|
MS-DEFCON 2:
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it.
|
-
Keep Running Windows 7 Safely for Years to Come
Posted on Comment on the AskWoody Lounge- This topic has 132 replies, 27 voices, and was last updated 1 month, 3 weeks ago.
Viewing 39 reply threads-
-
As Windows 7 approaches the expected end of monthly security patching next January, Windows 7 users who have hesitated to switch to Windows 10 face the critical choice of whether to accept Microsoft’s newest operating system; to switch to an altogether different platform such as Linux, Mac, or Chrome OS; or to look for a way to protect their favorite OS into 2020 and beyond.
In my case, I have decided to implement a multi-layered defense strategy which, I am confident, will make it possible to use Windows 7 without worries while I continue the slow transition to Linux (Kubuntu). The defensive layers include, in no particular order:
* Resident anti-virus software. My main Windows 7 machine is currently on BitDefender Free, but there are many other good free and paid AV solutions out there.
* Resident anti-exploit software. Several choices are available, such as Malwarebytes Anti-Exploit (MBAE) and Microsoft’s own EMET, but I use HitmanPro.Alert as it also offers keystroke encryption.
* On-demand scanners to catch any baddies that might have gotten past the main defenders. I cycle a variety of free scanners including Malwarebytes Anti-Malware Free (MBAM), Sophos Virus Removal Tool, F-Secure Online Scanner, Norton Power Eraser, and ESET Online Scanner. (Once again, there are others, free and paid.) At least occasionally, run the rootkit scanning feature, if available (usually requires a reboot).
* Use a Web traffic-filtering browser extension such as Norton Safe Web or Bitdefender TrafficLight, and/or a security-oriented public DNS resolver such as Quad9, for your Web browsing.
* Keep your router firmware updated, if possible, and consider increasing the router’s hardware firewall settings (it may come set to a medium level that’s less hassle, but offers lower protection). Learn how to block websites and URLs at the router.
* Use a software firewall that will explicitly ask your permission when new programs try to access the Internet for any reason. Over time, you will train the firewall to allow trusted programs and the number of notifications will fall to just new (and possibly unknown) programs. ZoneAlarm Free Firewall is set to ask you “out of the box.”
* Keep your browsers (plus their extensions/plugins) and other programs updated.
* Use ad-blocking extensions on your browsers, as malvertising is one of the main sources of infection nowadays. My main choice for this is uBlock Origin, although I’ve also used Ghostery.
* Change your Windows account from the default administrator account to a standard user account, which has fewer rights to install software and make changes to the system. (You will have to enter a password to do those sorts of things.) This prevents malware from exploiting your administrator status to make changes behind your back, and research suggests that this one measure alone prevents upward of 90% of attacks.
* Use an extensive Hosts file to stop your computer from being led to sites that serve up malware. I also use it to block Facebook, which some researchers claim follows you around the Web even if you don’t have a Facebook account. You can obtain ample Hosts files from here or here.
* Additional protections: I have installed OSArmor by NoVirusThanks and have had a good experience with it. The program, over time, builds a whitelist of programs that you have approved to run on your PC. I am also considering BlackFog Privacy and VoodooShield as useful, supplemental layers of defense; reports on the security community Wilders Security indicates a high degree of compatibility and satisfaction for both of these products.
* I am evaluating 0patch, by Acros Security. This is a service that injects on-the-fly patches to software that no longer receives updates from its vendor. I am currently using it on a Vista test machine and have experienced no problems, although I’m not sure yet how useful it might be as it has rarely kicked in to do its thing. For a more thorough test, I may need to install 0patch on my main Vista PC, but for now at least I’ve determined that it doesn’t make Vista crash or slow down. When Windows 7 goes EOS, 0patch could conceivably fill in for the bulk of security patches that Win7 will not receive.
* Finally, back up the PC (data and programs) regularly. If all else fails and you get infected, you will then have a reasonably current copy of your computer that you can install over the infected system. There are numerous image backup solutions out there; I use the free version of Macrium Reflect.
* * * * *
You might think that there is considerable overlap in the kinds of protection offered by the above set of measures. And you would be right: the defenses feature a moat, trenches, walls, minefields, sentries, snipers, archers, machine-gun nests, early-warning systems, Patriot missiles, deflector shields, and an escape tunnel. I have deliberately built redundancy into the strategy, so that whatever one misses another one will stop. I’ve neither experienced nor heard of any incompatibilities affecting computer usability. (The only caution is to avoid using multiple resident AV programs at the same time, for example BitDefender and Kaspersky.)Is this paranoid? No more so than the folks who tell us that you must patch right now or you’re doomed, or that you must upgrade to Windows 10 when Win7 goes EOS or you’re doomed.
With this combination of defensive measures, I have every confidence that my Win7 box will remain well protected for as long as I care to use it. So long as security vendors continue to support Windows 7, and Win7 browsers continue to load websites, I don’t see any great impediment to keeping this Windows 7 system connected to the Internet for the foreseeable future.
Total of 33 users thanked author for this post. Here are last 20 listed.
-
On the assumption that you/we are most likely to have problems when browsing online, you could also consider running your browser in a sandbox (most of the time).
I have long used Sandboxie for this and there was an introductory guide on the gHacks site recently if you are interested: https://www.ghacks.net/2019/10/29/how-to-use-sandboxie-for-browsing-downloading-and-installing-programs/
You will need to run your browser outside the sandbox occasionally to pick up and keep browser updates and any extension updates. I normally use Firebox and have its update setting to inform me when there is an update, but not to actually download and update, so that I can update after leaving the sandbox. I also have uBlockOrigin (uBO) automatic updates switched off, but start Firefox and manually update uBO every few days. For convenience I allow bookmarks saved in the sandbox to be retained on leaving the sandbox. I run Thunderbird for e-mail in a similar way.
I have no experience using Sandboxie to try out programs as the article suggests.
My only slight doubt mentioning Sandboxie is that after several changes of ownership its future development is unclear (see https://www.ghacks.net/2019/09/10/sandbox-program-sandboxie-is-now-freeware-soon-open-source/ ), particularly as I believe that Sophos itself is/may be changing ownership.
Some security products e.g. Comodo have their own sandbox features.
HTH. Garbo.
6 users thanked author for this post.
-
Thanks, Garbo. I have to admit that I haven’t given sandboxing a lot of thought. Maybe my logic is flawed, but the way I see it is that whatever I’m doing in the sandbox, sooner or later I’ll be saving or printing something, which means it has to come out of the sandbox (right?) and if that’s infected then it will try to attack my computer at that point anyway. I do a lot of saving of Web articles to PDF, so it’s not an unusual scenario for me.
Probably I don’t have an adequate understanding of sandboxing technology, but the above logic (for what it’s worth) is the reason I haven’t looked at it very hard.
1 user thanked author for this post.
-
A more complete guide, and what was my tutorial to Sandboxie when I started with it, can be found at: https://www.techsupportalert.com/content/introduction-and-quick-guide-sandboxie.htm
It is true that you will want some downloaded files and data printed to PDF files to be recovered out of the sandbox, but you are in control of what these are. I download to the “Downloads” folder and always print (using CutePDF) to this folder (even if I’ll move the PDF file later). I have Sandboxie immediately prompt me whenever something is “downloaded” in this way so I can immediately decide what to do with it (recover/leave/delete) before I forget what I’ve been doing (at the end of session). Other stuff downloaded beyond what I have explicitly downloaded can be seen and filtered out before reaching the real PC. On exit anything left is deleted. (You can overwrite whatever is deleted for a more secure deletion e.g. using Sysinternals “sdelete”.)
Other changes the webpage may try to make to the system do not get outside of the sandbox unless you have allowed it in the settings. Beyond the default settings I have allowed bookmarks to be added/deleted, but this is a compromise. There are lists of possibilities for common programs in the settings.
I have been using it since 2013, so I no longer really think about it 🙂
HTH. Garbo.
2 users thanked author for this post.
-
I don’t think the biggest threat is the pdfs you download.
Sandboxing would be useful to help prevent some unrecognized threats, 0-days, drive-by downloads that automatically infect a vulnerable system without needing you to download anything. Fileless malware is a tricky one and sandboxing could add a layer of protection that would supplement what you already have. The anti-exploit is already a great step-up, but sandboxing is another useful tool to your arsenal that brings a different type of protection.
I use Firefox to read downloaded pdfs most of the time when it works, so it reduces the risk of being infected by some malware that would need some of Adobe’s capabilities or vulnerabilities to be triggered. Another little step to reduce the risk of being infected. Firefox could have different vulnerabilities of course, but the capabilities are limited and it is probably not the first target for pdf injected malware.
1 user thanked author for this post.
-
-
-
On the topic of browsing being the biggest risk, I have found that the comprehensive filter lists in uBlock Origin seem to be effective in preventing me from accidentally connecting to potentially dodgy website domains, when clicking on links in web pages or emails.
So that appears to be an excellent protection layer for keeping away from the scripted type of attacks lurking in some website code.
As a backup layer for that, anti-exploit software would be good idea for stopping an attack that was able to gain access to your system, and hopefully prevent encryption or exfiltration of your data before the damage is done.
And finally, making disk images that you can easily restore your PC from, if necessary, is a very effective way to remove a malware infestation. And get your encrypted data back.
5 users thanked author for this post.
-
+1
And as a bonus, aside from uBlock Origin serving as one of the layers of defense, ever since installing it my Web page loads have gotten a lot faster, as the pages aren’t weighted down by flashing ads, autoplay videos, and assorted other bandwidth hogs.
-
And as a bonus, aside from uBlock Origin serving as one of the layers of defense, ever since installing it my Web page loads have gotten a lot faster, as the pages aren’t weighted down by flashing ads, autoplay videos, and assorted other bandwidth hogs.
Not only that, but in a quick ‘n’ dirty test I ran some time ago, using uBlock Origin cut the RAM use in half on the same group of pages, and that’s really saying something. The RAM consumed by the ads was greater than that of the actual content in the pages and the program code of the browser combined.
Group "L" (KDE Neon Linux, User Edition).
1 user thanked author for this post.
-
-
-
-
It’s available here as a rolling beta standalone (has been this way for several years now):
This is a full Beta version with premium features available to Free users.
4 users thanked author for this post.
-
-
Can’t imagine what’s blocking the installer. I just downloaded the latest “mbae-setup-1.13.1.127.exe” from that link, and the installer executed without any issues on my Win 7 Pro x64 machine.
Did you click through the Windows UAC prompts to the license agreement, etc.?
-
Malwarebytes Premium (or Premium trial) includes the Anti-Exploit module. It’s possible the MBAE installer sees that and does not continue, because it is already installed.
There are two things you could try.
- Let the trial expire and then run the MBAE installer again.
- Or force the trial to expire by going to the account details tab under “settings” (the gear icon) in the app and ending the Premium trial.
Keep the free version of MBAM installed after the trial, as it is a good on-demand scanner for free.
1 user thanked author for this post.
-
-
-
-
hmm, just came across this very interesting article by Martin Brinkmann over on Ghacks
Someone discovered a way to enable Extended Security Updates on all machines running Microsoft’s Windows 7 operating system…
Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L2 users thanked author for this post.
-
Wow, this development is certainly worth watching! From that Ghacks post:
The developers plan already to extend support to Windows Vista and to support the POSReady 7 SKU which will receive security updates until 2024.
Over the last couple of years, I’d read around the Web people wondering if there might be a POSReady version of Windows 7 as there is for XP. This is the first time I’ve seen such a version referred to as an actual fact and not just a hope.
I would even be willing to pay Microsoft a reasonable fee for these continued patches for my Home editions (but not $200 or $100 a year, forget it!).
1 user thanked author for this post.
-
-
-
jbeattyauditor: “It IS just an option – unless, of course, you want to enable ESU on a particular PC or server.”
Not entirely an option, as far as I am concerned, because it is tied to having to install the November S&Q Rollup, which is not optional. And that is my point.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
-
-
-
Malwarebytes Premium (or Premium trial) includes the Anti-Exploit module. It’s possible the MBAE installer sees that and does not continue, because it is already installed.
There are two things you could try.
- Let the trial expire and then run the MBAE installer again.
- Or force the trial to expire by going to the account details tab under “settings” (the gear icon) in the app and ending the Premium trial.
Keep the free version of MBAM installed after the trial, as it is a good on-demand scanner for free.
Yes, that is the way to go. I have MBAM Free and MBAE installed on 2 PCs. There is a catch which means when MalwareBytes update their main engine you will have a choice to run another trial for 14 days. The update also removes MBAE, so after the trial expires you will have to install MBAE again. My main PC has a paid version of MBAM installed. Hope this helps.
-
You are correct, based on my experience,updating MBAM removes the MBAE beta.
But you can re-install it.
1 user thanked author for this post.
-
You are correct, based on my experience,updating MBAM removes the MBAE beta.
But you can re-install it.
FYI Malwarebytes also have Browser Guard for Firefox and Chrome available. It will also run on the new development of Microsoft new Chrome Browser. I have it running on one PC without a problem.
1 user thanked author for this post.
-
* Additional protections: I have installed OSArmor by NoVirusThanks and have had a good experience with it. The program, over time, builds a whitelist of programs that you have approved to run on your PC. I am also considering BlackFog Privacy and VoodooShield as useful, supplemental layers of defense; reports on the security community Wilders Security indicates a high degree of compatibility and satisfaction for both of these products.
Since the time I wrote that paragraph in the opening post, I have additionally installed BlackFog Privacy. It seems to work well. The only cautions are that 1) BFP tends to be aggressive with its blocking of what it considers “fake news” sites (even if you have unchecked that item in the UI), although it’s easy to whitelist something you do want that they’d rather you didn’t see; and 2) it’s probably a good idea to go through the settings for potentially unwanted cleanup actions upon closing a browser.
Apart from these cautions, BlackFog Privacy looks like an excellent product, as far as I can tell. I have seen very few Web ads of any sort since installing this program.
Here is a screenshot of the settings UI:
By default, BFP blocks “egress traffic” to China, North Korea, Russia, and Ukraine (“geofencing”). You can uncheck any or all of these, and instead, if you prefer, block connections to Burkina Faso, Fiji, Greenland, and/or Liechtenstein among hundreds of other countries/territories.Do note that this is a paid product. (I’m nearing the end of a 30-day trial.) But then, bear in mind that the objective is to keep our EOS Windows 7 systems safe going forward, and that may be worth something to you.
-
I imagine those products Cybertooth has installed for detecting dodgy Web sites are one way and perhaps the only way of dealing with this widespread problem. But they have, in general, two important drawbacks that are worth noting:
(1) When they incorrectly either block or advise to avoid a site that is actually OK and belongs to some legitimate organization or merchant, the poor organization or merchant can become seriously victimized without the possibility of defending itself, himself, or herself in court, as it were. This I have seen happen and learned just how pitiful, loud and numerous the complaints of the innocent victims can be!
(2) If, again by mistake or by some small and harmless irregularity, a site with some much needed information that one is desperately looking for gets vetoed by the defensive software, one may either never, or not soon enough, be able to find that information somewhere else.
One can always white list a site, of course, if one (a) knows enough about it already to decide to do so, or (b) somehow can sense both its existence and its URL before discovering it during a Web search — not a very likely proposition, I should think.
So one must be aware that there are not just pros, but also cons with this as with anything else.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
1 user thanked author for this post.
-
-
Yep, that’s the reason for a multi-layered strategy: if one line of defense fails (in this case, the website rater), then other lines come into action (the anti-exploit, behavior blocker, firewall, or anti-executable).
-
-
That’s another situation where the other lines of defense (those that combat the actual attacks, as opposed to globally allowing/blocking a website) should spring into action. On my list, this function would be served (depending on the nature of the attack) by the AV, the anti-exploit, the software firewall, OSArmor, and/or VoodooShield. They don’t care from what website the attack is coming, only that it’s taking place and needs to be stopped. (Actually, the last three may not even care if it could be an attack; what they do largely is to tell you that a new process is running and ask you if you want to let it run, giving you the chance to kill it).
1 user thanked author for this post.
-
-
-
I am about five days into researching and implementing steps to harden my Win7 computers against attack. I knew from the start that @Cybertooth‘s initial post here, and the comments that followed, would be worth revisiting. Now that I am wrapping up, and my head is swimming with this stuff, I am a bit surprised to find that I basically came back to what @Cybertooth has proposed. Hats off to you.
On the internet-facing computer:
- I will shortly replace the router with a Pepwave Surf SOHO Mk3, which I plan to configure as recommended by Michael Horowitz’s “Router Security” web page. Being able to have more control over what the router is doing is a long-sought goal.
- I will replace the modem with a Netgear CM500 (this is more about performance than security–that and eliminating the bright flashing lights at night.)
- I already use Firefox with UBlock Origin and NoScript; and Brave, which I understand incorporates something like UBlock Origin. I haven’t figured out how to add NoScript or equivalent to Brave.
- I have created a password-protected Admin user account and demoted the existing one to Standard (and wondered why I didn’t do this on both machines long ago).
- I will add either Microsoft EMET or HitmanPro.Alert.
- I already have Bitdefender and a “proactive” scanner, Heimdal Thor Foresight.
- I will try Voodooshield and see if it works for me.
- Windows Firewall is on the job, but I need to revisit how it’s configured.
I am not planning to get into sandboxing right now, but might in time. I’m interested in 0patch or any other third-party service that can supply security patches, but need to learn more. As for backups, I have had that covered for awhile now.
A lot of the list above is also being applied to the non-internet computer.
Thanks again for bringing the subject into focus.
-
I already use Firefox with UBlock Origin and NoScript; and Brave, which I understand incorporates something like UBlock Origin. I haven’t figured out how to add NoScript or equivalent to Brave.
Raymond Hill, the developer of uBlock Origin, also offers uMatrix, which offers all of the functionality of NoScript (and even greater granularity), and is available for Firefox and Chrome (which would work with Brave). The display is information-dense and is a little bewildering at first, but once you begin to use it, you see it makes perfect sense, and I like the UI more than that of NoScript (classic addon edition). I’d recommend that for Chromium-based browsers, and you may also want to use it in Firefox. I was happy with NoScript, but when I started experimenting with Chromium recently, I wanted as much of an apples-to-apples comparison as possible, so I used NoScript. After I got used to it, I wanted it in Firefox too!
Group "L" (KDE Neon Linux, User Edition).
-
I was a long time fan and user of NoScript, but since I bounced between Firefox and Chrome, I wanted the same extensions in both browsers. So I started using uBlock Origin and uMatrix.
NoScript is a fine program, but I eventually decided that uMatrix worked better for me. I eventually preferred that it would allow 1st party scripts, images, etc. to run by default, which generally allows the page to render (unbroken), but still blocks (potentially untrusted) 3rd party elements by default.
1 user thanked author for this post.
-
If you find the uMatrix UI too “bewildering” and are familiar with uBlockOrigin (uBO), then it is possible to run uBO in “Medium Mode” (less “bewildering, but with less “granularity”?).
According to the uBO site, Medium Mode is “roughly similar to running AdblockPlus with many filter lists + NoScript with 1st party scripts/frames automatically whitelisted.” – see https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
I use this in Firefox, although comparing my filter lists I have a few more selected than the 6 listed at the link above. For example as a past user of the Disconnect add-on I remember selecting the Disconnect lists in uBO.
There is also a “Disable Javascript” (by default) option in the uBO Settings. Javascript can be re-enabled on a temporary basis using the lower right corner setting in the uBO main drop-down. (I usually run Firefox inside a Sandboxie sandbox, so for me such tweaks are usually temporary anyway.)
From memory (I haven’t checked while writing this) in Palemoon which uses an older version of uBO or a fork of an older version of uBO, this “Disable Javascript” option is not present there. Again from memory “Medium Mode” is available in Palemoon.
I don’t have any Chromium based browser, so I don’t know if it works the same with any of those (Chrome, Vivaldi etc).
HTH. Garbo.
PS: uBO also has a “HardMode” if you want to tighten up even more (and a “Nightmare Mode” – I haven’t checked this). There are links to these on the right hand side of the link above.
1 user thanked author for this post.
-
After more than a week of working on it (off and on), this is where I have landed:
- Router–The Pepwave router has arrived but is not yet installed. I’m still using the old Netgear R6250. Installing the Pepwave with the right settings is the last big task.
- Software firewall–I installed ZoneAlarm Free thinking, per some erroneous Internet advice, that it would disable Windows Firewall. It didn’t, and while the two engaged in a fistfight for priority the computer bogged down and froze a few times. ZoneAlarm recommends disabling Windows Firewall, and at least in one place Microsoft also recommends against running competing firewalls. Further research turned up a school of thought that Windows Defender is highly competitive with third-party firewalls. The one problem Cybertooth mentioned above is that it does not ask permission when new programs try to go online; and in fact it is set by default to allow outbound connections. But potentially this can be resolved by adding a lightweight little piece of freeware, Windows Firewall Notifier. Once Windows Firewall was disabled, ZoneAlarm Free worked quietly in the background, but if Windows Firewall was a viable option, it seemed better to use it rather than have a disabled, built-in piece of software waiting to be abused. My first attempt to uninstall ZoneAlarm Free did not go well, leaving it still present in Control Panel > Programs and Features and six of its services still present in msconfig. An uninstall .exe file buried deep in the program did the trick, though.
- User accounts–I converted the existing Administrator-level account to Standard (fewer privileges) and created a new password-protected Admin account for use when needed. One thing I learned is that each account will have its own desktop, which means that opening the new Admin account means leaving behind the familiar desktop, GUI, etc. But I also learned that it really isn’t a problem, because when the need for Admin privileges arises and the dialog box pops up asking for the password, the Admin account opens in the background and I am still looking at the familiar desktop. I don’t have to jump into the other desktop unless I deliberately open it.
- AV program–Bitdefender Antivirus Plus was already installed.
- Anti-exploit program–The hardest part here was to sort out what constitutes an anti-exploit program. Definitions vary and there is a lot of overlap among programs. I already had Heimdal Security in place and decided to stay with it for now.
- Hosts file–I downloaded the hosts file supplied by mvps.org. Down in the fine print on that web site is the warning that a host file larger than 135 KB will usually cause the computer to slow down. The one I downloaded was 405 KB, and the computer hard drive began to rev up and down unpredictably, which obviously was not acceptable. The fine print goes on to recommend unchecking DNS Client in msconfig > Services. DNS Client is required for Network Discovery, used in Home and Work networks. If you uncheck it you are basically deciding to call your network a Public network. That was OK with me, because somewhat counterintuitively a Public Network is the most secure setting. Disabling DNS Client put an end to the roaring hard drive.
- Hosts file, Part 2–I found online some text that could be cut and pasted into the Hosts file to block Facebook. It worked great! While I plan to continued installing Hosts file updates periodically issued by mvps.org, it’s good to know that I can edit the file if I have the correct text to insert. It’s just a .txt file, after all.
- Whitelisting programs–Cybertooth included OSArmor in this group. I am not sure that’s what I would call it, but I liked what I saw and installed it. I also installed VoodooShield and so far it has operated without inconvenience.
- On-demand malware remover–I downloaded and saved Norton Power Eraser. The other options are all available online when needed and for the most part are not designed to be permanently installed.
- Browsers–I already had Firefox (with NoScript, among other plugins) and Brave. Just having two separate browsers for distinct uses provides a level of protection, I think.
- Web traffic-filtering browser extension and DNS resolver–I added Bitdefender Traffic Light to Firefox and installed the Quad 9 DNS resolver. So far, I have been unable to figure out how to keep the Internet computer from changing the DNS address back to what it was before. I’m thinking that the router may be doing it, and when I change the router we’ll see what happens.
- Ad-blocker–I already had uBlockOrigin in Firefox. Brave supposedly includes similar software.
- Backups–I already have a “rule of three” backup plan in effect using Macrium Reflect and a well-known online provider.
The computer runs quietly and smoothly, with no sign of slowdown. What the mvps.org web site says is probably right: Changes to the Hosts file lighten the workload, offsetting the burden of the additional software.
I drew up the foregoing list to better understand the layering of defenses mentioned by Cybertooth and the extent (if any) to which they might conflict. In practice, so far, I don’t see much conflict, actually, although at times it seems a bit like having competing fire companies rushing to the scene.
3 users thanked author for this post.
-
@wdburt1, thanks a bunch for the extensive and detailed reporting on your experience! <thumbs up>
About what kind of software to call OSArmor, some of these programs do defy clear-cut categorization and “whitelisting” may indeed not be the best term for it.
I have a question for you. You reported that your DNS resolver keeps getting set back to what it was before. You also wrote that you’re using Heimdal Security as part of your protection strategy. The DNS address that you keep getting put back to, does it begin with 127.7 ?
If it does, then Heimdal Security may be the reason. Here’s a note in a whitepaper by Heimdal (see p. 30, just before section 5.19 starts):
*in order for the Heimdal Traffic Filtering option to work properly, Heimdal should be able to set its own DNS address (127.7.7.3), that’s why the client should have the DNS address set on automatic.
This should be OK: Heimdal is performing the same DNS security function for which I’d suggested Quad9 as a possibility.
Thanks again for the rundown, I learned a lot!
1 user thanked author for this post.
-
@Cybertooth, thanks for the good suggestion. The DNS that it keeps reverting to is indeed 127.7.7.X, where X varies between 3 and 5. I installed Quad 9 on the right hand (non-internet) computer as well, and on that machine the Quad 9 DNS address is stable.
I guess maybe I can uninstall Quad 9 on the internet computer.
1 user thanked author for this post.
-
Edit: No need to uninstall Quad 9. Just let the computer find the DNS address automatically, as Heimdal requires. (Quad 9 “installation” consists merely of entering their DNS address.)
1 user thanked author for this post.
-
-
-
I installed Windows Firewall Notifier a couple of days ago. It generated a lot of notifications that it was blocking various installed programs, and it didn’t seem to be “learning” anything when told to Allow. I disabled it until this morning, when I tried again. Same story.
As mentioned previously, WFN does not install, but runs from an .exe file in a saved folder. Supposedly it also creates a Scheduled Task that springs to life when needed. It “uninstalls” by opening the program and disabling notifications regarding outbound connections to the web, after which the program folder supposedly can be deleted in its entirety. In case that doesn’t work, there is a separate .cmd file that can be used to disable the program. None of that worked for me, though at various points I saw various confirming messages mixed with error messages. This software is still beta and acts like it. All I can say is that I think I disabled it. I never did see evidence of a scheduled task.
In hope of finding a Windows Firewall add-on that would “learn” what rules to apply, I installed Windows Firewall Control, which is a product of Binisoft but also carries the Malwarebytes label. This one installs in the traditional manner and has a more useful interface and setup options, including a learning mode, which automatically creates “allow” rules for digitally signed programs and displays notifications only for unsigned programs. When you get a notification, the choices are more clearly explained. After a few initial notifications, things have settled down and are running normally. The plan will be to run it in learning mode awhile, then shift to the stricter “display notifications” mode, which displays a notification whenever an outbound connection is blocked, except for user-specified exceptions.
So the end result is that I continue to use Windows Firewall with a nifty little add-on that improves the interface.
1 user thanked author for this post.
-
Update: Heimdal Thor Foresight has become increasingly intrusive with popups advertising upgrades. A few days ago they were coming about one every 15 minutes. So I uninstalled it and installed HitmanPro.Alert. I’m still in the 30-day trial period but so far so good. It’s not completely free of little popups but I like the keystroke encryption feature mentioned by Cybertooth above.
1 user thanked author for this post.
-
That’s been my experience too–Heimdal seems to have recently become more aggressive about pushing its products.
That said, I’m staying on it for the time being as it does alert me to bad (usually malvertising-related) websites that the pages I visit try to connect to. And that’s despite the fact that I use either uBlock Origin or the Brave browser, which by default blocks advertising.
Still, I may reassess Heimdal if the pop-up ads keep getting worse.
Oh, wait–I just looked through the settings for Heimdal Thor, and under “General Settings” there is a Gaming Mode on/off toggle. I’ll try that for a few days and see if it takes care of the ads. Hope that it doesn’t also suppress the notifications about blocking bad stuff; we’ll see.
1 user thanked author for this post.
-
-
I have a question about adding a NoScript-type extension to my Opera browser. I am currently running Opera 66.0.3515.36 and after reading though this discussion, think that adding a such an extension might be a good idea. Has anyone had any experience with one they call SafeScript? It is an extension for Opera. Or is there an Opera version of one of the others that might be recommended?
Also as an update regarding 0patch…
I’m interested in 0patch or any other third-party service that can supply security patches, but need to learn more.
…some of those interested in 0patch may have seen Woody’s reference to it in his recent article in Computer World about it.
To add to that, I did email Mitja at 0patch to ask when the Win 7 EOS patches would be available from 0patch. His reply – also in the CW article was:
“Post-EOS micropatches will become available as we become aware of vulnerabilities that: (1) affect Windows 7 / Server 2008 R2, (2) pose a high risk (see Which vulnerabilities does 0patch provide micropatches for?), and (3) we have a proof-of-concept or exploit for it so we can analyze it. Having access to the patched code (from Extended Security Updates) will help a lot but will not suffice to compensate for #3.
That said, we expect the first micropatches will be issued sometime after the February Patch Tuesday, after we have reviewed what was patched in Windows 7 ESU, and whether any other vulns might affect Windows 7 / Windows Server 2008 R2. It may happen though that there will be no Win7/Srv2008 micropatches in any particular month based on the above-described criteria.”
As to getting the January patches, Mitja also said:
” It is sub-optimal to use 0patch for Windows 7 security micropatches if you don’t have all official Windows 7 updated applied.”
Still sorting through my other options for protecting my Win 7 laptop. Thanks for so much great advice.
3 users thanked author for this post.
-
I have a question about adding a NoScript-type extension to my Opera browser. I am currently running Opera 66.0.3515.36 and after reading though this discussion, think that adding a such an extension might be a good idea. Has anyone had any experience with one they call SafeScript? It is an extension for Opera. Or is there an Opera version of one of the others that might be recommended?
As a follow-up to my own question – after reading the warning about Opera, I have just gone ahead and switched over to Firefox, so I’ll look into those extensions for FF.
1 user thanked author for this post.
-
-
@wdburt1, as for the firewall, if you use the Windows Firewall there is a small utility which may be of help I recently assisted a member and done a quick walkthrough on WPD for Win 8.1 and this also applies for Win 7 Have been using this for a few years on Win7/8 to good effect
Win8.1 Pro | Linux Hybrids | Win7 Pro O/L | WinXP O/L1 user thanked author for this post.
-
-
@moonbear, here’s a brief set of instructions for editing the Hosts file. But I would add some points to that write-up:
You are right to suspect that it’s not as simple as just copying and pasting the lists you want into the file. There are three tricks–
- As a precaution, before doing anything else, make a copy of the current Hosts file and add something to the copy’s name, for example “Hostsbackup” or anything that you’ll remember. That way, if anything goes wrong with your file editing, you can always put things back the way they were by renaming that file back to “Hosts” (note that the file has no filename extension).
- You need to open the Hosts file by first launching the program you’ll be using to edit the file (for example, Notepad) , making sure to right-click on it in order to run the program as an administrator. Then you open the Hosts file from within that program.
- When you’re done, make sure in the “Save As” area that there is NO filename extension associated with the file you are about to save. Otherwise, you’re liable to end up with a file named (for example) “Hosts.txt”, which will not replace your current Hosts file.
Give it a try and let us know how things go!
-
-
-
Thank you very much for the clarification. I have Cerebral Palsy which in my case means I can’t really use my right hand so whenever I see “use multiple keys to do X” it leads nothing but frustration.
I will report back with my results soon.
1 user thanked author for this post.
-
This was a new experience for me, too. I use Spybot’s Hosts file with manually typed additions, so I’d never run across that issue before.
The error that you ran into, does it look like this:
If this is what you’re getting, then try changing the character encoding when you save the file. This choice will be near the bottom edge of the Save dialog:
The screenshot didn’t include it, but in the drop-down menu off the bottom edge there will be three other choices. Select “Unicode” (nothing more) and save the file. (Please note that I’m using a test text file here, so other settings that you see in the screenshot will differ from yours.)As a test, I would suggest adding a known site (that you never visit) to the Hosts file, such as facebook.com, then saving the file and trying to visit Facebook. If you can’t get to the site, then you know that the Unicode file save worked. If you’re OK with Facebook, then you can go back into the Hosts file and remove facebook.com from your list.
Others reading this who may be more familiar with the nuances of ANSI vs. Unicode encoding, are invited to provide more details. Shouldn’t this be a hurdle that’s addressed on Dan Pollock’s page?
1 user thanked author for this post.
-
That’s the exact error I was getting.
Before I replied, I tried something:
Howtogeek has a tutorial on editing the hosts file where they also use facebook as an example. I copied & pasted their example and changed the 0.0.0.0 to 127.0.0.1 then instead of clicking save as I just clicked save.
It seems to have worked as when I tried to reach Facebook.com, Chrome threw up a
this site can’t be reached screen with err_connection_refused. (I have it sitting in another tab as I type this.)
1 user thanked author for this post.
-
-
-
Security Now 744 VPN-geddon Denied In this episode of Security Now , Steve Gibson mentions about the Win7 hobbyists already hacked the win 7 extended updates and the link to their forum. The cat and mouse begins.
2 users thanked author for this post.
-
-
For better or worse, viewing that MDL thread now requires getting an account there and signing in.
For better. That thread is now overflowing with the same questions over and over and over again. Terrible to sift thru for actual relevant info & updates. This will help, albeit not enough.
Group B for WIN7 w/ ESU, plus trying out Linux builds in dual boot.
1 user thanked author for this post.
-
-
Yes, you should definitely add the <localhost> section to your Hosts file.
I’m no expert on computer networking, but if I have it right, then this section is what prevents your browser from actually reaching the websites you want to block. For example, assuming that you have included that section in the Hosts file, then when you set facebook.com to 127.0.0.1, essentially what you’re doing is to tell your browser to look for facebook.com on your PC (“localhost”), which of course it won’t find and give you that “can’t connect to facebook.com” message.
For some additional information, see this page, especially the “Site Blocking” section, and this Wikipedia entry.
Networking connoisseurs are welcome to correct or expand on my explanation!
1 user thanked author for this post.
-
The localhost section isn’t needed; 127.0.0.1 *is* localhost.
The entry mentioned above has a comment tag (#) before localhost which means the OS won’t even see the word.
Your hosts file needs nothing other than the IP address followed by the site you wish to associate with it. (You can use this to provide fixed IP links to other systems on your LAN, btw, and avoid using SMB1 in the process.)
1 user thanked author for this post.
-
What I understood by the question @moonbear posed, was that he was referring to the entire section labeled #<localhost>, i.e.:
#<localhost> 127.0.0.1 localhost 127.0.0.1 localhost.localdomain 255.255.255.255 broadcasthost ::1 localhost 127.0.0.1 local ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts #fe80::1%lo0 localhost #</localhost>
Wouldn’t at least some of this need to be included, so that the blocking takes place as desired?
1 user thanked author for this post.
-
-
There’s a technical discussion of this issue here.
Personally, I would leave the contents of the section intact as we see it in your post. But the two “#” lines that you specified are merely comment lines, markers for convenience to indicate where that section begins and ends; as @jabeattyauditor suggested, you can delete those two “#” lines and be just fine.
2 users thanked author for this post.
-
The comment lines designated by # serve the purpose of documentation. If you open the file a month (year) from now, it helps you to know what’s being done.
Don’t know if you’ve ever done programming, or particularly tried to read someone else’s code, but it is very hard to follow the flow of things without the commented documentation. I have always left comments in the code when programming. Six months later, it would be a nightmare for me to follow my own logic without them. And Heaven help anyone else trying to wade through the murk.
3 users thanked author for this post.
-
-
-
-
Another security tactic, for Home users who lack the application whitelisting abilities of Applocker in Win 7 Professional:
Use the Parental Controls applet in the Win 7 Control Panel for application whitelisting.
Select the user account you want to apply Parental Controls to, and then select the installed programs you wish to allow access to. To simplify things, I picked ‘All’ (I did an all-files anti-virus scan beforehand to ensure a clean baseline).
Caveats: some, but not all, programs that auto-update themselves may start complaining or not work at all. I only saw this with the desktop software for Napster/Rhapsody music streamer.
2 users thanked author for this post.
-
I have to agree that the paranoia about patching is a bit over-done, but not getting anymore security patches is concerning. The main threat for casual “home” PC users is through their browser. I use Firefox with NoScript, uBlock Origin, and a number of other protective extensions. And have used the hosts file modifications, and the malware-filtering DNS, for years.
But I am considering some of these other options that you have listed. What is using OSArmor like? Does it prompt for every little thing you run at first? Does it have a “config file” that you can copy to another system? Or does every system have to build up a unique profile through usage?
You mention EMET. Have you actually installed it? Does it have any known compatibility problems with common applications?
-
OSArmor isn’t hard to use. Although it has a lot of sophisticated elements to it (many of them too sophisticated for me 🙂 ), you can use it at default settings and have a good experience. However, on those few occasions there’s been an alert, I’ve jumped out of my chair, as the warning sound is pretty creepy. In my mind it evokes an image of some evil crow. If you still use Adobe Flash on IE11, when updating it I recommend temporarily disabling OSA (you can right-click on its Notification Area icon) to avoid this scare.
Here are a couple of screenshots of the OSArmor GUI showing a sampling of its protections:
I’ve been using this program for more than three months now, and the alerts have been few and far-between.
Now regarding EMET, I don’t have it installed on my Windows 7 PC since I use HitmanPro.Alert on it, but I do have installed on a Vista machine and on my Windows 8 laptop. As with OSArmor, you can make your experience with it as simple or as complicated as you like; I tend to leave EMET set to default values. The only time it’s given me grief was at first when I tried to launch a browser (I think it was IE11) and it couldn’t due to one of EMET’s protections. It was so long ago that I can’t remember the exact details, but I do remember that the solution was to switch off “EAF+” protection for the problem application.
As with any new software that we’re trying, the Web is our friend when it comes to researching problems as they arise. 🙂 One very good, ongoing discussion for OSArmor that I monitor takes place at Wilders Security.
Good luck, and let us know how EMET and/or OSArmor work out for you!
1 user thanked author for this post.
-
-
-
Wow, the “third-party” security world is much bigger than I realized.
Yes it is. You have to keep an eye open though. Some sites purport to offer a free security check, when in fact they are just collecting your personal information. One way is to offer you a security check but to see the results of the testing requires that you to fill out a form so they can email the report to you. False positives is one way they “scare” you into a purchase and/or gather your personal info. Free isn’t always a bad thing, just be aware.
You can do an internet search on the site you might want to use and see what people have to say about it. Another is to check out vetted sites from a trusted source.
This is just one of many sites that vet such “free scans”.
https://staysafeonline.org/stay-safe-online/free-online-security-checkups-tools/
Stay safe out there.
-
-
I just discovered this site by a well known security company to test your PC’s defenses, and tried it on my Windows 7 machine. It looks like the steps taken to fortify the computer (as detailed in the original post above) are working:
“Check” it out! 🙂
-
This reply was modified 8 months, 1 week ago by
.
-
This reply was modified 8 months, 1 week ago by
-
This reply was modified 8 months, 1 week ago by
1 user thanked author for this post.
-
I just discovered this site by a well known security company
Run by the folks at Check Point.
Edit for content.
Please follow the –Lounge Rules– no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.1 user thanked author for this post.
-
Thanks for the recommendation to protect a Windows 7 PC. It’s a nice “belt and suspenders” approach.
About the webpage to check one’s own security (posted 15 Feb), the webpage’s domain is using non-secure http. That seems unusual for a security check. Isn’t that susceptible to a man-in-the-middle attack? But I agree the main vendor is well regarded. And, their domain’s webpages are secure http.
Win 10, Win 7 Pro 64-bit, Office 2010.
Nethermost of the technically literate.1 user thanked author for this post.
-
It’s possible the checks require non-encrypted comms.
cheers, Paul
1 user thanked author for this post.
-
This reply was modified 8 months, 1 week ago by
-
Use a software firewall that will explicitly ask your permission when new programs try to access the Internet for any reason. Over time, you will train the firewall to allow trusted programs and the number of notifications will fall to just new (and possibly unknown) programs. ZoneAlarm Free Firewall is set to ask you “out of the box.”
Since the time I wrote that paragraph, I have installed ZoneAlarm Free Firewall on my main Windows 7 PC (previously, I had used it on a Windows 10 test system, an XP machine, and–going way back–a Windows 98 system).
Everything is working together well: no incompatibilities have been observed between ZA and the rest of the security measures on that computer.
If you install ZoneAlarm’s firewall, be aware that there will be an initial “training” period during which you will be getting a lot of notifications from ZA, asking for your permission to allow or block programs as you launch them and they attempt to access the Internet. You can tell ZA to remember your choices, so once these are set (you may need to do them each a couple of times) the distraction factor will diminish greatly.
This means that it’s especially important to be sure that your PC is malware-free as you give ZoneAlarm the green light to allow programs onto the ‘Net. If you have already implemented many of the other measures described in the original post above, then you should be fine: just make sure to actually look at the name of the program that ZA is reporting, in case it’s something unfamiliar and unwanted. Otherwise, prior to installing ZA you may want to run malware scans with your main AV and one or two of the secondary scanners, preferably including an offline scan.
-
I hope this question is not off this topic, and if it is would one of the Lounge monitors please move it to where it should go.
Also, please be patient with me: I’m an 80-year-old, non-techie.
I am running, and want to keep running, W7 SP1 as long as possible.
I also run the Pro (paid for) version of Macrium Reflect; and religiously back up my system and data.
After that verbose lead-in, here’s my question:
If I bought a refurbished laptop that had Windows 8.1 on it, could I re-image/restore my current Windows system and data to that (formerly) Windows 8.1 machine?
If that’s possible, would some kind soul lay out the steps (for dummies) to do that?
Thank you,
Southie-Guy (formerly known as Dick-Y)
1 user thanked author for this post.
-
If you have a legal copy of Win8.1 on that machine, it is good till 2023. I would keep it, as it will be more secure than Win7 in the next three years. You will continue to get Windows Updates.
Download free Open Shell (formerly Classic shell). It will avoid the Metro desktop and make Win8.1 look/act like Win7. I have used this on all my Win8.1 and Win10 machines.
4 users thanked author for this post.
-
Depending on how comfortable you are with removing and replacing internal drives on your laptop, you might consider taking out the Windows 8.1 drive from it and putting in a brand-new drive onto which you would image your Windows 7 installation. That way, you wouldn’t have to reinstall your programs.
In my experience, chances are there will be some minor temporary glitches as Windows adjusts itself to the different hardware. A more important potential drawback of this route, however, is that Windows might decide that this is not a legitimate installation because it would be a second use of the same license. In that case, you may need to contact Microsoft to explain the reason for the change (usually an automated process).
1 user thanked author for this post.
-
If the Win7 is an OEM machine, the image onto another laptop would not be legal.
1 user thanked author for this post.
-
-
-
-
-
You will have to install the third-party software on the Win8.1, yes. You shouldn’t have any problem with it running on Win8.1
You can copy your data to the Win8.1 machine from the the Win7 machine.
Keep the Win7 machine as is in case you have a problem.
Be sure to make an image of the Win8.1 as you got it, and again after you finish adding programs and data.2 users thanked author for this post.
-
I’m a UI purist who considers Win2k to have had the gold standard of MS UIs, but Win 8.1 (with Classic Shell, a custom theme, Old New Explorer, 7+ Taskbar Tweaker, and other such things) was even acceptable to a contrarian like me. It was the last Windows that was ever a “main” OS for me before I completed my migration to Linux. I’d certainly use that in lieu of 7 if I was still using Windows.
Group "L" (KDE Neon Linux, User Edition).
1 user thanked author for this post.
-
-
-
Or restore your data from backup – good opportunity to test. (After you’ve backed up the machine of course.)
cheers, Paul
1 user thanked author for this post.
-
-
@southieguy, if you wish merely to copy the data off your Windows 7 system onto the new Windows 8.1 laptop, then you might want to (1) image the Win7 data partition, (2) create a data partition on the Win8.1 drive, and then (3) copy the data from the imaged Win7 data partition over to the Win8.1 data partition.
If you have a way to get the two drives to communicate with each other, then you could skip step (1) above. There’s no special reason to image the old Windows 7 drive, except as a backup in case something gets royally messed up in the process.
In either case, there is the possibility that some of your data on the Win8.1 drive will be unusable until you install the software that’s associated with it onto your new Windows 8.1 system.
1 user thanked author for this post.
-
-
You need to redirect all your folders before restoring so Windows doesn’t junk the stuff you just restored.
Or not use a 2nd partition.
cheers, Paul
1 user thanked author for this post.
-
-
-
You definitely want an SSD in that machine.
No need to have a 2nd partition as you can back up the data independently of the disk image.cheers, Paul
1 user thanked author for this post.
-
On my current W7 SP1 system, I have 2 partitions, so that my data is on the 2nd one.
I always set my systems up this way. Having separate partitions for data and system files means that if you need to restore the system setup, you don’t need to worry about whether you’ve managed to back up any personal data files that may have changed since the last system image, and the restore process will be much faster. It allows you just to restore what’s needed rather than nuking everything from orbit and starting over.
Before transitioning to the new laptop, would it be better to go to a 1-partition system so that I can image that 1 partition that would now have everything together (i.e., my data too after moving it)?
I don’t think that would really help anything. As PKCano said, an image can contain any number of partitions within itself, so there’s no need to put it on one partition to image it all at once. Depending on how you have things set up, it may only be necessary to image the data partition, since the system partition will be a new OS, and you’ll be installing things anew into that. If some of the data is still on the system partition, you could either copy that to the data partition prior to imaging, to make it a simple one-step restore, or you could image the whole thing and restore the bits of data that are on the system partition on a file-by-file basis.
Said another way, what would be the best way to transition to the new laptop with all my data now resident under Windows 8.1?
If it were me, I’d make sure all the data you want to keep is on the data partition, image that, then use the backup software (whatever one you’re using) to restore that image to the new laptop, then point any shell folder references to that as necessary. Be sure not to overwrite the existing system partition, of course! If there is an existing, available partition already there, you can use that (change the size first if needed), or you can create a new one. The backup software probably will have that capability itself, without having to use anything else.
Group "L" (KDE Neon Linux, User Edition).
3 users thanked author for this post.
-
-
@SouthieGuy-
Just for future reference- Windows 8.1 support forum.
But your question is really about e-mail. Your Hotmail account is an on-line service, although that might not be immediately apparent if you are using a particular e-mail client. If I’m following the Hotmail to Outlook saga correctly, you should be able to log into your account from your browser, at Outlook.com.
Several years ago, Hotmail.com and Live.com were rebranded as Outlook.com. You can sign in to Outlook.com with your Hotmail email address and password
You can test this on your new machine, just to be sure.
As to saving your e-mails… How have you been saving them until now? Are they all on Outlook.com, or saved locally? In what format? E-mail saved locally from Outlook tends to be in a proprietary format.
Personally, I like using Thunderbird as my e-mail client. I have enough tabs open in my browser, as it is. I can access multiple e-mail addresses, all in one place. I then set up local folders to save to, organized by year, with appropriate sub-folders. Those are then backed up when I back up my computer. Archiving is not the same as saving locally… and remember it takes 3 copies to really be backed up. Once you figure it out, it is easy to save your Thunderbird profile, and e-mails, and even move them from one computer to another, as necessary.
A whole thread could be done on e-mail formats, and the best way to save your e-mail long term. As someone who has hung in there from Hotmail to the current Outlook, you might want to investigate what options there might be, especially if you have a large amount.
Hope you enjoy Windows 8.1!
Non-techy Win 10 Pro and Linux Mint experimenter
4 users thanked author for this post.
-
Do you use an email client or via your browser?
If it’s browser you don’t need to do anything.
If it’s a client you need to work out how you’ve set up the client. IMAP means very little work, POP3 may mean you have to copy mails from machine to machine.cheers, Paul
1 user thanked author for this post.
-
-
-
I log in from Firefox. While answering this question, holding my mouse’s pointer over where I sign in , I see https://login.live.com/login.srf?wa= . . .followed by lots of what look like macro parameters.
I think that means. Paul T, that I don’t have to do anything except sign in to Firefox on Windows 8.1. Yes??
Thanks,
Southieguy
1 user thanked author for this post.
-
Yes.
You are only using the browser so all mail is stored on the server.cheers, Paul
1 user thanked author for this post.
-
-
@rmeijer reported here on a 2019 Australian white paper which offers methods for hardening Windows 7 security.
Most of the suggestions pertain to the Enterprise or Ultimate editions, and if you have either of these (especially in a local network setting) the paper could come in very handy. Windows 7 Home and Pro users will be able to apply a few of the ideas, though–see page 11 for Data Execution Prevention; page 17 for SEHOP; and page 45 for WPAD.
I’ll let you know if I run into any difficulties as a result of making the above changes.
-
Time to report on the changes in the previous post: everything’s working well, no problems have cropped up from making them.
Meanwhile, I have been using 0patch on my main Windows 7 PC and that, too, is working well. I also have a couple of secondary Win7 systems using @abbodi86‘s W7ESUI script to install post-January 2020 Windows updates, and there are no complaints there either. Not sure which way to go (0patch or W7ESUI) in the long term. I doubt that 0patch covers everything that the script does, but on the other hand 0patch is completely automated, so it involves less work.
-
-
I doubt that 0patch covers everything that the script does
0Patch covers other installed software while the script is W7 system only.
1 user thanked author for this post.
-
I do know that 0patch covers software from other vendors. And that’s a good thing. But… does 0patch cover all the same Windows vulnerabilities that are addressed by Patch Tuesday updates? Keep in mind this statement on their website:
The goal of 0patch is not to micropatch every vulnerability but the important ones, such as those exploited in the wild or those without official vendor patches.
That’s what I had in mind when I wondered aloud whether 0patch covers everything that @abbodi86‘s script covers. The policy stated by 0patch is sensible, and I like and use their service, but still I wonder…
Maybe the idea is that if an “unimportant” vulnerability starts getting exploited and so graduates to “important” status, then 0patch starts patching it. Or maybe the best policy is to use W7ESUI in addition to 0patch, as @7prosp1 proposes.
1 user thanked author for this post.
-
-
If I were you, I would use both W7ESUI and 0patch for all your Win 7 systems.
While 0patch will often issue micropatches for vulnerabilities before Microsoft issues security fixes for them, as alex5723 notes, 0patch has the added benefit of covering additional software you may have installed on your system.
Also, if and when Microsoft does issue official security fixes for Win 7, 0patch will simply withdraw their micropatch(es) so they no longer apply where applicable. It’s a pretty neat way of doing things and, IMO, using W7ESUI and 0patch in tandem will give you a complimentary solution for keeping Win 7 as secure as possible.
What version of 0patch are you currently using on your main Win 7 system? (Pro or Free?)
2 users thanked author for this post.
-
If that’s the case then I would suggest you put 0patch Free on your two secondary Win 7 systems for the time being to save yourself a few bucks. You can always add Pro licences to one or both of the systems later on if the need arises.
The only thing is you’ll need to create another 0patch account for the Free versions as once you purchase one 0patch Pro license for an account, Free licenses are no longer available in that account.
2 users thanked author for this post.
-
A new note on security for Windows 7 users: the single biggest vector for malware infection is email, as asserted in this recent Verizon report (see Figure 17). If we were to add together the four email-related bars in that chart, then arguably malicious email (“malmail”?) would account for a clear majority of PC infections.
This suggests that if you don’t normally use your Win7 machine to check your email, then you are that much safer even in the absence of the other security measures suggested at the top of this thread.
Therefore, for those who have more than one computer available, one possible way to enhance your cybersecurity while continuing to use your Windows 7 system might be (in addition to those already listed) to use it for all purposes except email.
-
Cybertooth: “…one possible way to enhance your cybersecurity while continuing to use your Windows 7 system might be (in addition to those already listed) to use it for all purposes except email. ”
Quite: I no longer patch Win 7 and do not use Windows 10 (to my profound relief), but have Linux in dual boot with Win 7 and also a Mac that is my actual workhorse. So I do not use the Win 7 browsers or the email client anymore. I have shifted that activity to those other two OS, one sharing the same PC, the other in another computer (and I can easily share files that my AV declares to be “clean” between macOS, Linux and Win 7). Neither system is perfectly safe, but believing that there can be “perfect” safety in anything is to embrace a delusion. “Safe enough” is good enough and I think this fairly describes my situation now.
On another security related issue: I also connect the PC to the router via an Ethernet cable instead of using WiFi, to avoid leaking over the air information to unknown parties. It helps that I always use the computers in the same room, at home, and very rarely and only for short periods get moved elsewhere.
Thanks for taking the time to advise us, at AskWoody, on how to stay relatively safe while still running Win 7.
Windows 7 Professional, SP1, x64 Group W (ex B) & macOS Mojave + Linux (Mint)
3 users thanked author for this post.
-
I have a question about adding a NoScript-type extension to my Opera browser. I am currently running Opera 66.0.3515.36 and after reading though this discussion, think that adding a such an extension might be a good idea. Has anyone had any experience with one they call SafeScript? It is an extension for Opera. Or is there an Opera version of one of the others that might be recommended?
As a follow-up to my own question – after reading the warning about Opera, I have just gone ahead and switched over to Firefox, so I’ll look into those extensions for FF.
well LHiggins, I have Noscript addon installed onto my Opera browser – from the Chrome store
but first I had to head over to Google Chrome store site from the Opera browser and install a special addon that allows installation of Chrome addons/extensions into the Opera browser and then I can obtain the Noscript extension from the Chrome store and install it onto Opera.
-
This reply was modified 3 months, 3 weeks ago by
.
-
This reply was modified 3 months, 3 weeks ago by
1 user thanked author for this post.
-
This reply was modified 3 months, 3 weeks ago by
-
In the original post at the top of this page, we briefly mentioned the idea of using a security-oriented DNS resolver that would help to filter out dangerous websites, and gave Quad9 as an example. (It’s the one that I use.) Here are three more free alternatives:
- OpenDNS
- Verisign Public DNS
- Comodo Secure DNS (free for personal use)
To change the DNS server in Windows 7, you can follow these instructions. If you’re feeling a bit more adventurous, you can alternatively change the DNS settings in your router (see here for a general description; consult your particular router’s manual for specific instructions) and so protect all the Web-connected devices on your network at the same time.
Happy Win7 surfing! 🙂
-
Your ISP might over-ride your attempt to use a different DNS service on your computer because the ISP’s DNS settings are baked-in and not changeable on the ISP-provided gateway/router which will then impose the ISP’s DNS settings on all devices connected . Comcast is one such ISP.
To get around this use one of these free DNS services which will configure your computer to bypass the ISP-imposed restriction:
NextDNS
https://nextdns.io/YogaDNS
http://yogadns.com/Simple DNSCrypt
https://simplednscrypt.org/I’ve tested out all 3 of these which also include additional security and privacy features.
:W10Pro 1909 18363.689
Dell OptiPlex 990-
As I understand it, if it’s not possible to change the DNS settings on a router, then fortunately you can set them on devices individually to your preferred DNS server and the PC will use that server instead of what’s on the router. See here and here, for example.
2 users thanked author for this post.
-
You can use DNS Leak Test (https://www.dnsleaktest.com/) to verify what DNS service you are actually using at any time.
In my case the Comcast-provided router (TG1682G) with baked-in DNS for Comcast over-rode any other DNS I entered in the network adapter settings of any connected device. I had been using OpenDNS for several years with a previous older Comcast router until it was replaced by this new one.
:W10Pro 1909 18363.689
Dell OptiPlex 9901 user thanked author for this post.
-
-
-
-
@Moonbear, you drove me to the Web to learn about displaydns; I was not familiar with that command so you helped me to learn something here.
Regarding the displaydns command, this is what I found:
Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.
So the answer to your question seems to be in the affirmative.
Anybody reading this who has greater knowledge of the topic, please chime in!
1 user thanked author for this post.
-
Wow, I’m not used to helping someone learn something, especially when it comes to computers.
After reading that paragraph in your post it seems obvious now that the entries in the hosts file would show up considering that if the flushdns command erased those as well, those sites/connections wouldn’t be blocked.
1 user thanked author for this post.
-
-
-
-
Viewing 39 reply threads
Welcome to our unique respite from the madness.
It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.
Recent Replies
PKCano on Win 8.1 Pro Log In
4 minutes ago- 38 minutes ago
OscarCP on Is this the best science fiction show ever?
40 minutes agoPurg2 on Win 8.1 Pro Log In
53 minutes ago- 1 hour, 11 minutes ago
anonymous on An unexpected surge in weird spam and, or phishing emails.
1 hour, 14 minutes ago- 1 hour, 17 minutes ago
- 1 hour, 19 minutes ago
cyberSAR on Big list of watched new emails of posts
1 hour, 22 minutes ago- 1 hour, 33 minutes ago
wavy on Is this the best science fiction show ever?
1 hour, 34 minutes ago- 1 hour, 44 minutes ago
charleyrich on Tried it all, but can’t get to 2004?
1 hour, 54 minutes agoCharlie on Is this the best science fiction show ever?
1 hour, 54 minutes ago- 2 hours, 28 minutes ago
- 2 hours, 32 minutes ago
- 2 hours, 53 minutes ago
- 2 hours, 54 minutes ago
- 2 hours, 59 minutes ago
- 3 hours, Just now
- 3 hours, 5 minutes ago
- 3 hours, 28 minutes ago
IreneLinda on HP Pavilion g7 1070us Webcam not Listed in Device Driver
3 hours, 31 minutes ago- 3 hours, 38 minutes ago
WSBirdLady on Where we stand with the October patches
3 hours, 45 minutes ago- 3 hours, 51 minutes ago
- 4 hours, 4 minutes ago
- 4 hours, 22 minutes ago
GreatAndPowerfulTech on Patch Lady – who knew a cmos?
4 hours, 26 minutes ago- 4 hours, 48 minutes ago