Self-Defense Without Antivirus: Protecting Windows on Your Own
Do you really need antivirus software to protect yourself from viruses? Not necessarily. Antivirus programs have plenty of drawbacks, so if you’re willing to use your head, you can minimize your risk of infection on your own. All it takes is following digital hygiene rules and making a few important system tweaks. Let’s talk about those settings.
Why Not Just Use Antivirus?
You’re probably familiar with the problems of antivirus software. For me, the biggest issue is privacy risks. These are openly disclosed in every antivirus user agreement—from the default Windows Defender to well-known paid solutions.
Plus, antivirus software never guarantees 100% protection. So even if you don’t plan to ditch it, extra security never hurts.
Important warning: Some of the tools mentioned here make deep changes to Windows and won’t warn you if you do something wrong. Used incorrectly, you could easily damage your system. But in the hands of a pro, these utilities become powerful weapons against vulnerabilities.
Tuning Windows for Security
Remember, a virus is just a program that runs on your OS. The first step to fighting viruses is to set up your environment correctly.
Use a Limited User Account
Create a user account with limited privileges. Yes, you’ve heard this a million times, but people still insist on running as admin. If you want to go without antivirus, get in the habit of creating a regular user account right after installing Windows and drivers. This will block most malware that can’t escalate privileges. And of course, always keep your system up to date with the latest patches.
Running as a standard user also protects system files and settings from unauthorized changes. If malware tries to modify system files, it’ll hit access restrictions.
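The account setup described above can be scripted and checked with the built-in LocalAccounts cmdlets. This is an added example, not code from the original article; the account name daily is a hypothetical placeholder.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'
$newUser   = 'daily'          # hypothetical account name
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (SID works on any UI language)
$usersSid  = 'S-1-5-32-545'   # BUILTIN\Users

# Who can currently administer this machine?
Get-LocalGroupMember -SID $adminsSid |
    Select-Object Name, ObjectClass, PrincipalSource

# Create the everyday account. New-LocalUser adds it to no group,
# so join it to Users only and never to Administrators.
if (-not (Get-LocalUser -Name $newUser -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $newUser"
    New-LocalUser -Name $newUser -Password $password `
        -Description 'Standard daily-use account' | Out-Null
    Add-LocalGroupMember -SID $usersSid -Member $newUser
}

# Fail loudly if the everyday account ever ends up with admin rights.
$isAdmin = Get-LocalGroupMember -SID $adminsSid |
    Where-Object { $_.Name -eq "$env:COMPUTERNAME\$newUser" }
if ($isAdmin) { throw "$newUser is a member of Administrators" }

# From inside any session: is the current token elevated? (True/False)
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
$principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
```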
Reduce Your Attack Surface
Even with the latest patches, you can’t be sure there are no vulnerabilities in your OS or software. Zero-day bugs happen, and we’ve all heard stories of unexpected exploits affecting huge numbers of users.
If you don’t use a component or service, disable it. Don’t use OneDrive? Remove it! Don’t use Microsoft Edge? Get rid of it! No printer? Turn off the print service. Windows comes with a ton of software and services you’ll never use, so grab a scalpel and cut out the excess.
You can remove things from the system itself or directly from the installation image, so you don’t have to repeat the process after reinstalling Windows. I prefer to combine both methods.
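Both approaches, trimming the installed system and trimming the installation image, can be done with built-in cmdlets. This is an added example, not from the original article; the package pattern, the image path, the image index and the mount directory are assumptions to adjust, and the service startup mode is saved first so the change can be rolled back.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'
$services  = @('Spooler')                    # Print Spooler, for machines with no printer
$appxMatch = 'Xbox|Solitaire'                # hypothetical pattern; review the matches first
$wim       = 'C:\iso\sources\install.wim'    # assumed writable copy of the image
$mount     = 'C:\mount'                      # assumed empty mount directory
$backup    = Join-Path $env:USERPROFILE 'service-startup-backup.csv'

# Save the current startup mode so the change can be undone later.
Get-CimInstance Win32_Service |
    Where-Object { $services -contains $_.Name } |
    Select-Object Name, StartMode, State |
    Export-Csv -Path $backup -NoTypeInformation

foreach ($name in $services) {
    Stop-Service -Name $name -Force
    Set-Service  -Name $name -StartupType Disabled
}

# Installed system: provisioned packages get installed into every new profile.
$online = Get-AppxProvisionedPackage -Online | Where-Object DisplayName -Match $appxMatch
$online | Select-Object DisplayName, Version     # review what matched
$online | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $_.PackageName }

# Installation image: the same removal done offline, so a reinstall starts clean.
# Index 1 is an assumption; Get-WindowsImage -ImagePath $wim lists the editions.
New-Item -ItemType Directory -Path $mount -Force | Out-Null
Mount-WindowsImage -ImagePath $wim -Index 1 -Path $mount | Out-Null
try {
    Get-AppxProvisionedPackage -Path $mount |
        Where-Object DisplayName -Match $appxMatch |
        ForEach-Object { Remove-AppxProvisionedPackage -Path $mount -PackageName $_.PackageName }
    Dismount-WindowsImage -Path $mount -Save | Out-Null
} catch {
    Dismount-WindowsImage -Path $mount -Discard | Out-Null   # leave the image untouched
    throw
}
```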
MSMG Toolkit
Despite its old-school interface, MSMG Toolkit is a very useful tool for creating your own custom Windows builds. It lets you remove tons of unnecessary (and even some necessary) stuff, including pre-installed apps and telemetry. You can also disable hardware checks during Windows 11 setup, for example.
MSMG also lets you add things like DirectX, Visual C++ Redistributable Runtimes, and more. The best part: it works at the installer image level, so you get an .iso file you can put on a flash drive and install a pre-tweaked version of Windows for yourself or someone else.
AutoSettings
AutoSettings is a PowerShell script from the forum.ru-board.com forum, created by users westlife and LeX333666. Since it’s just a script, you can read through it to make sure there’s nothing malicious. It also contains a ton of useful stuff: if MSMG Toolkit can’t handle a setting, AutoSettings probably can.
The script has presets for fine-tuning what it does, plus an interface to see what’s enabled or disabled in your system at any time.
There’s a warning that Windows 11 isn’t supported, but in reality, the author just hasn’t tested all the latest features yet. The existing settings work great! Plus, you can modify the script and add your own tweaks.
Firewall Setup
Now for network protection. Windows has a built-in firewall. Many people are skeptical, but it’s actually pretty good—especially if you configure it properly.
Third-party firewalls often include HIPS (Host-based Intrusion Prevention System), which protects the firewall itself from tampering, including by malware. Windows has its own integrity monitoring mechanisms, but they are not a classic HIPS, so keep that in mind.
Third-Party Firewalls?
Why not use a third-party firewall? For me, it’s the same old paranoia: installing something new means trusting another company.
You might mention open-source Portmaster, which seems trustworthy. But have you noticed there’s no offline installer? The community has long asked for a regular installer that doesn’t phone home, but it still doesn’t exist. I find that odd and don’t risk using Portmaster. Plus, it has performance issues on fast connections.
For extra control over the built-in firewall, try Malwarebytes Windows Firewall Control.
Windows Firewall Control
This is just a convenient control panel for the Windows firewall. Here’s how I set it up: I block all incoming connections, delete all firewall rules, and enable notifications for any network activity. If a program or OS component tries to access the internet, Windows Firewall Control will alert you, and you decide what to do. If a stealer gets on your machine, at least it won’t be able to contact its command server and send your data away.
The downside: it’s closed source. But if you’re paranoid, you can install Windows Firewall Control, set everything up, then uninstall it. The rules you created will stay in the system as long as you decline the offer to revert changes.
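The same policy can be approximated with the built-in NetSecurity cmdlets, and the final query shows which allow rules are present, for instance after uninstalling a rule manager. This is an added example, not from the original article: the built-in firewall has no per-connection outbound prompt, so it uses default-deny outbound plus the drop log instead, and the browser path and the three allow rules are assumptions.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell.
$ErrorActionPreference = 'Stop'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $env:USERPROFILE "firewall-backup-$stamp.wfw"   # assumed path
$browser = 'C:\Program Files\LibreWolf\librewolf.exe'                # assumed path
$svchost = Join-Path $env:SystemRoot 'System32\svchost.exe'

# Export the current policy; restore with: netsh advfirewall import <file>
netsh advfirewall export $backup | Out-Null

# Delete every local rule, then default-deny both directions and log drops.
Get-NetFirewallRule -PolicyStore PersistentStore | Remove-NetFirewallRule
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block -LogBlocked True

# Allow-list: name resolution and DHCP for the OS, plus one chosen program.
New-NetFirewallRule -DisplayName 'Allow DNS client' -Direction Outbound -Action Allow `
    -Program $svchost -Service Dnscache -Protocol UDP -RemotePort 53 | Out-Null
New-NetFirewallRule -DisplayName 'Allow DHCP client' -Direction Outbound -Action Allow `
    -Program $svchost -Service Dhcp -Protocol UDP -LocalPort 68 -RemotePort 67 | Out-Null
New-NetFirewallRule -DisplayName 'Allow browser' -Direction Outbound -Action Allow `
    -Program $browser | Out-Null

# Audit: which programs and services are allowed to talk out?
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Program = ($_ | Get-NetFirewallApplicationFilter).Program
            Service = ($_ | Get-NetFirewallServiceFilter).Service
        }
    } | Format-Table -AutoSize
```

Anything not on the allow-list is dropped and recorded in the firewall log (by default pfirewall.log under %SystemRoot%\System32\LogFiles\Firewall), which is where to look when a program unexpectedly loses connectivity.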
UEFI Settings
Don’t forget about bootkits—UEFI tweaks can help protect against them. Here’s what you should do:
- Regularly update your UEFI firmware. Unfortunately, UEFI is a security weak spot: new vulnerabilities are found regularly, and old ones aren’t always patched quickly.
- Consider disabling Secure Boot. Secure Boot checks the signature of EFI modules to ensure they haven’t been tampered with. In theory, this should improve security, but in practice, Secure Boot itself often has vulnerabilities.
Helpful Software
Of course, OS tweaks alone aren’t enough—you’ll still need some third-party software, either for security or to help keep things secure.
LibreWolf Browser
Your browser is a critical app for both security and privacy. It can be tracked or attacked via exploit packs and scripts, so choose your browser and plugins carefully.
I like the Firefox fork LibreWolf. It removes code for telemetry, centralized updates, and other features that could harm privacy. You can still install any plugin available in the standard Firefox catalog.
Here’s a minimal set of plugins I recommend for a more resilient browser:
- NoScript – blocks JavaScript;
- uBlock Origin – blocks ads, trackers, and malicious site components;
- Firefox Multi-Account Containers – lets you run each tab in a separate, isolated container.
All plugins are open source, so you don’t have to worry about your data leaking.
If you prefer Chromium-based browsers, there are options for you too, like Ungoogled Chromium.
Sandboxie
We often face a dilemma: run a new app out of curiosity, or skip it for safety? Sandboxie solves this problem by letting you create isolated environments for potentially vulnerable or dangerous apps. It uses a filtering driver for virtualization, providing solid protection—especially if you’re already using a standard user account.
Sandboxie is paid, but there are free features that may be enough for you. The code is fully open and available on GitHub.
Apps like browsers and PDF readers can always be run in Sandboxie, just in case there’s an unpatched vulnerability. And of course, use Sandboxie for unknown or suspicious apps downloaded from the darker corners of the internet.
Even better, set up automatic cleanup of the sandbox. When programs close, all changes are wiped. This also boosts privacy: for example, if you browse in a sandbox, cookies become much less effective for tracking you.
Portable App Versions
Installing apps often requires admin rights, which increases the risk of compromise—especially if you’re installing software from unknown sources. You can minimize (but not eliminate) the risk by using portable versions of programs. They don’t require installation, and even if they contain malicious functionality, a virus won’t get far in your system. A properly configured firewall will also prevent your data from leaking out.
ESET SysInspector
This is a great monitor for components installed on your system. How is ESET SysInspector different from antivirus? It doesn’t require installation, doesn’t integrate into the system, and isn’t always running. The workflow: launch it, check if there are any signs of unwanted guests in Windows, then close it.
This is much better than being under constant surveillance by a classic antivirus. Plus, ESET SysInspector doesn’t need an internet connection, so it can’t steal your data. The downside: it’s closed source.
Conclusion
By following the tips in this article, you can significantly improve your protection against various attacks. For the most part, built-in Windows features and a small set of open-source programs are enough—none of which run continuously in your system. Of course, you can and should develop and adapt this approach to fit your own needs and preferences.