(And a brief guide to their use)
Here are some useful programs I have found for increasing the security of your PC. I have listed the programs by categories in order of what I deem to be the most important. While there are many excellent software solutions for improving computer security, I have opted to list those which I personally recommend to keep the list simple and easy to follow.
The recommendations provided are based upon my own research and experience. I currently have no financial ties to any of these products.
The use or misuse of third-party software is at your own risk.
Security Suite (Use only one):
The security suite is one of the primary software security solutions which should be installed. A good security suite will include several features including antivirus, antispyware, firewall, anti-phishing, among other features. Note - It is important to only install one antivirus as well as only one firewall on a computer as installing more than one antivirus and/or firewall may cause conflicts as they can interfere with each other.
- Norton 360 (recommended) - N360 includes antivirus, antispyware, firewall, intrusion protection, anti-phishing, email protection, password management, parental controls, among other features. It performs well and has a minimal impact on overall computer performance. Most of the essential features are running and properly configured upon installation, and updates occur automatically in the background so for those users who prefer a "install-it-and-forget-it" option NIS is a great choice. But it also includes many ad- vanced settings for those who do like to interact with their security.
*Note* - My list of recommended security suites is based off of reading numerous reviews for the top rated security suites over the course of several years. Essentially, these security suites have consistently come out on top year after year as the best in most reviews I've read. Out of those recommended, I recommend Norton for it's ease of use, their emphasis on performance, their long standing reputation.
Anti-Spyware (install any or all of these):
A great adjunt to an anti-virus program are some stand-alone antispyware programs. These programs are not full-fledged antivirus solutions (so do not use these to replace your antivirus), however they do offer protection against many types of malware. Personally, I do not recommend installing any resident protection (i.e. anything that loads on computer startup and runs in the background), I recommend letting your security suite / antivirus handle the resident protection. These programs should be used occasionally to scan for any malware that the antivirus may have missed (or perhaps did not miss in itself, but left a few remnants behind when cleaning the malware).
- Malwarebytes - Malwarebytes is an excellent program for finding and removing malware. The malware definitions are updated frequently (be sure to update the program before scanning). There is a free version for manual scans and a PRO version for automatic protection.
- Spybot: Search and Destroy - Spybot: S&D is also a useful anti-spyware program. One of the primary reasons I like this one so much is not so much for the scanning, but for the immunizations. Spybot: S&D has the capability to provide an additional layer of protection from malware and harmful websites by utilizing features inside of Windows and Internet Explorer, Firefox, and Flock. While these features are available already in Windows and Internet Explorer, how many of us know which sites to block and then to go through and take the time to list the thousands of sites we want blocked? Well, Spybot: S&D does this for us with it's Immunization feature by loading it's list of known harmful websites. Be sure to update the program before Immunizing or scanning for spyware.
- SpywareBlaster - SpywareBlaster is not a malware scanner, but is like Spybot: S&D's Immunization feature as a stand-alone program. I recommend using this in conjunction with Spybot: S&D because it contains some immunizations that the other will miss and vice versa. SpywareBlaster is particularly useful at blocking specific harmful ActiveX apps from running in Internet Explorer, but also contains some immunizations for other web browsers such as Microsoft Edge, Google Chrome, and Mozilla Firefox. Again, be sure to update the program before immunizing. SpywareBlaster comes in free and paid versions, the paid version supporting automatic updating.
An important way to keep your system from security vulnerabilities is to update the programs which have the vulnerabilities. As noted earlier, it is important to keep your security software up to date so that it can protect against the latest known threats. Next, it is important to keep Windows itself up to date via Windows Update (found in your Start Menu). These updates should be installing automatically, but it is a good idea to check them every so often to make sure everything has been installed. As a general rule of thumb, Microsoft releases updates on the second Tuesday of each month so this is a good time to check for new updates via Windows Update.
But what about other programs? There can be quite a few programs installed and so it becomes difficult to manually check each and every one of them to see if there are newer versions available. Wouldn't it be nice if there was a program to let us know when there were out of date programs installed which have security vulnerabilities? Well there is:
- Software Update Monitor (SUMo) - SUMo is a very useful program for scanning your computer for out of date software. Personally, I recommend using SUMo just to let you know which programs are out of date and then manually updating the programs using either their built-in updaters or by going to the appropriate websites. After updating, you can verify by re-checking with SUMo to ensure all programs (or at least most) have been updated.- SUMo is a very useful program for scanning your computer for out of date software. Personally, I recommend using SUMo just to let you know which programs are out of date and then manually updating the programs using either their built-in updaters or by going to the appropriate websites. After updating, you can verify by re-checking with SUMo to ensure all programs (or at least most) have been updated.
An antikeylogging program protects against software that captures keystrokes from your keyboard. Keyloggers are a danger when it comes to identity theft because if someone were to monitor your keystokes, you would be giving away anything you type on your keyboard. The information could be a harmless document or letter, or it could be passwords or financial information (such as your credit card number). If you opt not to install additional software to protect against keyloggers, you can still gain much protection from known keyloggers from your antivirus and antispyware programs. However, if you are really concerned about identity theft and keyloggers in particular, then you may wish to install an additional layer of protection.
- KeyScrambler - KeyScrambler has the ability to protect against all (or at least most) software-based keyloggers by encrypting keystrokes. Keyloggers will see encrypted (scrambled) data instead of what is being typed and yet the user continues typing as though nothing was going on in the background. KeyScrambler can also display a visual to let you know it's working and so you can see how it is working. KeyScrambler comes in three editions: a free version, professional, and premium. The free version only works with some web browsers (Internet Explorer, Firefox, and Flock), while the professional and premium versions offer protection for numerous other programs and Windows login.
- PerfectGuard - PerfectGuard is designed to work alongside of existing security software to provide an additional layer of defense by protecting from keylogging, intrusion, and ransomware. If you use Pandora Radio, PerfectGuard can also provide protection by sandboxing Pandora, thus preventing downloads from affecting the rest of the system.
Ransomware is a type of malware which holds a person's data ransom by encrypting it and requiring money to be sent in exchange for the decryption key(s). The FBI discourages users from paying to retrieve decryption keys because they are only funding and encouraging cyber criminals and they are not guaranteed to receive the decryption keys anyways. While top-rated security software should provide substantial protection from ransomware, the seriousness of this type of malware warrants an additional layer of protection (so long as it is compatible with your existing security software).
- Acronis Ransomware Protection - This free software helps protect from ransomware by monitoring for ransomware-like activity. Because it works by detecting behavior patterns, it can detect zero-day ransomware attacks (ransomware for which security software has yet to write signatures to detect). While some anti-ransomware software protects only certain folders, Acronis RP protects the entire system.
DNS stands for Domain Name Server. Normally, the domain name server is provided by your ISP (Internet Service Provider). The function of the domain name server is to provide your computer with the IP (Internet Protocol) Addresses of all the websites you type in. For example, if you type www.google.com into your web browser, your computer does not immediately know how to find Google's website. It must send that address to the DNS which then looks up the associated IP Address which is then used to find Google's server.
So what is a Safe DNS? A Safe DNS is one which blocks out harmful or unwanted websites and is used to replace your standard DNS. This adds yet another layer of protection by preventing the user from even accessing these websites to begin with. The DNS can be changed from either the individual computer or on the router. When the Safe DNS is used at the router level, it will protect all deviced connected on that network. However, portable devices will not be protected when taken to other networks unless the Safe DNS is applied to each device individually. Refer to these websites or your router's documentation for how to change the DNS.
- OpenDNS - OpenDNS provides categories to block. Suggested categories to block:
Level 1: Ad-ware, Web Spam, Phishing Protection
Level 2: Pornography, Nudity, Sexuality, Tasteless
Level 3: Academic Fraud, Alcohol, Dating, Drugs, Gambling, German Youth Protection, Hate/Discrimination, Lingerie/Bikini, Parked Domains, Tobacco
Adult Themes is a category used for very restrictive networks. Do not check if you want to allow wrestling sites.
Proxy/Anonymizers can be useful sites to hide privacy, but also can be used to circumvent existing filtering. Check this category if you want to ensure these sites are not used to by-pass content filtering.
Windows 10 Privacy:
With the release of Windows 10, there have been concerns regarding Microsoft's collection of and access to information that some may not entrust to others. Even changing many of the built-in privacy settings may not prevent Window 10 from sending telemetry back to Microsoft. There is also the potential issue of reduced PC and networking performance as the computer has to send this data back. Below are programs designed to customize internal settings to prevent Windows 10 from sending this data.
- O&O ShutUp10 - O&O ShutUp10 provides access to many options to control the way Windows 10 gathers and uses data. Simply clicking on an option will provide details of what each setting does. I recommend beginning by clicking Actions > Only Apply Recommended Options and then reviewing the options for further customization. If you want Windows to synchronize your settings across all your devices (and possibly restore these settings in the event of a systrem reinstallation), you may want to disable the protection under "Synchronization of Windows Settings."
Web Browser Extensions:
There are several add-ons or extensions for web browsers (such as Microsoft Edge, Google Chrome, and Mozilla Firefox) which can enhance the security and privacy of surfing the web. Here are some recommended add-ons to help increase your online privacy. These are listed in order of importance. Although ALL of them can be installed together. *Note* - Some of these are not available for ALL web browsers, but you will need to install them for EACH web browser you use and want the protection for.
- McAfee SiteAdvisor - Warns about potentially dangerous sites. *Note* - SiteAdvisor is not necessary if your security suite already provides this functionality, however, installing SiteAdvisor should not conflict with you existing security suite in the event you want multiple checks for dangerous websites (a second opinion), although this may somewhat degrade performance.
- Ad-Block Plus - Will block ads and pop-ups on websites. This add-on works by using lists. Choosing which lists to use will affect the range of ads blocked. The standard "EasyList" is a good place to start. *Note* - Some websites may need to be allowed in order to function properly.
- Ghostery - Will filter tracking used by websites for various purposes, including advertising. Recommended to enable Global Blocking across all domains listed. *Note* - Some websites may need to be added to the trusted sites list in order to function correctly.
- HTTPS Everywhere - Will attempt to connect to websites using a secure (encrypted) connection when available instead of the standard non-encrypted pages.
Encryption software can encrypt files and drive partitions to prevent the data from being read by anyone who does not have a password. It is particularly important to ensure that sensitive information remains on encrypted disk drives or within encrypted file containers. BitLocker is available on new versions of the Professional versions of Windows, but if you'd like more functionality and improved encryption algorithms, the following are recommended. My personal recommendation is to use BitLocker for full disk encryption and the third-party option below to produce a super-secure encrypted secondary partition using a triple-cascade (3 layers of encryption) to store sensitive data. This partition can be mounted (unlocked) when needed and unmounted (locked) when not in use to provide a significant level of security for sensitive data. If you use a local-pasword manager (see below under Password Managers), I recommend storing it on an encrypted partition.
- VeraCrypt - VeraCrypt provides disk and file-container encryption with several algorithms to choose from, including dual and triple cascade options (using two or three different encryption algorithms). There is also support for keyfiles, which provide a form of dual-factor authentication. If you'd like an option that is essentially a presently supported version and further developed edition of TrueCrypt, VeraCrypt is an excellent choice. VeraCrypt is based on TrueCrypt 7.1a.
One of the most basic recommendations for security is to use unique, long, complex passwords for all accounts. However, many users choose to use a single, simple password for all their sites. This is a serious mistake in security because if one site is compromised, all others could potentially be as well. Password managers provide a practical way for managing unique, long, and complex passwords for all your accounts. There are two basic types of password managers cloud-based and local. Which one should you use? Personally, I recommend both, but for slightly different purposes.
Cloud-based password managers are convenient when using multiple devices, because adding or updating a password for a website will then syncrhonize to all of your other devices. However, since the passwords are stores in the cloud, there is the potential for them to be compromised. This is one reason you want to use a well-trusted password manager which supports solid encryption, two-factor authentication, and preferably dual-passwords (one to login to the account, the other to open the password manager itself, such as Norton Password Manager). Your security software (such as Norton) may come with a password manager which you may want to use. I personally recommend storing only website passwords in cloud-based password managers. I would discourage storing local passwords (such as Windows login, Wi-Fi, router passwords, smartphone and tablet passwords, etc.) and banking passwords in cloud-based password managers.
Local password managers only store a database of passwords on your computer. The benefit of this is that there should be increased security in the sense that they are not stored in the cloud, however this also depends on how secure your computer is. The downside is that the database must be copied to all devices from which you want to access the passwords from. I would recommend using a local password manager for local passwords and banking passwords, or as a master password list which also includes all website passwords as well (having two password managers will also provide a form of backup in case one fails, though it requires more effort to maintain two). I also recommend storing local password databases on encrypted partitions (such as with VeraCrypt -- see above under Encryption Software).
- 1Password - 1Password is a cloud-based password manager which supports two-factor authentication and can check for leaked or compromised passwords using the Have I Been Pwned website.
- KeePass - KeePass is an open-source local password manager which supports a lot of plugins. KeePass also supports keyfiles, providing a form of dual-factor authentication. For serious security, I recommend using the Multi-Cipher plugin which provides an additional layer of encryption using a 2nd password. If stored on a triple-cascade encrypted partition (such as with VeraCrypt -- see above under Encryption Software), this will provide 5 layers of encryption, using 4 algorithms (AES will likely be used twice), and 3 passwords. This provides substantial security for sensitive data such as banking passwords, however this approach requires more effort to open. Many users will likely prefer to forego the Multi-Cipher and just use one password for the database, but it is still recommended to keep it on an encrypted partition.
When email is transmitted over the internet, it is normally through plaintext which can potentially be intercepted and read by unauthorized parties. While using an email service which provides secure (HTTPS) logins and sessions is important and helpful, this still does not ensure that either the email service provider is not accessing your emails or that the email is intercepted by other parties when the email gets passed along to whereever it is going.
End-to-end encryption is the preferred method to ensuring secure communications between two parties. This is accomplished by using an asymmetric encryption algorithm. What happens is that two keys are used: a private and public key. What one key encrypts, only the other key can decrypt. Should you use end-to-end encryption with email, you will produce two keys. The private key you will keep and never share. The public key you share with people you want to be able to send and receive secure emails to and from. Also, the other person will generate their own set of private and public keys. He or she will keep the private key and share the public key with you. If you want to send that person a secure email, you encrypt the email with the other person's public key. When he or she receives the email, it may be decrypted with his/her private key. The converse is also true: if that person wants to send you a secure email, the email is encrypted with your public key and then decrypted with your private key once you receive it.
The two main difficulties with this approach is: (1) the complexity of how it works deters people from using it, and (2) both parties need to install an setup their own private/public key and have it working with their email client. However, it does provide a method for essentially secure communications via email. If you would like to use end-to-end encryption over email, the programs below are recommended.
- GNU Privacy Guard - GNU Privacy Guard is a free, open-sourced program which allows for end-to-end encryption. Linked is the Windows version of the program. For other versions and more information, see this website.
*Note* - PGP was the original email end-to-end encryption program, purchased by Symantec in 2010. It is a retail option.
VPNs (Virtual Private Networks) provide a substantial increase in security and anonymity when browsing the web. Essentially, a VPN can provide security in two ways: (1) by hiding your IP address from other computers you are connecting to, and (2) by encrypting all data between your computer and the VPN server(s), hiding data transmissions from any possible snooping between those points, most notably from ISPs (Internet Service Providers) and from unsecure public networks such as open Wi-Fi connections.
Note - A consideration about using VPNs for sensitive transmissions, such as banking: While using a VPN should increase security and privacy of sensitive transmissions, the VPN provider needs to be trusted and in the event one of their servers is compromised, there is the potential for transmissions to be compromised. For this reason, discretion should be used when to use, and not to use a VPN. Also, VPN connections should be disabled during gaming due to increased lag.
- NordVPN - NordVPN has thousands of servers world-wide, providing good performance, offers a number of different VPN connections, such as double VPN, and has a no-log policy. NordVPN is a subscription service for a fee.
Secure File Erasing:
Due to the way data is stored and managed, deleting files does not actually delete them, it only removes the link to the file, marking that space as unused. This data can be overwritten at some point, but remains on the drive until overwriting occurs. This can be useful for data recovery, but also provides a security risk when deleting sensitive information. A secure erase program can write over files or free space to ensure they are completely gone. These programs offer different ways of erasing and different numbers of passes to help ensure advanced recovery techniques cannot recover the data. 3-pass should be sufficient for general purposes and 7-pass for sensitive data. 35-pass is available, but is likely excessive. Essentially, more passes makes it less likely that data can be recovered.
- Eraser - Eraser can securely overwrite files, folders, or free space using an numbers of algorithms and passes. Eraser works by configuring a job and then either setting it to schedule or running on-demand.
Other Malware scanners for indepth cleaning: