Join 3,572 readers in helping fund MetaFilter (Hide)


I'm keeping these Windows closed, getting bars installed
May 25, 2011 9:35 AM   Subscribe

I got a new Windows machine. It's been a while since I used Windows (never Windows 7). What do I, as someone paranoid about viruses and malware, need to download and set up in order to be 99.99% sure that nothing untoward happens to my machine?

If you'd recommend installing both Avast and AVG, in addition to MSE, for example, I'd be happy to do it.

I'd like to think I'm pretty savvy about clicking email attachments and stuff like that. I'm not so crazy about NoScript, because a lot of times websites just won't load unless I allow exceptions, and I feel like I'm doing that for every website, which kind of defeats the purpose.

If there's a guide somewhere online, or a book, that goes into detail about this, that'd work great for me.
posted by Busoni to Technology (21 answers total) 33 users marked this as a favorite
 
Oh, and I plan on pretty much never using IE.
posted by Busoni at 9:36 AM on May 25, 2011


I'm pretty cavalier about my downloading/sketchy link clicking, and AVG (the no-frills free one, aggressively updated) has caught everything bad before it's happened. I also use AdBlock Plus on firefox, which stops all of that obnoxious trick-you-into-clicking stuff from popping up.

I'm on Vista, though; there might be other things to consider for Windows 7.
posted by phunniemee at 9:44 AM on May 25, 2011


Installing Microsoft Security Essentials and making sure Windows Update is set up to automatically install updates will get you 90% of the way there. Using a modern web browser like Chrome, Firefox, or (yes, even) IE9 will get you another 5%.

The rest is pretty much just Don't Be Stupid: Remember that installing things from the internet is like eating candy you got from a stranger. Sure, candy is delicious, but make sure you trust the source.
posted by The Lurkers Support Me in Email at 9:45 AM on May 25, 2011 [8 favorites]


I'm a big fan of Sandboxie. Set up anything that could be a malware vector (web browsers, media players, pdf readers, etc.) to run in a sandbox, and any changes made from that process won't be able to affect your overall system. Also, if you do end up downloading something sketchy that you still want to run, you can manually run it sandboxed.
posted by burnmp3s at 9:46 AM on May 25, 2011


Before saying you'll never use IE, have you tried IE9? I mean, they've gone a long way since 6, no need to knock it before you tried it.

MSE should be enough, it couldn't hurt now and then to run a Malwarebytes scan if that was your fancy.

Most importantly, keep up with Windows Updates and make sure you have a weekly virus scan set up.

If that isn't enough, you could always make a limited Standard User account and only use that. Microsoft has gone a long ways in locking down that environment to keep any mischief out.
posted by calm down at 9:49 AM on May 25, 2011


Seconding Microsoft Security Essentials. It's free, it's updated regularly and doesn't suffer from the bloat and cruddy performance that appear to plague products like McAfee. In my use, I've found it to be superior to things like AVG and Avast. If you're using MSE, you won't need the others.

I don't use IE, but that's largely because Chrome is just faster. If anyone besides you (in other words, less savvy tha you) is going to use your computer, I would probably set Chrome as the default browser just for the extra level of security.

Windows 7 is really a well-polished product that does a lot of things very well. Microsoft appears to have finally taken security seriously with MSE, and it shows in the product.
posted by DWRoelands at 9:57 AM on May 25, 2011


This is just anecdotal information, but my friends and colleagues who have gotten viruses over the past couple of years got them through malicious code injected into banner ads. I know you don't want to use NoScript, but it really is the best way I've found to handle this type of attack. It's a bit of a pain to unlock your regular sites at first (ie. MetaFilter!), but good security can require effort! (You'll block most ads and gross things like Facebook tracking you everywhere you go, too.)

At the very least run AdBlock and Chrome, which sandboxes the browser better than FF or IE. Otherwise, I just run the free AVG and make sure I keep Windows updated.
posted by jess at 10:00 AM on May 25, 2011


Microsoft Security Essentials should really be enough.
posted by KokuRyu at 10:07 AM on May 25, 2011


1. Microsoft Security Essentials for day-to-day security.
2. MalwareBytes for occasional scans and when you think something has gone wrong.
2a. Having a LiveCD on-hand is good in case something does go wrong.
3. EMET is a handy Microsoft utility which helps keep things secure against zero-day issues. (This is important as they are where the most things get past standard anti-malware programs)
4. Use Google Chrome.
5. Check Ninite, and if you have programs on that list, save an installer of them from there and run it on occasion to make sure that your other programs stay up-to-date.
6. Make sure you have Windows Update active. Auto-install, auto-download, or auto-notify; you can pick based on preference, but make sure you stay updated.
7. Don't disable User Account Control (UAC).

This is more than you technically *need*, but it should be a solid standard install set. The essential things to do are Microsoft Security Essentials, Chrome, Windows Update, and keeping UAC up.
posted by CrystalDave at 10:18 AM on May 25, 2011 [3 favorites]


DWRoelands: "Seconding Microsoft Security Essentials. It's free, it's updated regularly and doesn't suffer from the bloat and cruddy performance that appear to plague products like McAfee. In my use, I've found it to be superior to things like AVG and Avast. If you're using MSE, you won't need the others."

I wouldn't fully agree on this one. I've gotten hit with driveby shit in google images (yes, innocent image searches)... I have MSE.

One thing that seems to help me time and again is autoruns -- this isn't a preventive measure, however. It's an after the fact tool that helps you find out what piece of shit software is sneaking into your system and running automatically (it looks in the registry and other auto-starting places).

I also recommend malwarebytes as mentioned upthread.

I used to use Avast, but MSE seems much leaner. If you want a non-MS product, I'd recommend Avast over AVG or McAfee, because at least the last time I used it, it wasn't full of bloat (at least it was fairly lean compared to the others). But MSE is definitely pretty lean and easy to use.

Adblock and Flashblock are both essential as well. I've heard people swear by no-script, and I don't use it because I don't have patience for the headache of training it to do what I want. BUT...

If you are serious about security, and really want a stronger peace of mind, then I'd recommend that as well. It's just not my thing.
posted by symbioid at 10:39 AM on May 25, 2011


You don't need to run both Avast and AVG - one or other will do. Running two anti-virus programmes simultaneously can cause them to conflict with each other. I use Avast (free version) and am very happy with it.
posted by essexjan at 11:00 AM on May 25, 2011


Stop by the Mozilla Plugin Checker every once in a while (no matter which browser you use), and update accordingly.
posted by blue_beetle at 11:00 AM on May 25, 2011


Here's what I put on high-paranoia systems:
1. First rattle out of the box, a hosts file.

2. Second rattle, FF or Chrome with adblock and flashblock. No-script is too much of a pain in the butt, even for me. Can't stand it.

3. If you don't NEED it, don't install Java, period.

4. PDF-XChange or Sumatra for PDF's. Some will argue that Acrobat Reader X is more secure, but for me it's all about the speed and javascript disabled by default.

5. If you're still paranoid, install PeerBlock and have it run the virus and malware and ads lists. This will, at some point, prevent a site from loading for you. Simply disable it for as long as you need to.

6. I like AVG or Avast + MS Security Essentials as mentioned above.

7. For a non-infected system, you don't need Malware Bytes. If you want to lock it down, install SpyBot and let it install its resident protection, where it will ask you EVERY SINGLE TIME a system file is changed. A pain when installing software, but good for long-term protection.

8. Don't do stupid stuff. Don't open random email attachments, don't click on weird looking porn ads, and always remember that ALT+F4 is your friend. (When in doubt, don't click the X, click ctrl+f4 with the window in focus, because most of the time the X isn't an X.)

Blocking infection at IP level is about as safe as it gets. The PeerBlock step is overkill, but it's a good one. After install, right click the icon and choose "block http", or else it'll block everything BUT web traffic. Hosts + spybot + peerblock will protect you from almost everything, adblock and flashblock will get the rest. No-script is an unnecessary annoyance for me, but if you're going all out paranoid, go for it.

(Some will argue that Chrome is theoretically safer than FF, since Chrome runs every tab in its own virtual machine...whatever. I recently switched to Chrome, but not for this reason.)

If you want to be completely, absolutely paranoid, do all web browsing from inside Sandboxie as recommended above, and/or, if you REALLY want be be hardcore, install XP mode or get the VMware viewer and install the XP Mode image into it, and then do all your browsing and non-necessary work inside an actual virtual machine. With VMWare viewer you can't snapshot your current state, which is fun to do, as you can always just step back in time to a known safe configuration.
posted by TomMelee at 11:13 AM on May 25, 2011 [2 favorites]


Seconding what CrystalDave said. Symbioid is right that there is a lot of malware cruft in Google Images search now.

A couple other things:
* Use AdBlock Plus on Chrome (or Firefox if you'd rather use it instead). This will eliminate some of the drive-by banner ad issues Symbioid mentioned.
* Use Flashblock on Chrome or Firefox. This is much less intrusive (in my experience) than NoScript and provides some protection against Flash exploits, not to mention faster browsing.
* Download Secunia PSI, which detects *any* out of date software on your PC and notify you to update it. PSI is useful for the constant stream of Flash, Adobe Reader, Java and QuickTime security problems.
* Do not use two live scanning antivirus programs at the same time (like AVG and MSE). You will cause performance and system problems doing this. Installing MSE and (non-live sacanning) Malwarebytes is OK.
posted by cnc at 11:19 AM on May 25, 2011 [2 favorites]


TomMelee: "Here's what I put on high-paranoia systems:

7. For a non-infected system, you don't need Malware Bytes. If you want to lock it down, install SpyBot and let it install its resident protection, where it will ask you EVERY SINGLE TIME a system file is changed. A pain when installing software, but good for long-term protection.

8. Don't do stupid stuff. Don't open random email attachments, don't click on weird looking porn ads, and always remember that ALT+F4 is your friend. (When in doubt, don't click the X, click ctrl+f4 with the window in focus, because most of the time the X isn't an X.)
"

I've had shit get around the latest and greatest version of spybot, somehow. So I no longer use it, but it is a good idea. Maybe I did something wrong.

Secondly - I think the alt-f4 may be a keypoint I haven't thought of.

As someone said above, Java is also a danger. It's annoying to not have when you need it, but I've had shit happen through Java.
posted by symbioid at 11:49 AM on May 25, 2011


This is just anecdotal information, but my friends and colleagues who have gotten viruses over the past couple of years got them through malicious code injected into banner ads.

This has happened to me too in the last few months. I'd never gotten a computer virus until this started happening. I don't go to sketchy websites or download mystery attachments - I got a virus just from going to the MySpace music page of a band I like. I use Firefox, not IE. These viruses actually disable whatever anti-virus program you have running, including Microsoft Security Essentials, and then install themselves, so I think the only way to stop it is to prevent the script in the ad from running, which is something I need to figure out myself and will based on the advice in this thread.
posted by wondermouse at 1:25 PM on May 25, 2011


Enable Secure Log On.
posted by No Shmoobles at 2:12 PM on May 25, 2011


The thing that's kept me the safest personally is running as a non-admin with a strong password. So much easier to keep an eye on things when you have to be prompted to install/update anything.
posted by clerestory at 8:15 PM on May 25, 2011


Adblock Plus probably helps. So do (redirecting your mail to) GMail, which is a champion at filtering spam.

You might also like NoScript, but I've given up on that since it basically blocks every website you ever visit, and unblocking JavaScript every 10 minutes gets annoying really fast.
posted by Harry at 5:44 AM on May 26, 2011


I swear by NoScript. From some of the comments I'm not sure everyone realizes that you can make the per-site Javascript enabling permanent. So I've got all my frequently-visited sites set up, and I don't find myself having to muck with it that often.

As an added bonus, whenever I visited Gawker it looked broken.
posted by benito.strauss at 11:16 AM on May 26, 2011


I also use noscript with flashblock on firefox. When I use other people's computers I am always shocked at how ugly the internet is! Granted I have some difficulties - I have to use Chrome (my backup browser) to view Vimeo video that has been embedded. For some reason - even after enabling it on the embedding site it just won't load in firefox. But that is minor compared to living in an online environment with greater security and no in your face advertising. It probably helps that as a web dev I can figure out which script hosts to enable most of the time (it also makes me appreciate how awful a security decision for your users it is when you include 15 different hosts in one site).

More importantly though, setup a locked down guest account and never ever let other people use your account ever. EVER!. There is nothing worse for you, your computer and your friendships or relationship than having to ask "What did you do?" when a computer suddenly decides to drop everything and go for a walk in the park. You can't help but quickly become the bad cop in an interrogation scene as you contemplate the hours of probably fruitless system sleuthing ahead. It will make you seem like a real untrusting tight-ass with major paranoia issues but that is a small price for you to pay compared to the costs of a system meltdown followed by a relationship meltdown. Not to mention you can establish and maintain a right and expectation to privacy.
posted by srboisvert at 10:18 PM on June 21, 2011


« Older Help me find the new hometown ...   |  We have the holy trinity of ma... Newer »
This thread is closed to new comments.