Windows security

Virus scanners

Antivirus software doesn't necessarily make your computer more secure. Antivirus programs themselves can often be exploited by hackers, and those vulnerabilities are usually publicly available. Many security experts say that you likely won't need a virus scanner, nor a VPN. Most major browsers have built-in security.

Often the real threats come from zero-days or malware which isn't well-known to the public yet. It is a constant battle between hackers and security professionals. Most antivirus software is reactive, and increases the attack surface. Great hackers are smart enough to bypass virus scanners, but malware that has been around for a while can get caught.

While I do recommend that you leave Windows Defender on, I advise against investing in another antivirus, unless you use something like CrowdStrike, which I do not like since it is similar to having no privacy. Many threats are not relevant for people who use common sense, but your average user is not an expert and will make a bad decision. Microsoft invests a lot in Windows Defender, and according to experts it is very competent.

Windows Defender uses too much CPU

Windows Defender may consume a lot of CPU, but there is a simple fix for that. The CPU load can still be higher than what you set, although Defender will try to stay below it during scheduled scans. Other scans do not follow this restriction.

This PowerShell code can be used to set the average scan CPU load factor.

# https://learn.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2019-ps#-scanavgcpuloadfactor
# Run from an elevated PowerShell; the value is the CPU percentage that scheduled scans aim to stay below
Set-MpPreference -ScanAvgCPULoadFactor 15 # default is 50% cpu
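As an added example that is not part of the original post: since the load factor only bounds scheduled scans, the function below sets the factor and moves the daily scheduled scan to a quiet hour (02:00 is an assumption), then reads the stored values back. Run it from an elevated PowerShell.

```powershell
# Added example; not the post's own code. Requires an elevated PowerShell.
function Set-QuietDefenderScan {
    param(
        # Set-MpPreference accepts 5..100 for this factor.
        [ValidateRange(5, 100)][int]$CpuPercent = 15,
        # Assumed quiet hour; adjust to the machine's idle time.
        [string]$ScanTime = "02:00:00"
    )

    # ScanScheduleDay 0 = every day. The CPU factor only bounds this scheduled scan;
    # manual and on-access scans are not limited by it.
    Set-MpPreference -ScanAvgCPULoadFactor $CpuPercent `
                     -ScanScheduleDay 0 `
                     -ScanScheduleTime $ScanTime

    # Read back what Defender actually stored, so a silently rejected value is visible.
    Get-MpPreference | Select-Object ScanAvgCPULoadFactor, ScanScheduleDay, ScanScheduleTime
}

Set-QuietDefenderScan -CpuPercent 15
```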

Common sense

Even many tech-savvy people do not always use common sense, and accidents happen.

  • Use official websites or package managers.
  • Install (security) updates.
  • Piracy and clean-up programs often do more harm than good.
  • Use UAC, but only if you have it configured correctly.
  • Do not mindlessly ignore what the virus scanner finds.
  • Read scripts before you run them.
  • Consider using a password manager.
  • Do not install games with kernel-level anti-cheat systems.

For tweakers and tech enthusiasts

While optimization scripts may promise performance enhancements, they often disable security features. Exercise caution and read the scripts you will execute, as they can often do more harm than good. The same goes for clean-up software.

For piracy enthusiasts

Prioritize well-trusted sources and repackers to minimize the risks. It's advisable to only pirate on devices which do not contain sensitive data. Be aware that executing the pirated software may release malware, so moving pirated software to another device is always a risk.

For gaming enthusiasts

Games with kernel-level anti-cheat create a huge attack surface. Running something at kernel level means that it runs with higher privileges than an administrator, and it always runs at startup. Such "games" can access anything while your computer is on; the game does not have to be running. If an attacker finds a way to attack the anti-cheat software, they have access to everything. This has happened before. Always check if the game uses kernel-level anti-cheat, or use a separate machine without sensitive data for gaming.

User Account Control

The User Account Control (UAC) pop-ups are often seen as an inconvenience. It is understandable that people turn it off, but it is there for security. Well-designed programs take it into account and won't throw the pop-up every time. Programs shouldn't need admin rights every time.

A UAC prompt to make changes to UAC.

UAC becomes redundant if the logged-in account is already an admin account. It is best used on the maximum setting, as using another setting defeats the purpose of UAC. It is in general a bad idea to log in with an admin account. Use "run as" for programs which require admin instead. UAC only has effect if you do not mindlessly click "yes" when a suspicious program throws the pop-up.

UAC uses a secure desktop, so no software should be able to interrupt it. If something malicious requests admin permission in the background you will be able to stop it by clicking "no". This can be a very effective tool. A lot of users have been hacked because they used an account with admin rights without additional UAC security. It is common.
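As an added example, not from the original post: a PowerShell check for the three points above, whether UAC is on at the maximum "Always notify" setting with the secure desktop, whether the current account is a member of the local Administrators group, and whether this session already runs elevated. It assumes the standard UAC value names under Policies\System and uses Get-LocalGroupMember for the membership check.

```powershell
# Added example; not from the original post. Works from a normal (non-elevated) session.
function Get-UacPosture {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
    $p   = Get-ItemProperty -Path $key

    # EnableLUA = 0 means UAC is switched off entirely.
    $uacOn = $p.EnableLUA -eq 1
    # "Always notify" = ConsentPromptBehaviorAdmin 2 with prompts on the secure desktop.
    $secureDesktop = $p.PromptOnSecureDesktop -eq 1
    $alwaysNotify  = ($p.ConsentPromptBehaviorAdmin -eq 2) -and $secureDesktop

    # Is this session already running with the elevated (full administrator) token?
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $elevated = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Is the logged-in account a direct member of the local Administrators group
    # (S-1-5-32-544)? Membership through nested domain groups is not resolved here.
    $adminSids    = (Get-LocalGroupMember -SID "S-1-5-32-544").SID
    $adminAccount = $adminSids -contains $identity.User

    $advice = if (-not $uacOn)            { "Turn UAC on" }
              elseif (-not $alwaysNotify) { "Set UAC to 'Always notify' (secure desktop on)" }
              elseif ($adminAccount)      { "Use a standard account and 'run as' for admin tasks" }
              else                        { "OK" }

    [pscustomobject]@{
        User            = $identity.Name
        UacEnabled      = $uacOn
        AlwaysNotify    = $alwaysNotify
        SecureDesktop   = $secureDesktop
        AdminAccount    = $adminAccount
        SessionElevated = $elevated
        Advice          = $advice
    }
}

Get-UacPosture | Format-List
```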

Blocking malicious sites

Ad blocking has an additional benefit, as it protects you from dangerous sites. The ad blocker "uBlock Origin" has a good reputation. I would recommend using that one.

You can set up your DNS to something which blocks ads and well-known malicious sites. I use NextDNS for this since it is free. AdGuard seems great if you are OK with paying for such a service. These kinds of services often do a better job than ad blockers, but using both won't hurt.

# NextDNS is available on winget
winget install -e --id NextDNS.NextDNS.Desktop
# Open https://nextdns.io/ to configure it after the install

Windows hardening

Using "User Account Control" and blocking malicious sites will cover the majority of cases, but some people may want to go a step further.

I wouldn't recommend running such tools if you aren't tech-savvy. Your security will be tight, but it could be too tight if you are not aware of what you applied. Maybe someone can help you to set it up. There are devices which come with Windows in S-mode. That is secure, but does not provide much functionality.

An obsession with security may harm your productivity. I would prefer a balanced approach as my "Digital privacy obsessions" article suggests.

Harden Windows Security

"Harden Windows Security" made by HotCakeX is a great way to enhance your security. It follows officially supported methods, unlike the majority of scripts. The downside is that you require Windows Pro to run it.

How to make the right choice - Harden Windows Security

Simple Windows Hardening

"Simple Windows Hardening" is a similar tool, but it does work on other Windows versions as well.

Hard Configurator

Networking

I only use the internet during the weekends. This does mean that I cannot be attacked through the internet during the weekdays, although I do this to minimize escapism. Paranoid people may want to consider it for security reasons.

I use the following PowerShell script to do that.

# Network-Blocker.ps1
# Friday is drawing class, so not much time for internet anyways
# Disable-NetAdapter / Enable-NetAdapter need an elevated (administrator) session
$DaysToBlock = @("Monday", "Tuesday", "Wednesday", "Thursday")

If ((Get-Date).DayOfWeek -in $DaysToBlock) {
   Disable-NetAdapter -Name "*" -Confirm:$False
} Else {
   Enable-NetAdapter -Name "*" -Confirm:$False
}

It is possible to execute it on startup by running the following PowerShell code:

# $env:Temp gave me a shortened incorrect path, so I use the dotnet variant
$NetworkBlockerPath = "$env:UserProfile\Documents\PowerShell\Functions\Network-Blocker.ps1"
$LogPath = "$([System.IO.Path]::GetTempPath())StartupLog.txt"
# The Run value is a full command line; the started PowerShell performs the ">>" redirection itself
$Command = "powershell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command `"& '$NetworkBlockerPath' >> '$LogPath'`""
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Network-Blocker" -Value $Command -PropertyType String -Force
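As an added example, not the post's own code: the same script registered as a logon task that runs with the elevated token, because Disable-NetAdapter and Enable-NetAdapter need administrator rights and a HKCU Run entry starts the script with the normal user token. It assumes the script path from the post and that the logging-in account is a member of Administrators; run it once from an elevated PowerShell.

```powershell
# Added example; not from the original post. Run once from an elevated PowerShell.
$ScriptPath = "$env:UserProfile\Documents\PowerShell\Functions\Network-Blocker.ps1"
$LogPath    = Join-Path ([System.IO.Path]::GetTempPath()) "StartupLog.txt"
$Account    = "$env:UserDomain\$env:UserName"

# Redirection is done by the started PowerShell, so no cmd.exe wrapper is needed.
$Arguments = "-NoProfile -ExecutionPolicy Unrestricted -WindowStyle Hidden " +
             "-Command `"& '$ScriptPath' >> '$LogPath'`""

$Action  = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $Arguments
$Trigger = New-ScheduledTaskTrigger -AtLogOn -User $Account

# RunLevel Highest gives the task the account's elevated token without a UAC prompt.
# If you log in with a standard account (as the UAC section recommends), register the
# task under an administrator account instead; a standard account has no elevated token.
$Principal = New-ScheduledTaskPrincipal -UserId $Account -LogonType Interactive -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

Register-ScheduledTask -TaskName "Network-Blocker" -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# Verify: State should be Ready and RunLevel Highest.
Get-ScheduledTask -TaskName "Network-Blocker" |
    Select-Object TaskName, State, @{ n = "RunLevel"; e = { $_.Principal.RunLevel } }
```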
