What is your take about not having a real time antivirus?


Hi again!

So, this is new for me too. I always had an antivirus running. And since Defender became this good, it has been my choice: Defender in real time, Malwarebytes for manual scans.

Now, recently for several reasons I went into a quest to reduce all active processes that I don't absolutely need.
And I've been thinking. I never ever had a virus. Like, EVER. And I have been using Windows for 30 years.
I've always had my antiviruses set up so as not to block things automatically and silently but to warn me of anything they would find. So I'm confident that I really never had a virus, not that I don't know because the antivirus got rid of it without telling me.
I simply have healthy internet habits.
Apart from not visiting shady websites and not clicking links in weird emails, I am equipped as follows:
- VPN with own DNS which block malware, phishing, tracking, etc.
- Firefox with the Enhanced Tracking Protection and all other protections in their maximum settings.
- AdGuard with all filters active.
- Router with a (simple, not configurable) firewall.
- Windows Firewall active (this always).
- I scan EVERYTHING that I download with both Defender and Malwarebytes before I do anything with it. Everything, no matter what.

In your opinion, is a real time protection always a must?
Atm I have disabled the real time protection and behavior monitoring of Defender, as well as all Application Guard (Smart this and that) options. EDIT: But I left Core Isolation and Exploit Protection active.

Thanks
 
Windows Build/Version
11 Pro, Version 10.0.22631 Build 22631

My Computer

System One

  • OS
    Win11 64 Pro
    Computer type
    Laptop
    Manufacturer/Model
    LG Gram 17 (2022)
In your opinion, is a real time protection always a must?


No matter how careful you are... the answer to your question is YES!
Unless ofc, you never go online.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26100.1882 ♦♦♦♦♦♦♦24H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 4702)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Internet Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Mouse
    Logitech Optical M-BT96a
    Keyboard
    Logitech Classic Keybooard 200
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 13 years?
My take on a real-time/active anti-virus program running is to stop as many infections as possible before they can cause damage. Once a miscreant gets installed it can cause a lot of damage. Most infections now come when online but back-in-the-day with Shareware one could get infections embedded in the trial programs or on disks from other sources.
 

My Computers

System One System Two

  • OS
    Win11 Pro RTM
    Computer type
    Laptop
    Manufacturer/Model
    Dell Vostro 3400
    CPU
    Intel Core i5 11th Gen. 2.40GHz
    Memory
    12GB
    Hard Drives
    256GB SSD NVMe M.2 and 2TB SATA HDD
  • Operating System
    Windows 11 Pro RTM x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Vostro 5890
    CPU
    Intel Core i5 10th Gen. 2.90GHz
    Memory
    16GB
    Graphics card(s)
    Onboard, no VGA, using a DisplayPort-to-VGA adapter
    Monitor(s) Displays
    24" Dell
    Hard Drives
    512GB SSD NVMe, 2TB WDC HDD
    Browser
    Firefox, Edge
    Antivirus
    Windows Defender/Microsoft Security
I’ve never had a car accident, but I wear a seat belt. I imagine it’s a lot harder to put it on when I’m dangling out the windshield/windscreen.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC12WSHi7
    CPU
    12th Gen Intel Core i7-1260P, 2100 MHz
    Motherboard
    NUC12WSBi7
    Memory
    64 GB
    Graphics Card(s)
    Intel Iris Xe
    Sound Card
    built-in Realtek HD audio
    Monitor(s) Displays
    Dell U3219Q
    Screen Resolution
    3840x2160 @ 60Hz
    Hard Drives
    Samsung SSD 990 PRO 1TB
    Keyboard
    CODE 104-Key Mechanical Keyboard with Cherry MX Clears
  • Operating System
    Linux Mint 21.2 (Cinnamon)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Intel NUC8i5BEH
    CPU
    Intel Core i5-8259U CPU @ 2.30GHz
    Memory
    32 GB
    Graphics card(s)
    Iris Plus 655
    Keyboard
    CODE 104-Key Mechanical Keyboard - Cherry MX Clear
The last time I was infected by a virus was back in the days of DOS, before Windows.

Nowadays, the old Computer Virus is as much a thing of the past as a washboard or apple peeler.
The AV program of today is only meant to get your money, not save your PC.
Yes, that's my OPINION, and is based only on 40+ years of experience as a Computer Tech.

The most common problem today is the "Tracking Cookies" placed in your PC from almost every website you visit.
I can't even check my bank account balance, without getting a Tracking Cookie.
But, not to worry..... "Super Anti Spyware", either Pro or FREE, does a great job of finding and removing all those little Nasties. *
The advantage of the Pro version is that one can set it to update and scan every day at a prescribed time.
I have ten PC's, so I have the pro version of SAS on this PC, and the FREE version on the other nine, which I don't normally use for surfing the web.

* As a working PC tech, my worst case scenario with Tracking Cookies was one little lady's PC where I installed and ran Super Anti Spyware FREE, and it removed ~ 140,000 tracking cookies.

On my PC's where Windows Defender is installed and running, I never get warnings about "Virus Detected". It's just no longer a problem.

On my PC's running a Micro or Lite version of Windows, Windows Defender is not even installed. And I don't miss it!

Cheers Mates!
TM :cool:
PS: The last "Trojan Alert" I got from SAS, was a false positive. But it CAN, find and remove Trojans.
 

My Computer

System One

  • OS
    Win-11/Pro/64, Optimum 11, 24H2, V4.1
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Made w/Gigabyte mobo/DX-10
    CPU
    AMD FX 6350 Six Core
    Motherboard
    Gigabyte, DX-10, GA-78LMT-USB3
    Memory
    Crucial, 16 GB
    Graphics Card(s)
    NVIDEA GeForce 210, 1GB DDR3 Ram.
    Sound Card
    Onboard
    Monitor(s) Displays
    24" Acer
    Screen Resolution
    1280x720
    Hard Drives
    Crucial SSD 500GB, Crucial SSD 450GB, SanDisk 126GB SSD, Toshiba 1TB HD
    PSU
    EVGA 500 W.
    Case
    Pac Man, Mid Tower
    Cooling
    AMD/OEM
    Keyboard
    101 key, Backlit/ Mechanical Switches/
    Mouse
    Logitech USB Wireless M310
    Internet Speed
    Hughes Net speed varies with the weather
    Browser
    Firefox 64x, Waterfox, Duck Duck Go
    Antivirus
    Windows Defender, Super Anti Spyware
    Other Info
    Given to me as DEAD, and irreparable.
    Rebuilt with Gigabyte mobo, AMD cpu, 16GB ram and 500GB Crucial SSD.
In your opinion, is a real time protection always a must?
Not really since Vista thanks to UAC. People actually have to want to get infected.
AV can be exploited, since it runs as SYSTEM, some malware takes advantage of it.
I would not advise anyone to run without AV, but default deny can protect the PC.
I have not used AV since XP and in order not to get infected, you simply disable malware.
I disable WSH (VBS) and I remove PowerShell, basically main attack vectors in Windows.

VPN with own DNS which block malware, phishing, tracking, etc.
Note that every DNS is different, just like AV, DNS can block 0% of malware or up to 99%.
I block 95% TLDs and NRDs, that effectively blocks almost all phishing, malware and C&C.
 

My Computer

System One

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 5 8600G (07/24)
    Motherboard
    ASROCK B650M-HDV/M.2 3.08 (07/24)
    Memory
    2x32GB Kingston FURY DDR5 5600 MHz CL36 @4800 CL40 (07/24)
    Graphics Card(s)
    ASROCK Radeon RX 6600 Challenger D 8G @60FPS (08/24)
    Sound Card
    Creative Sound BlasterX AE-5 Plus (05/24)
    Monitor(s) Displays
    24" Philips 24M1N3200ZS/00 (05/24)
    Screen Resolution
    1920×1080@165Hz via DP1.4
    Hard Drives
    Kingston KC3000 NVMe 2TB (05/24)
    ADATA XPG GAMMIX S11 Pro 512GB (07/19)
    PSU
    Seasonic Core GM 550 Gold (04/24)
    Case
    Fractal Design Define 7 Mini with 3x Noctua NF-P14s/12@555rpm (04/24)
    Cooling
    Noctua NH-U12S with Noctua NF-P12 (04/24)
    Keyboard
    HP Pavilion Wired Keyboard 300 (07/24) + Rabalux 76017 Parker (01/24)
    Mouse
    Logitech M330 Silent Plus (04/23)
    Internet Speed
    500/100 Mbps via RouterOS (05/21) & TCP Optimizer
    Browser
    Edge & Brave for YouTube & LibreWolf for FB
    Antivirus
    NoAV & Binisoft WFC & NextDNS
    Other Info
    Backup: Hasleo Backup Suite (PreOS)
    Notifier: Xiaomi Mi Band 7 NFC (05/24)
    Headphones: Sennheiser RS170 (09/10)
    Phone: Samsung Galaxy Xcover 7 (02/24)
    Chair: Huzaro Force 4.4 Grey Mesh (05/24)
    2nd Monitor: AOC G2460VQ6 @75Hz (02/19)
The TLDR answer is yes, you should have some type of real-time endpoint protection software. The premise is that malware is software and computers (operating systems) run software. The only difference is the intent. To @TechnoMage2021 malware is still a very real and growing/evolving problem. Home users are a far more enticing target due to people with your mindset. You don't even need to know how to make malware these days, you can simply find a MaaS (malware as a service) or RaaS (ransomware as a service) outfit and buy ready to use malware/ransomware kits for deployment, phishing/smishing campaigns designed to push people to waterholes and you've likely hit 20-40% of your targeted victims. Even if you opt for a free version that's still better than nothing although when it's free your (the user) data is often harvested and sold off, so if you don't care about privacy by all means. Example case Avast fined $16.5 million for ‘privacy’ software that actually sold users’ browsing data
 

My Computer

System One

  • OS
    Windows 11
I’ve never had a car accident, but I wear a seat belt. I imagine it’s a lot harder to put it on when I’m dangling out the windshield/windscreen.
I saw that coming the moment I typed that sentence :D
I know what you mean but you also know what I mean, I suppose.
I saw that coming the moment I typed that sentence :D
I know what you mean but you also know what I mean, I suppose.
I do know what you mean, and I know you're interested in preserving resources, based on your latest posts. On the machine I'm using to type this, Defender is using fewer resources than Windows Explorer. And neither can hold a candle to the resources consumed by the browser I'm using. You can run without anti-malware protection, sure, but if I were interested in making a Windows machine more efficient, I'd look elsewhere.
I disable WSH (VBS) and I remove PowerShell, basically main attack vectors in Windows.


Note that every DNS is different, just like AV, DNS can block 0% of malware or up to 99%.
I use Windscribe, in case that tells you anything.
Plus I also have AdGuard's DNS filter active, although I forgot to ask the guys @ Windscribe if that creates conflicts with their DNS.

I have no idea what WSH/VBS are, but I guess I'll find the answer in the link you provided?
And about removing Powershell, how do you do it, and do you also remove windows terminal and leave only the basic cmd?
I do know what you mean, and I know you're interested in preserving resources, based on your latest posts. On the machine I'm using to type this, Defender is using fewer resources than Windows Explorer. And neither can hold a candle to the resources consumed by the browser I'm using. You can run without anti-malware protection, sure, but if I were interested in making a Windows machine more efficient, I'd look elsewhere.
Absolutely, Firefox uses MUCH more resources than Defender. And I have tried to address that at least in part by going back to uBlock Origin, which had always been my go-to choice, as I have noticed that with uBlock my fans get triggered less, but there are things that it doesn't block as well as AdGuard. That's where I started looking elsewhere and pointed fingers at Defender.

But foodle it, I guess I will activate it again and hope for the best with the BIOS tweaks that I implemented recently.
I have no idea what WSH/VBS are
Windows Scripting Host. When people say that malware runs by itself, that is what it uses. You can basically disable malware. :lmao:
Code:
rem Disable Windows Script Host machine-wide, in both the 64-bit and the 32-bit (WOW6432Node) registry views
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
MS has recently disabled at least VBS in Windows, thus malware moved to PowerShell instead.
And about removing Powershell, how do you do it
Note that by default Windows includes old and vulnerable PowerShell 5, though there is already version 7.
Removing version 5 can break some apps and some features, but it is well worth it. You can also restrict it.
Code:
rem Execution policy "Restricted" for Windows PowerShell and for the scripted-diagnostics host
reg add "HKLM\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
reg add "HKLM\Software\WOW6432Node\Microsoft\PowerShell\1\ShellIds\ScriptedDiagnostics" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
rem Policy switch "Turn on Script Execution" = disabled, for Windows PowerShell and PowerShell 7, both registry views
reg add "HKLM\Software\Policies\Microsoft\PowerShellCore" /v "EnableScripts" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\WOW6432Node\Policies\Microsoft\PowerShellCore" /v "EnableScripts" /t REG_DWORD /d "0" /f
reg add "HKLM\Software\WOW6432Node\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d "0" /f
rem __PSLockDownPolicy=4 puts Windows PowerShell into Constrained Language mode (machine-wide environment variable)
reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /v "__PSLockDownPolicy" /t REG_SZ /d "4" /f

rem Stop any running PowerShell hosts
taskkill /im PowerShell.exe /f
taskkill /im PowerShell_ISE.exe /f
taskkill /im pwsh.exe /f
rem Take ownership of each install directory, grant yourself full control, then delete it
takeown /s %computername% /u %username% /f "%ProgramFiles%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles%\WindowsPowerShell" /inheritance:r /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%ProgramFiles(x86)%\WindowsPowerShell" /r /d y
icacls "%ProgramFiles(x86)%\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%ProgramFiles(x86)%\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\System32\WindowsPowerShell" /r /d y
icacls "%WinDir%\System32\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\System32\WindowsPowerShell" /s /q
takeown /s %computername% /u %username% /f "%WinDir%\SysWOW64\WindowsPowerShell" /r /d y
icacls "%WinDir%\SysWOW64\WindowsPowerShell" /grant:r %username%:(OI)(CI)F /t /l /q /c
rd "%WinDir%\SysWOW64\WindowsPowerShell" /s /q
do you also remove windows terminal and leave only the basic cmd?
Yes, replacing this shortcut with CMD's shortcut gives me CMD in the start menu.
Code:
%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk
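An added audit script (not from the post above or from any poster) that reads back the WSH and PowerShell settings the reg commands in that post write, so you can confirm the state before and after. It assumes the same registry paths as the post; the extra WSH value IgnoreUserSettings is included because, to my knowledge, a per-user HKCU "Enabled" value overrides the HKLM value unless IgnoreUserSettings is set, so HKLM alone is not the whole picture.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
# Run in any PowerShell host (it is what you audit with before you remove it).

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent
    return $item.$Name
}

function Test-WshDisabled {
    # Paths are the ones the post's reg commands write to (64-bit view).
    $settings = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
    $machine  = Get-RegValue $settings 'Enabled'
    $ignore   = Get-RegValue $settings 'IgnoreUserSettings'   # assumption: HKLM-only override switch
    $user     = Get-RegValue 'HKCU:\Software\Microsoft\Windows Script Host\Settings' 'Enabled'

    # Absent value = default = WSH enabled. User value wins unless IgnoreUserSettings=1.
    $disabled = if ($ignore -eq 1)      { $machine -eq 0 }
                elseif ($null -ne $user) { $user -eq 0 }
                else                     { $machine -eq 0 }

    [pscustomobject]@{
        MachineEnabled      = $machine
        UserEnabled         = $user
        IgnoreUserSettings  = $ignore
        EffectivelyDisabled = $disabled
    }
}

function Test-PowerShellRestricted {
    # Policy keys from the post: EnableScripts=0 means "Turn on Script Execution" is disabled.
    $policies = @(
        'HKLM:\Software\Policies\Microsoft\Windows\PowerShell',   # Windows PowerShell 5.x
        'HKLM:\Software\Policies\Microsoft\PowerShellCore'        # PowerShell 7
    )
    foreach ($p in $policies) {
        [pscustomobject]@{
            Setting = $p
            Value   = Get-RegValue $p 'EnableScripts'
        }
    }
    # __PSLockDownPolicy=4 (machine environment) = Constrained Language mode for Windows PowerShell
    [pscustomobject]@{
        Setting = '__PSLockDownPolicy (machine environment variable)'
        Value   = [Environment]::GetEnvironmentVariable('__PSLockDownPolicy', 'Machine')
    }
    # Effective policy as this host sees it (machine scope only, to match the post's reg entries)
    [pscustomobject]@{
        Setting = 'ExecutionPolicy (LocalMachine scope)'
        Value   = Get-ExecutionPolicy -Scope LocalMachine
    }
}

Write-Host '--- Windows Script Host ---'
Test-WshDisabled | Format-List
Write-Host '--- PowerShell ---'
Test-PowerShellRestricted | Format-Table -AutoSize
```

A machine-wide environment variable is read at process start, so __PSLockDownPolicy only shows its effect in hosts launched after it was set.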

MS has recently disabled at least VBS in Windows, thus malware moved to PowerShell instead.

Note that by default Windows includes old and vulnerable PowerShell 5, though there is already version 7.
So, the first script you gave was to remove VBS? But is it still needed if MS disabled it?

And the second long script does what exactly? Uninstall Powershell? Disable it?
Btw, if I install Powershell 7, would powershell 5 automatically be overwritten? And would PS7 be safe enough?
Or is it better to just remove/disable powershell completely, 5, 7 and whatever?

What about Windows Terminal? Is it a coven for malware too? Can it be uninstalled?
VBScript isn't disabled or removed. It's only deprecated. It becomes a Feature on Demand (FoD) in 24H2, but will still be enabled by default. A couple of years from now, the FoD will be off by default. Eventually, they'll remove it entirely. There is way too much existing VBScript code out there for Microsoft to just turn it off now. This is the latest info I've seen: VBScript deprecation: Timelines and next steps

If you're not using VBScript for anything, my suggestion would be to disable Windows Script Host and stop there.

PowerShell 7 does not automatically replace PowerShell 5 (which is known as Windows PowerShell really). They are two separate things really, with a lot of common features.

I'm generally in favor of reducing attack surface, but I think removing PowerShell is a bridge too far. Especially Windows PowerShell (v. 5), so many things rely on it, you're just asking to break something. In environments I've been where they were concerned about ransomware abuse of PowerShell, which is a legit concern by the way, I've blocked PowerShell processes from getting to the Internet. That's really all you need to do. PowerShell will still continue to function for local systems management tasks, but if a ransomware spaghetti tries to use it to download a payload or something, the firewall would prevent that communication. If you're on a Pro version SKU or higher, I would use Group Policy to setup these firewall rules, as rules you just configure in the firewall management console can be disabled by jerk-face ransomware miscreants.

Edit: I didn't say "ransomware spaghetti." I used a four letter word for feces that starts with T and ends with D. Tip of the hat to whatever system edited out that word but let me say jerk-face. :winkt:
If you're on a Pro version SKU or higher, I would use Group Policy to setup these firewall rules, as rules you just configure in the firewall management console can be disabled by jerk-face ransomware miscreants.
Yes I have Pro.
I never got much into Windows Firewall because I find it quite complicated, and as you see I have the tendency to dive too deep into anything that I start, so I tend to postpone starting new things until I really have to, sometimes even contradicting all the effort that I put into enhancing privacy (as it would make sense that with such concern I prioritize learning what rules to create and what to delete in WF).
But your recommendation seems reasonable.
I used Chris Tech GitHub Windows tweak utility to make PowerShell 7 the default once. As you say, it doesn't uninstall the 5.
Would PowerShell 7 be safer against Ransomware? And would it be enough that it's the default, even if the 5 remains in the system?
Could you share how you prevented PowerShell from interacting with the internet?
I wouldn't say PowerShell 7 is safer than 5. They both have features that can be turned on to make them safer, features that are usually not turned on.

Here is a guide from a few governments about keeping PowerShell while making it safer to have around.

As for the firewall rules, I create an outbound rule to block the program (see below). For the remote IP address, choose "Predefined set of computers," and select Internet from the drop-down box.

As for the program to block, I create rules for these. In almost all cases, these can be safely blocked. Exceptions need to be made sometimes in large environments, but in most cases, these do not need access to the Internet, and they are abused by ransomware folks.

Code:
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

%ProgramFiles%\PowerShell\7\pwsh.exe

%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe

%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\SysWOW64\regsvr32.exe

%SystemRoot%\System32\rundll32.exe
%SystemRoot%\SysWOW64\rundll32.exe

%SystemRoot%\System32\cscript.exe
%SystemRoot%\SysWOW64\cscript.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\SysWOW64\wscript.exe
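The rules the post above describes, written out as a script rather than clicked through the console. This is an added example, not the poster's own rules or script: it takes the program paths listed above and creates one outbound Block rule each with the remote address scope "Internet" (the "Predefined set of computers: Internet" choice in the console), then checks that every rule is still present and enabled, which is the tampering the poster warns about. The rule display names and group name are my own; the script writes to the local persistent store, the same store the console edits, so the poster's preference for delivering these via Group Policy still applies.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell.
# Program paths are the ones listed in the post; the firewall accepts %VAR% forms as-is.

$Group    = 'Block Internet for script hosts'      # assumed group name
$Programs = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe',
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%ProgramFiles%\PowerShell\7\pwsh.exe',
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%SystemRoot%\System32\regsvr32.exe',
    '%SystemRoot%\SysWOW64\regsvr32.exe',
    '%SystemRoot%\System32\rundll32.exe',
    '%SystemRoot%\SysWOW64\rundll32.exe',
    '%SystemRoot%\System32\cscript.exe',
    '%SystemRoot%\SysWOW64\cscript.exe',
    '%SystemRoot%\System32\wscript.exe',
    '%SystemRoot%\SysWOW64\wscript.exe'
)

function Get-RuleName([string]$Exe) { "Block Internet: $Exe" }   # assumed naming scheme

function Add-InternetBlockRules {
    foreach ($exe in $Programs) {
        $name = Get-RuleName $exe
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "exists: $name"
            continue
        }
        # Outbound + Block + RemoteAddress Internet: local subnet traffic (e.g. remoting
        # to a home NAS) is unaffected; only Internet-bound connections are dropped.
        New-NetFirewallRule -DisplayName $name -Group $Group `
            -Direction Outbound -Action Block -Program $exe `
            -RemoteAddress Internet -Profile Any -Enabled True | Out-Null
        Write-Host "added:  $name"
    }
}

function Test-InternetBlockRules {
    # Detection side: returns the paths whose rule is missing, disabled, or no longer a Block.
    $gaps = @()
    foreach ($exe in $Programs) {
        $rule = Get-NetFirewallRule -DisplayName (Get-RuleName $exe) -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne 'True' -or $rule.Action -ne 'Block') {
            $gaps += $exe
        }
    }
    return $gaps
}

Add-InternetBlockRules
$gaps = Test-InternetBlockRules
if ($gaps.Count -gt 0) {
    Write-Warning ("Not blocked: " + ($gaps -join ', '))
} else {
    Write-Host 'All rules present, enabled and set to Block.'
}
```

Re-running Test-InternetBlockRules from a scheduled task is a cheap way to notice if one of these rules has been switched off behind your back.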
As for the program to block, I create rules for these. In almost all cases, these can be safely blocked. Exceptions need to be made sometimes in large environments, but in most cases, these do not need access to the Internet, and they are abused by ransomware folks.
So, these that you listed are the programs that you block in Windows Firewall?
Or is it a code to run in CMD to block them? It says code, that's why I ask, sorry if it's a stupid question.
Those are the paths to programs I block. I put them in a code block because they're paths to files; old habit, sorry. :)
Those are the paths to programs I block. I put them in a code block because they're paths to files; old habit, sorry. :)
Oki, thanks, will disable all those now when I install Win in my new SSD.
But I've read the PDF which you linked. Not in depth, but still, I've read it and it seems like most if not all the reasons they give not to uninstall PowerShell are for networking in business, like for remote control by administrators.
What about one single system, no network, not even HomeGroup?
Which apps/programs/services would not work if I remove PowerShell and Windows Terminal and leave just the classic cmd?