Windows is the most successfully attacked of all operating systems, on the one hand because it is so widespread and on the other because of its fundamental insecurity. In this article, I would like to list and explain some measures with which Windows can be secured, or used safely, as far as possible. The post will be continuously updated when new measures are required, so you are welcome to bookmark it so that you can access it again quickly. The links in the article refer to earlier articles that shed light on the respective topic.
Antivirus Software
The most obvious protective measure for Windows is to install antivirus software. Most manufacturers offer at least three basic
variants: a free version, a paid virus scanner, and a suite with various
additional functions such as firewalls, browser plugins, etc.
One cannot make a general recommendation as to which variant is
preferable and which manufacturer offers the most powerful program. Current
test reports in competent specialist magazines should be used to make a
decision. My overall opinion is:
· In most cases, the free version is sufficient. The free
versions of most programs receive signature updates less often (only once a day
instead of, for example, every hour), but signatures are becoming less and less
important. Nowadays, malware is only actively distributed for a few hours. It
can take days, if not weeks, for the manufacturer of the anti-virus software to
receive a sample of the malware, create a signature, and distribute it to the
programs. Likely, the signature is already out of date,
regardless of the update frequency with which it was distributed.
The two other important protective mechanisms, heuristics and behavioral
detection, are increasingly being expanded in the free programs. Make
sure that the free version also offers these two functions.
· If you do want to purchase protection software, it is usually
sufficient to buy a virus scanner. This may be updated more frequently and
may contain more sophisticated heuristics and behavioral detection. This
may give you a little more security.
· I usually don't see a good reason to buy a suite, which usually
includes a personal firewall, browser plugins, and other additional programs. The
browser plugins often work poorly, slow the browser down, and have little to no use. Personal
firewalls are no more useful than the firewall already built into Windows, but
very often confuse users with messages that they do not understand.
Regardless of which variant you choose, you need to familiarize
yourself with the messages of the program and its settings so that you can
understand warnings and differentiate them from fake messages in the browser. If
you don't know what a virus alert from your program looks like, it's easy to
fall for a fake alert, for example one placed as advertising on a website.
You should also set regular system scans and not just rely on
the live scanner checking the currently open data.
In the case of a legitimate report: keep calm. If the
program has found malware on a website or in the attachment to an email and
reports it, then everything is fine. There is no need to panic. The
system has been protected, it has not been infected.
If an infection succeeds, your virus scanner will usually not respond
initially. Only when it is later able to recognize the infection
through an update can it report it, for example during a full system scan. It
will then also offer suggested solutions, such as moving files to quarantine or
deleting them. In any case, you should first google the reported malware
and find out what it does and how it can be eliminated.
Linux-based bootable DVDs or USB sticks can be very helpful here.
You start the computer from them instead of from Windows, and they use one or more
virus scanners to check the Windows installation while it is not running. Since Windows is not
running, the malicious programs are not active either, making them easier to
identify and remove.
Settings in Windows Itself
Windows itself is not optimally configured in all cases, and its
settings can also be changed too easily. Sensible safety functions are often switched
off for convenience, for example.
The most important setting that you can and should change
yourself is showing the file extensions. The article linked
here explains how to do this. The fact that Windows hides known file
extensions by default and thus unnecessarily obscures the type of a file is one
of the main causes of successful infections by malware that requires the user's
cooperation to be installed.
User Account Control (also called UAC) is the program that
prompts users with administrative rights as soon as they try to do something
that Windows understands as an administrative action. Usually, you have to
confirm a dialog with OK. Under no circumstances should you turn off User
Account Control or lower its sensitivity. Do not acquire the Windows
reflex (or break the habit again in a hurry) of pressing OK on on-screen
messages without even trying to read and understand the message. If you
don't understand a message, and especially if you don't expect to get one,
"OK" is exactly the wrong answer.
Make sure that the Windows firewall is active unless you have
bought a suite with its own firewall. You should also check other
security settings regularly; the Windows Action Center will point out problems. Do
not ignore these messages. You should also not ignore update messages from
Windows or other programs. Updates are important.
A system program that is unnecessary in many cases, but which
can be used very well for attacks via scripts in e-mail attachments, is the
Windows Script Host. For example, JavaScript normally only runs in the
browser. However, if such a script is attached to an e-mail, a
double-click on the script file starts the Windows Script Host, which then
executes the script independently of the browser. The script can then
reload malicious code from the Internet without having to use the browser.
For the vast majority of Windows users, this program is of no
use and should therefore be deactivated.
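The settings discussed in this section can be checked in one pass. The following PowerShell script is an added example, not part of the original article; it only reads the registry values and firewall state that correspond to file extensions, UAC, the firewall, and Windows Script Host, and the helper names `Get-RegValue` and `New-Finding` are made up for this illustration.

```powershell
# Added example: read-only audit of the settings named in this section.
# Needs Windows 8 / Server 2012 or later for Get-NetFirewallProfile.
function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}
function New-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$uac      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$wshKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
            'HKCU:\Software\Microsoft\Windows Script Host\Settings'
$findings = @()

# 1. File extensions: Explorer shows them only when HideFileExt is 0.
$hide = Get-RegValue $explorer 'HideFileExt'
$findings += New-Finding 'File extensions shown' ($hide -eq 0) "HideFileExt=$hide"

# 2. UAC: EnableLUA=0 turns it off, ConsentPromptBehaviorAdmin=0 elevates
#    without asking, PromptOnSecureDesktop=0 drops the secure desktop.
$lua     = Get-RegValue $uac 'EnableLUA'
$consent = Get-RegValue $uac 'ConsentPromptBehaviorAdmin'
$secure  = Get-RegValue $uac 'PromptOnSecureDesktop'
$uacOk   = ($lua -eq 1) -and ($consent -ne 0) -and ($secure -ne 0)
$findings += New-Finding 'UAC on, not weakened' $uacOk "EnableLUA=$lua Consent=$consent SecureDesktop=$secure"

# 3. Firewall: all profiles should be enabled (a disabled profile is
#    expected only if a security suite supplies its own firewall).
$off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
$findings += New-Finding 'Windows firewall active' ($off.Count -eq 0) "Disabled profiles: $($off.Name -join ', ')"

# 4. Windows Script Host: counted as deactivated here when Enabled is 0
#    in either hive (simplification; an absent value means it is active).
$wshValues = $wshKeys | ForEach-Object { Get-RegValue $_ 'Enabled' }
$wshOff    = @($wshValues | Where-Object { "$_" -eq '0' }).Count -gt 0
$findings += New-Finding 'Windows Script Host deactivated' $wshOff "Enabled values: $($wshValues -join ', ')"

$findings | Format-Table -AutoSize
```

Any row with `Ok` set to `False` points at one of the settings described above. Setting the `Enabled` value to 0 under the HKLM key is the change that deactivates Windows Script Host for all users.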
Backups
Backing up your data on separate data carriers that are not
permanently connected to the computer is life insurance for your data. You
can defuse two threats in this way: sudden hard drive death, in which the hard
drive itself simply gives up the ghost, and blackmail trojans (ransomware),
which encrypt your data and only release it again for a ransom.
The right backup strategy consists of a simple method
of data protection that you can fully survey and understand and that will still
be available to you in an emergency even months and years later. Backup
software can be helpful, but too often I see that how it works is not
understood, its error messages are not read, etc. A backup that did not take
place or that cannot be restored is pointless. A simple manual copy of the
data that is repeated regularly is often the easiest and most useful
alternative.
Review your backup strategy regularly and don't let it slip.
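A simple copy that also checks itself addresses the point that a backup which did not take place, or cannot be restored, is pointless. The following PowerShell script is an added example, not part of the original article; the source folder and the drive letter `E:` of the external disk are assumptions to be adjusted.

```powershell
# Added example. $Source and $Target are placeholders; E: is an assumed
# drive letter for an external disk that is connected only for the backup.
param(
    [string]$Source = "$env:USERPROFILE\Documents",
    [string]$Target = 'E:\Backup\Documents'
)

if (-not (Test-Path -LiteralPath (Split-Path -Qualifier $Target))) {
    throw 'Backup drive is not connected; no backup was made.'
}

# /E copies subfolders, /XJ skips junction points. Without /MIR or /PURGE
# nothing is ever deleted from the backup.
$log = Join-Path $env:TEMP 'backup.log'
robocopy $Source $Target /E /XJ /R:1 /W:1 /NP /LOG:$log | Out-Null
if ($LASTEXITCODE -ge 8) {
    throw "robocopy reported failures (exit code $LASTEXITCODE), see $log"
}

# Verify: every (non-hidden) source file must exist in the backup with the
# same SHA-256 hash. This reads the copy back from the backup medium.
$srcRoot = (Resolve-Path -LiteralPath $Source).Path.TrimEnd('\')
$bad = foreach ($file in Get-ChildItem -LiteralPath $srcRoot -Recurse -File) {
    $copy = Join-Path $Target $file.FullName.Substring($srcRoot.Length + 1)
    if (-not (Test-Path -LiteralPath $copy)) {
        "MISSING  $copy"
    } elseif ((Get-FileHash -LiteralPath $file.FullName).Hash -ne
              (Get-FileHash -LiteralPath $copy).Hash) {
        "DIFFERS  $copy"
    }
}
if ($bad) { $bad; throw "$(@($bad).Count) file(s) failed verification." }
"Backup verified: $Target"
```

Disconnect the drive again after the script reports success, so that the copy stays out of reach of malware running on the computer.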
Set up User Accounts Sensibly
One important measure that is unfortunately ignored by the vast
majority of Windows users is to use different accounts for users. Most
Windows installations only have a single user account, and this has
administrative rights and does not have or require a password.
Until Windows XP, due to the limitations of the system and the
lack of specifications for programmers, it was almost impossible to use it
without an administrator account. However, since Vista, the situation has
improved in this regard.
In a properly secured Windows installation, there should
therefore be one or, if necessary, several accounts with administrative rights,
but these should only be used for administrative tasks such as updates and
software installation. For daily work, surfing, etc., there should be a
separate user account for each computer user, which only has limited rights. If
malware tries to establish itself on the computer while a restricted user
account is active, this malware also has only the limited rights of that user. That
may be enough for a blackmail trojan, but many of the methods malware uses to anchor
itself deep in the system then fail.
When a restricted user wants to perform an administrative task,
Windows usually displays a dialog in which the password of an administrative
user must be entered to carry out the action. If such a dialog
appears without an appropriate action having been started, you know that you
should close this dialog and not enter the password.
The separation of users also has the pleasant side effect that
browser histories, cookies, password managers, and many settings are available
individually and only for the current user.
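Whether a computer follows this separation can be read from the local account database. The following PowerShell script is an added example, not part of the original article; it lists the enabled local accounts and warns about the situations described above (no standard account, an administrator that is not required to have a password, daily work in an administrator account).

```powershell
# Added example; needs Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts).
# The Administrators group is addressed by its well-known SID because its
# display name is localized. Only direct group members are considered.
$adminSids = @(Get-LocalGroupMember -SID 'S-1-5-32-544' |
               ForEach-Object { $_.SID.Value })

$accounts = Get-LocalUser | Where-Object Enabled | ForEach-Object {
    [pscustomobject]@{
        Account          = $_.Name
        Administrator    = $adminSids -contains $_.SID.Value
        PasswordRequired = $_.PasswordRequired
        PasswordLastSet  = $_.PasswordLastSet
    }
}
$accounts | Format-Table -AutoSize

$warnings = @()

# There should be at least one restricted account for daily work.
$standard = @($accounts | Where-Object { -not $_.Administrator })
if ($standard.Count -eq 0) {
    $warnings += 'No enabled standard account: daily work runs with administrative rights.'
}

# PasswordRequired = False means the account may have an empty password.
foreach ($a in $accounts | Where-Object { $_.Administrator -and -not $_.PasswordRequired }) {
    $warnings += "Administrator account '$($a.Account)' is not required to have a password."
}

# The account running this script should normally be a restricted one.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($adminSids -contains $me.User.Value) {
    $warnings += "Current account '$($me.Name)' is an administrator; use it only for updates and installations."
}

if ($warnings) {
    $warnings | ForEach-Object { Write-Warning $_ }
} else {
    'Account separation looks as recommended.'
}
```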
The Browser as a Source of Danger
The browser is the program you use to view web pages. It is
the window into the Internet and also the window through which a large part of
the malware tries to penetrate. Browsers are therefore one of the programs
that you should definitely keep up to date.
Internet Explorer is a special case because it is equipped with
techniques that make it a particularly high security risk. Don't
use it. In particular, you should no longer use a version before
Internet Explorer 11, as Microsoft no longer maintains it. Version 11 is
said to be the last version of this browser, with which technologies like
ActiveX, some of which have greater rights in the system than even
administrators, are finally being buried. The
Edge browser available in Windows 10 is not a cause for concern in this regard,
even if it is not yet a serious competitor to Chrome or Firefox.
Using browsers other than Microsoft's is already an advantage in
terms of speed and security. Extensions such as ad blockers,
JavaScript blockers, etc. can also provide additional
security here. Firefox also has the advantage of its own certificate
management, which is unaffected if fake security certificates
are slipped into Windows.
My personal recommendation is Firefox with the extensions
AdBlockPlus and NoScript, although NoScript, in particular, has to be set
correctly in order not to hinder the surfing experience in the long term.
Handling Emails
E-mails are currently being used again to a particularly large extent to distribute malware. As a matter of principle, you can't trust emails. Aside
from phishing attempts, there is a risk primarily
from e-mail attachments that pretend to be a document but in reality are
malware that tries to download further malware from the Internet and install it on the
system.
Don't trust email attachments. Don't believe emails asking
you to pay, to log in to check security settings, and the like. In
the Security category of this page, you will find numerous examples of such
emails, as well as in the Dangerous Emails gallery.
Avoiding Unsafe Software
Last but not least, as far as possible, you should avoid using
software that is particularly exposed to the crossfire of attacks. The list
isn't particularly long; check whether you really need these programs:
· Internet Explorer: This browser was mentioned above. It
cannot be removed, but it can be ignored.
· Microsoft Office: If you don't really need to use Microsoft
Office specifically, there are plenty of free alternatives, such as
LibreOffice. Outlook can be replaced by Thunderbird. Like Internet
Explorer, MS Office has deep roots and permissions in
the operating system, and its macro programming is
particularly prone to abuse. You should
at least restrict this comprehensively if you do have to use this office suite.
· Adobe Flash: A very popular target is the Flash plug-in for
browsers. Fortunately, this technology is becoming increasingly obsolete. If possible,
uninstall Flash. Only a few websites still need Flash for basic functions
or even the entire display of the website; anyone who still operates such sites
has missed the development of the last 5 years. YouTube and other portals
now also use HTML5 as standard and no longer use Flash.
Another advantage of not using Flash: Flash
can use supercookies to track user information, which are much more
powerful than normal cookies but remain unnoticed by many, even if they
otherwise value privacy and the like. Uninstalling Flash will also stop
these supercookies.
· Adobe Reader: The program for viewing PDFs remains popular, but
it is far from the only program that can view PDFs. Since Adobe Reader is
also often attacked, the use of an alternative such as Foxit Reader is already
a step towards security.
· QuickTime: This video display technology from Apple has recently
been discontinued by Apple and contains serious security holes that are already
being exploited to install malware. You should urgently remove QuickTime
from your system if it is installed. Like other application programs, it can
also be uninstalled via the Control Panel.
· Java: Java is a programming language that should not be confused
with JavaScript. Java is useful, but if you aren't using applications that
require Java, then you can do without Java. Since it has not been part of
the Windows scope of delivery for a long time, you may not have it installed. If
you do, but you don't need it, you can uninstall it in the Control Panel.
· Windows: It comes as no surprise to regular readers of my blog
that I advise against using Windows itself when there is no need to. Absolutely every other operating system is more secure. Not
using Windows solves almost all of the security problems mentioned in this post
in one fell swoop. As an Apple or Linux user, you can of course also
become a victim of a phishing attack; but then the vulnerability is you,
not your system.
If you implement all of this advice, you will achieve optimal,
if not one hundred percent, protection of your Windows system. However,
this does not relieve you of the responsibility to continue to be vigilant and
to inform yourself as regularly as possible in the field of security. I
hope that the contributions on this page will continue to provide you with
valuable assistance.