Keep Running Windows 7 Safely for Years to Come

[Cybertooth]

As Windows 7 approaches the expected end of monthly security patching next January, Windows 7 users who have hesitated to switch to Windows 10 face the critical choice of whether to accept Microsoft’s newest operating system; to switch to an altogether different platform such as Linux, Mac, or Chrome OS; or to look for a way to protect their favorite OS into 2020 and beyond.

In my case, I have decided to implement a multi-layered defense strategy which, I am confident, will make it possible to use Windows 7 without worries while I continue the slow transition to Linux (Kubuntu). The defensive layers include, in no particular order:

* Resident anti-virus software. My main Windows 7 machine is currently on BitDefender Free, but there are many other good free and paid AV solutions out there.

* Resident anti-exploit software. Several choices are available, such as Malwarebytes Anti-Exploit (MBAE) and Microsoft’s own EMET, but I use HitmanPro.Alert as it also offers keystroke encryption.

* On-demand scanners to catch any baddies that might have gotten past the main defenders. I cycle a variety of free scanners including Malwarebytes Anti-Malware Free (MBAM), Sophos Virus Removal Tool, F-Secure Online Scanner, Norton Power Eraser, and ESET Online Scanner. (Once again, there are others, free and paid.) At least occasionally, run the rootkit scanning feature, if available (usually requires a reboot).

* Use a Web traffic-filtering browser extension such as Norton Safe Web or Bitdefender TrafficLight, and/or a security-oriented public DNS resolver such as Quad9, for your Web browsing.

* Keep your router firmware updated, if possible, and consider increasing the router’s hardware firewall settings (it may come set to a medium level that’s less hassle, but offers lower protection). Learn how to block websites and URLs at the router.

* Use a software firewall that will explicitly ask your permission when new programs try to access the Internet for any reason. Over time, you will train the firewall to allow trusted programs and the number of notifications will fall to just new (and possibly unknown) programs. ZoneAlarm Free Firewall is set to ask you “out of the box.”

* Keep your browsers (plus their extensions/plugins) and other programs updated.

* Use ad-blocking extensions on your browsers, as malvertising is one of the main sources of infection nowadays. My main choice for this is uBlock Origin, although I’ve also used Ghostery.

* Change your Windows account from the default administrator account to a standard user account, which has fewer rights to install software and make changes to the system. (You will have to enter a password to do those sorts of things.) This prevents malware from exploiting your administrator status to make changes behind your back, and research suggests that this one measure alone prevents upward of 90% of attacks.

* Use an extensive Hosts file to stop your computer from being led to sites that serve up malware. I also use it to block Facebook, which some researchers claim follows you around the Web even if you don’t have a Facebook account. You can obtain ample Hosts files from here or here.

* Additional protections: I have installed OSArmor by NoVirusThanks and have had a good experience with it. The program, over time, builds a whitelist of programs that you have approved to run on your PC. I am also considering BlackFog Privacy and VoodooShield as useful, supplemental layers of defense; reports on the security community Wilders Security indicates a high degree of compatibility and satisfaction for both of these products.

* I am evaluating 0patch, by Acros Security. This is a service that injects on-the-fly patches to software that no longer receives updates from its vendor. I am currently using it on a Vista test machine and have experienced no problems, although I’m not sure yet how useful it might be as it has rarely kicked in to do its thing. For a more thorough test, I may need to install 0patch on my main Vista PC, but for now at least I’ve determined that it doesn’t make Vista crash or slow down. When Windows 7 goes EOS, 0patch could conceivably fill in for the bulk of security patches that Win7 will not receive.

* Finally, back up the PC (data and programs) regularly. If all else fails and you get infected, you will then have a reasonably current copy of your computer that you can install over the infected system. There are numerous image backup solutions out there; I use the free version of Macrium Reflect.

* * * * *
You might think that there is considerable overlap in the kinds of protection offered by the above set of measures. And you would be right: the defenses feature a moat, trenches, walls, minefields, sentries, snipers, archers, machine-gun nests, early-warning systems, Patriot missiles, deflector shields, and an escape tunnel. I have deliberately built redundancy into the strategy, so that whatever one misses another one will stop. I’ve neither experienced nor heard of any incompatibilities affecting computer usability. (The only caution is to avoid using multiple resident AV programs at the same time, for example BitDefender and Kaspersky.)

Is this paranoid? No more so than the folks who tell us that you must patch right now or you’re doomed, or that you must upgrade to Windows 10 when Win7 goes EOS or you’re doomed.

With this combination of defensive measures, I have every confidence that my Win7 box will remain well protected for as long as I care to use it. So long as security vendors continue to support Windows 7, and Win7 browsers continue to load websites, I don’t see any great impediment to keeping this Windows 7 system connected to the Internet for the foreseeable future.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Total of 29 users thanked author for this post. Here are last 20 listed.

MrToad28, Lori, Melvin, Spiral, Nibbled To Death By Ducks, FakeNinja, Chessie, Geo, Moonbear, Kaj4strom, DrRon, Steve, OscarCP, LHiggins, The Surfing Pensioner, Pierre77, anita.yk, Charlie, David F, LH

[anonymous]

On the assumption that you/we are most likely to have problems when browsing online, you could also consider running your browser in a sandbox (most of the time).

I have long used Sandboxie for this and there was an introductory guide on the gHacks site recently if you are interested: https://www.ghacks.net/2019/10/29/how-to-use-sandboxie-for-browsing-downloading-and-installing-programs/

You will need to run your browser outside the sandbox occasionally to pick up and keep browser updates and any extension updates. I normally use Firebox and have its update setting to inform me when there is an update, but not to actually download and update, so that I can update after leaving the sandbox. I also have uBlockOrigin (uBO) automatic updates switched off, but start Firefox and manually update uBO every few days. For convenience I allow bookmarks saved in the sandbox to be retained on leaving the sandbox. I run Thunderbird for e-mail in a similar way.

I have no experience using Sandboxie to try out programs as the article suggests.

My only slight doubt mentioning Sandboxie is that after several changes of ownership its future development is unclear (see https://www.ghacks.net/2019/09/10/sandbox-program-sandboxie-is-now-freeware-soon-open-source/ ), particularly as I believe that Sophos itself is/may be changing ownership.

Some security products e.g. Comodo have their own sandbox features.

HTH. Garbo.

4 users thanked author for this post.

Spiral, Kranium, wdburt1, Cybertooth

[Cybertooth]

Thanks, Garbo. I have to admit that I haven’t given sandboxing a lot of thought. Maybe my logic is flawed, but the way I see it is that whatever I’m doing in the sandbox, sooner or later I’ll be saving or printing something, which means it has to come out of the sandbox (right?) and if that’s infected then it will try to attack my computer at that point anyway. I do a lot of saving of Web articles to PDF, so it’s not an unusual scenario for me.

Probably I don’t have an adequate understanding of sandboxing technology, but the above logic (for what it’s worth) is the reason I haven’t looked at it very hard.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[anonymous]

A more complete guide, and what was my tutorial to Sandboxie when I started with it, can be found at: https://www.techsupportalert.com/content/introduction-and-quick-guide-sandboxie.htm

It is true that you will want some downloaded files and data printed to PDF files to be recovered out of the sandbox, but you are in control of what these are. I download to the “Downloads” folder and always print (using CutePDF) to this folder (even if I’ll move the PDF file later). I have Sandboxie immediately prompt me whenever something is “downloaded” in this way so I can immediately decide what to do with it (recover/leave/delete) before I forget what I’ve been doing (at the end of session). Other stuff downloaded beyond what I have explicitly downloaded can be seen and filtered out before reaching the real PC. On exit anything left is deleted. (You can overwrite whatever is deleted for a more secure deletion e.g. using Sysinternals “sdelete”.)

Other changes the webpage may try to make to the system do not get outside of the sandbox unless you have allowed it in the settings. Beyond the default settings I have allowed bookmarks to be added/deleted, but this is a compromise. There are lists of possibilities for common programs in the settings.

I have been using it since 2013, so I no longer really think about it 🙂

HTH. Garbo.

 

1 user thanked author for this post.

Cybertooth

[Cybertooth]

That does look like it would make a valuable addition to post-EOS Windows 7 computing. It’s a little work, but surely not more than using a standard Windows account instead of an administrator account.

I knew that Sophos might be bought by another company, but I didn’t know that Sophos had bought Sandboxie.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[AlexEiffel]

I don’t think the biggest threat is the pdfs you download.

Sandboxing would be useful to help prevent some unrecognized threats, 0-days, drive-by downloads that automatically infect a vulnerable system without needing you to download anything. Fileless malware is a tricky one and sandboxing could add a layer of protection that would supplement what you already have. The anti-exploit is already a great step-up, but sandboxing is another useful tool to your arsenal that brings a different type of protection.

I use Firefox to read downloaded pdfs most of the time when it works, so it reduces the risk of being infected by some malware that would need some of Adobe’s capabilities or vulnerabilities to be triggered. Another little step to reduce the risk of being infected. Firefox could have different vulnerabilities of course, but the capabilities are limited and it is probably not the first target for pdf injected malware.

1 user thanked author for this post.

Cybertooth

[JohnW]

On the topic of browsing being the biggest risk, I have found that the comprehensive filter lists in uBlock Origin seem to be effective in preventing me from accidentally connecting to potentially dodgy website domains, when clicking on links in web pages or emails.

So that appears to be an excellent protection layer for keeping away from the scripted type of attacks lurking in some website code.

As a backup layer for that, anti-exploit software would be good idea for stopping an attack that was able to gain access to your system, and hopefully prevent encryption or exfiltration of your data before the damage is done.

And finally, making disk images that you can easily restore your PC from, if necessary, is a very effective way to remove a malware infestation. And get your encrypted data back.

5 users thanked author for this post.

Myst, Steve, alphacharlie, Charlie, Cybertooth

[Cybertooth]

+1

And as a bonus, aside from uBlock Origin serving as one of the layers of defense, ever since installing it my Web page loads have gotten a lot faster, as the pages aren’t weighted down by flashing ads, autoplay videos, and assorted other bandwidth hogs.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

3 users thanked author for this post.

Steve, Charlie, JohnW

[Ascaris]

Cybertooth wrote:

And as a bonus, aside from uBlock Origin serving as one of the layers of defense, ever since installing it my Web page loads have gotten a lot faster, as the pages aren’t weighted down by flashing ads, autoplay videos, and assorted other bandwidth hogs.

Not only that, but in a quick ‘n’ dirty test I ran some time ago, using uBlock Origin cut the RAM use in half on the same group of pages, and that’s really saying something.  The RAM consumed by the ads was greater than that of the actual content in the pages and the program code of the browser combined.

Group "L" (KDE Neon User Edition 5.18.4).

1 user thanked author for this post.

Cybertooth

[Charlie]

It seems you can’t get just the Malwarebytes Anti-Exploit alone.  I went to the website in the link and the Anti-Exploit has now been built into the Malwarebytes Anti-Malware program.  I’ve got Ublock Origin running in Firefox 70.0.1 and I’m not bothered by much.

Win 7 Still Alive, x64, Intel i3-2120 3.3GHz, Linux Mint 19.1

[JohnW]

It’s available here as a rolling beta standalone (has been this way for several years now):

https://forums.malwarebytes.com/topic/205865-malwarebytes-anti-exploit-113-build-125-released-nov-11-2019/

This is a full Beta version with premium features available to Free users.

 

4 users thanked author for this post.

LHiggins, Charlie, anita.yk, Cybertooth

[LHiggins]

JohnW wrote:

It’s available here as a rolling beta standalone (has been this way for several years now): https://forums.malwarebytes.com/topic/205865-malwarebytes-anti-exploit-113-build-125-released-nov-11-2019/ This is a full Beta version with premium features available to Free users.

I have tried downloading this several times and can’t seem to get it working on my Win 7 laptop. Maybe I’m missing something, but I click the download link and it downloads the installer exe. When I click on that, it looks like it starts to work – asks me if I want to install it, and then nothing – no hard drive activity, nothing. I’ve let it go for a few minutes, but it never seems to install.

Any suggestions on how to install it??

Thanks!

[JohnW]

Can’t imagine what’s blocking the installer. I just downloaded the latest “mbae-setup-1.13.1.127.exe” from that link, and the installer executed without any issues on my Win 7 Pro x64 machine.

Did you click through the Windows UAC prompts to the license agreement, etc.?

[LHiggins]

Hi John,

It never got that far – I did get to the UAC prompt, but no user agreement. I did download a trial version of Malwarebytes last week – the trial is up tomorrow. Maybe that is what is causing it not to work?

It was this one: Malwarebytes Anti-Exploit 1.13 Build 127 released – Dec 5, 2019

And the installer was only a small file – not sure exactly now, but not much. Maybe 2mb? So that isn’t the whole program, right?

I’m back in Mint now, but I will give it another try when I boot back into Windows. I also have my Win 7 desktop – I can try it there to see if it works.

Kind of strange behavior though…each time I clicked on the installer, it would give me the UAC prompt, start spinning and then nothing. I finally had to get into the Task Manager to delete the process there – but that seemed like it was tied to the browser, not to any actual program.

Thanks!

 

[JohnW]

Malwarebytes Premium (or Premium trial) includes the Anti-Exploit module. It’s possible the MBAE installer sees that and does not continue, because it is already installed.

There are two things you could try.

1. Let the trial expire and then run the MBAE installer again.
2. Or force the trial to expire by going to the account details tab under “settings” (the gear icon) in the app and ending the Premium trial.

Keep the free version of MBAM installed after the trial, as it is a good on-demand scanner for free.

1 user thanked author for this post.

LHiggins

[LHiggins]

JohnW wrote:

It’s possible the MBAE installer sees that and does not continue, because it is already installed.

Yes, that sounds like maybe that is what is happening.

JohnW wrote:

There are two things you could try. Let the trial expire and then run the MBAE installer again. Or force the trial to expire by going to the account details tab under “settings” (the gear icon) in the app and ending the Premium trial.

I think that the trial does expire tomorrow, so I’ll check and try it again. And I do plan to keep the free version after the trial – I really wasn’t planning on downloading the trial to begin with, but that is what downloaded.

Thanks for the ideas and help!

[Cybertooth]

Cybertooth wrote:

* Additional protections: I have installed OSArmor by NoVirusThanks and have had a good experience with it. The program, over time, builds a whitelist of programs that you have approved to run on your PC. I am also considering BlackFog Privacy and VoodooShield as useful, supplemental layers of defense; reports on the security community Wilders Security indicates a high degree of compatibility and satisfaction for both of these products.

Since the time I wrote that paragraph, I have installed VoodooShield to get a sense of how effective and practical it is to use. I have no complaints with its effectiveness, as it asks me to either “block” or “allow” any processes that it doesn’t know about. Think of it as an enhanced User Account Control system where you get to decide if the process is something you wanted and expected (i.e. the installer for a program you just bought), or–alternatively– if it seems to have popped up out of the blue.

That said, VoodooShield is not the easiest piece of software to use in the world. Trying to create “rules” for programs is reminiscent of the arcane and convoluted rule sets for firewalls, something that I wouldn’t touch with a 10-foot pole. Just set it on “Autopilot,” leave the settings at default value, and life will be much simpler.

Next step is to evaluate BlackFog Privacy.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Microfix]

hmm, just came across this very interesting article by Martin Brinkmann over on Ghacks

Someone discovered a way to enable Extended Security Updates on all machines running Microsoft’s Windows 7 operating system…

Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |

2 users thanked author for this post.

Myst, Cybertooth

[Cybertooth]

Wow, this development is certainly worth watching! From that Ghacks post:

The developers plan already to extend support to Windows Vista and to support the POSReady 7 SKU which will receive security updates until 2024.

Over the last couple of years, I’d read around the Web people wondering if there might be a POSReady version of Windows 7 as there is for XP. This is the first time I’ve seen such a version referred to as an actual fact and not just a hope.

I would even be willing to pay Microsoft a reasonable fee for these continued patches for my Home editions (but not $200 or $100 a year, forget it!).

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

Myst

[OscarCP]

MS is requiring that those users (not “Enterprise”) that want to extend the service beyond next month, must have installed the November S&Q Rollup. I can’t think of any reason that one needs to have that installed to qualify for extended support, when I have been getting the Windows 7 patches from MS, as Group B, and doing just fine that way, with no need to install the rollups. I think I smell a rat, but maybe it is just an olfactory hallucination?

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Susan Bradley]

As I understand it, these add a MAK/additional license ability hook.

Susan Bradley Patch Lady

[OscarCP]

Dear Susan, Patch Lady: Do you mean to say that having the November Rollup installed allows a Multiple Activation Key to be installed? Is that the whole reason?

Having a MAK, it seems to me, should be just an option. Particularly for someone like me, who dislikes rollups, among other reasons, because I have noticed that, usually, there are more complaints from those in Group A that install them than from those in Group B that don’t. There are some attendible reasons for this being so, they are just not persuasive enough to make me change my mind.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[jabeattyauditor]

OscarCP wrote:

Having a MAK, it seems to me, should be just an option.

It IS just an option – unless, of course, you want to enable ESU on a particular PC or server.

[OscarCP]

jbeattyauditor: “It IS just an option – unless, of course, you want to enable ESU on a particular PC or server.”

Not entirely an option, as far as I am concerned, because it is tied to having to install the November  S&Q Rollup, which is not optional. And that is my point.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

1 user thanked author for this post.

Kranium

[Pierre77]

JohnW wrote:

Malwarebytes Premium (or Premium trial) includes the Anti-Exploit module. It’s possible the MBAE installer sees that and does not continue, because it is already installed.

There are two things you could try.

1. Let the trial expire and then run the MBAE installer again.
2. Or force the trial to expire by going to the account details tab under “settings” (the gear icon) in the app and ending the Premium trial.

Keep the free version of MBAM installed after the trial, as it is a good on-demand scanner for free.

 

Yes, that is the way to go. I have MBAM Free and MBAE installed on 2 PCs. There is a catch which means when MalwareBytes update their main engine you will have a choice to run another trial for 14 days. The update also removes MBAE, so after the trial expires you will have to install MBAE again. My main PC has a paid version of MBAM installed. Hope this helps.

• This reply was modified 3 months, 3 weeks ago by Pierre77. Reason: TYPO

2 users thanked author for this post.

LHiggins, JohnW

[JohnW]

You are correct, based on my experience,updating MBAM removes the MBAE beta.

But you can re-install it.

1 user thanked author for this post.

LHiggins

[Pierre77]

JohnW wrote:

You are correct, based on my experience,updating MBAM removes the MBAE beta.

But you can re-install it.

FYI Malwarebytes also have Browser Guard for Firefox and Chrome available. It will also run on the new development of Microsoft new Chrome Browser. I have it running on one PC without a problem.

1 user thanked author for this post.

LHiggins

[Cybertooth]

* Additional protections: I have installed OSArmor by NoVirusThanks and have had a good experience with it. The program, over time, builds a whitelist of programs that you have approved to run on your PC. I am also considering BlackFog Privacy and VoodooShield as useful, supplemental layers of defense; reports on the security community Wilders Security indicates a high degree of compatibility and satisfaction for both of these products.

Since the time I wrote that paragraph in the opening post, I have additionally installed BlackFog Privacy. It seems to work well. The only cautions are that 1) BFP tends to be aggressive with its blocking of what it considers “fake news” sites (even if you have unchecked that item in the UI), although it’s easy to whitelist something you do want that they’d rather you didn’t see; and 2) it’s probably a good idea to go through the settings for potentially unwanted cleanup actions upon closing a browser.

Apart from these cautions, BlackFog Privacy looks like an excellent product, as far as I can tell. I have seen very few Web ads of any sort since installing this program.

Here is a screenshot of the settings UI:

By default, BFP blocks “egress traffic” to China, North Korea, Russia, and Ukraine (“geofencing”). You can uncheck any or all of these, and instead, if you prefer, block connections to Burkina Faso, Fiji, Greenland, and/or Liechtenstein among hundreds of other countries/territories.

Do note that this is a paid product. (I’m nearing the end of a 30-day trial.) But then, bear in mind that the objective is to keep our EOS Windows 7 systems safe going forward, and that may be worth something to you.

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Attachments:

You must be logged in to access attached files.

[OscarCP]

I imagine those products Cybertooth has installed for detecting dodgy Web sites are one way and perhaps the only way of dealing with this widespread problem. But they have, in general, two important drawbacks that are worth noting:

(1) When they incorrectly either block or advise to avoid a site that is actually OK and belongs to some legitimate organization or merchant, the poor organization or merchant can become seriously victimized without the possibility of defending itself, himself, or herself in court, as it were. This I have seen happen and learned just how pitiful, loud and numerous the complaints of the innocent victims can be!

(2) If, again by mistake or by some small and harmless irregularity, a site with some much needed information that one is desperately looking for gets vetoed by the defensive software, one may either never, or not soon enough, be able to find that information somewhere else.

One can always white list a site, of course, if one (a) knows enough about it already to decide to do so, or (b) somehow can sense both its existence and its URL before discovering it during a Web search — not a very likely proposition, I should think.

So one must be aware that there are not just pros, but also cons with this as with anything else.

 

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Cybertooth]

Yes indeed. This is a wise caveat.

The function of blocking certain websites is also performed by many (most?) antivirus applications, as well as by (at least) some DNS resolvers such as Quad9. There are also browser add-ons that perform a similar function, in that they warn you about sites instead of outright blocking you from reaching them. In my own experience, the AVs Norton Security and BitDefender have blocked sites that were actually safe.

Nothing’s perfect. Each of us has to weigh the drawbacks of possible false positives against the benefits of stopping real bad guys, and decide which choice is more desirable–or, perhaps, less undesirable. Don’t necessarily install everything I listed up there, I’m just presenting my own security cocktail. 🙂

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Paul T]

And then there are sites that become active exploiters but the “protection software” does not yet recognize this and lets you connect…

cheers, Paul

[Cybertooth]

Yep, that’s the reason for a multi-layered strategy: if one line of defense fails (in this case, the website rater), then other lines come into action (the anti-exploit, behavior blocker, firewall, or anti-executable).

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

• This reply was modified 2 months, 3 weeks ago by Cybertooth.

[OscarCP]

I would include as a potential problem also those sites one white listed and then, without one’s knowing, became infected. I suppose that all one can do is to setup one’s defenses, keeping in mind their potential pitfalls, so as not to be too trusty of their reliability — and hope for the best. The Web is becoming more and more like a guerilla war fought mainly with ambushes, surprise attacks and manipulative propaganda. So one has no better choice than to rise to the occasion, facing the situation as such. (Too bad for me I am too laid back to fight such war with all I’ve got.)

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[Cybertooth]

That’s another situation where the other lines of defense (those that combat the actual attacks, as opposed to globally allowing/blocking a website) should spring into action. On my list, this function would be served (depending on the nature of the attack) by the AV, the anti-exploit, the software firewall, OSArmor, and/or VoodooShield. They don’t care from what website the attack is coming, only that it’s taking place and needs to be stopped. (Actually, the last three may not even care if it could be an attack; what they do largely is to tell you that a new process is running and ask you if you want to let it run, giving you the chance to kill it).

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

OscarCP

[jabeattyauditor]

Just wondering – after you stack all of these defensive products on an aging Windows 7 PC, what percentage of the CPU will you have left to use for actual work?

Is there ever a point where the cure is more of a problem than the disease?

[Cybertooth]

Process Explorer shows the security processes that are running on my Windows 7 PC (including some others that I didn’t list in the original post) to be using a total of 0.75 percent of CPU cycles. This will of course spike up occasionally when, for example, BitDefender searches for and installs virus definition updates; but we know that will happen once in a while regardless of what AV or which OS we’re using.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[wdburt1]

I am about five days into researching and implementing steps to harden my Win7 computers against attack.  I knew from the start that @Cybertooth‘s initial post here, and the comments that followed, would be worth revisiting.  Now that I am wrapping up, and my head is swimming with this stuff, I am a bit surprised to find that I basically came back to what @Cybertooth has proposed.  Hats off to you.

On the internet-facing computer:

• I will shortly replace the router with a Pepwave Surf SOHO Mk3, which I plan to configure as recommended by Michael Horowitz’s “Router Security” web page.  Being able to have more control over what the router is doing is a long-sought goal.
• I will replace the modem with a Netgear CM500 (this is more about performance than security–that and eliminating the bright flashing lights at night.)
• I already use Firefox with UBlock Origin and NoScript; and Brave, which I understand incorporates something like UBlock Origin.  I haven’t figured out how to add NoScript or equivalent to Brave.
• I have created a password-protected Admin user account and demoted the existing one to Standard (and wondered why I didn’t do this on both machines long ago).
• I will add either Microsoft EMET or HitmanPro.Alert.
• I already have Bitdefender and a “proactive” scanner, Heimdal Thor Foresight.
• I will try Voodooshield and see if it works for me.
• Windows Firewall is on the job, but I need to revisit how it’s configured.

I am not planning to get into sandboxing right now, but might in time.  I’m interested in 0patch or any other third-party service that can supply security patches, but need to learn more.  As for backups, I have had that covered for awhile now.

A lot of the list above is also being applied to the non-internet computer.

Thanks again for bringing the subject into focus.

4 users thanked author for this post.

LHiggins, Myst, Cybertooth, Microfix

[Ascaris]

wdburt1 wrote:

I already use Firefox with UBlock Origin and NoScript; and Brave, which I understand incorporates something like UBlock Origin. I haven’t figured out how to add NoScript or equivalent to Brave.

Raymond Hill, the developer of uBlock Origin, also offers uMatrix, which offers all of the functionality of NoScript (and even greater granularity), and is available for Firefox and Chrome (which would work with Brave).  The display is information-dense and is a little bewildering at first, but once you begin to use it, you see it makes perfect sense, and I like the UI more than that of NoScript (classic addon edition).  I’d recommend that for Chromium-based browsers, and you may also want to use it in Firefox.  I was happy with NoScript, but when I started experimenting with Chromium recently, I wanted as much of an apples-to-apples comparison as possible, so I used NoScript.  After I got used to it, I wanted it in Firefox too!

Group "L" (KDE Neon User Edition 5.18.4).

3 users thanked author for this post.

Myst, JohnW, wdburt1

[Ascaris]

Ascaris wrote:

I was happy with NoScript, but when I started experimenting with Chromium recently, I wanted as much of an apples-to-apples comparison as possible, so I used NoScript. After I got used to it, I wanted it in Firefox too!

I’m sure it’s obvious given the context, but the second instance of NoScript should be “uMatrix.”

Group "L" (KDE Neon User Edition 5.18.4).

[JohnW]

I was a long time fan and user of NoScript, but since I bounced between Firefox and Chrome, I wanted the same extensions in both browsers. So I started using uBlock Origin and uMatrix.

NoScript is a fine program, but I eventually decided that uMatrix worked better for me. I eventually preferred that it would allow 1st party scripts, images, etc. to run by default, which generally allows the page to render (unbroken), but still blocks (potentially untrusted) 3rd party elements by default.

1 user thanked author for this post.

Ascaris

[anonymous]

If you find the uMatrix UI too “bewildering” and are familiar with uBlockOrigin (uBO), then it is possible to run uBO in “Medium Mode” (less “bewildering, but with less “granularity”?).

According to the uBO site, Medium Mode is “roughly similar to running AdblockPlus with many filter lists + NoScript with 1st party scripts/frames automatically whitelisted.” – see https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode

I use this in Firefox, although comparing my filter lists I have a few more selected than the 6 listed at the link above. For example as a past user of the Disconnect add-on I remember selecting the Disconnect lists in uBO.

There is also a “Disable Javascript” (by default) option in the uBO Settings. Javascript can be re-enabled on a temporary basis using the lower right corner setting in the uBO main drop-down. (I usually run Firefox inside a Sandboxie sandbox, so for me such tweaks are usually temporary anyway.)

From memory (I haven’t checked while writing this) in Palemoon which uses an older version of uBO or a fork of an older version of uBO, this “Disable Javascript” option is not present there. Again from memory “Medium Mode” is available in Palemoon.

I don’t have any Chromium based browser, so I don’t know if it works the same with any of those (Chrome, Vivaldi etc).

HTH. Garbo.

PS: uBO also has a “HardMode” if you want to tighten up even more (and a “Nightmare Mode” – I haven’t checked this). There are links to these on the right hand side of the link above.

 

1 user thanked author for this post.

Ascaris

[wdburt1]

After more than a week of working on it (off and on), this is where I have landed:

• Router–The Pepwave router has arrived but is not yet installed.  I’m still using the old Netgear R6250.  Installing the Pepwave with the right settings is the last big task.
• Software firewall–I installed ZoneAlarm Free thinking, per some erroneous Internet advice, that it would disable Windows Firewall.  It didn’t, and while the two engaged in a fistfight for priority the computer bogged down and froze a few times.  ZoneAlarm recommends disabling Windows Firewall, and at least in one place Microsoft also recommends against running competing firewalls.  Further research turned up a school of thought that Windows Defender is highly competitive with third-party firewalls.  The one problem Cybertooth mentioned above is that it does not ask permission when new programs try to go online; and in fact it is set by default to allow outbound connections.  But potentially this can be resolved by adding a lightweight little piece of freeware, Windows Firewall Notifier.  Once Windows Firewall was disabled, ZoneAlarm Free worked quietly in the background, but if Windows Firewall was a viable option, it seemed better to use it rather than have a disabled, built-in piece of software waiting to be abused.  My first attempt to uninstall ZoneAlarm Free did not go well, leaving it still present in Control Panel > Programs and Features and six of its services still present in msconfig.  An uninstall .exe file buried deep in the program did the trick, though.
• User accounts–I converted the existing Administrator-level account to Standard (fewer privileges) and created a new password-protected Admin account for use when needed.  One thing I learned is that each account will have its own desktop, which means that opening the new Admin account means leaving behind the familiar desktop, GUI, etc.  But I also learned that it really isn’t a problem, because when the need for Admin privileges arises and the dialog box pops up asking for the password, the Admin account opens in the background and I am still looking at the familiar desktop.  I don’t have to jump into the other desktop unless I deliberately open it.
• AV program–Bitdefender Antivirus Plus was already installed.
• Anti-exploit program–The hardest part here was to sort out what constitutes an anti-exploit program.  Definitions vary and there is a lot of overlap among programs.  I already had Heimdal Security in place and decided to stay with it for now.
• Hosts file–I downloaded the hosts file supplied by mvps.org.  Down in the fine print on that web site is the warning that a host file larger than 135 KB will usually cause the computer to slow down.  The one I downloaded was 405 KB, and the computer hard drive began to rev up and down unpredictably, which obviously was not acceptable.  The fine print goes on to recommend unchecking DNS Client in msconfig > Services.  DNS Client is required for Network Discovery, used in Home and Work networks.  If you uncheck it you are basically deciding to call your network a Public network.  That was OK with me, because somewhat counterintuitively a Public Network is the most secure setting.  Disabling DNS Client put an end to the roaring hard drive.
• Hosts file, Part 2–I found online some text that could be cut and pasted into the Hosts file to block Facebook.  It worked great!  While I plan to continued installing Hosts file updates periodically issued by mvps.org, it’s good to know that I can edit the file if I have the correct text to insert.  It’s just a .txt file, after all.
• Whitelisting programs–Cybertooth included OSArmor in this group.  I am not sure that’s what I would call it, but I liked what I saw and installed it.  I also installed VoodooShield and so far it has operated without inconvenience.
• On-demand malware remover–I downloaded and saved Norton Power Eraser.  The other options are all available online when needed and for the most part are not designed to be permanently installed.
• Browsers–I already had Firefox (with NoScript, among other plugins) and Brave.  Just having two separate browsers for distinct uses provides a level of protection, I think.
• Web traffic-filtering browser extension and DNS resolver–I added Bitdefender Traffic Light to Firefox and installed the Quad 9 DNS resolver.  So far, I have been unable to figure out how to keep the Internet computer from changing the DNS address back to what it was before.  I’m thinking that the router may be doing it, and when I change the router we’ll see what happens.
• Ad-blocker–I already had uBlockOrigin in Firefox.  Brave supposedly includes similar software.
• Backups–I already have a “rule of three” backup plan in effect using Macrium Reflect and a well-known online provider.

The computer runs quietly and smoothly, with no sign of slowdown.  What the mvps.org web site says is probably right: Changes to the Hosts file lighten the workload, offsetting the burden of the additional software.

I drew up the foregoing list to better understand the layering of defenses mentioned by Cybertooth and the extent (if any) to which they might conflict.  In practice, so far, I don’t see much conflict, actually, although at times it seems a bit like having competing fire companies rushing to the scene.

 

• This reply was modified 2 months, 2 weeks ago by wdburt1.

2 users thanked author for this post.

Steve, Cybertooth

[Cybertooth]

@wdburt1, thanks a bunch for the extensive and detailed reporting on your experience! <thumbs up>

About what kind of software to call OSArmor, some of these programs do defy clear-cut categorization and “whitelisting” may indeed not be the best term for it.

I have a question for you. You reported that your DNS resolver keeps getting set back to what it was before. You also wrote that you’re using Heimdal Security as part of your protection strategy. The DNS address that you keep getting put back to, does it begin with 127.7 ?

If it does, then Heimdal Security may be the reason. Here’s a note in a whitepaper by Heimdal (see p. 30, just before section 5.19 starts):

*in order for the Heimdal Traffic Filtering option to work properly, Heimdal should be able to set its own DNS address (127.7.7.3), that’s why the client should have the DNS address set on automatic.

This should be OK: Heimdal is performing the same DNS security function for which I’d suggested Quad9 as a possibility.

Thanks again for the rundown, I learned a lot!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

wdburt1

[wdburt1]

@Cybertooth, thanks for the good suggestion.  The DNS that it keeps reverting to is indeed 127.7.7.X, where X varies between 3 and 5.  I installed Quad 9 on the right hand (non-internet) computer as well, and on that machine the Quad 9 DNS address is stable.

I guess maybe I can uninstall Quad 9 on the internet computer.

 

1 user thanked author for this post.

Cybertooth

[wdburt1]

Edit: No need to uninstall Quad 9.  Just let the computer find the DNS address automatically, as Heimdal requires.  (Quad 9 “installation” consists merely of entering their DNS address.)

1 user thanked author for this post.

Cybertooth

[wdburt1]

I installed Windows Firewall Notifier a couple of days ago.  It generated a lot of notifications that it was blocking various installed programs, and it didn’t seem to be “learning” anything when told to Allow.  I disabled it until this morning, when I tried again.  Same story.

As mentioned previously, WFN does not install, but runs from an .exe file in a saved folder.   Supposedly it also creates a Scheduled Task that springs to life when needed.  It “uninstalls” by opening the program and disabling notifications regarding outbound connections to the web, after which the program folder supposedly can be deleted in its entirety.  In case that doesn’t work, there is a separate .cmd file that can be used to disable the program.  None of that worked for me, though at various points I saw various confirming messages mixed with error messages.  This software is still beta and acts like it.  All I can say is that I think I disabled it.  I never did see evidence of a scheduled task.

In hope of finding a Windows Firewall add-on that would “learn” what rules to apply, I installed Windows Firewall Control, which is a product of Binisoft but also carries the Malwarebytes label.  This one installs in the traditional manner and has a more useful interface and setup options, including a learning mode, which automatically creates “allow” rules for digitally signed programs and displays notifications only for unsigned programs.  When you get a notification, the choices are more clearly explained.  After a few initial notifications, things have settled down and are running normally.  The plan will be to run it in learning mode awhile, then shift to the stricter “display notifications” mode, which displays a notification whenever an outbound connection is blocked, except for user-specified exceptions.

So the end result is that I continue to use Windows Firewall with a nifty little add-on that improves the interface.

 

1 user thanked author for this post.

Cybertooth

[LHiggins]

I have a question about adding a NoScript-type extension to my Opera browser. I am currently running Opera 66.0.3515.36 and after reading though this discussion, think that adding a such an extension might be a good idea. Has anyone had any experience with one they call SafeScript? It is an extension for Opera. Or is there an Opera version of one of the others that might be recommended?

Also as an update regarding 0patch…

wdburt1 wrote:

I’m interested in 0patch or any other third-party service that can supply security patches, but need to learn more.

…some of those interested in 0patch may have seen Woody’s reference to it in his recent article in Computer World about it.

To add to that, I did email Mitja at 0patch to ask when the Win 7 EOS patches would be available from 0patch. His reply – also in the CW article was:

“Post-EOS micropatches will become available as we become aware of vulnerabilities that: (1) affect Windows 7 / Server 2008 R2, (2) pose a high risk (see Which vulnerabilities does 0patch provide micropatches for?), and (3) we have a proof-of-concept or exploit for it so we can analyze it. Having access to the patched code (from Extended Security Updates) will help a lot but will not suffice to compensate for #3.

That said, we expect the first micropatches will be issued sometime after the February Patch Tuesday, after we have reviewed what was patched in Windows 7 ESU, and whether any other vulns might affect Windows 7 / Windows Server 2008 R2. It may happen though that there will be no Win7/Srv2008 micropatches in any particular month based on the above-described criteria.”

As to getting the January patches, Mitja also said:

” It is sub-optimal to use 0patch for Windows 7 security micropatches if you don’t have all official Windows 7 updated applied.”

Still sorting through my other options for protecting my Win 7 laptop. Thanks for so much great advice.

3 users thanked author for this post.

Kaj4strom, wdburt1, Cybertooth

[LHiggins]

LHiggins wrote:

I have a question about adding a NoScript-type extension to my Opera browser. I am currently running Opera 66.0.3515.36 and after reading though this discussion, think that adding a such an extension might be a good idea. Has anyone had any experience with one they call SafeScript? It is an extension for Opera. Or is there an Opera version of one of the others that might be recommended?

As a follow-up to my own question – after reading the warning about Opera, I have just gone ahead and switched over to Firefox, so I’ll look into those extensions for FF.

1 user thanked author for this post.

Cybertooth

[Microfix]

@wdburt1, as for the firewall, if you use the Windows Firewall there is a small utility which may be of help I recently assisted a member and done a quick walkthrough on WPD for Win 8.1 and this also applies for Win 7 Have been using this for a few years on Win7/8 to good effect

Win7 Pro x86/x64 | Win8.1 Pro x64 | Linux Hybrids x86/x64 |

1 user thanked author for this post.

wdburt1

[Moonbear]

@Cybertooth

Thank you for linking to the Host file lists, I’m looking at using the lists from someonewhocares.org but I’m stuck on one thing.

Do I simply copy and paste the parts of the lists I want into the Host file or is there another step?

[Cybertooth]

@moonbear, here’s a brief set of instructions for editing the Hosts file. But I would add some points to that write-up:

You are right to suspect that it’s not as simple as just copying and pasting the lists you want into the file. There are three tricks–

1. As a precaution, before doing anything else, make a copy of the current Hosts file and add something to the copy’s name, for example “Hostsbackup” or anything that you’ll remember. That way, if anything goes wrong with your file editing, you can always put things back the way they were by renaming that file back to “Hosts” (note that the file has no filename extension).
2. You need to open the Hosts file by first launching the program you’ll be using to edit the file (for example, Notepad) , making sure to right-click on it in order to run the program as an administrator. Then you open the Hosts file from within that program.
3. When you’re done, make sure in the “Save As” area that there is NO filename extension associated with the file you are about to save. Otherwise, you’re liable to end up with a file named (for example) “Hosts.txt”, which will not replace your current Hosts file.

Give it a try and let us know how things go!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

Steve, Moonbear

[Moonbear]

I’ll be testing this out this evening.

I have one more question.

How do I get the parts of the lists I want from someonewhocares.org?

Do I copy & paste the list entries from the site into a text file and then add that into the Hosts file or do I need to download something?

[Cybertooth]

What I would do is to copy the desired parts right off the webpage and paste them to the Hosts file. For instance, you could place your mouse pointer at the beginning of the line that reads

#<localhost>

and then press the Control, Shift, and End keys in succession while keeping the previous one(s) pressed. You will end up with all three keys pressed at the same time. This will select everything down from that point in that long file. The selected text will be highlighted on your screen, probably in white since that webpage is dark.

Now you can let go of the Ctrl-Shift-End keys. You will probably see the bottom of the webpage. If not, then use the scroll bar off the right edge of your browser window to reach the bottom of the webpage. (If you use the mouse to scroll down, the highlighting may disappear and you’ll have to start the process over again.) The last line that’s highlighted gives a time and date. Press your Shift key (only) and, while keeping it pressed, hit the Up arrow on your keyboard to un-highlight the lines to just above the line that reads

#<Windows10>

…unless you want to keep those Acknowledgments in your Hosts file  🙂  as well as the Windows 10-related addresses.

If you only want to add a certain portion of Dan Pollock’s list to your Hosts file (say, the hijack sites section), then simply highlight the desired portion by dragging the left mouse button over that section, then proceed as in my next paragraph.

Now you can copy the highlighted text by using Ctrl-C, change the focus on your screen to the Hosts file that you opened in Notepad, go to the end of the file, and press Ctrl-V to paste the copied text into the Hosts file.

Once you’re satisfied that you’ve made the changes you want and that they were done correctly, you can save the Hosts file as described in my previous post.

You can add listings from additional Hosts file maintainers, although some people may warn you that an excessively long Hosts file could impact your PC’s performance. (I am not sure of that one way or the other, but am mentioning it here just in case.)

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Moonbear]

This may be a silly question, but does it matter if I copy and paste with the mouse instead of the keyboard?

Also while I’m thinking about it, how would I know if I had messed up with editing the host file?

(I haven’t done anything yet, just doting t’s & crossing i’s before I begin.)

[Cybertooth]

No, as long as the text you want to copy has been successfully highlighted, it doesn’t matter how you select it.

Other than the filename extension being incorrect, there’s not much to go wrong with when editing the Hosts file. Just make sure that every line starts either with a “#” (for lines that are merely comments) or with one of the numerical dummy addresses (127.0.0.1 or 0.0.0.0).

If you wish, after saving the Hosts file you can test the effectiveness of what you did by trying to reach one of the sites that you have banned. (I have Facebook.com in my Hosts file, and it’s nice to see a “can’t connect to Facebook” error when I try it.) However, be aware that this could be risky if you do the test with an out-and-out malware site!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Moonbear]

Thank you very much for the clarification. I have Cerebral Palsy which in my case means I can’t really use my right hand so whenever I see “use multiple keys to do X” it leads nothing but frustration.

I will report back with my results soon.

 

1 user thanked author for this post.

Cybertooth

[Moonbear]

I added everything I wanted but when I clicked save as I got a warning that the encoding was wrong, what do I do now?

[Cybertooth]

This was a new experience for me, too. I use Spybot’s Hosts file with manually typed additions, so I’d never run across that issue before.

The error that you ran into, does it look like this:

If this is what you’re getting, then try changing the character encoding when you save the file. This choice will be near the bottom edge of the Save dialog:

The screenshot didn’t include it, but in the drop-down menu off the bottom edge there will be three other choices. Select “Unicode” (nothing more) and save the file. (Please note that I’m using a test text file here, so other settings that you see in the screenshot will differ from yours.)

As a test, I would suggest adding a known site (that you never visit) to the Hosts file, such as facebook.com, then saving the file and trying to visit Facebook. If you can’t get to the site, then you know that the Unicode file save worked. If you’re OK with Facebook, then you can go back into the Hosts file and remove facebook.com from your list.

Others reading this who may be more familiar with the nuances of ANSI vs. Unicode encoding, are invited to provide more details. Shouldn’t this be a hurdle that’s addressed on Dan Pollock’s page?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

Moonbear

[Moonbear]

That’s the exact error I was getting.

Before I replied, I tried something:

Howtogeek has a tutorial on editing the hosts file where they also use facebook as an example. I copied & pasted their example and changed the 0.0.0.0 to 127.0.0.1 then instead of clicking save as I just clicked save.

It seems to have worked as when I tried to reach Facebook.com, Chrome threw up a

this site can’t be reached screen with err_connection_refused. (I have it sitting in another tab as I type this.)

• This reply was modified 2 months, 2 weeks ago by Moonbear.

1 user thanked author for this post.

Cybertooth

[Geo]

Security Now 744 VPN-geddon Denied   In this episode of Security Now , Steve Gibson mentions about the Win7 hobbyists already hacked the win 7  extended updates and the link to their forum.  The cat and mouse begins.

2 users thanked author for this post.

Steve, Cybertooth

[Alex5723]

Geo wrote:

Security Now 744 VPN-geddon Denied   In this episode of Security Now , Steve Gibson mentions about the Win7 hobbyists already hacked the win 7  extended updates and the link to their forum.  The cat and mouse begins.

Someone found a way to bypass Windows 7 Extended Security Updates checks

https://www.ghacks.net/2019/12/07/someone-found-a-way-to-bypass-windows-7-extended-security-updates-checks/

[Cybertooth]

For better or worse, viewing that MDL thread now requires getting an account there and signing in.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Kranium]

Cybertooth wrote:

For better or worse, viewing that MDL thread now requires getting an account there and signing in.

 

For better. That thread is now overflowing with the same questions over and over and over again. Terrible to sift thru for actual relevant info & updates. This will help, albeit not enough.

Group B for WIN7 w/ ESU, plus trying out Linux builds in dual boot.

1 user thanked author for this post.

Cybertooth

[Moonbear]

@Cybertooth

Should I add the someonewhocares.org #<localhost> portion into my host file?

What does it do?

Once I figured out how to make the host file save this morning, I went back and added everything I wanted but I skipped the localhost portion in case it was part of why the file wouldn’t save correctly last night.

[Cybertooth]

Yes, you should definitely add the <localhost> section to your Hosts file.

I’m no expert on computer networking, but if I have it right, then this section is what prevents your browser from actually reaching the websites you want to block. For example, assuming that you have included that section in the Hosts file, then when you set facebook.com to 127.0.0.1, essentially what you’re doing is to tell your browser to look for facebook.com on your PC (“localhost”), which of course it won’t find and give you that “can’t connect to facebook.com” message.

For some additional information, see this page, especially the “Site Blocking” section, and this Wikipedia entry.

Networking connoisseurs are welcome to correct or expand on my explanation!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

Moonbear

[Moonbear]

Thanks, I’ll do that right now.

[jabeattyauditor]

The localhost section isn’t needed; 127.0.0.1 *is* localhost.

The entry mentioned above has a comment tag (#) before localhost which means the OS won’t even see the word.

Your hosts file needs nothing other than the IP address followed by the site you wish to associate with it. (You can use this to provide fixed IP links to other systems on your LAN, btw, and avoid using SMB1 in the process.)

1 user thanked author for this post.

Cybertooth

[Cybertooth]

What I understood by the question @moonbear posed, was that he was referring to the entire section labeled #<localhost>, i.e.:

#<localhost>
127.0.0.1	localhost
127.0.0.1	localhost.localdomain
255.255.255.255	broadcasthost
::1		localhost
127.0.0.1	local
::1		ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
ff02::3		ip6-allhosts
#fe80::1%lo0	localhost
#</localhost>

Wouldn’t at least some of this need to be included, so that the blocking takes place as desired?

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

Moonbear

[Moonbear]

So should I delete this section completely?

#<localhost>
127.0.0.1	localhost
127.0.0.1	localhost.localdomain
255.255.255.255	broadcasthost
::1		localhost
127.0.0.1	local
::1		ip6-localhost ip6-loopback
fe00::0		ip6-localnet
ff00::0		ip6-mcastprefix
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
ff02::3		ip6-allhosts
#fe80::1%lo0	localhost
#</localhost>
Or just the #<localhost> and #</localhost> and leave the rest?

[Cybertooth]

There’s a technical discussion of this issue here.

Personally, I would leave the contents of the section intact as we see it in your post. But the two “#” lines that you specified are merely comment lines, markers for convenience to indicate where that section begins and ends; as @jabeattyauditor suggested, you can delete those two “#” lines and be just fine.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

jabeattyauditor, Moonbear

[Moonbear]

Cheers, I’ll do just that.

[Moonbear]

I had a weird thought in regards to the # lines.

Wouldn’t it also be a good idea to delete the ones at the beginning and ending of the sections of the list for the things that are meant to blocked as well?

Or do those not matter?

[PKCano]

The comment lines designated by # serve the purpose of documentation. If you open the file a month (year) from now, it helps you to know what’s being done.

Don’t know if you’ve ever done programming, or particularly tried to read someone else’s code, but it is very hard to follow the flow of things without the commented documentation. I have always left comments in the code when programming. Six months later, it would be a nightmare for me to follow my own logic without them. And Heaven help anyone else trying to wade through the murk.

3 users thanked author for this post.

Steve, Moonbear, Cybertooth

[Moonbear]

Ok, that makes sense.

I’ll leave them alone, it was just a brainstorm.

[OscarCP]

PK: “Six months later, it would be a nightmare for me to follow my own logic without them. And Heaven help anyone else trying to wade through the murk.”

Well said and so very true! I often have trouble figuring out my own code a few months after writing it, even with comments, and prefer not to think what it would be like if I had left those out. Particularly when it is more than a few hundred lines, with multiple loops, branching points, nested “if… then” structures, etc.

Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

[TaskForce141]

Another security tactic, for Home users who lack the application whitelisting abilities of Applocker in Win 7 Professional:

Use the Parental Controls applet in the Win 7 Control Panel for application whitelisting.

Select the user account you want to apply Parental Controls to, and then select the installed programs you wish to allow access to.  To simplify things, I picked ‘All’ (I did an all-files anti-virus scan beforehand to ensure a clean baseline).

Caveats:  some, but not all, programs that auto-update themselves may start complaining or not work at all.  I only saw this with the desktop software for Napster/Rhapsody music streamer.

 

2 users thanked author for this post.

Cybertooth, wdburt1

[Gnutopian]

I have to agree that the paranoia about patching is a bit over-done, but not getting anymore security patches is concerning. The main threat for casual “home” PC users is through their browser. I use Firefox with NoScript, uBlock Origin, and a number of other protective extensions. And have used the hosts file modifications, and the malware-filtering DNS, for years.

But I am considering some of these other options that you have listed. What is using OSArmor like? Does it prompt for every little thing you run at first? Does it have a “config file” that you can copy to another system? Or does every system have to build up a unique profile through usage?

You mention EMET. Have you actually installed it? Does it have any known compatibility problems with common applications?

• This reply was modified 2 months, 2 weeks ago by PKCano.
• This reply was modified 2 months, 2 weeks ago by Gnutopian.

[Cybertooth]

OSArmor isn’t hard to use. Although it has a lot of sophisticated elements to it (many of them too sophisticated for me 🙂 ), you can use it at default settings and have a good experience. However, on those few occasions there’s been an alert, I’ve jumped out of my chair, as the warning sound is pretty creepy. In my mind it evokes an image of some evil crow. If you still use Adobe Flash on IE11, when updating it I recommend temporarily disabling OSA (you can right-click on its Notification Area icon) to avoid this scare.

Here are a couple of screenshots of the OSArmor GUI showing a sampling of its protections:

I’ve been using this program for more than three months now, and the alerts have been few and far-between.

Now regarding EMET, I don’t have it installed on my Windows 7 PC since I use HitmanPro.Alert on it, but I do have installed on a Vista machine and on my Windows 8 laptop. As with OSArmor, you can make your experience with it as simple or as complicated as you like; I tend to leave EMET set to default values. The only time it’s given me grief was at first when I tried to launch a browser (I think it was IE11) and it couldn’t due to one of EMET’s protections. It was so long ago that I can’t remember the exact details, but I do remember that the solution was to switch off “EAF+” protection for the problem application.

As with any new software that we’re trying, the Web is our friend when it comes to researching problems as they arise. 🙂 One very good, ongoing discussion for OSArmor that I monitor takes place at Wilders Security.

Good luck, and let us know how EMET and/or OSArmor work out for you!

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

• This reply was modified 2 months, 2 weeks ago by Cybertooth.
• This reply was modified 2 months, 2 weeks ago by Cybertooth.

Attachments:

You must be logged in to access attached files.

1 user thanked author for this post.

Gnutopian

[Gnutopian]

Wow, the “third-party” security world is much bigger than I realized. All those acronyms for various other utilities in the Wilders Security thread are confusing. Is there a list of these programs and their acronyms/abbreviations somewhere? 🙂 Long thread, too. It took quite a while to develop OSArmor to the point where it is now. I hope it is stable going forward.

Adobe Flash had become so notorious that I dropped it from my own systems more than a year ago. It will be discontinued by the end of this year, as I recall. Since Chrome has a built-in version, it’s not completely absent from my systems, but I leave it disabled even in Chrome.

I think it will be a while before I make the leap and install some of these things, though. There are many confusing issues, like possible changes in how I use my computers, possible conflicts among the various add-ons, and trust. Annoying that MS isn’t trustworthy themselves… just the OS creator, so we’ve had to trust them by more-or-less default even as they ramped up the “telemetry”. But it still makes me nervous to have to install third-party software at the “ring 0” level.

[Bluetrix]

Gnutopian wrote:

Wow, the “third-party” security world is much bigger than I realized.

Yes it is. You have to keep an eye open though. Some sites purport to offer a free security check, when in fact they are just collecting your personal information. One way is to offer you a security check but to see the results of the testing requires that you to fill out a form so they can email the report to you. False positives is one way they “scare” you into a purchase and/or gather your personal info. Free isn’t always a bad thing, just be aware.

You can do an internet search on the site you might want to use and see what people have to say about it. Another is to check out vetted sites from a trusted source.

This is just one of many sites that vet such “free scans”.

https://staysafeonline.org/stay-safe-online/free-online-security-checkups-tools/

Stay safe out there.

2 users thanked author for this post.

LHiggins, wdburt1

[Pierre77]

Hope this helps @Gnutopian

https://www.webopedia.com/

[Cybertooth]

I just discovered this site by a well known security company to test your PC’s defenses, and tried it on my Windows 7 machine. It looks like the steps taken to fortify the computer (as detailed in the original post above) are working:

“Check” it out! 🙂

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

• This reply was modified 1 month, 2 weeks ago by Cybertooth.
• This reply was modified 1 month, 2 weeks ago by Cybertooth.
• This reply was modified 1 month, 2 weeks ago by Cybertooth. Reason: removed note about image not displaying

Attachments:

You must be logged in to access attached files.

[jabeattyauditor]

Cybertooth wrote:

I just discovered this site by a well known security company

Run by the folks at Check Point.

Edit for content.
Please follow the –Lounge Rules– no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

1 user thanked author for this post.

Cybertooth

[Melvin]

Thanks for the recommendation to protect a Windows 7 PC.  It’s a nice “belt and suspenders” approach.

About the webpage to check one’s own security (posted 15 Feb), the webpage’s domain is using non-secure http. That seems unusual for a security check.  Isn’t that susceptible to a man-in-the-middle attack? But I agree the main vendor is well regarded. And, their domain’s webpages are secure http.

Win 7 Pro 64-bit, Office 2010.
Nethermost of the technically literate.

1 user thanked author for this post.

Cybertooth

[Cybertooth]

Isn’t that susceptible to a man-in-the-middle attack?

That’s a good question, the answer to which I’m not qualified to give!

By the way, I should have specified in my post about the Check Point test that the results shown are for the “Endpoint” check. (The Network check is selected by default when you open the page, so you have to click on the Endpoint option to change it.)

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

[Paul T]

It’s possible the checks require non-encrypted comms.

cheers, Paul

1 user thanked author for this post.

Cybertooth

[Cybertooth]

Cybertooth wrote:

Use a software firewall that will explicitly ask your permission when new programs try to access the Internet for any reason. Over time, you will train the firewall to allow trusted programs and the number of notifications will fall to just new (and possibly unknown) programs. ZoneAlarm Free Firewall is set to ask you “out of the box.”

Since the time I wrote that paragraph, I have installed ZoneAlarm Free Firewall on my main Windows 7 PC (previously, I had used it on a Windows 10 test system, an XP machine, and–going way back–a Windows 98 system).

Everything is working together well: no incompatibilities have been observed between ZA and the rest of the security measures on that computer.

If you install ZoneAlarm’s firewall, be aware that there will be an initial “training” period during which you will be getting a lot of notifications from ZA, asking for your permission to allow or block programs as you launch them and they attempt to access the Internet. You can tell ZA to remember your choices, so once these are set (you may need to do them each a couple of times) the distraction factor will diminish greatly.

This means that it’s especially important to be sure that your PC is malware-free as you give ZoneAlarm the green light to allow programs onto the ‘Net. If you have already implemented many of the other measures described in the original post above, then you should be fine: just make sure to actually look at the name of the program that ZA is reporting, in case it’s something unfamiliar and unwanted. Otherwise, prior to installing ZA you may want to run malware scans with your main AV and one or two of the secondary scanners, preferably including an offline scan.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

Attachments:

You must be logged in to access attached files.

2 users thanked author for this post.

wdburt1, Elly

[southieguy]

I hope this question is not off this topic, and if it is would one of the Lounge monitors please move it to where it should go.

Also, please be patient with me: I’m an 80-year-old, non-techie.

I am running, and want to keep running, W7 SP1 as long as possible.

I also run the Pro (paid for) version of Macrium Reflect; and religiously back up my system and data.

After that verbose lead-in, here’s my question:

If I bought a refurbished laptop that had Windows 8.1 on it, could I re-image/restore my current Windows system and data to that (formerly) Windows 8.1 machine?

If that’s possible, would some kind soul lay out the steps (for dummies) to do that?

Thank you,

Southie-Guy (formerly known as Dick-Y)

 

1 user thanked author for this post.

Melvin

[PKCano]

If you have a legal copy of Win8.1 on that machine, it is good till 2023. I would keep it, as it will be more secure than Win7 in the next three years. You will continue to get Windows Updates.

Download free Open Shell (formerly Classic shell). It will avoid the Metro desktop and make Win8.1 look/act like Win7. I have used this on all my Win8.1 and Win10 machines.

4 users thanked author for this post.

wdburt1, Ascaris, Melvin, southieguy

[Cybertooth]

Depending on how comfortable you are with removing and replacing internal drives on your laptop, you might consider taking out the Windows 8.1 drive from it and putting in a brand-new drive onto which you would image your Windows 7 installation. That way, you wouldn’t have to reinstall your programs.

In my experience, chances are there will be some minor temporary glitches as Windows adjusts itself to the different hardware. A more important potential drawback of this route, however, is that Windows might decide that this is not a legitimate installation because it would be a second use of the same license. In that case, you may need to contact Microsoft to explain the reason for the change (usually an automated process).

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

southieguy

[PKCano]

If the Win7 is an OEM machine, the image onto another laptop would not be legal.

1 user thanked author for this post.

Cybertooth

[southieguy]

Thanks PKCano:

My laptop is a Dell Inspiron.

Dick-Y

 

 

[PKCano]

OEM licenses are only legal on the machine they were originally installed on.
RETAIL licenses (if you bought the OS separate from the machine) can be moved from one machine to another, providing you uninstall it from one before installing it on the other one.

[southieguy]

Wouldn’t you know . . .

My Dell laptop came with W10, with the ability to deprecate (Dell’s fancy word, not mine) it to Windows 7, which I did on 1st getting it.

Dick-Y

[southieguy]

Thank you.  Ignorance showing:  If I stay with 8.1, won’t I have to reinstall all my existing software (like Reflect, Malwarebytes, etc.)?

Dick-Y

[PKCano]

You will have to install the third-party software on the Win8.1, yes. You shouldn’t have any problem with it running on Win8.1

You can copy your data to the Win8.1 machine from the the Win7 machine.
Keep the Win7 machine as is in case you have a problem.
Be sure to make an image of the Win8.1 as you got it, and again after you finish adding programs and data.

2 users thanked author for this post.

OscarCP, southieguy

[Ascaris]

I’m a UI purist who considers Win2k to have had the gold standard of MS UIs, but Win 8.1 (with Classic Shell, a custom theme, Old New Explorer, 7+ Taskbar Tweaker, and other such things) was even acceptable to a contrarian like me.  It was the last Windows that was ever a “main” OS for me before I completed my migration to Linux. I’d certainly use that in lieu of 7 if I was still using Windows.

Group "L" (KDE Neon User Edition 5.18.4).

1 user thanked author for this post.

southieguy

[Paul T]

Or restore your data from backup – good opportunity to test. (After you’ve backed up the machine of course.)

cheers, Paul

1 user thanked author for this post.

southieguy

[southieguy]

Thanks everybody for all your helpful responses.  I have ordered a laptop with Windows 8.1.

One more question, if I may:

On my current W7 SP1 system, I have 2 partitions, so that my data is on the 2nd one.

Before transitioning to the new laptop, would it be better to go to a 1-partition system so that I can image that 1 partition that would now have everything together (i.e., my data too after moving it)?

Said another way, what would be the best way to transition to the new laptop with all my data now resident under Windows 8.1?

Thank you,

Dick-Y

[PKCano]

A full disk image images the boot sector and all the partitions, not just the OS partition. So if you have to restore the disk, you have all that you need.

Given that, it does not matter if your data is on a separate partition b/c it would also be included.

[Cybertooth]

@southieguy, if you wish merely to copy the data off your Windows 7 system onto the new Windows 8.1 laptop, then you might want to (1) image the Win7 data partition, (2) create a data partition on the Win8.1 drive, and then (3) copy the data from the imaged Win7 data partition over to the Win8.1 data partition.

If you have a way to get the two drives to communicate with each other, then you could skip step (1) above. There’s no special reason to image the old Windows 7 drive, except as a backup in case something gets royally messed up in the process.

In either case, there is the possibility that some of your data on the Win8.1 drive will be unusable until you install the software that’s associated with it onto your new Windows 8.1 system.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

1 user thanked author for this post.

southieguy

[southieguy]

More display of confusion/ignorance on my part:

On my current W7 SP1 system with the 2nd partition (a data partition) I have files like Pictures, Documents, etc. that “normally” reside on the OS side of the ledger.

After creating the 2nd data partition on the new laptop with W8.1, do I have to do anything special after restoring my W7 Macrium Reflect data image to the W8.1 partition?

Thanks for your continuing help,

Southieguy (aka Dick-Y)

[Paul T]

You need to redirect all your folders before restoring so Windows doesn’t junk the stuff you just restored.

Or not use a 2nd partition.

cheers, Paul

1 user thanked author for this post.

southieguy

[southieguy]

Paul T:

Thanks for the helpful response.  I’m glad I thought to ask that question.

I’m going to go back to a single partition

Dick-Y

[Paul T]

You definitely want an SSD in that machine.
No need to have a 2nd partition as you can back up the data independently of the disk image.

cheers, Paul

1 user thanked author for this post.

southieguy

[Ascaris]

southieguy wrote:

On my current W7 SP1 system, I have 2 partitions, so that my data is on the 2nd one.

I always set my systems up this way.  Having separate partitions for data and system files means that if you need to restore the system setup, you don’t need to worry about whether you’ve managed to back up any personal data files that may have changed since the last system image, and the restore process will be much faster.  It allows you just to restore what’s needed rather than nuking everything from orbit and starting over.

Before transitioning to the new laptop, would it be better to go to a 1-partition system so that I can image that 1 partition that would now have everything together (i.e., my data too after moving it)?

I don’t think that would really help anything.  As PKCano said, an image can contain any number of partitions within itself, so there’s no need to put it on one partition to image it all at once.  Depending on how you have things set up, it may only be necessary to image the data partition, since the system partition will be a new OS, and you’ll be installing things anew into that.  If some of the data is still on the system partition, you could either copy that to the data partition prior to imaging, to make it a simple one-step restore, or you could image the whole thing and restore the bits of data that are on the system partition on a file-by-file basis.

Said another way, what would be the best way to transition to the new laptop with all my data now resident under Windows 8.1?

If it were me, I’d make sure all the data you want to keep is on the data partition, image that, then use the backup software (whatever one you’re using) to restore that image to the new laptop, then point any shell folder references to that as necessary.  Be sure not to overwrite the existing system partition, of course!  If there is an existing, available partition already there, you can use that (change the size first if needed), or you can create a new one.  The backup software probably will have that capability itself, without having to use anything else.

Group "L" (KDE Neon User Edition 5.18.4).

3 users thanked author for this post.

Cybertooth, southieguy, Elly

[southieguy]

Me again . . . and I’m sorry.  I feel like I’ve hijacked this thread, but I don’t know where my request for help with this whole question of migrating to a new laptop with Windows 8.1 from my W7.1 SP 1 dying laptop should go.

On the current laptop, I run Firefox and a Hotmail account that long ago M’Soft migrated to, I guess, Outlook.com.

My question has to do with how do I ensure I don’t lose any of my saved emails or anything else I need to be able to log on and use my Hotmail account on the new machine?

As always, thank you all for your help,

Southieguy (Dick-Y)

 

[Elly]

@SouthieGuy-

Just for future reference- Windows 8.1 support forum.

But your question is really about e-mail. Your Hotmail account is an on-line service, although that might not be immediately apparent if you are using a particular e-mail client. If I’m following the Hotmail to Outlook saga correctly, you should be able to log into your account from your browser, at Outlook.com.

Several years ago, Hotmail.com and Live.com were rebranded as Outlook.com. You can sign in to Outlook.com with your Hotmail email address and password

You can test this on your new machine, just to be sure.

As to saving your e-mails… How have you been saving them until now? Are they all on Outlook.com, or saved locally? In what format? E-mail saved locally from Outlook tends to be in a proprietary format.

Personally, I like using Thunderbird as my e-mail client. I have enough tabs open in my browser, as it is. I can access multiple e-mail addresses, all in one place. I then set up local folders to save to, organized by year, with appropriate sub-folders. Those are then backed up when I back up my computer. Archiving is not the same as saving locally… and remember it takes 3 copies to really be backed up. Once you figure it out, it is easy to save your Thunderbird profile, and e-mails, and even move them from one computer to another, as necessary.

A whole thread could be done on e-mail formats, and the best way to save your e-mail long term. As someone who has hung in there from Hotmail to the current Outlook, you might want to investigate what options there might be, especially if you have a large amount.

Hope you enjoy Windows 8.1!

Non-techy Win 10 Pro and Linux Mint experimenter

4 users thanked author for this post.

jburk07, wdburt1, southieguy, Cybertooth

[Paul T]

Do you use an email client or via your browser?
If it’s browser you don’t need to do anything.
If it’s a client you need to work out how you’ve set up the client. IMAP means very little work, POP3 may mean you have to copy mails from machine to machine.

cheers, Paul

1 user thanked author for this post.

southieguy

[southieguy]

I log in from Firefox.  While answering this question, holding my mouse’s pointer over where I sign in , I see https://login.live.com/login.srf?wa= . . .followed by lots of what look like macro parameters.

I think that means. Paul T, that I don’t have to do anything except sign in to Firefox on Windows 8.1.  Yes??

Thanks,

Southieguy

1 user thanked author for this post.

Elly

[Paul T]

Yes.
You are only using the browser so all mail is stored on the server.

cheers, Paul

1 user thanked author for this post.

southieguy

[southieguy]

Thank you, Paul T!!!

Your helpful answers have taken a big concern off my shoulders.

What a blessing to have such a community to turn to for technical help.

 

May everybody here and all our loved ones be kept safe from the coronavirus.

Southieguy

[Cybertooth]

@rmeijer reported here on a 2019 Australian white paper which offers methods for hardening Windows 7 security.

Most of the suggestions pertain to the Enterprise or Ultimate editions, and if you have either of these (especially in a local network setting) the paper could come in very handy. Windows 7 Home and Pro users will be able to apply a few of the ideas, though–see page 11 for Data Execution Prevention; page 17 for SEHOP; and page 45 for WPAD.

I’ll let you know if I run into any difficulties as a result of making the above changes.

 

Keep Running Windows 7 Safely for Years to Come  
Make Windows 10 look and work like Windows 7

2 users thanked author for this post.

wdburt1, Pierre77

[Author]

Posts