Free Tools To Secure Windows Against Malware

Proactively Disarming Most Malware

Tools like antivirus software try to solve a problem after the fact, meaning they detect the virus or malware after they're already in your PC. Antiviruses exist only because the underlying operating systems aren't very secure by default and make the existence of viruses or malware possible in the first place.

But that doesn't mean the operating systems are fully to blame for that, as sometimes, some security compromises are necessary to benefit usability. Also, software bugs will always exist, and attackers will always take advantage of them. However, the point is to make the systems as secure as possible by default, to limit the vast majority of easy attacks on PCs.

One of the main reasons Windows Vista and Windows 7 were much more secure than Windows XP is that Microsoft limited, by default, software's capabilities within the OS. The User Access Control (UAC) system implemented in Vista limited how apps could interact with one another and, therefore, how malware could interact with apps.

This level of control made Windows Vista and future versions of Windows much more secure. But UAC doesn't go far enough. Expert attackers can still bypass it when the users are, by default, in an Administrator account instead of a Standard account.

Switching to a Standard account in Windows also means that, if that particular Standard account is infected with viruses or other malware, it won't affect other accounts on the computer, and the damage will be more contained. If the users are in the Administrator account when they get infected, the malware could affect the whole Windows installation.

Windows requires at least one Administrator account, which means that if you create only one account at installation, it will be the Administrator account. That account will give you, as well as malware (that manages to bypass the UAC), full privileges to the operating system.

On the other hand, if malware infects a Standard account, it will be limited by the privileges of that Standard account, and won't be able to do much else. Therefore, making a separate Standard account should significantly increase your protection and disarm most malware by default.

Switching To A Standard Account

Ideally, you should create both the Administrator account and the Standard account when you have a fresh installation of Windows. Then, use only the Standard account, and keep the Administrator account clean. The Administrator account will require you to set up a password, which you'll be prompted to enter every time you do something in your PC that requires Administrator privileges (such as installing a new program).

If you've already installed plenty of software on your default account and don't want to start over with a new account, here's what to do:

  1. Create a new Administrator account.
  2. Enter that account.
  3. Go to Control Panel.
  4. Go to "Change an account type."
  5. Click on the original Administrator account, and change its type to Standard.

This will turn your previous default Administrator account into a Standard account, making it much safer than before. It will switch UAC settings to the highest level and will now require the password of the second Administrator account whenever you need to perform an Administrator-level task (such as installing an application).


EMET is one of my favorite security tools because it protects against a wide array of vulnerabilities in software that arise from poorly written code (which can be found in most apps). It offers many protections against zero-day vulnerabilities that malware authors like to use to infect people's PCs by bypassing built-in Windows security systems such as the UAC.

One of the nice things about EMET is that it's not the type of software to bug you about stuff; it's mostly just "set it and forget it." By default, you can choose the "Recommended settings," but unless you use Java, which usually crashes under EMET, then you can probably safely use EMET with Maximum security settings as well. If you find it causes too many problems with some of your apps, you can revert back to the "Recommended security settings" later on.

Automatic OS And App Updates

How To

Enable automatic OS and app updates by opening the Control Panel. Then open Windows Update, select Change Settings and choose Install updates automatically.

It's always a good idea to keep your operating system and applications up-to-date because vulnerabilities are discovered in them all the time, and the companies behind the apps and operating systems patch them up as soon as they can. Unfortunately, that sometimes takes many months, and that's just from the time the vendor itself discovered a particular vulnerability. However, the vulnerability could have been discovered a long time before that by skilled attackers.

This is where EMET can help greatly. But even so, it's a good idea to stay up-to-date and get the fixes as soon as possible to protect your system from vulnerabilities that many other malware creators can use after the vulnerabilities become widely known. To ensure you don't forget to install the updates, it's best to have them set to install automatically. The same goes for any apps that you might use; it's preferable to update them as soon as possible.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • humus
    EMET does not support Windows XP.
  • humus
    SuperAntiSpyware and ESET On-Line Scanner - both are free and effective stand alone tools.
  • mjmacka
    @EMET Microsoft doesn't support Windows XP anymore. There is no way to secure that OS. You should be running a newer version of Windows or Linux instead of XP.
  • John J Miller
    to those that say switch to Win 7 or 8... there are some of us out here who can't afford the required hardware needed to run either one correctly.
  • computertech82
    Avira is rated #1 this year. SuperAntiSpyware is pretty good at malware, usually better than malwarebytes.
  • alpha27
    heh im running mse, comodo and avast, I think my cpu handles them well...heh i7
  • jacobian
    Rather sadly, much of the history of Windows security vulnerabilities is due to poor security practices among the users and software developers. Not using administrator account by default could have saved many headaches, and we had Windows 2000, a fine multi-user OS, since when, 1999? (I don't mention NT4 since it wasn't meant to be a consumer-level OS)
  • gerr
    16034431 said:
    to those that say switch to Win 7 or 8... there are some of us out here who can't afford the required hardware needed to run either one correctly.

    If Windows 8.1 can run on that, you must really have an old system.
  • atwspoon
    to those that say switch to Win 7 or 8... there are some of us out here who can't afford the required hardware needed to run either one correctly.

    Wait what? name a system in the past 10 years that cannot run Windows 7. I have installed the OS on numerous laptops and premade desktops from 2006-present. If your machine is more than 10 years old, you're doing it wrong.

    "If you want to run Windows 7 on your PC, here's what it takes:

    1 gigahertz (GHz) or faster 32-bit (x86) or 64-bit (x64) processor

    1 gigabyte (GB) RAM (32-bit) or 2 GB RAM (64-bit)

    16 GB available hard disk space (32-bit) or 20 GB (64-bit)

    DirectX 9 graphics device with WDDM 1.0 or higher driver"
  • gravewax
    to those that say switch to Win 7 or 8... there are some of us out here who can't afford the required hardware needed to run either one correctly.
    win 7 and 8 have very low hardware requirements. if you have a machine purchased in the last 15 years it mostly probably will run just fine, if in the last 10 it will almost certainly work.