My security is simple but effectively consistent, most people misunderstand that security needs to be complicated or overwhelming.
1. Control ALL internet traffic (a fine grained firewall like Comodo will do the trick) this means don't set EVERY app to auto check for updates, don't give every app internet access because they ask for it, even if benign, understand EXACTLY what they are doing when they DO have access, that requires packet inspection (something as simple as Wireshark will do the trick, but if you want to get more anal, there are other options)
2. Hash scanners (a robust but non-intrusive av - for example defender does the trick - as far back as when it was called MSE, I put a review a long time ago on here) - just one, don't over do it, don't put a bunch of them, and they all behave the same, so don't follow the hype, they ALL scan the same damn hash and use the same damn heuristic, regardless of what garbage they tell you, I need them to alert me to the persistent shit, I will handle the zero-days myself through habitual protocol. Sophos is also good, but overzealous, so you need to temper the settings a bit, Comodo AV is ok but sometimes too overreaching but can be tweaked to reduce the false positive but ultimately they all rip of ClamAV to some extent, so you can just get a stand alone scanner for manual scanning and just use that.
3. CHECK EVERY FILE BEFORE YOU OPEN IT, RUN IT, COPY IT, MOVE IT, STORE IT, or whatever to it. Run a simple test with something like VirusTotal (to get multispectrum analysis) or Metadefender if you want to be able to do larger files. Lock down all your system files, simple DEP will handle that. If you are a masochist, you can try Comodo's HIPS but it is excessively confusing for most but it will have one advantage, when dealing with an app whose behavior you DON'T know, this will expose everything it does, and can provide you all the interactions which can help you diagnose if safe or not but I would NOT use their HIPS 24x7 that would be exhaustively counterproductive. When you do open a file or run it, make sure your "temp" or "scratch" folders are all isolated with ONLY SYSTEM and ADMIN user access, NO ONE ELSE, that way you will guarantee that no one can actually leverage them against you; and also make sure you are opening it (at least the first time) inside a sandbox. Some good ones are Sandboxie (free-ish) but be careful configuring it for convenience, you might just be letting the devil in without realizing it. Another open option which does pretty well is Comodo's sandbox which they are Auto-Containment, I don't have it auto, just manual through right click when I need it. Side note, the crippled folder I told you will be created for each file you open in this method by default, so there is that nice feature.
That's it as far as the system is concerned (Defender, comes installed) and Comodo Firewall (which gives me the other items I mentioned too built-in) and VirusTotal/Metadefender are online, that's it. When it comes to securing the browser, I need TWO things, mostly just one but the second one makes me feel better, so no harm. uBlock (with third party frames and scripts disabled globally by default) and a few major malware, tracking lists and a shit load of custom filters and rules and NOTHING gets passed it and Disconnect. Plus if I need something to run, I can do it temporarily for that session which resets automatically when I am done and that's that. Hell I have even configured my browser to keep my cookies and use CCleaner to trim the unwanted ones to ensure that I always stay logged into certain places, like here for example. Never been session or cookie hijacked, that's a testament to the robust setup and I get the convenience of not having to constantly log into the my most used tools. That being said, I NEVER EVER EVER EVER EVER stay logged into anything like a bank, credit card, or whatnot. That I log in, finish, log out and that's it. I mean think about how annoying it would be if every time a student sent me a message and I had to log in to respond, it gets annoying quickly but the way I do it, the session remains, although they have their own "max" session which logs me out eventually on a schedule but at least. I also set my cache to 0, history to nothing and disable all GEO and WebRTC features and Media autoplays and keep all "plugins" disabled by default.
That's it. Now there are slight adjustments in the browser behavior between Firefox and Chrome but how I configure them, they behave nearly IDENTICAL. For example, on FX, I use uBlock, Disconnect, GreaseMonkey and VPN for going into the deep
and on Chrome (which I effectively have stopped using after a period of developing on it) I use uBlock, Disconnect, TamperMonkey and VPN - so you can see, nearly identical. Now on FX, I use about:config to disable geo, peerconnection, media autoplay, hardware "accelerations" (they are vulnerable to malicious decoding code) - and a few other personal tweaks that are less security and more anal retentive. On Chrome, I use the about:flags to disable geo, google "phone home" services, webrtc/rtcpeer, hardware and automatic tab discarding. That's it in a nutshell. It seems like a lot of work, and it is, I won't dismiss that but once you get the system to the level I have it now, it becomes a self regulating beast that following MY BEHAVIOR so ultimately I am the weak point in all of it, if _I_ fail, then the whole system fails, it's not the hacker or the computers fault, it is mine as the user, simple as that. You sleep on the job, you get hit, simple as that. You stay vigilante, doesn't mean you don't get hit but at least you are ready for it and can defend it. There is no magic to it, just being proactive.
