Defending Windows: DIY Security Without Antivirus Software

I believe you’re quite familiar with the issues surrounding antivirus software. For me, the critical point is the privacy risks. These are clearly outlined in any antivirus user agreement, whether it’s the default Windows Defender or the more well-known paid solutions.

Additionally, it’s well-known that antivirus software does not provide a 100% guarantee of protection. Therefore, even if you don’t plan on giving it up, having extra layers of security is always beneficial.

Important warning: Some of the tools discussed in this article make deep modifications to Windows and won’t alert you if you make a mistake. Incorrect use can easily harm your system. However, in the hands of a professional, these utilities become powerful weapons against vulnerabilities.

Optimizing Windows for Security

It’s important to understand that a virus is just a program that runs within the operating system. Therefore, the first step in combating a virus is to properly configure your environment.

The first step is to create a user account with limited privileges. Yes, everyone has read and heard a million times not to use the administrator account for everyday tasks, including in Windows, yet for some reason, people persist in doing so.

If you want to manage without antivirus software, make it a habit to create a standard user account immediately after installing the OS and drivers. This will thwart any malware that can’t elevate privileges. And, of course, keeping your system updated with the latest patches is a given — even small children know that.

When operating on behalf of a user, you also gain some protection for system files and settings against unauthorized changes. If a virus or other malicious entity tries to alter system files, it will encounter access restrictions.

Next, you need to reduce your attack surface as much as possible.

Even if you’ve applied the latest patches, you still can’t be certain that there are no vulnerabilities in the OS components or software. Zero-day bugs do exist, and there are plenty of stories where they came as a surprise to a vast number of users.

If there’s a component or service you’re not using, go ahead and disable it. Don’t use OneDrive? Delete it! Microsoft Edge? Get rid of it too! No printer? Disable the print service. Windows comes loaded with a ton of software and services you’ll never use. So, let’s take a scalpel and cut out all the unnecessary stuff.

You can remove files both from within the system itself and directly from the installation image. This way, you won’t have to repeat the same actions if you ever need to reinstall the system. Personally, I prefer to combine these two methods.

MSMG Toolkit

Despite having a somewhat outdated interface, MSMG Toolkit is a highly useful tool for creating custom Windows builds. It allows you to remove a lot of unnecessary (and sometimes necessary) components, including pre-installed software and telemetry. You can also, for instance, disable hardware compatibility checks when installing Windows 11.

MSMG Toolkit allows you to add certain components like DirectX, Visual C++ Redistributable Runtimes, and more. The cool thing is that this work is done on the installer image level, resulting in an .iso file. You can then burn it onto a USB drive and install an upgraded version of Windows for yourself (or a lucky recipient).

AutoSettings

AutoSettings is a script available on the forum.ru-board.com, created by users westlife and LeX333666. Since it’s a PowerShell script, you can read through it thoroughly to ensure there’s nothing harmful. However, it’s packed with useful features. If MSMG Toolkit couldn’t configure certain settings, AutoSettings will definitely finish the job.

The script comes with presets that allow you to fine-tune its actions in detail. Additionally, there is an interface where you can see what features are currently enabled or disabled in the system.

If you noticed the screenshot, you saw a warning that Windows 11 is not supported. However, it seems that the author simply hasn’t explored all the features of the latest Windows version, and some new settings haven’t been implemented yet. But the ones that are available work perfectly! Additionally, you can modify the script’s code and add any settings you want by yourself.

Firewall

Let’s move on to network security. Everyone knows that Windows has a built-in firewall. Many people have a biased opinion about it, but it’s actually quite decent, especially if configured properly.

Third-party firewalls often come with HIPS (Host-based Intrusion Prevention System), a feature that protects the firewall itself from interference by other programs, including malicious ones. Windows also has mechanisms that monitor the integrity of system components. However, it’s essential to understand that this is not the same as a traditional HIPS.

When it comes to further configuring the standard firewall, the tool Malwarebytes Windows Firewall Control will come in handy.

This is simply a convenient control panel for the built-in Windows Firewall. How do you configure it yourself? First and foremost, I completely block all incoming connections. Then, I delete all firewall rules and enable alerts for any network interaction. If a program or OS component wants to access the internet, Windows Firewall Control will inform you, and you can decide what to do. If a stealer somehow gets onto your machine, it won’t be able to connect to its command server to send stolen data back to its operators.

One downside of the utility is its closed source code. However, if you’re feeling paranoid, you can install Windows Firewall Control, configure all the settings, and then uninstall it. All the rules you created will remain on the system, as long as you decline the offer to revert everything back to the defaults.

Configuring UEFI

Don’t forget about bootkits, and a small adjustment to the UEFI can help defend against them. Here’s what you absolutely need to do to protect it.

Firstly, it’s important to regularly update your UEFI. Unfortunately, this is a weak point in device security: new vulnerabilities are frequently discovered in UEFI, and old ones aren’t always patched promptly.

Secondly, I recommend disabling Secure Boot. This feature verifies the signature of loaded EFI modules to ensure they haven’t been tampered with by an attacker. Though it seems like it should enhance security, vulnerabilities are often found within the mechanism itself.

Supplementary Software

Obviously, just tweaking the settings of an operating system won’t be enough. We will still need third-party software, either to enhance security or to ensure it.

Librewolf

A browser is a critical application when it comes to security and privacy. It can be targeted for tracking or attacks through exploit kits and scripts. That’s why it’s important to carefully choose your browser and its plugins.

I was quite impressed by a Firefox fork called Librewolf. It removes the code responsible for telemetry, centralized updates, and other features that might undermine privacy. However, you can still install all the plugins available in the standard Firefox directory.

Here is a basic set of plugins I recommend installing to make your browser more resistant to manipulation attempts:

• Noscript – used to block JavaScript.
• uBlock Origin – blocks ads, trackers, and harmful elements on websites.
• Firefox Multi-Account Containers – allows you to open each tab in a separate, isolated container.

All the plugins are open-source, so you don’t have to worry about your data being leaked.

I get that choosing a browser is a topic that sparks endless debates. If you’re a fan of Chromium-based browsers, there are options for you, like Ungoogled Chromium.

Sandboxie

We often face a dilemma: should we launch a new application out of curiosity, or is it better not to for security reasons? Sandboxie eliminates this choice. It allows you to create isolated environments to run potentially vulnerable or dangerous applications. Virtualization occurs at the filter driver level, providing decent protection, especially if you follow the recommendation to operate under a user account.

The app is paid, but there are also free features that might be sufficient. The Sandboxie code is completely open and available on GitHub.

You can always run programs like your browser and PDF reader in Sandboxie. This way, if there’s a vulnerability that hasn’t been patched by the developer yet, you’re still protected. Additionally, it’s a good idea to open unknown applications and any suspicious but interesting files downloaded from the darker corners of the internet with Sandboxie as well.

It would be even better to set up an automatic cleanup for the isolated environment. Once the programs running in it are closed, it can reset all changes. This also enhances your privacy: for example, if you use a browser in this mode, cookies will be much less effective in tracking you.

Portable Application Versions

Installing applications often requires administrative privileges, which increases the risk of compromise, especially when downloading software from unknown sources. To minimize this risk, though not eliminate it completely, one can use portable versions of programs. These do not require installation, and even if they contain malicious functionality, a virus would not spread far within the system. Additionally, a properly configured firewall will prevent any data from leaking out.

ESET Sysinspector

This is a good tool for monitoring the components installed on your system. How does ESET SysInspector differ from an antivirus? It doesn’t require installation, doesn’t integrate into your system, and isn’t always running in the background. Its functionality is straightforward: you launch it, check if there are any signs of unwanted intruders in Windows, and then you close it.

This is definitely better than being constantly monitored by a traditional antivirus program. Moreover, ESET Sysinspector doesn’t require an internet connection to function, so it won’t steal any data. However, there’s a downside: the application’s source code is not open.

Key Takeaways

By following the tips in this article, you can effectively protect yourself from various attacks. For the most part, you can achieve this using the built-in features of Windows and a small set of open-source programs, none of which will run continuously on your system. Naturally, this approach can and should be expanded and tailored to suit your needs and preferences.