Home arrow How To Set Up A New PC
How To Set Up A New PC

How to set up a new PC or laptop

Security software for a new PC or laptop

This article describes the procedures you can take to make sure that your new computer is safe to connect to the Internet the first time. Subsequently, you will need to know what software to add so that it can carry out its work efficiently.

Part 1 deals with security software and procedures
[Part 2, coming later, describes best working practices to set up your PC for work and leisure]

Who this advice is for
I wrote this article because someone I knew bought a new laptop and then connected it directly to the Net, using Internet Explorer, to get their email and so forth before adding an antivirus - and wasn't even going to install a firewall. The person in question was a sane (?), experienced computer user who uses the Net four hours a day or so in their work - not a complete beginner. When they told me I was stunned, and actually couldn't speak for a second or two. Mainly because I'd assumed they knew far more about computers, security and the Net than they obviously did.

So even experienced PC and Net users are likely to do crazy things with new equipment. They simply don't realise the level of attacks out there on the Net now. If you connect up straightaway like this, your machine will start its life with trojans - some of which might bury themselves very deeply, given a clean strike at a new PC with no protection whatsoever.

In a test I made with a PC that was about to be wiped, in ten minutes on the Net with no software firewall, using an ISP's free USB broadband router (which has no built-in hardware firewall), just getting email and so on, the PC picked up four trojans - around one every three minutes. So it's more than likely my friend's new laptop is already infected. The only thing they might possibly have done worse is connect via IM, instant messaging. That is a direct conduit for some of the worst trojans around.

Those things are out there probing for open machines - you don't have to visit a single website to be infected. The attackers are automated bots roaming the Net, probing for weaknesses all the time. Of course, if you visit less than reputable sites then your risk level increases a hundredfold - but simply switching on and connecting to the web makes you a target. And if you connect using a vulnerable browser and no firewall of any type (especially if you use IM of course), you are likely to become the owner of one of the 20% of PCs thought to be a botnet slave - a tool used by a remote master for perpetrating various criminal acts. These people don't need to run their own PCs for illegal attacks - they've got yours and thousands like it. They have their own remote access software on your PC.

The antivirus misconception
You can see from this tale of my friend that people seem to think an antivirus program is the most important. I'm afraid this is totally wrong since you WILL get trojans onboard if you connect without a firewall to protect you, and since they are not clickable files or similar, your antivirus program WILL NOT stop them.

By far the most important job on a new PC or laptop is to install a firewall - this stops the things getting onboard in the first place. Of course, once you start to download files onto your PC - and that's files of any kind, including email - then you are into antivirus and antispyware territory. At this stage you need both types of protection, a firewall and anti-malware software. By downloading files, you get them in yourself, by 'smuggling' them past the firewall - it can't keep out unwanted threats if you specifically tell it the file is to be downloaded. Once it's on your PC then your anti-malware programs take over.

For example some of the worst files to download are screensavers - they are the favourite tool of trojan authors, as they are an executable file that can easily hold camouflaged code; you bring them in yourself, past any firewall; and they run automatically when the machine is on but idle and you are away from it. Perfect!

Antivirus or antispyware ?
The worst threats both in risk and in volume now are spyware. Many virus writers now create spyware as this makes them money. Spyware has a commercial agenda of some sort - it is similar to a virus but aims to steal your data. It does this by accessing your files or logging your keystrokes when entering a password, then tries to 'phone home' with this data. As stated, spyware of this type is far more prevalent and a greater threat than viruses.

Therefore we need antispyware protection just as much as we need antivirus protection. Many security programs cover both now, although they didn't in the past. Because they tend to cover all types of threat now, they are often called 'anti-malware' apps. The always-on type are best, and in addition you can run scanners as needed.

How to connect safely the first time
We're going to look at how to connect safely the first time, and what software to use in order to protect your new PC. We have to make some assumptions in order to narrow the field to a reasonable size:

1: We're going to assume that this advice is for a family member or office worker who uses a PC regularly but has little technical knowledge.

Since such a user is often unlikely to realise that you should do certain things before you connect to the Net, or that you can get software of the highest quality for free, we will also assume that you are advising them by phone or email on exactly how to proceed. You can only advise them to use free software at this stage because they are confused by the options and need time to make up their minds.

2: I have selected what I consider the best software for the task at hand: a high level of performance plus ease of use. It may well be that something else is 5% better but that is for experts to argue over - and experts to use. The software I recommend is usable by most people and does not need technical skill in the user. You can always find the current best choice in free software by going to the security section on the best freeware website, techsupportalert.com Many of these applications are better than their commercial equivalents, or are free versions of a full commercial product where the authors need a very large userbase in order to ensure their offerings are the best.

You should also realise that there is no such thing as the single 'best' program - it depends on best for  precisely what; on who it's for; on what day it is tested, since tomorrow things might change; on what computer it will run on; and a dozen other things. Computer enthusiasts argue about this till the cows come home, but all you need to do is pick free software that scores in the top 5 in reputable tests or reviews, since the differences are likely to be marginal and they will be more than good enough for the job.

It's more important to fit the software to the user and the PC than try to pick the best outright, since it may not suit the user. I can think of several examples of this, and firewalls are among the best here - one or two excellent ones are of no use at all to average users as they need a space shuttle pilot to set them up correctly.

Don't connect your new PC
When you unwrap your new PC or laptop, you MUST resist the temptation to connect to the Net and get surfing. Never connect to the Net without at least one firewall.

You should have a decent new router between you and the Net: maybe a broadband WiFi router, or a cable DSL router. These all contain a 'hardware firewall' now - your first level of defence. It rejects a large percentage of bot probes and attacks. A hardware firewall is any black box you plug into, that contains its own software firewall. However it is different from your on-PC one because it must run totally silent, ie without any assistance or instructions from you. It has a basic level of defence which nevertheless is important - it keeps a lot of trash off your network.

Then of course you need your software firewall: the second line of defence that performs two vital tasks - it stops nasties getting in, and it stops them dialling out. Unless it stops trojans 'phoning home' then it isn't a firewall. Trojans will always get into your PC because that is what they do: they disguise themselves as something else, in order to gain entry. Trojans *will* get in - you must be able to deal with them: to stop them dialling out, and to remove them.

The only way to stop them dead is sandboxing but that is beyond the level of protection that we can advise for our family member or office staffer. Sandboxing and virtual machine sessions are the best way without doubt - but there is no way that it's for anyone other than enthusiasts at present, since you have to remember to switch it on, take the extra time hit at the start, remember to save downloaded files, and so on. And if you are tempted to do without, for just a quick check on your email, you could be in trouble. Sandboxing isn't foolproof and is not the right option for your Mum or your co-worker.

Why Windows built-in firewall is not a good choice
A firewall is a software defence against direct bot probes and attacks that are designed to enable malware to enter a computer and then 'phone home'. If it doesn't stop the bots getting in, or it doesn't stop them dialling out - it's not a firewall. Simple as that. You could call it something else such as a defensive device or something - but a firewall it's not.

Windows 'firewall' is only half of a firewall because it has some defensive components that stop bots getting in, but it is missing the other half that stop them dialling out. Trojans will get in because that's what they do. For the last eight years the industry has known about and been quite clear on this issue: a firewall has two functions, stopping in and out traffic - there aren't any questions about this, or debate, or anything. The Windows firewall is not safe to use and should be disabled as soon as a real one is installed.

Unwrap your laptop
So: unwrap your laptop / PC, plug in the charger - but don't switch on yet. Have you got a hardware firewall? You should try to get one before you connect with your new PC. The free USB router you may have got with your ADSL (broadband) account is not safe to connect with as it has no firewall built in.

How about a software one? No. So how will you get one - connect to the Net, using the built-in Internet Explorer browser, and download one?

No, no, no. Please don't do that. If you have another PC, then use that to download two items:
  • A proper browser such as Firefox or Opera
  • A good software firewall such as Online Armor
You can put them on a USB stick and transfer them to your new computer. No other PC available? If you really cannot find anyone to help you then let's go to the next step - but be advised, by far the best way is to have someone download those two applications for you and give them to you on a USB stick.

Of course, they themselves might have a virus - but if you go online unprotected you're guaranteed several, so take your choice.

There could be other alternatives - for example virtually all computer magazine CDs have browsers and so on available in their utilities section.

With no one else to help, and no way to acquire a proper browser and firewall before you connect to the Net, then fire it up and connect. Immediately go to Mozilla and download the latest Firefox browser:


Shut off your web connection straightaway, as soon as you've done this. You can do it by disabling your WiFi card on the computer; or disabling networking; or even by switching off the DSL router. Install Firefox and make it the default browser (or Opera if you prefer that). You may be able to accomplish this in seconds - and you will need to :)

What's wrong with Internet Explorer?
The fact is that IE is neither the best browser nor the most secure. Because we have to consider legal issues it's not really possible to comment further. IE is however excellent as a lightweight on-PC browser for opening local files - and that is its best use. It loads very quickly and handles files well. Leave it for that job, please. A percentage of exploits (malware of some kind) specifically targets the many weaknesses of IE and gets onto your PC directly through IE. On my PCs, Internet Explorer is not allowed out through the firewall - simple as that.

Once you've loaded Firefox, then go to the Online Armor site and download that. You know the routine now - shut off the web connection immediately, and install it. After this stage you are safe to reconnect and get hold of antivirus and antispyware programs. If you also have a hardware firewall, you are secure for the time being, and can browse, get your mail, check the celeb news and the TV schedule. A secure browser and two good firewalls will stop 99.9% of problems.

Why you need two firewalls
Simple: because two versions of something are inevitably better than one, as there is no single solution that handles all problems. This applies to antispyware software, firewalls, and many other things. It also probably applies to antivirus software except that because of the way they work, you cannot have two installed at the same time - you can only have one. You must choose between Avast and AVG for example - you can't install both as they conflict.

I have never seen or heard of any confirmed example of two firewalls, one of each of the software and hardware types, 'conflicting' or not working properly together. They don't work in such a way that they can conflict. Think of them as your front door (the hardware firewall) and a room door (the software firewall). Those doors don't conflict and neither do firewalls.

However you can't have two software firewalls installed, certainly, as this would be the same as installing two antivirus programs. They will conflict badly as each is trying to do the same job with the same files at the same time. To continue with the door analogy, it would be like hanging two doors in the same opening - unlikely to be successful and pointless in any case.

You can have two versions of something installed as long as they work in different ways, and on different parts of the system. Thus two firewalls are perfectly acceptable since they are hardware and software types, but two antivirus programs aren't. Antispyware programs are an interesting case - if you are talking about on-demand scanners (programs that are individually started, run, then shut down) then certainly, the more the merrier - there are no conflicts as there can't be. It used to be the case that two or more always-on antispyware apps could and should be run concurrently as they tended to work in different ways, and none was 100% efficient in any case. This has changed now since antispyware is built in to most of the top antivirus apps, and on-demand scanners are used to fill any gaps.

Antivirus and antispyware
Now we need anti-malware programs - an antivirus (aka a/v) and antispyware (aka a/s) app or apps. I currently recommend Avast a/v and A-squared a/s. Avast is a permanently-on solution, and A-squared is an on-demand scanner. Download them - install them - update them online - and run full scans. The Avast antivirus is on all the time and can also be used to run a scan. You should also run a frequent antispyware scan using A-squared.

If you use something like Outlook Express for your email, Avast will often fire up and warn you about trojans and viruses in any spam you get. A percentage of spam is sent in order to get malware onto your PC. An email client such as Thunderbird (free) is more secure, and dumps most of the dangerous spam before you get to see it.

The first stage of this security solution is a real drag, there's no other way to describe it. Downloading, installing, updating, scanning - it can seem to take a long time. But the benefit is you don't lose your credit card details or give out free access to your website. Better safety = more pain at first. More security = less functionality. And that's the way it is, but you have to have it. You know it makes sense.

Once your software firewall is trained, and knows what you permit, then your security software takes care of business. You need to run a weekly scan, and the firewall pop-up messages can be annoying sometimes - but that's the price of safety.

Update your Java
Another thing you need to do at some stage, the earlier the better, is update your Java install. This certainly applies to brand new laptops and PCs. Java is a plugin helper added to the operating system that enables important functionality in your browser. For example interactive websites, uploads to sites, webforms, and remote access systems may well need the latest version of Java or they won't work. In addition, older versions of Java might be insecure and should not be used in any case.

Java for PC is also known as the JRE, Java Runtimes, Java Runtime Environment, Java VM, Java Virtual Machine, JVM, and more. Sun Computer, who own and support it, do a good job but obviously their brand department and naming policy are a tiny bit flaky. Download the latest version here:


You should also uninstall any old Java versions from the PC, plus the Sun Java installer. These all remain on the PC after a new version is installed, and as well as taking up unnecessary space (hundreds of megabytes in fact), they are also a security vulnerability - as they are still present and can be exploited. Sun also need to do some work in this area. You can uninstall these old versions etc manually but I think the best way is to use a convenient utility to do it, JavaRa:


For example if you find you can't upload photos to Alamy, with a new PC or laptop - or whatever - this is your problem. Update your Java.

File encryption

It's also well worth considering how to protect your personal files and data - especially if you have other's data such as website access details. Remember that the reason spyware exists is to get your data and sell it or use it for profit.

The simplest way to encrypt your files on a Windows machine is with Axcrypt. You can encrypt an entire folder full of files easily, and have those files automatically decrypt when you view them. They are useless to anyone else.

All the security software mentioned here is free. That doesn't affect its quality in any way, as in many cases it is the best around at any price. You can simply search the name to find and download it, or go to the top software review site to read about it and get the download link:

Security checklist for new PCs connecting to the Net

Method 1 - with 2 PCs
1. Do not switch on your new PC or laptop in case it connects immediately.
2. ON ANOTHER PC, download Firefox or Opera browser, and Online Armor personal firewall. All are free. Put them on a USB stick or CD.
3. To be ultra-safe, switch off your DSL router. Otherwise, ensure your new PC or laptop is disconnected from the web. With a laptop that has an external WiFi on-off button, make sure it's off. On a PC, disconnect the LAN cable if fitted. If it has a WiFi card, then disconnect by shutting down the router.
4. Install the browser, then the firewall.
5. Disable Windows firewall by going to Settings >> Control Panel >> Firewall >> Off (you don't need or want two software firewalls running).
6. Connect to the web.
7. Download an antivirus and antispyware program.
8. Install them, update them, and run scans.
9. Update Java. Run JavaRa and remove the installer and old Java versions.
10. You're done.

Method 2 - only your new PC / laptop is available
1. Turn off your DSL router.
2. Boot up your new computer and check it out.
3. Get a magazine CD or other source of browsers and firewalls if you can.
4. Otherwise, we need to get some software quickly, with minimum time online. Get Internet Explorer up on the screen. Enter the Mozilla URL in the address bar.
5. Switch on your DSL router and try to connect. Keep trying and as soon as it hooks up, grab Firefox, then shut down the router.
6. Install Firefox. Get it onscreen and enter the Online Armor URL in the address bar.
7. Boot up the router again - connect with Firefox - get the firewall software - shut down the router.
8. Install the firewall. At this stage, if behind two firewalls, you are 99% safe. Behind a software firewall only, I'd put that at 90 or 95% safe.
9. Disable Windows firewall by going to Settings >> Control Panel >> Firewall >> Off (you don't need or want two software firewalls running).
10. Boot up the router and download antivirus and antispyware programs.
11. Install them, update them, and run scans.
12. Update Java. Run JavaRa and remove the installer and old Java versions.
13. You're done.

Firewall questions
If your router has no hardware firewall, you need to be extra cautious and carry out these procedures exactly as detailed. Buy a real router ASAP. If you have a hardware firewall, though, you can take it easier with these procedures. ISPs' free USB routers have no firewall and are bad news.

When you first connect, using new firewall software, it keeps asking again and again for instructions - a pop-up window appears and everything stops. This is the outbound protection that some 'firewall' providers did not include in the past because it makes the software hard for average users to comprehend. You have to train it. It gets better.

There is a difficult question here about whether to allow the traffic or not. The answer has to be no, you don't allow it - but make sure you DO NOT have the 'Remember my instructions' box checked. Then, if you can't connect to carry out a genuine task, you'll know that you need to allow that traffic. To do so you will have to start a new session in order to clear the firewall's memory - shut down your browser and open it again.

This is a serious omission in firewall documentation since they should provide lists and screenshots of OK traffic and suspect traffic. It's been this way for the last ten years and I don't see it changing anytime soon. This documentation should be available as a zip download - online help isn't much use. However, as we all know, documentation and ideas relating to documentation are always the last on the list. Or ignored.

How to manage Online Armor firewall
I recommend you use a top firewall application even if it's initially hard to manage for non-technical users. That's because it works. Easier-to-use firewalls don't work as well, and in my opinion a firewall is the most critical security application of all. These top firewalls generally include a HIPS function, which is the part that stops unknown programs from running. They have ultimate functionality but may be hard to use for some people. For example some users cannot handle them, so they are the wrong choice for children, and seniors who are not fluent PC users. A silent firewall, as detailed at the end, will be better.

Many top programs have a free version, in which the only restrictions are that some widgets are disabled - and normally these aren't vital or possibly even needed.

This is why I currently recommend Online Armor. There are easier firewalls to set up and use initially, but in the end, the protection of a better solution is needed. For example you could use the Windows built-in affair, or Kerio Sunbelt Personal Firewall in 'silent' mode - but these only work at around 50% efficiency or thereabouts. No pain, no gain. You will have to put up with a few minutes of frustration in order to get decent protection. It's a simple process after all, if you go about it the right way:

1. Install Online Armor.
2. Allow it to run a full PC scan.
3. When you start to browse, it will continually stop your traffic and request an answer from you - Permit or Block.
4. If you just actioned a web-related task, and you recognise the name of the application 'dialling out', then allow it. For example if you just tried to access a website, and Online Armor (OA) blocks the process and asks you if Firefox traffic is allowed, the obvious answer is Yes. And you should also check the 'Remember My Decision' box, so you don't get asked again. Now, Firefox has full permissions and you don't get asked again. How easy is that? And - please don't use Internet Explorer. If you are reading this, you must be interested in improving your security - just take the hint. The safe option is to go to the Firewall tab in Online Armor and block IE from web access.
5. If you are working with web-related tasks and the traffic stops, and the OA pop-up asks if certain traffic is allowed, you can probably allow it and check Remember.
6. If you didn't expect any traffic, then you should say No - but MAKE SURE the 'Remember' box is NOT CHECKED whenever you say No.
7. If a task is jammed up - you'll know that it needed that blocked traffic in order to complete. You'll have to run it again. This time, obviously - allow it. Also, check the Remember box. You may need to restart the browser to accomplish this.
8. OA also stops any / all programs on the PC starting up and running if it doesn't know them. You must allow each one in turn until it knows all the apps on your PC. Painful? Yes - but you are secure.
9. In general, if you're not sure, then you should say No. But you MUST NOT HAVE THE 'REMEMBER' BOX CHECKED IF YOU SAY NO.
10. If you do, it then permanently blocks what may be a needed process. To fix that and allow a neccessary process to run, you'll have to open the main OA window and go to the configs, and re-allow what you just blocked.
11. When you install a new program, OA blocks the install. You need to allow everything that happens, even when you don't recognise it, otherwise the install will not work. To be absolutely safe, you could disconnect your Internet connection and then Allow everything to run (and Remember it) during the install. Then, reconnect.

If you follow this you can't go far wrong. Until OA is trained, it's a painful process for the non-technical. But it protects you. Your choice.

Using a silent firewall

If you genuinely can't get on with a real firewall like Online Armor, then you need a silent one. However a silent firewall can only block inbound threats - obviously, it can't block outbound threats because it has to ask you what is permitted and what isn't, and if you turn this off, then there is no outbound protection.

If you must use a silent firewall, with no outbound protection, then here are my choices:

1. Ghostwall
This is totally silent. You can also set up rules for blocking some outbound threats, if you know what you are doing. In addition Ghostwall is very configurable, for the knowledgeable, and has the best reputation for not interfering with online games and similar traffic. This would be my #1 choice for young PC users, and teens who are not too conscientious about security issues (ie most of them).

2. Sunbelt Kerio personal firewall
This is an older firewall of a similar type to Ghostwall. I prefer Ghostwall.

3. Windows firewall
It has reasonable inbound protection but zero outbound protection. As with all Windows utilities, you must decide whether perhaps a 3rd-party specialist might possibly be a better choice.

Where to find the programs mentioned
You can google them or go to www.techsupportalert.com for reviews and links. Also see at the foot of this article:
Web Business Managers