I'm personally comfortable using stuff like NoScript where you actively need to work with it as you go about. My father, on the other hand, will either ignore or close any prompts that come up. For instance, I've already put Firefox and Chrome on his computer with AdblockPlus and Ghostery, because those are handsoff extensions. Other than that he's only got Windows defender right now. What additional antivirus, antiPUP, etc. things should I consider for him that would require no user input? Paid options are fine.
-
We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.
Handsoff setup recommendations for my father
- Thread starter Virumo
- Start date
How much browsing does he honestly do?
Personally, I'd set up NoScript anyway and sit down with him to whitelist the handful of sites he most likely spends 99% of his time on. Anything else, if it doesn't work oh well.
Anything truly hands off is going to run into false positives eventually, and anything designed to be hands-on is either insecure or too restrictive if you treat it as hands-off. you just have to balance security vs usability for what he needs to use it for.
Personally, I'd set up NoScript anyway and sit down with him to whitelist the handful of sites he most likely spends 99% of his time on. Anything else, if it doesn't work oh well.
Anything truly hands off is going to run into false positives eventually, and anything designed to be hands-on is either insecure or too restrictive if you treat it as hands-off. you just have to balance security vs usability for what he needs to use it for.
I'd strongly consider getting him a subscription to Sandboxie and a different anti-virus.
Sandboxie creates a virtual environment for the applications you run in it so in theory an infection could never reach the rest of the system.
For AV, Bitdefender does very well in testing and can usually be found on sale several times a year. For a free solution, Avira is good.
Also make sure he's not set up with an Admin account.
Sandboxie creates a virtual environment for the applications you run in it so in theory an infection could never reach the rest of the system.
For AV, Bitdefender does very well in testing and can usually be found on sale several times a year. For a free solution, Avira is good.
Also make sure he's not set up with an Admin account.
NoScript would definitly be too much. If you absolutely wanted some kind of blocking like that I would recommend uBlock in medium mode[1] as it would be far easier than maintaining NoScript. Otherwise just run uBlock, if you're super worried about false positives just use the default filter lists + the privacy ones. However you should be able to enable quite a lot without false positives even if the chances do increase.
I would forget about Sandboxie as that's also likely too hands on and adds needless complication into it. It's not going to offer much if you're already using Chrome which already has proper sandboxing. There's also nothing wrong with sticking with Defender if Windows has been set up properly (e.g. with a software restriction policy (SRP)) and as you've said it's not an admin account.
I'd also ditch Firefox and just use Chrome. You can disable the data reporting stuff if it bothers you just makes sure the protection from maleware (Safe Browsing) and optionally the DNT settings are enabled. Install HTTPS Everywhere[2] and uBlock Origin[3], enable whatever filter lists you want (you can enable a lot and see how it goes) and ensure it auto updates. Not sure if this hit the stable channel yet but in chrome://flags there are two options to enable AppContainer support and win32k lockdown support in plugins which you'll also want to enable. You can also block third party cookies in the content settings which is pretty safe to do without breaking anything.
That should give you a pretty damn secure hands off browser with proper sandboxing including plugins like Flash.
[1] https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode
[2] https://www.eff.org/https-everywhere
[3] https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm
Last edited:
John Connor
Lifer
Sandboxie and Bitdefender Free. Toss in Comodo Firewall if you want to mess with it.
Computer is already in his possession (XPS 15 9550), he's also got a contract with Dell for tech support, I'm not sure how changing the OS around would gel with that. Either way, I have no experience with Chrome OS, so I have no idea how MS Office, ACT!, and the other software he uses would work in it.
I could probably make not using an admin account workable. Barring physical access to the computer or anything similar where they can view the screen (if that level of penetration is already achieved he's probably toast anyway), would leaving the admin account without a password introduce a security risk? Or using a password, but having the password hint be super obvious (his middle name)?
I've never set a SRP before, is there a good guide for it out there?
Enjoying all the suggestions from everyone so far, thanks for the great input.
Edit: in the past my father has been hit with things that change his home page to Google imitators like Conduit. Anything that would specifically prevent against that nuissance would be nice. Other than that, crypto-ransomware is my biggest fear, in case my father would panic and do something that would make his data unrecoverable.
Last edited:
If he uses other software other than a web browser than ChromeOS wouldn't work. It's just a glorified web browser (so you'd be stuck with stuff like Google Docs, etc).
So long as they're separate and both have passwords that's all that matters. It being super obvious shouldn't matter for what we're trying to protect against.
If his computer supports UEFI (secure boot) use bitlocker (disk encryption). IIRC it will prevent the ransomware from being able to cause any damage.
Last edited:
John Connor
Lifer
Windows 7 does not support secure boot.
John Connor
Lifer
Can you cite a source that says Bitlocker and secure boot mitigates ransomware?
I remember back when Cryptolocker first hit the scene, Surfright claimed they had a product that could stop ransomware. Years later many AVs companies must have similar products built in, right?
PliotronX
Diamond Member
It doesn't; any files that are write-accessible will be targets, once booted into the OS, the encrypted system volume is transparent to everything but seemingly Dell firmware upgrades 😀 When attached bitlocker volumes are mounted, those are vulnerable as well. This means the ransomware will encrypt files that are then encrypted by bitlocker. It would be dangerous to assume bitlocker will keep data safe.
John Connor
Lifer
Thought so.
PliotronX
Diamond Member
No doubt! Mostly directed at those who think Bitlocker or any FDE somehow protects from damaging malware. The only true contingency is a solid backup. Daily, hourly, even monthly, it all needs to be tucked away from this nasty threat. Frankly I'm surprised ransomware hasn't hit this stage until recently. In most modern systems, the user may not even feel the effects of the encryption while it's happening because of AES-NI. Stay safe guys.
Is Bitlocker practical for my father's purposes? If someone steals his laptop and he's not logged in then the data would be safe from theft, but anyone taking that step could also probably just look over his shoulder in some fashion while he enters the password at some point. Does it protect against anything else?
John Connor
Lifer
Don't have any experience with Bitlocker. I use Truecrypt myself. Bitlocker would be the easiest, but if things mess up you lose everything. I'm not really sue if Bitlocker has a recovery option. I'm sure they have something you write to external media I suppose. With Truecrypt you write the loader on disk in case it gets corrupted.
Like was mentioned. Have a backup strategy. I clone my computers to external media using AOMEI Backuper. Other stuff like bookmarks gets encrypted periodically in a SFX archive and sent to my FTP server and a cloud provider.
As far as someone looking over your shoulder. http://solutions.3m.com/wps/portal/3M/en_US/3MScreens_NA/Protectors/
Like was mentioned. Have a backup strategy. I clone my computers to external media using AOMEI Backuper. Other stuff like bookmarks gets encrypted periodically in a SFX archive and sent to my FTP server and a cloud provider.
As far as someone looking over your shoulder. http://solutions.3m.com/wps/portal/3M/en_US/3MScreens_NA/Protectors/
Chiefcrowe
Diamond Member
Bitlocker does have a recovery option - one of them is that you can write it to a USB in case you get locked out.
John Connor
Lifer
Thought that's what they used. Kinda like how you could save your password to USB or whatever in XP. I did that and kept the USB stick behind a Tiki head I had hanging up in my room. LOL
I'm wary of anything selling a "lifetime" license, personally.
KeithP
Diamond Member
I have used WinPatrol (free version) in the past and have always been happy with it. However, when I have suggested it to less sophisticated users they seem to always end up approving everything so it doesn't provide much help.
-KeithP
TRENDING THREADS
-
Discussion Zen 5 Speculation (EPYC Turin and Strix Point/Granite Ridge - Ryzen 9000)- Started by DisEnchantment
- Replies: 25K
-
Discussion Intel Meteor, Arrow, Lunar & Panther Lakes + WCL Discussion Threads
- Started by Tigerick
- Replies: 25K
-
Discussion Intel current and future Lakes & Rapids thread- Started by TheF34RChannel
- Replies: 24K
-
-
