Proactively Disarming Most Malware
Tools like antivirus software try to solve a problem after the fact, meaning they detect the virus or malware after they're already in your PC. Antiviruses exist only because the underlying operating systems aren't very secure by default and make the existence of viruses or malware possible in the first place.
But that doesn't mean the operating systems are fully to blame for that, as sometimes, some security compromises are necessary to benefit usability. Also, software bugs will always exist, and attackers will always take advantage of them. However, the point is to make the systems as secure as possible by default, to limit the vast majority of easy attacks on PCs.
One of the main reasons Windows Vista and Windows 7 were much more secure than Windows XP is that Microsoft limited, by default, software's capabilities within the OS. The User Access Control (UAC) system implemented in Vista limited how apps could interact with one another and, therefore, how malware could interact with apps.
This level of control made Windows Vista and future versions of Windows much more secure. But UAC doesn't go far enough. Expert attackers can still bypass it when the users are, by default, in an Administrator account instead of a Standard account.
Switching to a Standard account in Windows also means that, if that particular Standard account is infected with viruses or other malware, it won't affect other accounts on the computer, and the damage will be more contained. If the users are in the Administrator account when they get infected, the malware could affect the whole Windows installation.
Windows requires at least one Administrator account, which means that if you create only one account at installation, it will be the Administrator account. That account will give you, as well as malware (that manages to bypass the UAC), full privileges to the operating system.
On the other hand, if malware infects a Standard account, it will be limited by the privileges of that Standard account, and won't be able to do much else. Therefore, making a separate Standard account should significantly increase your protection and disarm most malware by default.
Switching To A Standard Account
Ideally, you should create both the Administrator account and the Standard account when you have a fresh installation of Windows. Then, use only the Standard account, and keep the Administrator account clean. The Administrator account will require you to set up a password, which you'll be prompted to enter every time you do something in your PC that requires Administrator privileges (such as installing a new program).
If you've already installed plenty of software on your default account and don't want to start over with a new account, here's what to do:
- Create a new Administrator account.
- Enter that account.
- Go to Control Panel.
- Go to "Change an account type."
- Click on the original Administrator account, and change its type to Standard.
This will turn your previous default Administrator account into a Standard account, making it much safer than before. It will switch UAC settings to the highest level and will now require the password of the second Administrator account whenever you need to perform an Administrator-level task (such as installing an application).
EMET is one of my favorite security tools because it protects against a wide array of vulnerabilities in software that arise from poorly written code (which can be found in most apps). It offers many protections against zero-day vulnerabilities that malware authors like to use to infect people's PCs by bypassing built-in Windows security systems such as the UAC.
One of the nice things about EMET is that it's not the type of software to bug you about stuff; it's mostly just "set it and forget it." By default, you can choose the "Recommended settings," but unless you use Java, which usually crashes under EMET, then you can probably safely use EMET with Maximum security settings as well. If you find it causes too many problems with some of your apps, you can revert back to the "Recommended security settings" later on.
Automatic OS And App Updates
Enable automatic OS and app updates by opening the Control Panel. Then open Windows Update, select Change Settings and choose Install updates automatically.
It's always a good idea to keep your operating system and applications up-to-date because vulnerabilities are discovered in them all the time, and the companies behind the apps and operating systems patch them up as soon as they can. Unfortunately, that sometimes takes many months, and that's just from the time the vendor itself discovered a particular vulnerability. However, the vulnerability could have been discovered a long time before that by skilled attackers.
This is where EMET can help greatly. But even so, it's a good idea to stay up-to-date and get the fixes as soon as possible to protect your system from vulnerabilities that many other malware creators can use after the vulnerabilities become widely known. To ensure you don't forget to install the updates, it's best to have them set to install automatically. The same goes for any apps that you might use; it's preferable to update them as soon as possible.