Disable with notification. Block RTF files
Group Policy Objects (GPO): Disable AutoPlay/AutoRun, Desktop Gadgets, 16-Bit Apps, Application Compatibility Engine, Remote Desktop Connections, LLMNR, Remote Shell Access. Turn off Live Tiles. Force GPO Refresh
GPO can be edited in Windows 10 Pro, but not in Windows 10 Home
Windows Registry: Disable Windows Script Host, WPAD (partial), Elevation for Unsigned Executables. Mitigate DLL Hijacking. Block Untrusted Fonts. Outlook: Block 600 file extensions, Force OST Path, Hide OLE Objects
Computer Properties: Enable DEP
Windows Features: Disable PowerShell 2.0 and SMBv1
Windows Firewall: Block Regsvr32.dll outbound
Network Adapters: Disable all services except IPv4
DNS Setting: Set to OpenDNS - 220.127.116.11, 18.104.22.168 for the PC's LAN and WLAN adapters
Chronically Vulnerable Programs: Uninstall / never install Skype, Adobe Reader, Java, any Java-based programs, Microsoft Silverlight, and any Bittorrent clients. If you don't really need it, don't install it
PDF Management: Force PDF files to open in Chrome, and force Chrome to run inside of Sandboxie
Other Hardening Steps: We have many additional hardening changes, but the ones outlined should be pretty good for most home users
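One way to audit a handful of the registry and Windows Feature items above, and apply them only when asked, as an added PowerShell example that is not part of the original post. The registry paths and feature names are Windows' documented ones; the $Settings table, the -Apply switch and the OK/DRIFT report are this example's own construction. Run it elevated on Windows 10; without -Apply it only reports, and -Apply -WhatIf previews changes.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit a subset of the hardening
# items listed above and apply them only when -Apply is given.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Apply)

# Constructed table of desired DWORD values (documented Windows locations).
$Settings = @(
    # Windows Script Host off: double-clicked .vbs/.js/.wsf files no longer run
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name='Enabled'; Value=0 },
    # AutoPlay/AutoRun off for every drive type (bitmask 0xFF)
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NoDriveTypeAutoRun'; Value=255 },
    # LLMNR off so the PC stops answering multicast name queries on the LAN
    @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name='EnableMulticast'; Value=0 },
    # UAC "Always Notify": prompt admins for consent on the secure desktop
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='ConsentPromptBehaviorAdmin'; Value=2 },
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name='PromptOnSecureDesktop'; Value=1 }
)

foreach ($s in $Settings) {
    # A missing key or value reads as $null, which counts as drift
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Value) {
        Write-Host ("OK      {0}\{1} = {2}" -f $s.Path, $s.Name, $current)
        continue
    }
    Write-Host ("DRIFT   {0}\{1} = {2} (want {3})" -f $s.Path, $s.Name, $current, $s.Value)
    if ($Apply -and $PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set to $($s.Value)")) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    }
}

# Optional Windows features the post says to turn off: SMBv1 and PowerShell 2.0
foreach ($f in 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root') {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    $tag = if ($state -eq 'Disabled') { 'OK' } else { 'DRIFT' }
    Write-Host ("{0,-7} feature {1} is {2}" -f $tag, $f, $state)
    if ($Apply -and $state -ne 'Disabled' -and $PSCmdlet.ShouldProcess($f, 'disable feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
    }
}
```

Disabling the two features may require a reboot to take full effect, and the GPO-only items in the list (Live Tiles, Remote Shell, 16-bit apps) are deliberately not covered here.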
6. Encryption. Use Microsoft Bitlocker (free) to encrypt all data drives
7. DNS Security. Use OpenDNS Umbrella Prosumer ($20 per year / 3 devices) to encrypt and enforce DNS. This is primarily used for travel computers, to prevent Man-in-the-Middle attacks from compromised Wi-Fi hotspots
8. Patching. Patch (update) all programs once per month
However, these eight actions, in combination, make it almost impossible for your PC to be hacked or to be infected.
I’ll cover home network (firewall and router) and Internet of Things (IOT) security in a future post.
PS: Don't buy Lenovo or other Chinese company PCs. Buy Dell (preferred) or HP, for which the Chinese government is less likely to be able to install malware at the factory. In case you've not figured this out, the Chinese are not our friends. They are our enemies