Defending Windows: DIY Security Without Antivirus Software

Date: 19/07/2025

If you want to protect yourself from viruses, you need antivirus software, right? Not necessarily. Antivirus programs have several drawbacks, so if you’re willing to think and act wisely, you can minimize the risk of infection on your own. All it takes is following some digital hygiene practices and making a few important system adjustments. That’s exactly what we’ll discuss.

I believe you’re quite familiar with the issues surrounding antivirus software. For me, the critical point is the privacy risks. These are clearly outlined in any antivirus user agreement, whether it’s the default Windows Defender or the more well-known paid solutions.

Additionally, it’s well-known that antivirus software does not provide a 100% guarantee of protection. Therefore, even if you don’t plan on giving it up, having extra layers of security is always beneficial.

Important warning: Some of the tools discussed in this article make deep modifications to Windows and won’t alert you if you make a mistake. Incorrect use can easily harm your system. In the hands of someone who knows what they are doing, though, these utilities are powerful tools for cutting away attack surface.

Optimizing Windows for Security

It’s important to understand that a virus is just a program that runs within the operating system. Therefore, the first step in combating a virus is to properly configure your environment.

The first step is to create a user account with limited privileges. Yes, everyone has read and heard a million times not to use the administrator account for everyday tasks, including in Windows, yet for some reason, people persist in doing so.

If you want to manage without antivirus software, make it a habit to create a standard user account immediately after installing the OS and drivers, and use it for everything except administration. Malware that runs under that account and cannot elevate privileges is confined to what that user can do: it can still read and exfiltrate the user’s own documents and browser profile, but it cannot install drivers or services, write to system directories, or persist machine-wide. And, of course, keeping your system updated with the latest patches is a given; even small children know that.

Working from a standard account also protects system files and settings against unauthorized changes. If a virus or other malicious entity tries to alter them, it runs into the access-control restrictions, and any attempt to elevate produces a UAC prompt for administrator credentials instead of succeeding silently.
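The account setup described above, as an added example that is not part of the original article. It creates the everyday standard account, makes sure it is not in Administrators, pins UAC to "always notify" so that elevation from that account always means a credential prompt, and verifies who is left in the Administrators group. The account name `daily` is an assumption. Run once from an elevated PowerShell on a fresh install.

```powershell
# Added example (not from the article): set up a standard account for daily work.
# The account name is an assumption; run from an elevated PowerShell.

$DailyUser = 'daily'

# 1. Create the everyday account with a prompted password and put it in Users only.
$Password = Read-Host -AsSecureString "Password for $DailyUser"
New-LocalUser -Name $DailyUser -Password $Password -Description 'Daily standard account' | Out-Null
Add-LocalGroupMember -Group 'Users' -Member $DailyUser

# 2. Make sure it is NOT in Administrators (some GUI paths add new accounts there).
if (Get-LocalGroupMember -Group 'Administrators' -Member $DailyUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}

# 3. UAC at "always notify": EnableLUA on, consent prompt on the secure desktop for admins
#    (ConsentPromptBehaviorAdmin = 2) instead of the default that skips prompts for
#    Windows-signed binaries. From the standard account every elevation is a credential prompt.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $UacKey -Name 'EnableLUA'                  -Value 1 -Type DWord
Set-ItemProperty -Path $UacKey -Name 'ConsentPromptBehaviorAdmin' -Value 2 -Type DWord
Set-ItemProperty -Path $UacKey -Name 'PromptOnSecureDesktop'      -Value 1 -Type DWord

# 4. The built-in Administrator account is disabled on clean installs; make sure it stays so.
Disable-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue

# 5. Report: this list should contain only the one account you keep for administration.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

After logging in as the new account, `whoami /groups` should list `Mandatory Label\Medium Mandatory Level` and no `BUILTIN\Administrators` entry; if it shows High integrity, the account is still an administrator and the setup has to be repeated.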

Next, you need to reduce your attack surface as much as possible.

Info: In cybersecurity, the attack surface is the sum of all points at which an attacker can interact with a system and try to break in: exposed services, installed software, enabled features and any vulnerabilities in them. The more such components there are, the larger the attack surface.

Even if you’ve applied the latest patches, you still can’t be certain that there are no vulnerabilities in the OS components or software. Zero-day bugs do exist, and there are plenty of stories where they came as a surprise to a vast number of users.

If there’s a component or service you’re not using, go ahead and disable it. Don’t use OneDrive? Delete it! Microsoft Edge? Get rid of it too! No printer? Disable the print service (Print Spooler). Windows comes loaded with a ton of software and services you’ll never use. So, let’s take a scalpel and cut out all the unnecessary stuff.

You can remove files both from within the system itself and directly from the installation image. This way, you won’t have to repeat the same actions if you ever need to reinstall the system. Personally, I prefer to combine these two methods.
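Both approaches from the paragraphs above, applied with the DISM and Appx cmdlets that ship with Windows, as an added example that is not part of the article and is not MSMG Toolkit. Part 1 trims the running system: the Print Spooler and a few discovery services, SMBv1 and the PowerShell 2.0 engine (which lets a script downgrade to an engine without AMSI or script-block logging), and Store apps you never open. Part 2 makes the same cuts in an `install.wim` so a reinstall starts clean. The service list, package names and paths under `C:\img` are assumptions; check yours with `Get-WindowsImage`, `Get-AppxProvisionedPackage` and `Get-Service` before running.

```powershell
# Added example (not from the article, not MSMG Toolkit): trim attack surface on the running
# system, then apply the same cuts to an install.wim. Lists and paths are assumptions.
# Run from an elevated PowerShell.

# --- Part 1: the running system -------------------------------------------------------

# Services you do not use. 'Disabled' survives reboots; a plain Stop-Service does not.
foreach ($svc in 'Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

# Optional features with a history of abuse: SMBv1 and the PowerShell 2.0 engine.
$Features = 'SMB1Protocol', 'MicrosoftWindowsPowerShellV2Root'
foreach ($feature in $Features) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature
    if ($f -and $f.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart | Out-Null
    }
}

# Store apps you never open: remove for all users AND de-provision, so accounts created
# later (such as the standard account from the previous section) do not get them back.
$Unwanted = 'Microsoft.XboxGamingOverlay', 'Microsoft.GetHelp', 'Microsoft.BingWeather'
foreach ($name in $Unwanted) {
    Get-AppxPackage -AllUsers -Name $name | Remove-AppxPackage -AllUsers -ErrorAction SilentlyContinue
    Get-AppxProvisionedPackage -Online | Where-Object DisplayName -eq $name |
        Remove-AppxProvisionedPackage -Online | Out-Null
}

# --- Part 2: the installation image ---------------------------------------------------
# Assumes \sources\install.wim was copied from the ISO to C:\img (an ISO's contents are
# read-only). Index 1 is whichever edition you install: verify with Get-WindowsImage.

$Wim   = 'C:\img\install.wim'
$Mount = 'C:\img\mount'
New-Item -ItemType Directory -Path $Mount -Force | Out-Null
Mount-WindowsImage -ImagePath $Wim -Index 1 -Path $Mount | Out-Null
$ok = $false
try {
    foreach ($feature in $Features) {
        Disable-WindowsOptionalFeature -Path $Mount -FeatureName $feature | Out-Null
    }
    foreach ($name in $Unwanted) {
        Get-AppxProvisionedPackage -Path $Mount | Where-Object DisplayName -eq $name |
            Remove-AppxProvisionedPackage -Path $Mount | Out-Null
    }
    $ok = $true
} finally {
    # -Save commits the changes; on any error -Discard leaves the original image untouched.
    if ($ok) { Dismount-WindowsImage -Path $Mount -Save    | Out-Null }
    else     { Dismount-WindowsImage -Path $Mount -Discard | Out-Null }
}
```

If the ISO carries `install.esd` instead of `install.wim`, export the edition you need to a WIM first (`Export-WindowsImage`) because an ESD cannot be mounted read-write. The modified WIM goes back into the ISO’s `\sources` folder, which is the step MSMG Toolkit automates.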

MSMG Toolkit

Despite having a somewhat outdated interface, MSMG Toolkit is a highly useful tool for creating custom Windows builds. It allows you to remove a lot of unnecessary (and sometimes necessary) components, including pre-installed software and telemetry. You can also, for instance, disable hardware compatibility checks when installing Windows 11.

MSMG Toolkit (screenshot)

MSMG Toolkit also allows you to add certain components like DirectX, Visual C++ Redistributable Runtimes, and more. The cool thing is that this work is done at the installer image level, resulting in an .iso file. You can then write it to a USB drive and install an upgraded version of Windows for yourself (or a lucky recipient).

AutoSettings

AutoSettings is a script available on the forum.ru-board.com, created by users westlife and LeX333666. Since it’s a PowerShell script, you can read through it thoroughly to ensure there’s nothing harmful. However, it’s packed with useful features. If MSMG Toolkit couldn’t configure certain settings, AutoSettings will definitely finish the job.

AutoSettings (screenshot)

The script comes with presets that allow you to fine-tune its actions in detail. Additionally, there is an interface where you can see what features are currently enabled or disabled in the system.

If you noticed the screenshot, you saw a warning that Windows 11 is not supported. However, it seems that the author simply hasn’t explored all the features of the latest Windows version, and some new settings haven’t been implemented yet. But the ones that are available work perfectly! Additionally, you can modify the script’s code and add any settings you want by yourself.

Firewall

Let’s move on to network security. Everyone knows that Windows has a built-in firewall. Many people have a biased opinion about it, but it’s actually quite decent, especially if configured properly.

Third-party firewalls often bundle a HIPS (Host-based Intrusion Prevention System): a component that watches what processes do on the host (file, registry and process operations) and blocks behaviour that looks malicious. They usually add self-protection as well, so that malware cannot simply terminate the firewall or rewrite its rules. Windows has its own mechanisms that guard the integrity of system components, but it’s essential to understand that this is not the same as a traditional HIPS.

Third-Party Firewalls

Why not use third-party firewalls? It’s the same old paranoia that holds me back. You’re adding something new to your system, and now you have to trust yet another company.

You might argue that there’s the open-source Portmaster, which doesn’t raise concerns. But have you noticed that it doesn’t have an offline installer? The community has been waiting for the developers to provide a standard installer that doesn’t make server requests, but such an option is still unavailable.

I find it strange and I’m hesitant to use Portmaster for now. Besides, it has performance issues on high-speed connections.

When it comes to further configuring the standard firewall, the tool Malwarebytes Windows Firewall Control will come in handy.

Windows Firewall Control (screenshot)

This is simply a convenient control panel for the built-in Windows Firewall. How do you configure it yourself? First and foremost, I completely block all incoming connections. Then I delete all firewall rules and enable alerts for any network interaction. If a program or OS component wants to access the internet, Windows Firewall Control will inform you, and you can decide what to do. If a stealer somehow gets onto your machine, it won’t be able to connect to its command server to send stolen data back to its operators, unless it manages to run inside, or launch, a program you have already allowed out; so keep the allow rules pinned to specific executables and ports rather than "any". Note also that once the rules are wiped, the system’s own services (DHCP, DNS, Windows Update) need explicit allows of their own, or the machine will have no network at all.

One downside of the utility is its closed source code. However, if you’re feeling paranoid, you can install Windows Firewall Control, configure all the settings, and then uninstall it. All the rules you created will remain on the system, as long as you decline the offer to revert everything back to the defaults.
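The same default-deny policy built with the NetSecurity cmdlets that ship with Windows, as an added example that is not part of the article and is not Windows Firewall Control. It blocks both directions by default, wipes the rule set, re-adds only the allows the system needs (each pinned to a program, and for `svchost.exe` to one service), and then turns on auditing of blocked connections so that the program behind each block shows up in the Security log, which is the DIY replacement for WFC’s pop-ups. The browser path, the resolver addresses and the mapping of the Direction code are assumptions. Run from an elevated PowerShell on the console, not over a remote session, because step 2 will cut it.

```powershell
# Added example (not from the article, not Windows Firewall Control): default-deny firewall
# with the built-in cmdlets. Program paths and resolver addresses are assumptions. Run elevated.

# 1. Default deny in both directions on every profile; log what gets dropped.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Start from an empty rule set. This also removes Microsoft's "Core Networking" rules,
#    so the explicit allows in step 3 are what keeps DHCP, DNS and Windows Update alive.
Get-NetFirewallRule | Remove-NetFirewallRule

# 3. Minimal outbound allows, each tied to a program (and, for svchost, to one service).
$Group   = 'DIY baseline'
$SvcHost = "$env:SystemRoot\System32\svchost.exe"

New-NetFirewallRule -Group $Group -DisplayName 'DHCP client' -Direction Outbound -Action Allow `
    -Program $SvcHost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null

New-NetFirewallRule -Group $Group -DisplayName 'DNS client' -Direction Outbound -Action Allow `
    -Program $SvcHost -Service Dnscache -Protocol UDP -RemotePort 53 `
    -RemoteAddress '9.9.9.9', '149.112.112.112' | Out-Null        # your resolvers, not "any"

New-NetFirewallRule -Group $Group -DisplayName 'Windows Update' -Direction Outbound -Action Allow `
    -Program $SvcHost -Service wuauserv -Protocol TCP -RemotePort 443 | Out-Null

New-NetFirewallRule -Group $Group -DisplayName 'LibreWolf' -Direction Outbound -Action Allow `
    -Program 'C:\Program Files\LibreWolf\librewolf.exe' -Protocol TCP -RemotePort 80, 443 | Out-Null

# 4. pfirewall.log records addresses but not the program. Audit blocked WFP connections
#    instead: each one becomes Security event 5157 carrying the application path.
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

function Get-BlockedConnections {
    # Summarise the most recent blocked connections: which binary, to where, on which port.
    param([int]$Last = 20)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } `
                           -MaxEvents $Last -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Application = $data['Application']        # \device\harddiskvolumeN\... form
            # Direction is a resource string code; %%14593 = Outbound is an assumption to verify.
            Direction   = if ($data['Direction'] -eq '%%14593') { 'Outbound' } else { 'Inbound' }
            Destination = "$($data['DestAddress']):$($data['DestPort'])"
            Protocol    = $data['Protocol']
        }
    }
}

Get-BlockedConnections | Format-Table -AutoSize
```

Expect to iterate: Windows Update also pulls over BITS and Delivery Optimization, and an IPv6 network needs inbound ICMPv6 Neighbor Discovery rules that the wiped Core Networking set used to provide. The point of the audit function is exactly that loop: run it, see which binary was refused, decide whether it deserves a rule, and keep each rule as narrow as the one for the browser.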

Configuring UEFI

Don’t forget about bootkits: malware that hooks into the boot chain before the OS itself loads. A small adjustment to the UEFI can help defend against them. Here’s what needs to be done.

Firstly, it’s important to regularly update your UEFI firmware. Unfortunately, this is a weak point in device security: new vulnerabilities are frequently discovered in UEFI implementations, and old ones aren’t always patched promptly.

Secondly, I recommend disabling Secure Boot. This feature verifies the signatures of the bootloaders and EFI modules loaded at start-up so that an unsigned or tampered one is refused. Though it seems like it should enhance security, vulnerabilities are often found within the mechanism itself. Bear in mind what you give up: with Secure Boot off, the firmware will run any EFI binary, signed or not, so the rest of the boot chain (a firmware setup password, boot from external media disabled, full-disk encryption) has to carry that weight instead.

Supplementary Software

Obviously, just tweaking the settings of an operating system won’t be enough. We will still need some third-party software, either to add protection the OS lacks or to make the protection we already have usable.

Librewolf

A browser is a critical application when it comes to security and privacy. It can be targeted for tracking or attacks through exploit kits and scripts. That’s why it’s important to carefully choose your browser and its plugins.

I was quite impressed by a Firefox fork called Librewolf. It removes the code responsible for telemetry, centralized updates, and other features that might undermine privacy. However, you can still install all the plugins available in the standard Firefox directory.

Here is a basic set of plugins I recommend installing to make your browser more resistant to manipulation attempts:

All the plugins are open-source, so you don’t have to worry about your data being leaked.

I get that choosing a browser is a topic that sparks endless debates. If you’re a fan of Chromium-based browsers, there are options for you, like Ungoogled Chromium.

Sandboxie

We often face a dilemma: should we launch a new application out of curiosity, or is it better not to for security reasons? Sandboxie eliminates this choice. It allows you to create isolated environments to run potentially vulnerable or dangerous applications. Virtualization occurs at the filter driver level, providing decent protection, especially if you follow the recommendation to operate under a user account.

Some features of the app are paid, but the free ones may well be enough. The Sandboxie code is completely open and available on GitHub.

You can always run programs like your browser and PDF reader in Sandboxie. This way, if there’s a vulnerability that hasn’t been patched by the developer yet, you’re still protected. Additionally, it’s a good idea to open unknown applications and any suspicious but interesting files downloaded from the darker corners of the internet with Sandboxie as well.

It would be even better to set up an automatic cleanup for the isolated environment. Once the programs running in it are closed, it can reset all changes. This also enhances your privacy: for example, if you use a browser in this mode, cookies will be much less effective in tracking you.

Portable Application Versions

Installing applications often requires administrative privileges, which increases the risk of compromise, especially when downloading software from unknown sources. To minimize this risk, though not eliminate it completely, one can use portable versions of programs. These do not require installation or elevation, so even if one contains malicious functionality, the code runs only with your standard user’s rights: it cannot dig into system directories or persist machine-wide. It can, however, read everything you can read, which is why the firewall matters: a properly configured one will stop that data from leaving.

ESET Sysinspector

This is a good tool for monitoring the components installed on your system. How does ESET SysInspector differ from an antivirus? It doesn’t require installation, doesn’t integrate into your system, and isn’t always running in the background. Its functionality is straightforward: you launch it, check if there are any signs of unwanted intruders in Windows, and then you close it.

This is definitely better than being constantly monitored by a traditional antivirus program. Moreover, ESET SysInspector works without an internet connection, so nothing has to leave the machine while you use it (and with the outbound-deny firewall configured above, nothing can). However, there’s a downside: the application’s source code is not open.
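The kind of check SysInspector is used for here, done by hand with nothing installed, as an added example that is not part of the article and is not ESET’s tool. It walks the common autostart locations (Run/RunOnce keys, startup folders, service binaries, the first action of every scheduled task), resolves each entry to an executable, and flags anything that is not validly signed or that lives outside the Windows and Program Files trees. The directory list and the command-line parsing rule are assumptions, and the whole thing is a heuristic: a signed binary can still be malicious, and malware can persist in places this script does not look.

```powershell
# Added example (not from the article, not ESET SysInspector): install-free triage of
# autostart entries. Heuristics only; the trusted-directory list is an assumption.
# Runs as the standard user (some tasks and services are only visible to administrators).

function Resolve-ExePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\X\x.exe" --flag     or     C:\Tools\y.exe /arg
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|dll|cmd|bat|ps1|vbs|js))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    $entries = [System.Collections.Generic.List[object]]::new()
    $add = { param($Source, $Name, $Command)
        $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = [string]$Command }) }

    # Registry Run / RunOnce for the machine (64- and 32-bit views) and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -notmatch '^PS') { & $add $key $p.Name $p.Value }
        }
    }
    # Startup folders.
    foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                     "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
        foreach ($file in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
            & $add 'StartupFolder' $file.Name $file.FullName
        }
    }
    # Services (binary path) and scheduled tasks (first action).
    foreach ($svc in Get-CimInstance Win32_Service) { & $add 'Service' $svc.Name $svc.PathName }
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $a = $task.Actions | Select-Object -First 1
        if ($a -and $a.Execute) { & $add "Task:$($task.TaskPath)" $task.TaskName "$($a.Execute) $($a.Arguments)" }
    }
    return $entries
}

function Get-SuspiciousAutostarts {
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($e in Get-AutostartEntries) {
        $exe = Resolve-ExePath $e.Command
        # Entries whose binary is missing are a separate finding (dangling autostart); skip here.
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe      # catalog signatures count as Valid
        $inTrusted = $false
        foreach ($t in $trusted) { if ($exe.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true } }
        if ($sig.Status -ne 'Valid' -or -not $inTrusted) {
            [pscustomobject]@{
                Source    = $e.Source
                Name      = $e.Name
                Path      = $exe
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            }
        }
    }
}

Get-SuspiciousAutostarts | Format-Table -AutoSize
```

Run it once right after the clean install and keep the output; on later runs, anything new in the list is what deserves a closer look. Most Windows binaries report a `SignatureType` of `Catalog` rather than an embedded signature, which is normal and still shows as `Valid`.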

Key Takeaways

By following the tips in this article, you can effectively protect yourself from various attacks. For the most part, you can achieve this using the built-in features of Windows and a small set of open-source programs, none of which will run continuously on your system. Naturally, this approach can and should be expanded and tailored to suit your needs and preferences.
