SECURE WINDOWS FOR FREE
✓ Expose secretly running malware ✓ Get real-time virus updates ✓ Make browsing 100% secure
Everyone knows you need protection against hacker attacks, malware and numerous other threats. What you might not realise is Windows 10 includes a broad set of built-in tools that provide just that.
They’re all bundled together within the Windows Security app – but if the name is unfamiliar, that’s understandable. Prior to the September 2018 update, Windows’ various security settings were collectively accessed via the “Windows Defender Security Center”. That in turn was an evolution of the Windows Defender tool that had been built into Windows 8, which took over the antivirus duties previously performed by the standalone Security Essentials tool. You can probably see why Microsoft eventually decided to go with a simple, all-encompassing name.
In the latest version of Windows 10, Windows Security looks and works like part of the Settings app, and indeed the Security section of that app provides a page of direct links to all the different security features. Some of these are well known and self-explanatory, while others are unsung. Let’s look at some key features – and pick out a few settings that can be changed from their defaults to enhance your protection.
VIRUS & THREAT PROTECTION
Top billing goes to Windows’ built-in antivirus component, which for now retains the Defender name. And deservedly so – while old editions of the software provided only so-so protection, AV-Test’s most recent independent tests awarded Defender perfect scores across the board for protection, performance and usability (pcpro.link/320avtest).
Since real-time scanning is enabled by default, that excellent protection kicks in as soon as you try to access a malicious file – and Defender also automatically carries out regular quick scans of key system files, along with periodic full scans of your whole hard disk.
In its wisdom, Microsoft has chosen to make these scheduled scans mostly invisible, but at the top of the main “Virus & threat protection” settings window you’ll see the details of when the last scan was successfully completed. If it’s been a while since the last successful scan, you can launch one manually by pressing the “Quick scan” button, or clicking the “Scan options” link and selecting a full scan or a custom scan of specific items (see tweak one).
The next link down is “Allowed threats”, which lets you review items that you’ve allowed on your system after Defender has flagged them as suspicious. This can happen, for example, with third-party automation scripts or potentially unwanted downloads. Sometimes you’ll see a description of the supposed threat, but not any details of the file that triggered the alert: if you want to check your previously allowed items, you can find them by opening the Registry Editor and browsing to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions.
ADVANCED SETTINGS
Defender doesn’t give you a lot of controls to play with: the aim is clearly to handle security behind the scenes as much as possible. However, click on the “Virus & threat protection settings” link and you’ll find a few switches to toggle.
The first lets you switch off real-time protection (see tweak two), which can be handy if you need to work with (say) a folder full of files that Defender doesn’t like. The text above the switch warns that Windows will automatically turn it back on again after “a short time”; in practice, we’ve found it’s re-enabled when you reboot, or immediately after the next signature update, which will normally be within 24 hours.
To permanently disable real-time scanning, you’ll need to use the Task Scheduler to run the command in tweak two each time you log in. Frankly, though, we’d advise against this, as it leaves you exposed to malware attacks.
Similarly, there’s no obvious reason why you’d ever want to use the next switch down to disable “Cloud-delivered protection”.
This feature complements traditional signature-based detection methods by pooling live security data from connected Windows users and using cloud-based AI analysis to identify brand-new threats. It works in tandem with the next option down, “Automatic sample submission”, which kicks in when Defender can’t conclusively identify a file as either safe or malicious and sends a copy of it to Microsoft’s servers for more aggressive analysis. Windows will warn you if any personal information is included in the upload, but if you’re concerned about your privacy then you can disable this feature entirely.
Tamper Protection is another feature that’s mostly worth leaving on: when it’s enabled, Windows Security will ignore settings specified by certain Registry keys, PowerShell commands and group policies. This defeats a lot of older exploits that used to use these methods to disable Defender.
There are reasons why you might want to turn Tamper Protection off for a while: it allows you to take more control over the way Windows handles scans and threats. Open a PowerShell console as Administrator, enter Get-MpPreference and it will spew out 81 variables, covering things that can’t be controlled directly from the Windows Security window such as automatic scan frequency, remediation behaviour and quarantine options. They’re all explained at pcpro.link/320get-mp, and with Tamper Protection turned off you can use the Set-MpPreference cmdlet to change any of these settings (see tweak three).
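As an added example that is not part of the article, the script below uses the same built-in Defender module (Get-MpPreference, plus Get-MpComputerStatus for live engine state) to pull the settings discussed in this section into one report and flag values a defender would want to review: real-time and cloud protection, Tamper Protection, signature age, scan age and any exclusions (the same data that lives under the Exclusions registry key). The function name, the thresholds and the follow-up commands in the trailing comments are my own choices, not anything the article specifies.

```powershell
# Added example, not from the article: summarise Defender's state with the
# built-in Defender module. Run from a PowerShell console opened as Administrator.
Import-Module Defender

function Get-DefenderPosture {
    $status = Get-MpComputerStatus   # live engine state (read-only)
    $pref   = Get-MpPreference       # the tunable settings the article describes

    $report = [pscustomobject]@{
        RealTimeProtection  = $status.RealTimeProtectionEnabled
        TamperProtection    = $status.IsTamperProtected
        SignatureVersion    = $status.AntivirusSignatureVersion
        SignatureUpdated    = $status.AntivirusSignatureLastUpdated
        DaysSinceQuickScan  = $status.QuickScanAge
        DaysSinceFullScan   = $status.FullScanAge
        CloudProtection     = $pref.MAPSReporting        # 0 = off, 1 = basic, 2 = advanced
        SampleSubmission    = $pref.SubmitSamplesConsent # 0 = prompt, 1 = safe samples, 2 = never, 3 = all
        ScheduledScanDay    = $pref.ScanScheduleDay      # 0 = every day ... 8 = never
        QuickScanTime       = $pref.ScanScheduleQuickScanTime
        QuarantinePurgeDays = $pref.QuarantinePurgeItemsAfterDelay
        # Exclusions are the registry Exclusions key seen through the cmdlet; drop nulls.
        ExcludedPaths       = @($pref.ExclusionPath    | Where-Object { $_ })
        ExcludedProcesses   = @($pref.ExclusionProcess | Where-Object { $_ })
    }

    # Flag anything that weakens protection so it can be looked at (thresholds are my own).
    $findings = @()
    if (-not $report.RealTimeProtection)  { $findings += 'Real-time protection is off' }
    if (-not $report.TamperProtection)    { $findings += 'Tamper Protection is off' }
    if ($report.CloudProtection -eq 0)    { $findings += 'Cloud-delivered protection is off' }
    if ($report.DaysSinceQuickScan -gt 7) { $findings += "No quick scan for $($report.DaysSinceQuickScan) days" }
    if ($report.SignatureUpdated -lt (Get-Date).AddDays(-2)) { $findings += 'Signatures older than two days' }
    if ($report.ExcludedPaths.Count -gt 0) { $findings += "$($report.ExcludedPaths.Count) path exclusion(s) configured" }

    $report | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

Get-DefenderPosture | Format-List

# Typical follow-ups, using cmdlets from the same module. For the settings that
# Tamper Protection guards, turn it off first, as the article explains.
#   Update-MpSignature                    # fetch the latest definitions now
#   Start-MpScan -ScanType QuickScan      # same as the "Quick scan" button
#   Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleQuickScanTime '12:00'
```

Get-MpComputerStatus is the read-only counterpart to Get-MpPreference: it reports what the engine is actually doing (signature version, whether real-time protection is running, how old the last scans are), which is what you want to check before deciding whether any of the Set-MpPreference tweaks are needed.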
Ransomware protection
Ransomware has been a huge concern in recent years, but most attacks can be blocked off by a Windows Security feature called “Controlled folder access” (which we’ll shorten to CFA). This prevents unrecognised programs from modifying files in your personal folders without your explicit authorisation, thereby ensuring that the dodgy app you just downloaded can’t change, encrypt or delete your documents.
CFA will protect your Documents, Pictures, Videos, Music, Favourites and Desktop folders by default. However, you can also add any other locations you want to protect (see tweak four), including external drives and even network shares – although, of course, these may still be accessible from other systems.
Authorising an application to access these folders is a similar process. When you click “Allow an app through Controlled folder access”, you’ll see details of any apps that were recently blocked, with the option to unblock them. Alternatively, you can select “Browse all apps” and navigate through your hard disk to find the EXE file you want to approve. This can be a pain, but it’s not something you’ll have to do frequently.
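The same protected-folder and allowed-app lists can be managed from PowerShell with the Defender module, and the blocks that the GUI shows under “recently blocked” come from Defender’s operational event log. The script below is an added example, not the article’s own material: it turns CFA on in audit mode first (so you can see what would be blocked before anything is), adds a folder and an application, and lists the recent CFA events. The folder and program paths are constructed placeholders; the event IDs 1123 (blocked) and 1124 (audited) are the ones Defender writes for CFA.

```powershell
# Added example, not from the article: manage Controlled folder access (CFA)
# with the Defender cmdlets and review what it has blocked. Run as Administrator.
Import-Module Defender

# AuditMode records what *would* be blocked without blocking it, which is the
# safer first step on a machine with lots of unfamiliar software. Switch to
# Enabled once the audit log shows nothing you rely on.
Set-MpPreference -EnableControlledFolderAccess AuditMode
# Set-MpPreference -EnableControlledFolderAccess Enabled

# Protect an extra location (constructed path). Add-MpPreference appends to the
# list; Set-MpPreference with the same parameter would replace the whole list.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# Let a trusted program through, by full path (constructed path).
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Example\backup.exe'

# Show the resulting configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications | Format-List

function Get-CfaEvents {
    # CFA writes to the Defender operational log: 1123 = blocked, 1124 = audited.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
            Message = $_.Message   # names the process and the file it tried to touch
        }
    }
}

Get-CfaEvents | Format-Table -AutoSize -Wrap
```

Running in audit mode for a few days and reading the 1124 events tells you which legitimate programs (backup tools, older office suites) need to go on the allowed list before you flip the setting to Enabled, which avoids the “allow an app” dialog appearing at an inconvenient moment.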
Less useful is the “Ransomware data recovery information” at the bottom of the page, which is basically an advert for the OneDrive cloud storage and syncing service. It’s true that if your files are lost then you may be able to recover them from OneDrive, but the same can be said of any cloud storage service and backup system; it’s misleading and unhelpful for Microsoft to imply that OneDrive is your only recourse.
Reputation-based protection
Now that you have your antivirus and ransomware protection configured how you like it, we suggest you skip forward to the “App & browser control” component of the Windows Security app and hit “Reputation-based protection settings”.
The top two options on this page control SmartScreen and will be enabled by default. “Check apps and files” shows an alert if you’re trying to run a downloaded file that isn’t known to Windows; you might as well leave this on, as if you trust the download you can dismiss the SmartScreen warning (by clicking the “More info” link then the “Run anyway” button).
SmartScreen for Microsoft Edge does a similar thing, but the alert kicks in when you try to visit an untrusted website, such as one that’s been reported for hosting malware or looks like it’s being used for phishing. This setting only applies to Edge, though; rival apps such as Chrome and Firefox have their own systems for blocking malicious sites. Whichever you use, there’s no harm in leaving this option switched on. Lower down, you’ll find an option to use SmartScreen for Microsoft Store apps. You’d really hope that Microsoft wouldn’t be offering untested software via its store, but at least this option is turned on by default.
As its name suggests, “Potentially unwanted app [PUA] blocking” (see tweak six) tells Defender to block not only processes that are actively destructive, but also ones that you might just not want on your system. It can scan apps as they run, and if you’re using Edge you can also tick the box to have items inspected at the point of download.
Six different types of software are targeted: programs that show ads, apps that use your resources to mine cryptocurrencies (without giving you a share), items that come bundled into an unrelated app installer, programs that monitor your activity for marketing purposes, anything that tries to detect or evade a legitimate security product, as well as programs that have been flagged up for any other reason by other security specialists. On enterprise platforms, BitTorrent software is considered unwanted too, although it’s permitted on consumer editions of Windows.
With PUA detection enabled, items in the above categories will be blocked in the same way as viruses. They won’t be deleted without your say-so, however, so you can come back into the PUA settings, click “Protection history” and click to allow anything that’s wanted.
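PUA blocking is one of the Get-MpPreference/Set-MpPreference settings mentioned earlier, and the “Protection history” list the article refers to is also readable from PowerShell. As an added example (not from the article), the script below switches PUA detection on in audit mode, then lists the PUA detections Defender has recorded by joining the threat-name table from Get-MpThreat to the per-file history from Get-MpThreatDetection. The function name is mine; the “PUA:” name prefix is how Defender labels these detections.

```powershell
# Added example, not from the article: enable PUA blocking with the Defender
# cmdlets and list what it has caught. Run as Administrator.
Import-Module Defender

# Enabled = block, AuditMode = only record detections, Disabled = off.
# AuditMode is a sensible first step on a machine full of tools you rely on.
Set-MpPreference -PUAProtection AuditMode
# Later, once the audit results look right:
# Set-MpPreference -PUAProtection Enabled

function Get-PuaDetections {
    # Get-MpThreat knows the threat names; Get-MpThreatDetection holds the
    # per-file history. Keys are stringified so the two cmdlets' ID types match.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[[string]$_.ThreatID] = $_.ThreatName }

    Get-MpThreatDetection |
        Where-Object { $names[[string]$_.ThreatID] -like 'PUA:*' } |
        ForEach-Object {
            [pscustomobject]@{
                Detected = $_.InitialDetectionTime
                Threat   = $names[[string]$_.ThreatID]
                File     = ($_.Resources -join '; ')
                Process  = $_.ProcessName
                Handled  = $_.ActionSuccess
            }
        } | Sort-Object Detected -Descending
}

Get-PuaDetections | Format-Table -AutoSize -Wrap
```

The per-detection rows correspond to the entries you see under “Protection history”; allowing an item you actually want is still done from that page, as the article describes.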
Isolated browsing
If you’re using Windows 10 Pro then on the main “App & browser control” page, below “Reputation-based protection”, you’ll see a security feature named “Isolated browsing” (see tweak seven). This launches the Edge browser inside a virtual machine, so you can check out untrusted sites in the confidence that they won’t be able to access or infect your actual Windows system.
Unfortunately, “Isolated browsing” isn’t available in Windows 10 Home as that edition of the OS lacks Microsoft’s Hyper-V hypervisor. For the same reason, it needs a CPU that supports hardware virtualisation, but almost all modern models from AMD and Intel qualify, so that’s unlikely to be a sticking point.
Once Windows reboots, Edge will work as normal, but the main menu will contain a new option to open a protected Application Guard browser session (you can also press Shift+Ctrl+A). The new window looks and works identically to regular Edge – even your extensions are carried across. To help you tell them apart, the secure browser appears in the taskbar with a little shield overlaid on its icon.
The key difference is that the Application Guard window doesn’t have access to your local hard disk or network locations. If you download files from the web, by default they’ll be stored in a virtual file system that’s purged every time you reboot. For security reasons, it also doesn’t carry across your personal information, passwords, browser history or other data from the main browser.
If all this sounds excessively limiting, fear not. Once the component is installed, you’ll see a new link in the Windows Security app labelled “Change Application Guard settings”. From here you can enable copying and pasting between secure Edge and the main operating system, as well as enabling access to the printer, camera, microphone and hardware-accelerated graphics. If you enable the “Save files” option, anything you save to the virtual file system will be retained even after a reboot.
The one thing that’s conspicuously missing is any way to move downloads from the virtual environment onto your real file system – that’s considered too risky. However, you can give the secure browser access to your hard disk by opening the Local Group Policy Editor, navigating to Computer Configuration | Administrative Templates | Windows Components | Windows Defender Application Guard and then enabling the policy entitled “Allow files to download and save to the host operating system”.
Even if you mostly use Chrome or Firefox, it’s always useful to have a secure browser on hand, so if Defender Application Guard is available on your system, we strongly recommend you enable it.
The best of the rest
“Memory integrity protection” (see tweak eight) tells Windows to run high-security processes – notably device drivers – in a secure enclave, so regular programs can’t interfere with them. Like isolated browsing, memory integrity protection requires a CPU with hardware virtualisation support, but it doesn’t need Hyper-V, which means you can use it on Windows 10 Home as well as Pro.
Even if you have a compatible CPU, you may find that you can’t enable memory integrity because there are device drivers in your system that don’t support it. However, the culprits are likely to be for older devices that you might no longer be using – or newer drivers might now be available.
Also on the “Device security” page, you can check the status of your computer’s TPM security chip, assuming it has one. One major function of the TPM chip is to drive the Secure Boot function (see tweak nine) in your BIOS, which blocks any OS that isn’t digitally signed by Microsoft from booting.
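The hardware-backed features in this section (memory integrity, Secure Boot, the TPM) and the Application Guard component from the previous one can all be checked without clicking through the GUI. The script below is an added example, not the article’s own material: it reads the Device Guard WMI class for virtualisation-based security state, asks the firmware about Secure Boot, queries the TPM and looks up the Application Guard optional feature. The useful distinction it draws is between memory integrity being configured and actually running, which is exactly the situation the article describes when an incompatible driver is present. The function name and the output layout are mine.

```powershell
# Added example, not from the article: check whether memory integrity (HVCI),
# Secure Boot, the TPM and Application Guard are available and active.
# Run from a PowerShell console opened as Administrator.
function Get-DeviceSecurityReadiness {
    # Win32_DeviceGuard reports virtualisation-based security (VBS) state.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # "Configured" is what the switch is set to; "Running" is what actually took
    # effect. Service ID 2 is HVCI, the engine behind "Memory integrity".
    $hvciConfigured = $dg.SecurityServicesConfigured -contains 2
    $hvciRunning    = $dg.SecurityServicesRunning    -contains 2

    # Hardware virtualisation must be switched on in firmware for either feature.
    $cpu     = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cpuVirt = [bool]$cpu.VirtualizationFirmwareEnabled

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Optional feature behind "Isolated browsing"; absent on Windows 10 Home.
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
    $wdagState = 'Not available'
    if ($wdag) { $wdagState = [string]$wdag.State }

    [pscustomobject]@{
        CpuVirtualizationEnabled  = $cpuVirt
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus  # 0 = off, 1 = enabled, 2 = running
        MemoryIntegrityConfigured = $hvciConfigured
        MemoryIntegrityRunning    = $hvciRunning
        SecureBootOn              = [bool]$secureBoot
        TpmPresent                = [bool]$tpm.TpmPresent
        TpmReady                  = [bool]$tpm.TpmReady
        ApplicationGuard          = $wdagState
    }
}

$readiness = Get-DeviceSecurityReadiness
$readiness | Format-List

if ($readiness.MemoryIntegrityConfigured -and -not $readiness.MemoryIntegrityRunning) {
    Write-Warning 'Memory integrity is switched on but not running: look for a driver that does not support it.'
}
if (-not $readiness.CpuVirtualizationEnabled) {
    Write-Warning 'Hardware virtualisation is disabled in firmware; memory integrity and Application Guard both need it.'
}

# To install the Application Guard component on Pro (a reboot follows):
#   Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
```

If the report shows memory integrity configured but not running, the Windows Security page under “Core isolation” lists the offending drivers; the fix is to update or remove them, as the article suggests, and re-run the check after a reboot.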
Final steps
Finally, let’s talk about physical security. The “Account protection” page provides a useful shortcut to the sign-in page in the Settings app; here you can exchange your guessable password for a numeric PIN or even a physical USB key, or if your device has a fingerprint reader, IR camera or touchscreen you can use these for breezy, hard-to-fake authentication.
You can’t make Windows wake up again automatically when you come back, but if you’re confident of your physical security, you can tell the OS not to require a password by running the command netplwiz from the Start menu or a command prompt. In the dialog that appears, untick the “Users must enter a username and password to use this computer” box. If it isn’t there, go to the Settings app and deselect “Require Windows Hello sign-in for Microsoft accounts”.