Q: Is it a problem if I surf the Internet using an administrative account on Windows?
A: Using a non-administrative account mitigates 92% of Microsoft vulnerabilities with a critical severity rating.
Q: Does a safe way of doing online banking exist?
A: Bank via LiveCD or LiveUSB instead of Windows. A LiveCD is a CD or DVD burned with a Linux distribution. A LiveUSB is a USB flash drive "burned" (use Rufus or Win32DiskImager in Windows, or dd in Linux, with dd being the most reliable method) with a Linux distribution. LiveCDs are slower than LiveUSBs because CD/DVD drives offer slower I/O than USB. There are two types of LiveUSBs, those that save nothing and those that offer an option to save changes, with antiX, MX Linux, and Puppy Linux being good examples of the latter. Most PCs automatically boot from a CD or DVD, but most require pressing a keyboard key as soon as the first boot screen is seen to boot from a USB, and some won't permit it until BIOS options are properly set. Ubuntu, openSUSE, Mageia, Fedora, MX Linux, antiX, Puppy Linux, and Manjaro (its parent, Arch, adds more details) offer advice on the subject of LiveUSBs. To prevent any potential writing to drives, temporarily disconnect all HDDs and SSDs and use a LiveCD. To maximize security, do your banking as soon as the system boots, and then shut down or reboot, to eliminate any malware resident in memory.
Q: What is the best antivirus for Windows?
A: Read the findings of the two most trusted labs, AV-TEST and AV-Comparatives. Your author recommends Bitdefender, G DATA, F-Secure, ESET, Avira, and a combination of Malwarebytes and Windows Defender. Both G DATA and F-Secure use Bitdefender's scanning engine in addition to one of their own, CloseGap and DeepGuard, respectively.
Some vendors offer a free version of their antivirus without all of the features contained in their paid product, as AV-Comparatives noted in its test, with technical support, secure browsers, and ransomware protection being just a few of the missing features. Some sell browsing history to recoup the cost. Some vendors offer add-ons, free and paid, with Google products often being installed by default (deselect the checkboxes to avoid them). Some start trials of products. Some display ads or try to send notifications to the desktop.
Some vendors offer removal tools for specific malware, though you've got to know which one is infecting your PC: Symantec offers removal tools, AhnLab offers removal tools, and Bleeping Computer offers removal guides.
RKill is a program from Bleeping Computer that terminates malware so your regular antivirus can remove it. It's always used as the first punch in a one-two punch combination with no reboot in between. It's useful for nasty malware that aggressively fights being removed.
There are options for a free second opinion if you suspect your computer might be infected. Symantec offers Norton Power Eraser, which is intended for "deeply embedded and difficult-to-detect" malware, including rootkits, and does not require installation, though it does require a reboot to eliminate rootkits. F-Secure offers Online Scanner, which does not require installation, but it does imply after scanning has completed that your current antivirus solution is second-rate, offering to sell a subscription. Microsoft offers Safety Scanner, the antivirus engine in Windows Defender which does not require installation, Malicious Software Removal Tool, the same one offered each month via Windows Update which does not require installation, and Windows Defender Offline, which is used via CD or USB flash drive, running a temporary operating system instead of the installed one in order to be able to remove rootkits. Malwarebytes offers a second-to-none scanner, but it starts a free trial of its paid product and requires installation, with reboots if serious malware is found. None of these free products should be used as the only antivirus, as they offer no real-time protection.
Antivirus products are often difficult to completely remove. Bitdefender offers uninstallation tools for its products, both paid and trial, as well as uninstallation links for most other vendors. G DATA offers an uninstaller and other tools on its downloads page. F-Secure offers an uninstaller and other tools. ESET offers instructions and an uninstaller tool. Avira offers uninstallation instructions. Malwarebytes offers its Clean Uninstall Tool. Symantec offers its Norton Remove and Reinstall tool. To complete the uninstallation, look in both "Program Files" and "Program Files (x86)" and remove all directories with the name of the antivirus vendor (expert users should also peruse ~/AppData and C:/Windows/Prefetch, with the name often being abbreviated in the latter, e.g. for Bitdefender, there may be entries starting with "Bitdefender" and "BD"). If an entry remains in Control Panel -> Uninstall a program, use Revo Uninstaller.
Don't install more than one antivirus product, as they will interfere with each other, with one exception, Malwarebytes. It can be used as a paid product that updates itself, provides a real-time shield, and performs scheduled scans, or as a free on-demand scanner. It is advertised to work alongside "the free AV that comes with modern operating systems," referring to Windows Defender and MSE, protecting against malware, ransomware, exploits, and malicious web sites. Every now and then, Malwarebytes will notify you that its protection has stopped, sometimes with the setting to restart protection apparently frozen, but a Windows restart will rectify the situation. Before the introduction of version 3.x, lifetime licenses were sold, but now only yearly subscriptions are sold. If the paid product is installed on a system and you need to move it, even onto the same hardware after Windows reinstallation, deactivate the license first (click on My Account at top-left and click on Deactivate License at the bottom) and then reactivate it on the new system.
Windows Defender and Malwarebytes have an interaction problem on Windows 8.1 / 10, one where Windows Defender will simply stop working with no notice. After the Windows Defender GUI is started, a popup will appear that it cannot be started. The solution is to set Windows Action Center in Malwarebytes Settings to "Never register Malwarebytes in the Windows Action Center."
Some antivirus vendors offer browser extensions, e.g. Malwarebytes Browser Extension (for Firefox and Chrome), Bitdefender TrafficLight (for Firefox and Chrome), and Avira Browser Safety (for Opera and Chrome). There is overlap between them and ad-blocking / privacy extensions, but they all block malware.
Some browsers allow for the disabling of checks for risky sites, e.g. Opera's "Protect me from malicious sites," Brave's "Block Phishing / Malware," and Vivaldi's "Google phishing and malware protection," with Google being used to verify URLs, recording your browsing history as a bonus. Any good antivirus or one of the above browser extensions will perform that check, so it can be disabled in the browser, gaining some privacy in the bargain.
Security blogs and references, notably ZDNet Zero Day, Bleeping Computer News, Bitdefender Labs and Blog, Malwarebytes Blog, ESET We Live Security, Sophos Naked Security, F-Secure Blog and Safe & Savvy, G Data Security Blog, Trendlabs Security Intelligence and Simply Security, Avira Blog, Kaspersky Securelist, ProtonMail Blog, and NIST National Vulnerability Database, offer security news.
And it's never a good idea to install tune-up utilities or toolbars. The most screwed-up PCs are often ones with these products.
Q: I was told that some malware cannot be identified by antivirus software and therefore antivirus products are useless. True?
A: That malware is classified as zero-day. It is called that because on the day your PC sees it, your antivirus vendor has not yet seen a sample of it so it has not been able to include a defense for it in its product. Eventually the vendors will get around to rectifying that, but some PCs will become infected before then.
Surfing without antivirus protection puts you at risk of malware which has already been identified by antivirus vendors. Ransomware is probably the worst threat for most people, but cyber-thieves don't stop using variants after they have been included in antivirus products. For example, WannaCrypt (a/k/a WannaCry) mainly hit PCs without current Windows updates. And 90% of companies Fortinet tracked were attacked with three-year-old exploits and 60% of organizations were attacked with exploits ten years or older.
Q: Does it really matter if I renew my antivirus product? Am I not protected 99+% via the already-downloaded signatures?
A: New malware is created every day. Having a lapsed subscription means that all new malware is a zero-day from your point of view. And many antivirus vendors have switched to a cloud scheme where some or all of the signatures of potential malware no longer reside on your PC. As soon as your subscription lapses, the cloud becomes unavailable to you.
By the way, if your antivirus product is sold in stores, e.g. Norton, you can buy a copy on sale and use the activation code to renew, saving money over the regular price. You can use products intended for more users than you have.
One advantage of Windows 10 is that if an antivirus subscription is allowed to lapse, Windows Defender will be automatically enabled.
Q: How do I determine if an email is a phishing one?
A: Phishing, where grifters try to convince users to click on a link that is not what it seems, is responsible for the vast majority of cyber-breaches. To avoid it, users must religiously adopt one habit.
URLs all follow the same scheme. They start with either http:// or https:// -- there's also ftp://, but that is for transferring files via FTP -- with everything from those two slashes to the next slash or the end of the URL being the fully qualified domain name (FQDN). For example, a link might read, https://www.paypal.com/blah/, which is a valid link because www.paypal.com is an FQDN. Another example might read, http://www.paypal.paymenow.com/someconfusingtext/, which is a phishing URL because www.paypal.paymenow.com points to paymenow.com, not paypal.com. To further simplify things, only the two right-most parts of the FQDN are important for users, e.g. www.amazon.com is routinely shortened to amazon.com, with amazon being the domain and .com being the top-level domain. Also note that paypal.com and paypal.net are different domain names. Domain names can be looked up via ARIN.
Before clicking on any link on Windows and Linux PCs, whether in email or on a web site, position the mouse cursor over it without clicking, which will cause the text of the actual URL to be displayed in the lower-left corner of the screen. Compare the displayed text to what you expect, and if the text is unexpected, do not click on it.
On a related note, an arbitrarily named concept called punycode could cause you to access a web site via a homograph attack. It's only an issue with Firefox and spins, but it allows a URL to include ASCII coding to display foreign language characters that look like the ones you want, but are actually quite different, e.g. using Russian letters instead of English ones. To prevent this in Firefox and spins: type "about:config" in the address field, press Enter, accept the warning about being careful, type "network.IDN_show_punycode" in the search field, and double-click on that entry (you want Value=true).
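The link-reading rule above and the punycode issue, turned into a checker as an added example (this is not code from the FAQ). It assumes the FAQ's simplification that the two right-most labels are the real domain (no public-suffix handling, so co.uk-style names are not covered), and the sample links are constructed; it also goes slightly beyond the text by flagging a bare IP address and a "login@" prefix before the real host.

```python
# Added example (not from the FAQ): apply the FAQ's link-reading rule in
# code. Assumptions: the two right-most labels are the "real" domain (no
# public-suffix list), and the sample links below are constructed.
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Two right-most labels of a host (www.amazon.com -> amazon.com).
    This is the FAQ's simplification; it ignores suffixes like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def punycode_labels(host: str) -> list:
    """Unicode form of every xn-- (punycode) label in host, so a homograph
    such as a Cyrillic 'a' becomes visible instead of hidden."""
    shown = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                shown.append(label.encode("ascii").decode("idna"))
            except UnicodeError:
                shown.append(label)  # undecodable: still suspicious
    return shown


def check_link(url: str, expected_domain: str) -> tuple:
    """Compare where a link really goes with the domain the user expects.
    Returns (ok, findings); findings is empty when the link checks out."""
    findings = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        findings.append("scheme: not http/https (%s)" % (parts.scheme or "none"))
    host = parts.hostname or ""
    if not host:
        findings.append("host: none found")
        return False, findings
    if parts.username is not None:
        # Browsers treat text before '@' as a login name, not as the site.
        findings.append("userinfo: '%s@' hides the real host %s" % (parts.username, host))
    try:
        ipaddress.ip_address(host)
        findings.append("host: bare IP address %s instead of a domain name" % host)
        return False, findings
    except ValueError:
        pass  # not an IP address, so carry on with the name checks
    for label in punycode_labels(host):
        findings.append("punycode: label displays as %r" % label)
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append("domain: %s points to %s, not %s" % (host, actual, expected_domain))
    return (not findings), findings


# Constructed sample links: the FAQ's two examples, a sibling TLD, a
# homograph host built from a Cyrillic 'a' (U+0430), and a userinfo trick.
HOMOGRAPH_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")
SAMPLE_LINKS = [
    "https://www.paypal.com/blah/",
    "http://www.paypal.paymenow.com/someconfusingtext/",
    "https://paypal.net/login",
    "https://%s/" % HOMOGRAPH_HOST,
    "https://paypal.com@198.51.100.7/",  # 198.51.100.0/24 is a documentation range
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        ok, findings = check_link(link, "paypal.com")
        print("OK  " if ok else "WARN", link)
        for finding in findings:
            print("      -", finding)
```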
Q: My PC was bitten by ransomware. Help!
A: Print screenshots -- the easiest method on Windows is to press PrintScreen, start Paint, press Ctrl-v, and print -- of all warning messages so you can use them as reference. It might be easier to take photos of the screens, because the ransomware may interfere. Then shut down the PC and do not start it again until you have decided what to do. You will need a second PC for research, doing so at No More Ransom Project, F-Secure, Bitdefender, Avast, and NJCCIC. Decryption tools are available for some, but definitely not all, ransomware variants from No More Ransom Project, Bitdefender, Bleeping Computer, Kaspersky, Avast, and Trend Micro.
You can pay the ransom, but only half of those who paid a ransom were able to recover their data. Some ransomware purveyors are incompetent (PowerWorm) and/or malicious (NotPetya and Annabelle) and do not decrypt files after payment. Search on your particular ransomware before paying. And then you must remove the ransomware, because it will bite you again in the future. Malwarebytes would be your author's first choice for removing ransomware.
It won't help you now, but you need to start making backups so you won't be put in this situation again. For most people, all that is needed is a disk large enough for all of the data and a docking station. At the end of each day, you copy your data from the system drive to the backup drive. You must not keep the backup drive running all day for three reasons. First, you are wasting electricity. Second, you are shortening the life of the drive. And third, ransomware will encrypt any data it sees on the PC, so your backup drive will be of no use. The best tactic is to have multiple drives in rotation for backup use because you might not know when ransomware actually strikes.
And you need to change your email habits (see previous section), because over 90% of phishing emails contain ransomware.
Q: How do I research an error message shown on my Windows PC?
A: Copy the error message exactly and note the time of the event. If your PC is still running, copy and paste it into a file and save it. If your error message is shown on a black, blue, or cyan screen -- called a Stop Error, Blue Screen of Death (BSOD), or blue screen -- copy the error message quickly, because it will only be displayed for a short time (for Windows 7 and previous, it will be the second or third line of text; for Windows 8/8.1/10, it will be found at the bottom-right of the text). Looking at Windows event logs (read Microsoft instructions and Bleeping Computer instructions) may give additional insight, especially if the error code flashed by too quickly to copy. Here's a Microsoft list of blue screen error messages. If you changed any hardware recently, that should be the first thing you investigate.
Microsoft Community is a forum for Microsoft products. Search on the text of your error message to see if you can find a relevant answer. To ask a question, you will need a Microsoft login of some kind. You can also search on the text of your error message at microsoft.com. Problems with Windows 7 and all previous versions are no longer addressed by Microsoft employees.
Q: Is there any way to stop annoying ads, especially pop-ups, from appearing?
A: First, a definition. A browser spin is created by taking the source code of an existing browser, usually either Firefox (Mozilla's heir to Netscape Navigator) or Chromium (Google's open source browser) and creating one with different features, behavior, and/or appearance. Examples of Firefox spins are Waterfox (Firefox ESR spin with telemetry removed; does not work with Microsoft Community), Pale Moon (divergence of Firefox at v-4.28 with its own extensions), Tor browser (Firefox ESR spin that masks IP addresses via a volunteer network, but is often slow due to the extra nodes), and SeaMonkey (Internet suite with Firefox ESR spin browser, email, and newsgroups, with its own extensions). Examples of Chromium spins are Vivaldi (like Otter, it's being developed by those who pine for Opera v-12), Opera (has its own extensions; its VPN is only a proxy, though that's sufficient to mask IP addresses), Brave (has a controversial ad scheme, with its FAQ illustrating the philosophy; HTTPS Everywhere is installed and enabled by default), Otter (employs a QtWebEngine wrapper around Chromium, so the intrusive "auxiliary services that talk to Google platforms are stripped out"), and Chrome.
Firefox extensions often work in Firefox spins and Chrome extensions often work in Chromium spins. Waterfox and Tor Browser accept only the extensions that Firefox ESR accepts. Vivaldi accepts Chrome extensions. Opera allows Chrome extensions to be added only after Install Chrome Extensions is installed, though given the great selection of Opera extensions, there's little reason to install ones from the Chrome Store. The next major release of Brave, Brave Core, will accept Chrome extensions. Otter is still in beta, with support for Chrome extensions not arriving until v-2.0.
Make sure the setting to block pop-up windows is selected and that third-party cookies are blocked.
The premier ad-blocker, uBlock Origin, is available for Firefox, Opera, Edge, and Chrome, with it not storing browsing data. Ad-blockers are included in Opera (enable ad-blocker in Settings or install uBlock Origin), Brave (enable ad-blocker in Preferences->Shield), Midori (lightweight browser from Xfce using WebKit; enable ad-blocker in Preferences->Extensions), and Otter (enable ad-blocker in Tools->Content Blocking), with Chrome only having a partial ad-blocker.
- uBlock Origin will block it per site: click on the icon in the browser toolbar and click on </> at the bottom right of the popup.
For Firefox and spins, media autoplay can be prevented: type "about:config" in the address field, press Enter, accept the warning about being careful, type "media" in the search field, and double-click on "media.autoplay.enabled" (you want Value=false), though this setting sometimes blocks video you want to see.
Some web sites do not work properly when an uncommon browser is used because they simply look for a famous browser name and give up if one is not found. In that case, Midori allows changing the name via Preferences->Network and Otter allows changing the name via Preferences->Advanced->Network.
Two browser extensions worth considering from the Electronic Frontier Foundation are HTTPS Everywhere (for Firefox, Opera, and Chrome) and Privacy Badger (for Firefox, Opera, and Chrome), though the latter's functionality overlaps with that of ad-blockers.
Only install browser extensions that you actually need. Most of them sell your browsing history. And extensions from the Chrome Store have a reputation for malware, so stick with ones from trusted vendors.
VikingVPN has a hardening guide for Firefox, with it being relevant for spins.
Q: Is it okay to leave the settings of my router on the default ones?
A: Strictly speaking, a modem, whether dial-up, DSL, or cable, connects to a telephone or cable line and provides a single Ethernet port, with a router connecting to a single Ethernet port and splitting that into multiple Ethernet ports (a switch will do the same thing as a router, but it lacks a firewall). In the past, ISPs offered either modems or wireless modem-router combinations, but now ISPs provide only the latter. In the below text, router will refer to wireless modem-router combination.
Routers have a factory preset ID and password, though obvious ones, e.g. "admin," must be changed (the best have randomly generated IDs and passwords printed on a label on the bottom). Administrator and Wi-Fi connect passwords should be different to prevent users from changing settings. A connect password will prevent freeloading neighbors and war-drivers from downloading child porn via it (you could be arrested for it because the FBI will think it's you). All current routers are vulnerable to password-guessing attacks -- WPA3 will change that -- so passwords should be at least 16 characters (see the next section for details).
Disable remote administration, as it opens a backdoor for attacks. Disable WPS (Wi-Fi Protected Setup), as it provides a way around your connect password. Disable UPnP (Universal Plug and Play), as its bugs can be taken advantage of by hackers.
Firmware should be updated as soon as updates are available, as routers will not auto-update or inform you that updates are available. Obtain updates only at the vendor's web site. Another option is to install Linux-based firmware, e.g. DD-WRT or Tomato, if your router is supported (many aren't), or buy a router which already has it installed.
The FBI recommended that the over 500,000 victims of the VPNFilter botnet should reboot their router, but that advice should have been to reset it (press the reset button in back for about one minute to revert all settings to factory ones, then change the default settings to the ones you need). Use Symantec's free VPNFilter Check to determine if your router has been compromised. If you're paranoid, you can reinstall the factory firmware.
Q: How do I choose a secure password?
A: The best passwords are long sequences of ordinary words, e.g. "maryhadalittlelambandsometrendywhitewine," because miscreants guess the most likely possibilities or simply try every combination of letters and numbers. 16 characters is currently too long to brute-force in a reasonable amount of time, but given the ever-increasing speed of computers, that number should probably be incremented by one every year. Adding capital letters and special characters will definitely add security, but do it in a way you can remember, and don't capitalize the obvious words, e.g. in the previous example, don't capitalize "Mary," capitalize a word that is never capitalized. Don't merely convert the letter 'o' to the number '0' or simply add a number at the end of a word because cracking tools account for that.
Q: How can I hide my IP address from web sites?
A: There are a number of ways to do that, but they usually involve a cost in money or response time.
First determine the IP of your router. For Windows PCs, use the instructions found here. Most virtual private network (VPN) providers display your IP address on their home page in an unsubtle reminder, e.g. NordVPN, with a VPN being a network of servers designed to reroute Internet traffic through an encrypted tunnel to mask your IP address (here are explanations from ExpressVPN and NordVPN).
For Firefox and spins, your location can be masked, though it's not a good idea when using Wi-Fi: type "about:config" in the address field, press Enter, accept the warning about being careful, type "geo.enabled" in the search field, and double-click on "geo.enabled" (you want Value=false).
For Chromium and spins, your location can be masked, though it's not a good idea when using Wi-Fi: for Opera, Chromium, and Chrome, disable the option at Settings->Advanced->Privacy and security->Content settings->Location (you want "Ask before accessing" to be false); for other spins, surf through the settings.
One way to hide IP addresses is to use Tor browser. Tor is a volunteer network of servers that reroute your Internet traffic through a few nodes, often in different countries. Response is significantly slower than normal. Tor depends on exit nodes, where the final server decrypts your data and passes it back to the Internet, with the possibility of nefarious types establishing exit nodes to read traffic of unsuspecting users, so Tor browser should never be used for banking.
The best way is to use a VPN. Free ones sell your browsing data to advertisers. PC Magazine, Tom's Guide, CNET, and PC World have recommendations for Windows -- PC Magazine also has recommendations for Linux -- and AV-TEST tested twelve of them, with NordVPN usually ranked near the top. Three good VPNs are ProtonVPN from Proton Technologies, which also offers the end-to-end encrypted email service ProtonMail, Phantom VPN Pro from antivirus vendor Avira, and FreedomeVPN from antivirus vendor F-Secure.
Opera has an option to mask IP addresses, but it is only a proxy, not a true VPN, though that's enough for many uses.
Q: There are some Windows updates available for my old PC hardware running Windows 7/8.1. Should I accept them?
A: Microsoft has released some strange updates for older hardware ever since Windows 10 was released, some of which break things. For Windows 8.1 and previous: start Windows Update, select the update in question but don't click on the checkbox, click on "More information" to the right, and read the description that appears in IE. If the description is generic and/or irrelevant, don't accept it. This assumes you set Windows Update policy to "Check for updates but let me choose whether to download and install them" and deselected the setting marked "Give me recommended updates the same way I receive important updates," as Microsoft can no longer be trusted.
It's common for Windows 10 PCs to display a black screen for five minutes or more while downloading and installing updates.
To refuse future drivers in Windows 10, you need to do two things, though the second is not available with Home or S:
- Open Control Panel. Click on "System and Security." Click on "System." Click on "Advanced systems settings." Click on the "Hardware" tab. Click on "Device Installation Settings." Click on "No." Click on "OK."
- Type Win-r (Win is the Windows key), which will display a pop-up to enter commands. Type "gpedit.msc" and click on "OK." Double-click on "Administrative Templates" under "Computer Configuration." Double-click on "Windows Components." Double-click on "Windows Update." Right-click on "Do not include drivers with Windows Update" and select "Edit." Click on the "Enabled" checkbox and click on "OK."
And verify that the settings remain the same after every major update.