Categories
Self-organization

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

Windows 10’s built-in antivirus can now run in a sandbox. Even if an attacker compromises the antivirus engine, they wouldn’t have access to the rest of the system. As Google’s Tavis Ormandy puts it, “this is game changing.”

In fact, Windows Defender is the first complete antivirus product that can run in a sandbox. None of the paid (or free) antivirus products you can download boast this feature.

This news comes from the official Microsoft Secure blog. As Microsoft puts it:

Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously…

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.

In other words, the Windows Defender antivirus process that analyzes downloaded files and other content will run with very few permissions. Even if there was a bug in the antivirus process and a maliciously crafted file managed to compromise the antivirus itself, that now-dangerous antivirus process wouldn’t provide any access to the rest of your system. The attack would have failed.

Sure, an antivirus still needs a lot of access to your system. But the main antivirus process that runs with a lot of permissions won’t analyze files. It hands content off to a low-privilege sandboxed process, which does the dirty and dangerous work in a secure area.

Microsoft’s blog post goes on to describe how this feature was implemented without any noticeable performance drops:

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesn’t degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

There’s much more detail than that in Microsoft’s blog post, so check it out if you’re interested.

When Will You Get It?

While this feature is exciting, it isn’t enabled by default on Windows 10 systems—yet. Microsoft says it will “gradually enable” this feature for Windows Insiders and analyze how it works in the real world.

Warning: Microsoft isn’t confident enough in this feature to enable it by default for everyone yet, so you may experience bugs after enabling this. We enabled it on our system and everything seemed to work fine, though.

To enable this feature today, launch a Command Prompt or PowerShell window as Administrator, run the following command, and then restart your PC:

This command works on Windows 10 version 1703, also known as the Creators Update, and newer versions of Windows 10. That version of Windows 10 was released in April 2017, so your PC almost certainly has that version or newer by now.

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

If you want to undo this change, run the same command, replacing the “1” with a “0,” and reboot your PC once again. If you have problems booting your PC for some reason, try booting into Safe Mode and then running the command.

After enabling sandboxing, you will see a special content process named MsMpEngCP.exe with less permissions running alongside the standard MsMpEng.exe antimalware process.

The sandboxed Windows Defender process, as seen in Microsoft’s Process Explorer.

We were once pretty critical of Microsoft’s antivirus, but we think the latest versions are pretty good. We recommend using Windows Defender to keep your PC secure without any of the upsells and bugs that third-party antivirus software brings to the table. And it’s included by default with Windows 10, so all Windows users finally have a solid antivirus.

We just wish Microsoft’s antivirus was more aggressive about blocking crapware by default.

Windows Defender can protect itself from attacks with its own sandbox. Here’re the steps to enable Windows Defender sandbox in Windows 10.

Windows Defender can now run in a sandbox providing you with better security and reliability. In fact, Windows Defender is the first antivirus to run in a sandboxed environment. However, you have to manually enable the Windows Defender sandbox feature.

Steps to Enable Windows Defender Sandbox in Windows 10

These are the steps to turn on Windows Defender sandbox in Windows 10.

  1. Open the Start menu.
  2. Search for “cmd“.
  3. Right-click on “Command Prompt” and select the “Run as administrator” option.
  4. In the Command Prompt, copy and paste the below command and press “Enter“.

As soon as you execute the command, Windows will make the necessary changes. If the process is a success you will see the “SUCCESS: Specified value was saved” message.

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

Verify Windows Defender Sandbox Status

As the command prompt doesn’t give any sensible message to let you know if the Windows Defender is running in a sandbox, we are going to use Process Explorer, a portable application from Microsoft. You can think of Process Explorer as Task Manager on steroids.

Download Process Explorer and open it. Take a look at the process list you should see MsMpEngCP.exe running alongside the MsMpEng.exe antimalware service process.

Disable Defender Sandbox

As I said before, the Windows Defender secure sandbox is a new feature that is still in testing. So, if your system is behaving oddly after enabling the Secure Sandbox then you should probably disable it for the time being.

To disable Windows Defender sandbox, all you have to do is execute the below command and restart your system. In the command, all we did is replace 1 in the above command with 0 .

Windows Defender Can Now Run In a Sandbox, But Why?

Being an antivirus, Windows Defender needs to run with the highest privileges to scan, detect, and remove any and all infections. Windows Defender has its own user account in Windows 10.

Given that Windows defender runs with the highest possible permissions, some clever attacker can craft malware that can compromise Windows Defender and infect the system. Since Windows Defender has the highest privileges, the attack surface would be bigger and worse.

By running Windows Defender in a sandbox, even if the Windows Defender is compromised or has a bug in it, the malware couldn’t affect the system. It stays within the sandbox. The best thing is, according to Microsoft, the Windows Defender secure sandbox feature is implemented without any performance drop or loss.

That is all. I hope that helps. If you are stuck or need some help, comment below and I will try to help as much as possible.

Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment.

Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its damage from spreading outside the closed area.

Since antivirus and anti-malware tools run with the highest level of privileges to scan all parts of a computer for malicious code, it has become a desired target for attackers.
The need for sandboxing an antivirus tool has become necessary after multiple critical vulnerabilities were discovered in such powerful applications, including Windows Defender, in past years that could have allowed attackers to gain full control of a targeted system.

That’s why Microsoft announced to add a sandbox mode to its Windows Defender. So, even if an attacker or a malicious app exploiting a flaw in Defender compromises the antivirus engine, the damage can’t reach out to other parts of the system.

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’ content parsers that could enable arbitrary code execution,” Microsoft said in a blog post.

Google Project Zero’s researcher Tavis Ormandy, who found and disclosed several of these types of flaws in the past year, lauded the Microsoft’s effort on Twitter, saying it was “game-changing.”

“Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm,” Microsoft said.

According to Microsoft, implementing sandboxing in Windows Defender was a challenge for its engineers because the process had the potential to cause performance degradation and required a number of fundamental changes.

However, the research community has taken it as a welcoming step by Microsoft that has raised the bar on security for commercial antivirus and anti-malware solutions out there.

How to Turn On Sandbox Feature in Windows Defender Antivirus

For now, Windows Defender running on Windows 10, version 1703 (also known as the Creators Update) or later, support the sandbox feature, which is not enabled by default, but you can turn the feature on by running following command on your system:

  1. Open Start and Search for “CMD” or “Command Prompt”
  2. Right Click on it and select “Run as administrator.”
  3. Type: “setx /M MP_FORCE_USE_SANDBOX 1” and then press ENTER
  4. Then restart your computer, that’s it

Microsoft is gradually rolling out a Windows Insider preview supporting the sandboxing feature in Defender Antivirus, and the feature will soon become widely available, though it is not sure when this will happen.
To read the original article:

Laisser un commentaire Annuler la réponse

Vous devez être connecté pour publier un commentaire.

Microsoft boosts security

Microsoft is working on making Windows Defender, the built-in antivirus tool in Windows 10, more secure with a new mode that allows it to run within a sandbox, a feature that’s been present in many of its competitors.

By running in a sandbox, Windows Defender will operate separately from the rest of your PC, so hackers and malicious files cannot gain access to your vital files via the software.

The move follows Microsoft explaining in a blog post that due to the nature of Windows Defender, which needs to have access to your whole system to scan it for viruses, “Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution.”

Obviously, a security tool that is itself a security liability isn’t much use, which is why Microsoft will be implementing the sandbox mode. “Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm,” explains the blog.

When can I get it?

The addition of a sandbox mode brings Windows Defender into line with other anti-virus software which has sandboxing tools.

If you rely on Windows Defender to protect your PC, then you’ll probably be keen to get the feature as soon as possible. At the moment, Microsoft has brought the feature to early versions of Windows 10 for people using the Windows Insider program.

This is so that Microsoft can monitor the effectiveness, and potential impacts to system performance, of the new feature before making it available to everyone.

However, Microsoft has also made it possible for non-Windows Insiders to enable the feature. To do so, type in ‘Command Prompt’ in the Start menu search bar, then right-click ‘Command Prompt’ and select ‘Run as administrator’. Then, type in the following command and press enter:

You’ll then want to restart your PC.

With Windows Defender coming installed for free with Windows 10, huge amounts of people around the world will be relying on it to keep them safe, so we’re pleased to see Microsoft is working hard on making sure the software offers advanced security features like this.

  • Not convinced by Windows Defender? Here’s our picks of the best Windows 10 antivirus

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

Microsoft Windows built-in anti-malware tool, Windows Defender, has become the very first antivirus software to have the ability to run inside a sandbox environment.

Sandboxing is a process that runs an application in a safe environment isolated from the rest of the operating system and applications on a computer. So that if a sandboxed application gets compromised, the technique prevents its damage from spreading outside the closed area.

Since antivirus and anti-malware tools run with the highest level of privileges to scan all parts of a computer for malicious code, it has become a desired target for attackers.

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

The need for sandboxing an antivirus tool has become necessary after multiple critical vulnerabilities were discovered in such powerful applications, including Windows Defender, in past years that could have allowed attackers to gain full control of a targeted system.

That’s why Microsoft announced to add a sandbox mode to its Windows Defender. So, even if an attacker or a malicious app exploiting a flaw in Defender compromises the antivirus engine, the damage can’t reach out to other parts of the system.

“Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’ content parsers that could enable arbitrary code execution,” Microsoft said in a blog post.

Google Project Zero’s researcher Tavis Ormandy, who found and disclosed several of these types of flaws in the past year, lauded the Microsoft’s effort on Twitter, saying it was “game-changing.”

“Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm,” Microsoft said.

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

However, the research community has taken it as a welcoming step by Microsoft that has raised the bar on security for commercial antivirus and anti-malware solutions out there.

How to Turn On Sandbox Feature in Windows Defender Antivirus

For now, Windows Defender running on Windows 10, version 1703 (also known as the Creators Update) or later, support the sandbox feature, which is not enabled by default, but you can turn the feature on by running following command on your system:

  1. Open Start and Search for “CMD” or “Command Prompt”
  2. Right Click on it and select “Run as administrator.”
  3. Type: “setx /M MP_FORCE_USE_SANDBOX 1” and then press ENTER
  4. Then restart your computer, that’s it

Microsoft is gradually rolling out a Windows Insider preview supporting the sandboxing feature in Defender Antivirus, and the feature will soon become widely available, though it is not sure when this will happen.

Windows Defender Can Run in a Secure Sandbox to Keep PC Safe

It is not a good idea to use a computer without a piece of antivirus software. That’s why Windows Defender is as a core feature in Windows 10.

Without a doubt, Defender and some third-party applications like it provide an important layer of protection against some threats like ransomware. However, you may not know that they can bring new security risks. Thus, Microsoft is adding a sandbox mode to Windows Defender.

Similar stories

Windows Defender Antivirus is a Windows built-in antimalware product. It is pre-installed on your Windows computer. It always keeps up-to-date to cover the newest threats and modify the detection logic to improve its abilities to protect your computer from viruses. So, you’d better turn on Windows Defender Antivirus and make sure you are using the latest version.

How to update Windows Defender? Usually, Windows can automatically upgrade it when a new version is released. However, there are also some other Windows Defender update methods. MiniTool Software will show them in this post.

How to Upgrade Windows Defender Antivirus?
Automatic update Windows Defender
Trigger an update for Windows Defender
Manually download Windows Defender and install it

Windows Defender Antivirus is an antimalware feature on Windows 10 and it can protect your computer and the files on the device from viruses, spyware, ransomware and some other types of malware and hackers.However, when you need to set up the computer without network, perform a task which may be blocked by Windows Defender Antivirus, or need to comply with the organization security policies, you will have to disable Windows Defender Antivirus.

In the following guide, we will show you 3 ways to disable Windows Defender Antivirus permanently or temporarily on Windows 10.

In Windows 10 operating system, an antivirus program is built-in and it is Windows Defender. It combines all the essential security features under one dashboard to protect your machine from viruses, spyware, malware, ransomware, rootkits and other security threats.

With it, your PC is under the protection. If you have installed any other antivirus program like Avast, Windows Defender is not turning on. In short, this utility is excellent enough.

Although this antivirus program does a pretty good job, it may detect the file, folder or a process/program you trust as malicious, which makes you agonizing. To stop it from alerting you or block this type of behavior from occurring, you can add Windows Defender exclusions.

Windows Defender (also called Windows Defender Security Center in Windows 10 1703 or later), a fully integrated part of Windows, is an antivirus program. And it can offer real-time protection from various threats like spyware, malware, and viruses to your PC. Once it scans and finds potential threats, this program will stop them.

However, many users have reported that their Windows Defender can’t turn on in Windows 10/8/7 when they try to run this program for virus defense by clicking Turn on button.

In Windows 10 and 8, there is a built-in antivirus program – Windows Defender. It is a great security service provided by Microsoft in Windows and it is used to protect the system from external threats including spyware, malware, etc.

However, you always experience some problems when using Windows Defender, for example, Windows Defender not turning on, error code 0x80073afc, 0x80070015, error 577, Windows Defender blocked by Group Policy, etc.

Besides, you may be bothered by another error code 0x80004004 while you are trying to update Windows Defender on your PC. On your computer screen, you get the error message “Virus and spyware definitions couldn’t be updated” and the error code: 0x80004004 can be seen.

Microsoft Defender, which is formerly known as Windows Defender before Windows 10 May 2020 Update or Windows Defender Antivirus in Windows 10 Creators Update and later, is a Windows snap-in anti-malware tool.

When you open a file on your computer, this tool will scan it for malware and report you if it finds threats. On the other hand, you can also initiatively scan a file or folder for malware with Microsoft Defender when you suspect that there are threats in some certain file or files.

But do you know how to make Microsoft Defender scan a file or folder for malware? It is very easy to do this work. We will show you a guide in the following part.

Windows Defender is a built-in antivirus program of Windows. When do you need to run Windows Defender Offline scan? How to perform Windows Defender Offline scan? This post shows you the answers. Besides Windows Defender, you can also visit MiniTool to look for more ways and tips to safeguard your PC

يمكن الآن تشغيل برنامج مكافحة الفيروسات ويندوز ديفندر Windows Defender والمدمج في ويندوز Windows 10 في وضع الحماية ، حتى إذا قام أحد المهاجمين بتعريض محرك الحماية من الفيروسات للخطر ، فلن يتمكن من الوصول إلى بقية النظام ، وكما يقول Tavis Ormandy من Google ، “هذه هي اللعبة تتغير”.

برنامج Windows Defender مع وضع الحماية الآمنة بدرجة فائقة ، وإليك كيفية تشغيله

برنامج Windows Defender مع وضع الحماية الآمنة بدرجة فائقة ، وإليك كيفية تشغيله

وفي الواقع ، يعتبر برنامج Windows Defender أول منتج مضاد فيروسات كامل يمكن تشغيله في sandbox ، ولا تتباهى هذه الميزة بأي من منتجات مكافحة الفيروسات المدفوعة (أو المجانية) التي يمكنك تنزيلها ، ويأتي هذا الخبر من مدونة Microsoft Secure الرسمية كما تقول مايكروسوفت :

حدد الباحثون الأمنيون داخل وخارج ميكروسوفت Microsoft من قبل الطرق التي يستطيع بها المهاجم أن يستفيد من نقاط الضعف في موزعي محتوى ويندوز ديفندر Windows Defender Antivirus مما قد يؤدي إلى تنفيذ تعليمات برمجية عشوائية ، وعلى الرغم من أننا لم نشهد هجماتًا في الواقع تستهدف ويندوز ديفندر انتي فايرس Windows Defender Antivirus ، فإننا نأخذ هذه التقارير على محمل الجد . ويعمل تشغيل Windows Defender Antivirus في وضع الحماية على ضمان حدوث أعمال ضارة في البيئة المعزولة ، مما يحمي بقية النظام من الضرر.

برنامج Windows Defender مع وضع الحماية الآمنة بدرجة فائقة ، وإليك كيفية تشغيله

او بمعنى آخر ، سيتم تشغيل عملية مكافحة فيروسات ويندوز ديفندر Windows Defender التي تقوم بتحليل الملفات التي تم تنزيلها والمحتويات الأخرى باستخدام أذونات قليلة جدًا ، وحتى إذا كان هناك خلل في عملية مكافحة الفيروسات وتمكن ملف تم إنشاؤه بطريقة ضارة من اختراق الفيروسات نفسها ، فإن عملية مكافحة الفيروسات الخطيرة الآن لن توفر أي وصول إلى بقية النظام ، كان الهجوم قد فشل ، وهناك تفاصيل أكثر تفصيلاً من ذلك في مشاركة مدونة مكيروسوفت Microsoft ، لذا تحقق من ذلك إذا كنت مهتمًا.

متى سوف تحصل عليها؟

على الرغم من أن هذه الميزة مثيرة ، إلا أنها لا يتم تمكينها افتراضيًا في أنظمة Windows 10— حتى الآن ، وتقول Microsoft أنها ستقوم “بتمكين” هذه الميزة تدريجيًا لمستخدمي Windows Insiders وتحليل كيفية عملها في العالم الحقيقي.

برنامج Windows Defender مع وضع الحماية الآمنة بدرجة فائقة ، وإليك كيفية تشغيله

ويعمل هذا الأمر على Windows 10 الإصدار 1703 ، والمعروف أيضًا باسم Creators Update ، والإصدارات الأحدث من Windows 10 ، وتم إصدار هذا الإصدار من نظام التشغيل Windows 10 في أبريل 2017 ، لذا فإن جهاز الكمبيوتر الخاص بك يحتوي على هذا الإصدار أو الأحدث بشكل شبه مؤكد.

Windows Defender is now the world’s most secure antivirus software. Even if malware compromises Defender’s virus detection module, the malware cannot go on to take over control of the host device. Defender’s impenetrable shield is a “sandbox” – a virtual machine that exists in RAM, isolated from other components. Does that make it the best at malware detection? Read on for the scoop.

Should Your Antivirus Run in a Sandbox?

Viruses often target antivirus software because the latter has elevated privileges on the host machine that a virus can use to evil effect. Microsoft security researchers came up with a clever way to isolate the vulnerable part of Defender in a sandbox.

Defender consists of several security apps, including “content parsers” that analyze unknown files. Running these apps in a sandbox gives them very few privileges on the host machine. Even if a Defender parser is compromised by malware, it cannot be used to do harm on the host machine. When the parser is no longer needed, it and the sandbox simply dissolve back into free RAM, along with any virus infection.

Is this level of security necessary? Microsoft seems to take the “abundance of caution” position in its announcement of Defender’s new sandbox feature: Security researchers both inside and outside of Microsoft have previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antivirus’s content parsers that could enable arbitrary code execution. While we haven’t seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously…”

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

And, “Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm.”

The main Defender app still needs high-level privileges, access to many areas of the host machine. But it passes the low-level, dangerous job of analyzing unknown files to its sandboxed parsers, so there is no direct contact between the highly-privileged Defender and suspicious software. This strategy effectively makes Defender immune to virus infections.

For now, though, Microsoft is cautiously rolling out this new sandboxing feature. In their announcement, it says they are “in the process of gradually enabling this capability for Windows Insiders and continuously analyzing feedback to refine the implementation. The article also mentions a way to manually turn on Defender’s sandboxing, if you are running Windows 10 version 1703 (released March 2017) or later.

Thinking Inside the Box

Security researchers outside of Microsoft are impressed. Even the notorious security gadfly, Google’s Tavis Ormandy, calls sandboxed Defender “game-changing.” Ormandy was one of the researchers who identified bugs in Defender that might enable an attacker to take over the host machine, including one he openly denounced as “crazy bad.”

No other antimalware suite offers sandbox protection right now, but I expect a rush to implement it across the antimalware industry. Sandboxing is an elegant, tried-and-true way to protect a favorite target of malware – the antimalware software that opposes it. Defender is hardly the first antivirus program found to contain bugs that could be exploited by malware. Some examples from the past couple of years include “Multiple Vulnerabilities in Avast Antivirus” (April 2017), “Security vulnerabilities in Symantec and Norton ‘as bad as it gets’ warns researcher” (June 2016), and
“Google Security Researcher Finds Serious Vulnerability In Kaspersky’s TLS Interception Tool” (January, 2017).

Time to Switch?

So am I recommending that everyone dump their existing third-party security tools? No, and here’s why. I started this article by saying that “Windows Defender is now the world’s most secure antivirus software.” But I didn’t say it was the best. The fact that Defender’s parsing module is secure is cool, but that doesn’t make it the best at detection and protection. In fact, Microsoft has never intended Defender to be the best anti-malware solution. By their own admission, Defender is supposed to establish a baseline for anti-malware tools, a set of minimum features that every third-party security suite is expected to match or exceed.

That said, Defender has come a long way since the early days when it consistently ranked dead last in independent malware detection tests. In the latest test results from AV-Comparatives, Defender scored very well on detection, but led the league in false positives.

The free versions of AVG, Avast, and Bitdefender all got top marks from AV-Comparatives, but it’s important to note that these lab tests really don’t represent what I see as real world usage. According to their factsheet, they ran their tests under Microsoft Windows 10 Pro “with up-to-date third-party software (such as Adobe Flash, Adobe Acrobat Reader, Java, etc.). Due to this, finding in-the-field working exploits and running malware is much more challenging than e.g. under an non-up-to-date system with unpatched/vulnerable third-party applications.”

So what is the practical upshot of this news? Third-party developers do not want to be known as “not even as good as Windows Defender.” Therefore, I predict that sandboxing will be the next “big thing” in security suites. Kudos to Microsoft for setting that high bar. Kudos, too, to Tavis Ormandy and other security researchers who expose vulnerabilities in complacent companies’ products and goad them into developing solutions.

Are you confident that Windows Defender will provide adequate protection, or do you use a third-party security tool? Your thoughts on this topic are welcome. Post your comment or question below.

We’ve got a beginner’s guide to Windows 10 security that will help you keep your device safe.

Windows defender now offers ultra secure sandbox mode here’s how to turn it on

Boosting Windows 10 security is easier than you think.

As the Windows 10 May 2021 update rolls out to devices, it’s a good time to secure your Windows 10 machine. Whether you have a new device or one you’ve recently upgraded (you can still download Windows 10 for free , by the way, now that support for Windows 7 has ended ), making sure you’re system is fully protected doesn’t have to be complicated.

You can quickly enable some of the basic security features of the operating system — and disable some of the more annoying ones — without compromising your device, all within a few minutes.

Here’s how to do it.

Stay current on the latest Microsoft news, plus reviews and advice on Windows PCs.

Create your save point

The first thing you should do with a new Windows 10 machine is enable a system restore. Think of it like a save point for your machine. If things go south while you’re trying to set up a safer machine , you get to come back to this nice fresh install and start with a clean slate. Since it’s disabled by default in Windows 10, you’ll need to manually enable it by following these steps:

1. Go to the Windows Cortana search box and type system restore.

2. Select the Control Panel and click Create a restore point.

3. When the System Properties dialog box appears, click the System Protection tab.

4. Select the drive you’ve got Windows installed on. For most people this is going to be the C drive.

5. Click Configure.

6. Click Turn on system protection, then click OK.

From here on out, you can always come back to the System Properties box and click System Restore to bring your machine back to this moment in time.

Kill the bloatware

One of the most obnoxious things about getting a new Windows machine is that it’s never really new. Even if your hands are the first to pull it out of its shiny box, both Microsoft and the manufacturer have already invariably stuffed your machine with barely-functional, unwanted, or trial-version software that will sit unused in your computer, taking up valuable memory space until it eventually becomes outdated and presents a quiet set of vulnerabilities. Let’s kill those programs:

1. Go to Start, then to Settings, then to Apps.

2. You should be looking at a list of all of your installed apps under your Apps & Features section. A right-click on any of them should present you with the option to uninstall them.

Freshman orientation for your software

Now that you’ve done some bloatware pest control, you’ll want to secure your other software and drivers by making sure they’re up to date . Doing this can eliminate the risk of infection by entire classes and families of viruses and malware. The easiest way to do this is by downloading the Windows Update Assistant and following its prompts.

If you have any trouble with the automated process, there’s a manual option:

1. Go to Start, then to Settings.

2. Select Update & Security, then select Windows Update.

Make sure all of your Windows 10 software is up to date to avoid security mishaps.

Locals only

By default, logging in to Windows 10 means using your Microsoft account — the same one you use for your Microsoft email. A feature of this type of login is that any changes you make to your settings while on your new Windows 10 machine will be automatically synced across all of your other Windows 10 devices.

That might seem like a convenient perk. It’s not. It’s essentially removing a bulkhead against multidevice compromise in the event something (or someone) affects your Microsoft account. So let’s make sure you’ve got a unique local account login to use only on your new Windows 10 machine:

1. Save any work currently open, then close the program you’re using.

2. Go to Start, then Settings.

3. Click Accounts, then click Your email and accounts on the left-side column.

4. Click the link that says Sign in with a local account instead.

5. When the prompt appears, type the password you currently use to log into your Microsoft account (the same password you currently use to unlock your laptop), and click Next.

6. A new prompt will ask you to create a username, password and password hint. Once you’ve entered the text, click Next.

7. Click Sign out and finish.

This will bring you back to the machine’s login screen, where you can enter your new password to log back in. At which point, you’ll likely also notice a much faster login.

Shut down stalkerware

Windows 10 automatically tracks your location and monitors your behavior in order to sell advertising. Here’s how to turn both of those features off to better protect your privacy:

1. Go to Start, then Settings.

2. Click Privacy, the icon that looks like a padlock.

3. Click Location, then click the On switch to turn location tracking off.

4. To disable ad tracking:

5. Go back to the Privacy screen you were just at.

6. Turn off the setting for Let apps use advertising ID to make ads more interesting to you based on your app activity.

Enable your firewall and antivirus

If you’ve used Windows for a while now, you’re familiar with the Windows Defender Security Center. It’s a good first step toward monitoring the overall health of your computer, but it’s not going to be enough. One other layer of security is already built into Windows 10, and you should take advantage of it by enabling firewall and antivirus protection. Here’s how:

1. Go back to your Control Panel, then to System and Security.

2. Click Windows Defender Firewall, then click Turn Windows Defender Firewall on or off in the sidebar.

3. Click the button that says Turn on Windows Defender Firewall under both the public network and private network settings.

4. Tick the box that says Notify me when Windows Defender Firewall blocks a new app.

Once your firewall is up, head over to CNET’s roundup of the best antivirus software for Windows 10 and shop around until you find one that suits your needs. You can also check out How to run Microsoft’s Windows Defender on Chrome and Firefox .