Malware, Spyware, Network Monitoring tips & tricks

Discussion in 'PC' started by jhagen, Apr 8, 2024.

  1. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    Apart from doing gigantic scans and system updates, what's your strategy to monitor unusual activity on your connected Windows system?

    taskmgr.exe? perfmon.exe? Network monitoring?

    Any good tips? Anything to share? Open source stuff is highly welcome.

    Thanks in advance
     
  3. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,292
    Likes Received:
    4,028
    Location:
    Europe
    I don't know how experienced you are. With Windows I mean, your cheeky jokes are master level :wink:

    The first thing perhaps is to use the Firewall in whitelist mode. That is, instead of blocking certain programs you block all by default and allow certain programs to access internet.

    For this there are great free tools. Perhaps the best is SimpleWall. But TinyWall, which someone mentioned recently here, is perhaps friendlier to use. I thought it was discontinued.

    Above that there are network monitoring tools, it's a broad topic.

    Network aside, a thing I always do is save the .exe's or any kind of program in a rar file (or 7z) with a simple password, so possible viruses have it very hard, if not impossible, to infect 'em.
     
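The whitelist-mode firewall described above can also be done with the built-in Windows Defender Firewall from PowerShell. This is an added example, not code from the thread or from SimpleWall/TinyWall; the program paths in `$allowedPrograms` are assumptions and the session must be elevated.

```powershell
# Added example: default-deny outbound traffic in Windows Defender Firewall and
# allow only an explicit list of programs. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$allowedPrograms = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',   # assumed path to a browser you trust
    'C:\Windows\System32\svchost.exe'                 # hosts Windows Update, DNS client, time sync
)

# 1. Block everything outbound by default on all three profiles
#    (inbound is already block-by-default on a normal install).
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. One explicit allow rule per program, grouped so they are easy to audit or remove later.
foreach ($exe in $allowedPrograms) {
    if (-not (Test-Path $exe)) { Write-Warning "Skipping missing program: $exe"; continue }
    $name = 'Whitelist-Out: ' + (Split-Path $exe -Leaf)
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Group 'Outbound whitelist' `
            -Direction Outbound -Action Allow -Program $exe -Profile Any | Out-Null
    }
}

# 3. Audit: everything that is currently allowed out, including Windows' own
#    predefined rules, so nothing is allowed "by accident".
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = ($_ | Get-NetFirewallApplicationFilter).Program
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app; Profile = $_.Profile }
    } | Sort-Object Program | Format-Table -AutoSize

# Rollback if something stops working:
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow
#   Get-NetFirewallRule -Group 'Outbound whitelist' | Remove-NetFirewallRule
```

Two things to check after switching: the predefined "Core Networking" rules Windows ships stay enabled, which is what keeps DHCP and DNS working; and the audit table in step 3 is the place to spot an allow rule a previously installed program added for itself.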
  4. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    Thanks @Xupito,
    I'm not experienced at all; I use Windows Firewall, allowing just very few applications to pass.

    Maybe I'm a bit paranoid about spyware. I was thinking whether there are some tricks to have a look at unusual network activity. I regularly clone with Clonezilla, so a reinstall is not what bothers me, while being spied on is something I would really not like.

    I heard about stuff like:
    https://www.cacti.net/

    but I have no experience, maybe I'll give it a try when possible.
     
  5. typical-love

    typical-love Producer

    Joined:
    May 9, 2020
    Messages:
    260
    Likes Received:
    118
    Hmm, I'm in a very similar boat as you, drop an update if you find something that works
     
  6. BasedPirate

    BasedPirate Kapellmeister

    Joined:
    Sep 1, 2023
    Messages:
    83
    Likes Received:
    48
    I think this is what you are looking for. It is free and open-source: Portmaster by Safing https://safing.io/
     
  7. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    Thanks @BasedPirate
    that looks interesting, must give it a try soon.
     
  8. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    292
    Likes Received:
    117
    For me, it's about what is going in and out of my computer. I use NetLimiter 5; everything needs permission in and out. Some things are only allowed temporary access, other things permanent, and most things are permanently blocked.

    I also look at what ports are being used and by what and where they are attempting to connect to.

    My home network connects to a hardware Watchguard Firewall which has their full suite of modules activated.

    I also use an endpoint on my DAW computer, people have different opinions on this as they say it interferes with overall performance, but I have never had any issues at all, not even when recording audio tracks.

    I use ad blockers on my browsers, which stop most things; other sites get added to my hosts file or their IP added into NetLimiter and the WG Firewall.

    I also scan everything before installing apps, warez and retail with multiple scanners and make a decision based on any findings.

    I am fortunate enough to work in Cybersecurity, so I have tools which are not home consumer available that I use.

    Probably the most important thing is I take an image frequently of my DAW computer and keep the last 10 images, so should anything go wrong I can bring the computer back to a completely working state with all installed apps and configurations to the point the image was taken. I have these backed up to an external NAS that only goes on the network to copy the created image, and also an external USB as a backup to the backup. The NAS also has SMB and NFS disabled, so no computer has write access to it apart from SFTP, which is password protected with a 28-character non-dictionary password that I change weekly.

    Also back up your local data frequently and always back up the backup. I use NovaStor backup and create a weekly encrypted backup of the local docs I want backed up.

    All my important computers are not part of my domain; they are independent workgroups, each having one unique dedicated account which has local administrator privileges (the default Administrator account and any other default MS accounts are disabled).

    My BIOS boot is also Password Protected before it hits the bootloader, so should a reboot happen without my knowledge it won't boot in to the OS without a password being entered.

    It sounds like a lot but it really isn't, and it's a lot easier than having to reinstall and configure everything from a blank M.2 or SSD.
     
    Last edited: Apr 9, 2024
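The "what ports are in use, by what, and where are they connecting" check from the post above can be done without NetLimiter, using `Get-NetTCPConnection` joined to `Get-Process`. This is an added example, not the poster's tooling; the "suspicious path" heuristic and the ignore list are my own choices and the watch loop's interval is arbitrary.

```powershell
# Added example: map every established/outgoing TCP connection to its owning
# process, show the remote endpoint and image path, and flag the unusual ones.
# Read-only; works unelevated, though elevation reveals paths of more processes.

function Get-ProcessConnections {
    param(
        # Loopback and unspecified addresses are noise for this purpose
        [string[]]$IgnoreRemote = @('127.0.0.1', '::1', '0.0.0.0', '::')
    )
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Established, SynSent |
        Where-Object { $IgnoreRemote -notcontains $_.RemoteAddress } |
        ForEach-Object {
            $p    = $procs[[int]$_.OwningProcess]
            $path = if ($p) { $p.Path } else { $null }   # $null for protected/system processes
            [pscustomobject]@{
                Process    = if ($p) { $p.ProcessName } else { "pid $($_.OwningProcess)" }
                PID        = $_.OwningProcess
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
                State      = $_.State
                Path       = $path
                # Heuristic (assumption): network-active binaries living in user-writable
                # folders deserve a second look.
                Suspicious = [bool]($path -match '\\(AppData\\Local\\Temp|Temp|Downloads|Public)\\')
            }
        }
}

# Snapshot now, suspicious rows first
Get-ProcessConnections |
    Sort-Object @{Expression = 'Suspicious'; Descending = $true}, Process |
    Format-Table -AutoSize

# Keep watching and print only process->remote pairs not seen before,
# which is the cheap way to catch something that "phones home" occasionally.
function Watch-NewConnections {
    param([int]$Seconds = 5, [int]$Rounds = 12)
    $seen = @{}
    Get-ProcessConnections | ForEach-Object { $seen["$($_.Process)->$($_.Remote)"] = $true }
    for ($i = 0; $i -lt $Rounds; $i++) {
        Start-Sleep -Seconds $Seconds
        foreach ($c in Get-ProcessConnections) {
            $k = "$($c.Process)->$($c.Remote)"
            if (-not $seen.ContainsKey($k)) {
                $seen[$k] = $true
                '{0:HH:mm:ss} NEW {1} ({2})' -f (Get-Date), $k, $c.Path
            }
        }
    }
}
# Watch-NewConnections -Seconds 5 -Rounds 60

# Follow-up on one unfamiliar PID: parent and command line
# Get-CimInstance Win32_Process -Filter "ProcessId = 1234" | Select-Object ParentProcessId, CommandLine
```

UDP is not covered here; `Get-NetUDPEndpoint` lists local UDP sockets but carries no remote address, so for DNS or QUIC traffic the per-process view needs a packet capture or the firewall's own logging.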
  9. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    @StormChaser,
    that's good stuff; the Watchguard Firewall looks strong. NetLimiter is a nice app; usually I tend to choose free and open source stuff, but it looks quite interesting. I clone disk images every time and, as you said, doing backups of backups is quite a must.

    Thanks for the good advice!
     
    Last edited: Apr 9, 2024
  10. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    292
    Likes Received:
    117
    You are very welcome.

    Great job on the disk cloning and backups of the backups. I can't stress enough how important this is; it doesn't have to be malware, but even disk failures, which people don't tend to think about, or think would never happen to them.

    Never keep any backups on your local disks or even on partitions of disks; if the entire HD goes then you've lost the all-important data and the backup data, no matter what partition it sits on, on a single disc.

    Just little things is all it takes to keep things running smoothly.

    Sure, my Watchguard Firewall is seriously overkill with all it does, totally, but the more layered an approach anyone can take with what they have access to, the more protected they will be.

    Also the FREE Sysinternals Suite has some great apps you can use daily.

    Autoruns
    Process Explorer
    Process Monitor

    just to name a few. BUT if you are to download the suite then I would delete PsExec.exe immediately. In the right hands it's a handy app, but it can also be used maliciously, and some malicious programs look for this to exploit it. Unless you know what this is and how to use it, I would also block this application from running or being able to connect anywhere, even if you have deleted it yourself from the suite; it's such a small app and some malicious programs install this as part of their payload.

    https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
     
    Last edited: Apr 9, 2024
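Autoruns is most useful when you compare against a known-good baseline rather than reading the whole list every time. The example below does that with the command-line version, `autorunsc64.exe`, which ships in the same Sysinternals Suite download linked above. It is an added example, not the poster's procedure or a Sysinternals script; the tool path, the CSV column names and the UTF-16 output encoding are assumptions to check against your copy of the tool.

```powershell
# Added example: dump autostart entries with autorunsc, flag unsigned ones,
# and diff against a saved baseline to see what changed since last time.
#Requires -RunAsAdministrator

$autorunsc = 'C:\Tools\SysinternalsSuite\autorunsc64.exe'   # assumed install location
$baseline  = "$env:USERPROFILE\autoruns-baseline.csv"
$current   = "$env:TEMP\autoruns-current.csv"

# -a *  all categories   -c CSV   -h file hashes   -s verify signatures
# -m    hide entries with a verified Microsoft signature (cuts the noise)
# autorunsc has no output-file switch, so redirect through cmd.
cmd /c "`"$autorunsc`" -accepteula -nobanner -a * -c -h -s -m > `"$current`""

# Assumption: redirected autorunsc output is UTF-16; if the import comes back
# empty, drop the -Encoding argument.
$now = Import-Csv $current -Encoding Unicode

"`n== Entries without a verified signature =="
$now | Where-Object { $_.Signer -notmatch '^\(Verified\)' } |
    Select-Object 'Entry Location', Entry, Signer, 'Image Path' |
    Format-Table -AutoSize -Wrap

if (Test-Path $baseline) {
    $old = Import-Csv $baseline -Encoding Unicode
    # Identity of an entry = where it is registered + what it launches + the file hash,
    # so a replaced binary with the same name still shows up as a change.
    $key  = { "$($_.'Entry Location') | $($_.Entry) | $($_.'Image Path') | $($_.'SHA-256')" }
    $diff = Compare-Object -ReferenceObject @($old | ForEach-Object $key) `
                           -DifferenceObject @($now | ForEach-Object $key)
    if ($diff) {
        "`n== Changes since baseline (=> new, <= gone) =="
        $diff | Format-Table -AutoSize -Wrap
        # After reviewing: Copy-Item $current $baseline -Force
    } else {
        "`nNo autostart changes since baseline."
    }
} else {
    Copy-Item $current $baseline
    "Baseline saved to $baseline; run again later to see changes."
}

# Related to the PsExec warning above: when PsExec is used against a machine it
# installs a service named PSEXESVC and drops %SystemRoot%\PSEXESVC.exe. Neither
# should exist on a workstation that was never administered that way.
Get-Service -Name PSEXESVC -ErrorAction SilentlyContinue
Test-Path "$env:SystemRoot\PSEXESVC.exe"
```

Take the baseline right after a clean build, before installing anything else; the diff is only as trustworthy as the state it was captured from.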
  11. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    That Sysinternals stuff is really interesting, must have a look at it asap.
    Do you have any tips about debloating a fresh install of Win 10/11? Maybe some decent script source to do the main things? Some trusted resources? Or do you do it manually, one by one?

    thanks a lot @StormChaser
     
    Last edited: Apr 9, 2024
  12. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    292
    Likes Received:
    117
    What bloatware you get installed depends on what OS installation media you are using.

    Personally I only use an official Microsoft ISO, which contains just the OS install for the most part, but consumer-purchased machines can come with a lot of pre-installed applications, trial applications etc., and you certainly want to remove any that you don't want or have.

    Some you need to keep, like drivers and management applications for hardware etc.

    Depending on what level you are at: most consumer-built PCs generally have a Software folder on the main OS partition C:\ which contains all the drivers and applications that the computer needs to run. I normally back this folder up to an external drive, flatten the new machine and build it from scratch from a vanilla Microsoft OS ISO, and then load all the drivers and applications I need; this way you know what is installed and why you installed it.

    There are also a lot of tricks you can do to further restrict Windows from doing certain things, but far too many to list; Google will be your friend. You can also make tweaks to optimise Windows for audio recording and DAW usage; again, do a Google search, there are lots of resources.

    For just removing applications, there are some pretty good uninstallers around that do a lot more than the standard Windows uninstaller. I use Revo Uninstaller, which is pretty good, BUT make sure you always look at what leftover files it wants to remove, as some could be shared files with other applications. I uninstall one by one so I can see what is being removed.

    One thing to consider blocking in the Windows hosts file are all the Microsoft telematics, which is essentially a lot of the spying and reporting it does on lots of various things. It's a little bit naughty in the information it wants to send in the background to various places. Again, it's not for everyone and there are caveats to blocking lots of things; do some research and make a decision if it's something you want to do.

    I have attached a TXT file with the telematics I have blocked in my hosts file. I have zipped the file up, but if you decide to use this then make sure you scan the file before opening it, given that it's now being downloaded from the internet.

    Hope this helps.
     

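Editing the hosts file by hand works, but it is easy to end up with duplicates, a stray BOM, or no way to undo. The script below keeps the blocked entries in a marked section so they can be replaced or removed cleanly. It is an added example, not the poster's list or script: the two hostnames are constructed placeholders (the attached list is not reproduced here), and the marker text is my own convention.

```powershell
# Added example: idempotently add/remove a managed block of hosts entries,
# with a timestamped backup of the previous file.
#Requires -RunAsAdministrator

$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$begin     = '# BEGIN managed-block'
$end       = '# END managed-block'

# Constructed placeholders; replace with the hostnames you decide to block.
$blockList = @(
    'telemetry-placeholder-1.example',
    'telemetry-placeholder-2.example'
)

function Set-HostsBlock {
    param([string[]]$Hosts, [switch]$Remove)

    # Refuse anything that is not a syntactically valid hostname rather than
    # writing a malformed line the resolver might choke on.
    $hostRe = '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
    $bad = $Hosts | Where-Object { $_ -notmatch $hostRe }
    if ($bad) { throw "Invalid hostname(s): $($bad -join ', ')" }

    Copy-Item $hostsPath "$hostsPath.bak-$(Get-Date -Format yyyyMMdd-HHmmss)"

    # Keep every line outside the managed section exactly as it was
    $keep    = New-Object System.Collections.Generic.List[string]
    $inBlock = $false
    foreach ($line in (Get-Content $hostsPath)) {
        if ($line -eq $begin) { $inBlock = $true;  continue }
        if ($line -eq $end)   { $inBlock = $false; continue }
        if (-not $inBlock)    { $keep.Add($line) }
    }
    if (-not $Remove) {
        $keep.Add($begin)
        # 0.0.0.0 rather than 127.0.0.1: nothing even tries a loopback connection
        foreach ($h in ($Hosts | Sort-Object -Unique)) { $keep.Add("0.0.0.0 $h") }
        $keep.Add($end)
    }
    # Write plain ASCII with no BOM; a BOM at the top of hosts is a classic
    # reason for the first entry being ignored.
    [System.IO.File]::WriteAllLines($hostsPath, $keep, [System.Text.Encoding]::ASCII)
    Clear-DnsClientCache
}

Set-HostsBlock -Hosts $blockList
# Undo everything the script added:  Set-HostsBlock -Hosts $blockList -Remove

# Verify: the .NET resolver reads the hosts file, so a blocked name returns 0.0.0.0
[System.Net.Dns]::GetHostAddresses('telemetry-placeholder-1.example') | Select-Object -ExpandProperty IPAddressToString
```

One caveat that applies to the poster's list specifically: Microsoft Defender treats hosts-file entries that sinkhole Microsoft domains as a "settings modifier" detection (SettingsModifier:Win32/HostsFileHijack) and may quarantine or revert the file, so after adding such entries check Defender's protection history before assuming the block is in place.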

  13. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    Thanks a lot!

    That Microsoft telematics list is quite long; I didn't know about all those addresses. I'll give it a try.

    About a debloater, there are some GitHub scripts that claim to remove unnecessary stuff, but I have no experience with them.
    ex.
    https://github.com/Sycnex/Windows10Debloater

    3DBuilder, ActiproSoftware, Alarms, Appconnector, Asphalt8, Autodesk SketchBook, MSN Money, Food And Drink, Health And Fitness, Microsoft News, MSN Sports, MSN Travel, MSN Weather, BioEnrollment, Windows Camera, CandyCrush, CandyCrushSoda, Caesars Slots Free Casino, ContactSupport, CyberLink MediaSuite Essentials, DrawboardPDF, Duolingo, EclipseManager, Facebook, FarmVille 2 Country Escape, Flipboard, Fresh Paint, Get started, iHeartRadio, King apps, Maps, March of Empires, Messaging, Microsoft Office Hub, Microsoft Solitaire Collection, Microsoft Sticky Notes, Minecraft, Netflix, Network Speed Test, NYT Crossword, Office Sway, OneNote, OneConnect, Pandora, People, Phone, Phototastic Collage, PicsArt-PhotoStudio, PowerBI, Royal Revolt 2, Shazam, Skype for Desktop, SoundRecorder, TuneInRadio, Twitter, Windows communications apps, Windows Feedback, Windows Feedback Hub, Windows Reading List, XboxApp, Xbox Game CallableUI, Xbox Identity Provider, Zune Music, Zune Video.

    I agree a fresh install with a plain vanilla ISO and dedicated drivers is the best at the moment.
     
  14. StormChaser

    StormChaser Producer

    Joined:
    Jan 16, 2021
    Messages:
    292
    Likes Received:
    117
    As convenient as downloading scripts is, unless you know exactly what they're doing I would avoid them like the plague.

    Looking at the GitHub script, the first thing it's asking you to do is to force the PowerShell Set-ExecutionPolicy Unrestricted -Force. Unless you know what this is and why you would want to do this, I would stay clear of it; it can be a massive risk, especially if you are using warez applications of any kind.

    PowerShell is locked down for a reason, even for local or domain administrator accounts. The key is to only allow what is essential and necessary.

    I am sure the script works fine and they can be handy, but looking at the list of things it removes, how many of them apply to you? When you start ticking off what's relevant you'll probably only have a few things, which are easier to remove manually.

    It's always best practice for you to be in control of what is removed and what stays; running random scripts willy-nilly isn't advised at all.

    Have a look at Sysinternals Autoruns; this will show you what is running and from where, as well as apps launched at logon, which you can stop or delete.
     
    Last edited: Apr 9, 2024
  15. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
    100% agree, never used any of those scripts. Autoruns is always under control; Sysinternals Autoruns, must install it soon!

    Thanks @StormChaser, lots of good info!
     
  16. Garamondo Furbish

    Garamondo Furbish Audiosexual

    Joined:
    Nov 13, 2023
    Messages:
    1,930
    Likes Received:
    933
    Location:
    North America
    Run a VPN, set it to kill switch, so if you disconnect through the VPN app, all traffic is blocked. Disconnect when you aren't using your computer, like when you are sleeping or out of the house.
    Run TCPView from Sysinternals/Microsoft; I have it set to autostart when I boot my computer. This will let you look at any connections to your system.
    -
    Keep an eye on your bandwidth; Process Explorer can show you what's going on in real time on your machine.

    Avoid Google apps; don't stay logged into Google. Don't hang around dodgy sites. If a web page asks if you really want to leave the site, just close the window; don't bother clicking on anything.
     
  17. Will Kweks

    Will Kweks Rock Star

    Joined:
    Oct 31, 2023
    Messages:
    565
    Likes Received:
    335
    For easy mode: run O&O ShutUp to block telemetry, Cortana, and other stuff you don't use. A lot of people (myself included) have fucked up their system by disabling "unneeded" services etc. This is a safe way (and it warns you if it might not be!).

    Install Process Explorer, as @Garamondo Furbish recommended, if you run into errant network/CPU/GPU/RAM usage. Modern mal/spyware can see if Task Manager is running and hide itself. If nothing shows up there, then figure out PowerShell to find the culprit (search for "Powershell Get-Process").
     
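Following up on the `Get-Process` suggestion: on its own it shows little more than Task Manager does. Joining it with `Win32_Process` (parent and command line) and `Get-AuthenticodeSignature` (who signed the binary) is what makes an odd process stand out. This is an added example, not the poster's command; the "worth a second look" rules at the end are my own heuristics and will produce false positives on a developer machine.

```powershell
# Added example: a process inventory with parent, command line, image path and
# signature status, plus a short list of rows worth a second look.
# Read-only; run elevated to see paths and command lines of more processes.

function Get-ProcessTriage {
    $cim = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cim[[int]$_.ProcessId] = $_ }

    Get-Process | ForEach-Object {
        $w      = $cim[$_.Id]
        $parent = if ($w -and $cim.ContainsKey([int]$w.ParentProcessId)) {
                      $cim[[int]$w.ParentProcessId].Name
                  } else { '?' }
        # Signature check only where we can see the image path
        $sig = if ($_.Path) { (Get-AuthenticodeSignature $_.Path).Status.ToString() } else { 'n/a' }
        [pscustomobject]@{
            PID         = $_.Id
            Name        = $_.ProcessName
            Parent      = $parent
            CPU_s       = [math]::Round([double]$_.CPU, 1)
            WS_MB       = [math]::Round($_.WorkingSet64 / 1MB)
            Signature   = $sig
            Path        = $_.Path
            CommandLine = if ($w) { $w.CommandLine } else { $null }
        }
    }
}

$all = Get-ProcessTriage

"`n== Worth a second look =="
$all | Where-Object {
    # unsigned or broken signature (ignore rows where no path was visible)
    ($_.Signature -ne 'Valid' -and $_.Signature -ne 'n/a') -or
    # running from a user-writable location
    ($_.Path -match '\\(Temp|Downloads|AppData\\Local\\Temp|Public)\\') -or
    # a script/shell host whose parent is an Office app or browser
    ($_.Name -match '^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)$' -and
     $_.Parent -match '^(winword|excel|outlook|chrome|firefox|msedge)')
} | Sort-Object Name | Format-Table PID, Name, Parent, Signature, Path -AutoSize -Wrap

"`n== Top CPU consumers =="
$all | Sort-Object CPU_s -Descending | Select-Object -First 10 |
    Format-Table PID, Name, CPU_s, WS_MB, Parent -AutoSize

# For one specific PID, the full command line is usually the most telling field:
# $all | Where-Object PID -eq 1234 | Select-Object -ExpandProperty CommandLine
```

`CPU_s` is cumulative processor time since the process started, not a live percentage; run the inventory twice a minute apart and diff `CPU_s` per PID if you want the current rate.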
  18. saccamano

    saccamano Audiosexual

    Joined:
    Mar 26, 2023
    Messages:
    1,286
    Likes Received:
    522
    Location:
    CBGB omfug
    Since I never put production machines on the internet there's no need to monitor them or run A/V or firewalls or any of that crap. My internet surfing machines run Outpost FW, the last patched version of that one that is safe to use even though it's no longer maintained. OPF has a complete network monitor built in that will show status on every single network connection to your machine IN REAL TIME and report on what it's doing. The i-net machines also have BIOS tweaks that disable the dubious Intel Management Engine, a silly embedded POS mini-OS that could allow a monkey to take control of your machine remotely even if it's turned off, as it is embedded into the microprocessor die itself. It's in ALL Intel processors from around 2007 on. Some systems have tweaks to turn it off while others have nothing at all. I also block all the network ports that IME uses at the router as a fail-safe. The entire site's internet connection is on a kill-switched VPN, which keeps everything private.
     
    Last edited: Apr 10, 2024
  19. BasedPirate

    BasedPirate Kapellmeister

    Joined:
    Sep 1, 2023
    Messages:
    83
    Likes Received:
    48
    Can you take a look at https://github.com/ChrisTitusTech/winutil? Do you have any criticisms of it, specifically the tweaks section?
     
  20. jhagen

    jhagen Platinum Record

    Joined:
    Apr 9, 2013
    Messages:
    505
    Likes Received:
    183
  21. Unirorm

    Unirorm Producer

    Joined:
    Jan 22, 2016
    Messages:
    156
    Likes Received:
    88
    I used NetLimiter for ages, very reliable, but with the increased amount of apps connected to the net, just unplugging it is the best strategy.
    Not convenient though.
     