How to set up a new PC or laptop
Security software for a new PC or laptop
This article describes the steps you can take to make sure that your new computer is safe when it connects to the Internet for the first time. After that, you will need to know what software to add so that it can carry out its work efficiently.
Part 1 deals with security software and procedures
[Part 2, coming later, describes best working practices to set up your PC for work and leisure]
Who this advice is for
I wrote this article because someone I knew bought a new laptop and then connected it directly to the Net, using Internet Explorer, to get their email and so forth before adding an antivirus - and wasn't even going to install a firewall. The person in question was a sane (?), experienced computer user who uses the Net four hours a day or so in their work - not a complete beginner. When they told me I was stunned, and actually couldn't speak for a second or two. Mainly because I'd assumed they knew far more about computers, security and the Net than they obviously did.
So even experienced PC and Net users are likely to do crazy things with new equipment. They simply don't realise the level of attacks out there on the Net now. If you connect up straightaway like this, your machine will start its life with trojans - some of which might bury themselves very deeply, given a clean strike at a new PC with no protection whatsoever.
In a test I made with a PC that was about to be wiped, in ten minutes on the Net with no software firewall, using an ISP's free USB broadband router (which has no built-in hardware firewall), just getting email and so on, the PC picked up four trojans - around one every three minutes. So it's more than likely my friend's new laptop is already infected. The only thing they might possibly have done worse is connect via IM, instant messaging. That is a direct conduit for some of the worst trojans around.
Those things are out there probing for open machines - you don't have to visit a single website to be infected. The attackers are automated bots roaming the Net, probing for weaknesses all the time. Of course, if you visit less than reputable sites then your risk level increases a hundredfold - but simply switching on and connecting to the web makes you a target. And if you connect using a vulnerable browser and no firewall of any type (especially if you use IM of course), you are likely to become the owner of one of the 20% of PCs thought to be a botnet slave - a tool used by a remote master for perpetrating various criminal acts. These people don't need to run their own PCs for illegal attacks - they've got yours and thousands like it. They have their own remote access software on your PC.
The antivirus misconception
You can see from this tale of my friend that people seem to think an antivirus program is the most important. I'm afraid this is totally wrong since you WILL get trojans onboard if you connect without a firewall to protect you, and since they are not clickable files or similar, your antivirus program WILL NOT stop them.
By far the most important job on a new PC or laptop is to install a firewall - this stops the things getting onboard in the first place. Of course, once you start to download files onto your PC - and that's files of any kind, including email - then you are into antivirus and antispyware territory. At this stage you need both types of protection, a firewall and anti-malware software. By downloading files, you get them in yourself, by 'smuggling' them past the firewall - it can't keep out unwanted threats if you specifically tell it the file is to be downloaded. Once it's on your PC then your anti-malware programs take over.
For example some of the worst files to download are screensavers - they are the favourite tool of trojan authors, as they are an executable file that can easily hold camouflaged code; you bring them in yourself, past any firewall; and they run automatically when the machine is on but idle and you are away from it. Perfect!
Antivirus or antispyware?
The worst threats both in risk and in volume now are spyware. Many virus writers now create spyware as this makes them money. Spyware has a commercial agenda of some sort - it is similar to a virus but aims to steal your data. It does this by accessing your files or logging your keystrokes when entering a password, then tries to 'phone home' with this data. As stated, spyware of this type is far more prevalent and a greater threat than viruses.
Therefore we need antispyware protection just as much as we need antivirus protection. Many security programs cover both now, although they didn't in the past. Because they tend to cover all types of threat now, they are often called 'anti-malware' apps. The always-on type are best, and in addition you can run scanners as needed.
How to connect safely the first time
We're going to look at how to connect safely the first time, and what software to use in order to protect your new PC. We have to make some assumptions in order to narrow the field to a reasonable size:
1: We're going to assume that this advice is for a family member or office worker who uses a PC regularly but has little technical knowledge.
Since such a user is often unlikely to realise that you should do certain things before you connect to the Net, or that you can get software of the highest quality for free, we will also assume that you are advising them by phone or email on exactly how to proceed. You can only advise them to use free software at this stage because they are confused by the options and need time to make up their minds.
2: I have selected what I consider the best software for the task at hand: a high level of performance plus ease of use. It may well be that something else is 5% better but that is for experts to argue over - and experts to use. The software I recommend is usable by most people and does not need technical skill in the user. You can always find the current best choice in free software by going to the security section on the best freeware website, techsupportalert.com. Many of these applications are better than their commercial equivalents, or are free versions of a full commercial product where the authors need a very large userbase in order to ensure their offerings are the best.
You should also realise that there is no such thing as the single 'best' program - it depends on best for precisely what; on who it's for; on what day it is tested, since tomorrow things might change; on what computer it will run on; and a dozen other things. Computer enthusiasts argue about this till the cows come home, but all you need to do is pick free software that scores in the top 5 in reputable tests or reviews, since the differences are likely to be marginal and they will be more than good enough for the job.
It's more important to fit the software to the user and the PC than try to pick the best outright, since it may not suit the user. I can think of several examples of this, and firewalls are among the best here - one or two excellent ones are of no use at all to average users as they need a space shuttle pilot to set them up correctly.
Don't connect your new PC
When you unwrap your new PC or laptop, you MUST resist the temptation to connect to the Net and get surfing. Never connect to the Net without at least one firewall.
You should have a decent new router between you and the Net: maybe a broadband WiFi router, or a cable DSL router. These all contain a 'hardware firewall' now - your first level of defence. It rejects a large percentage of bot probes and attacks. A hardware firewall is any black box you plug into, that contains its own software firewall. However it is different from your on-PC one because it must run totally silent, ie without any assistance or instructions from you. It has a basic level of defence which nevertheless is important - it keeps a lot of trash off your network.
Then of course you need your software firewall: the second line of defence that performs two vital tasks - it stops nasties getting in, and it stops them dialling out. Unless it stops trojans 'phoning home' then it isn't a firewall. Trojans will always get into your PC because that is what they do: they disguise themselves as something else, in order to gain entry. Trojans *will* get in - you must be able to deal with them: to stop them dialling out, and to remove them.
The only way to stop them dead is sandboxing but that is beyond the level of protection that we can advise for our family member or office staffer. Sandboxing and virtual machine sessions are the best way without doubt - but there is no way that it's for anyone other than enthusiasts at present, since you have to remember to switch it on, take the extra time hit at the start, remember to save downloaded files, and so on. And if you are tempted to do without, for just a quick check on your email, you could be in trouble. Sandboxing isn't foolproof and is not the right option for your Mum or your co-worker.
Why Windows built-in firewall is not a good choice
A firewall is a software defence against direct bot probes and attacks that are designed to enable malware to enter a computer and then 'phone home'. If it doesn't stop the bots getting in, or it doesn't stop them dialling out - it's not a firewall. Simple as that. You could call it something else such as a defensive device or something - but a firewall it's not.
Windows 'firewall' is only half of a firewall because it has some defensive components that stop bots getting in, but it is missing the other half that stop them dialling out. Trojans will get in because that's what they do. For the last eight years the industry has known about and been quite clear on this issue: a firewall has two functions, stopping in and out traffic - there aren't any questions about this, or debate, or anything. The Windows firewall is not safe to use and should be disabled as soon as a real one is installed.
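The two directions of traffic described above can be seen on a running machine. The following is an added example, not part of the original article: a Python sketch that reads output in the layout of Windows `netstat -ano`, separates sockets waiting for inbound connections from established outbound ones, and lists outbound connections made by programs that are not on an allowlist. The sample output, the PID-to-program table, the program name funsaver.scr and the allowlist are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state pid")

# Constructed sample in the layout printed by `netstat -ano` on Windows.
# Addresses come from private/documentation ranges; this is not captured data.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.20:445       192.168.1.30:51000     ESTABLISHED     4
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     3456
  TCP    192.168.1.20:49720     198.51.100.7:8080      ESTABLISHED     5120
  TCP    192.168.1.20:49731     203.0.113.25:80        ESTABLISHED     2210
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    1820
"""

# Constructed PID -> program table (what `tasklist` would supply).
SAMPLE_PROCESSES = {4: "System", 912: "svchost.exe", 1820: "mDNSResponder.exe",
                    3456: "firefox.exe", 5120: "funsaver.scr", 2210: "iexplore.exe"}

# Assumed policy: the programs the user has told the firewall may dial out.
ALLOWED_OUTBOUND = {"firefox.exe", "thunderbird.exe"}


def split_endpoint(text):
    """Split 'host:port', including bracketed IPv6 such as '[::]:135'."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Return a Conn for every TCP/UDP row; headers and blanks are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP rows have no State
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        conns.append(Conn(proto, *split_endpoint(local), *split_endpoint(remote),
                          state, int(pid)))
    return conns


def is_loopback(host):
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:          # '*' and similar placeholders
        return False


def inbound_exposure(conns):
    """Sockets other machines can reach: the inbound half of the job."""
    return [c for c in conns
            if (c.state == "LISTENING" or c.proto == "UDP")
            and not is_loopback(c.local_host)]


def outbound_to_review(conns, processes, allowed):
    """Connections this PC opened from programs not on the allowlist."""
    listening_ports = {c.local_port for c in conns if c.state == "LISTENING"}
    flagged = []
    for c in conns:
        if c.state != "ESTABLISHED" or is_loopback(c.remote_host):
            continue
        if c.local_port in listening_ports:
            continue            # a remote machine connected to us: inbound
        name = processes.get(c.pid, "unknown").lower()
        if name not in allowed:
            flagged.append((name, c.remote_host, c.remote_port))
    return flagged


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in inbound_exposure(conns):
        print("open to inbound:", c.proto, c.local_host, c.local_port, "pid", c.pid)
    for name, host, port in outbound_to_review(conns, SAMPLE_PROCESSES, ALLOWED_OUTBOUND):
        print("dialling out, not allowed:", name, "->", host, port)
```
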
Unwrap your laptop
So: unwrap your laptop / PC, plug in the charger - but don't switch on yet. Have you got a hardware firewall? You should try to get one before you connect with your new PC. The free USB router you may have got with your ADSL (broadband) account is not safe to connect with as it has no firewall built in.
How about a software one? No. So how will you get one - connect to the Net, using the built-in Internet Explorer browser, and download one?
No, no, no. Please don't do that. If you have another PC, then use that to download two items:
- A proper browser such as Firefox or Opera
- A good software firewall such as Online Armor
You can put them on a USB stick and transfer them to your new computer. No other PC available? If you really cannot find anyone to help you then let's go to the next step - but be advised, by far the best way is to have someone download those two applications for you and give them to you on a USB stick.
Of course, they themselves might have a virus - but if you go online unprotected you're guaranteed several, so take your choice.
There could be other alternatives - for example virtually all computer magazine CDs have browsers and so on available in their utilities section.
With no one else to help, and no way to acquire a proper browser and firewall before you connect to the Net, then fire it up and connect. Immediately go to Mozilla and download the latest Firefox browser:
www.mozilla.com/en-US/firefox/
Shut off your web connection straightaway, as soon as you've done this. You can do it by disabling your WiFi card on the computer; or disabling networking; or even by switching off the DSL router. Install Firefox and make it the default browser (or Opera if you prefer that). You may be able to accomplish this in seconds - and you will need to :)
What's wrong with Internet Explorer? The fact is that IE is neither the best browser nor the most secure. Because we have to consider legal issues it's not really possible to comment further. IE is however excellent as a lightweight on-PC browser for opening local files - and that is its best use. It loads very quickly and handles files well. Leave it for that job, please. A percentage of exploits (malware of some kind) specifically targets the many weaknesses of IE and gets onto your PC directly through IE. On my PCs, Internet Explorer is not allowed out through the firewall - simple as that.
Once you've loaded Firefox, then go to the Online Armor site and download that. You know the routine now - shut off the web connection immediately, and install it. After this stage you are safe to reconnect and get hold of antivirus and antispyware programs. If you also have a hardware firewall, you are secure for the time being, and can browse, get your mail, check the celeb news and the TV schedule. A secure browser and two good firewalls will stop 99.9% of problems.
Why you need two firewalls
Simple: because two versions of something are inevitably better than one, as there is no single solution that handles all problems. This applies to antispyware software, firewalls, and many other things. It also probably applies to antivirus software except that because of the way they work, you cannot have two installed at the same time - you can only have one. You must choose between Avast and AVG for example - you can't install both as they conflict.
I have never seen or heard of any confirmed example of two firewalls, one of each of the software and hardware types, 'conflicting' or not working properly together. They don't work in such a way that they can conflict. Think of them as your front door (the hardware firewall) and a room door (the software firewall). Those doors don't conflict and neither do firewalls.
However you can't have two software firewalls installed, certainly, as this would be the same as installing two antivirus programs. They will conflict badly as each is trying to do the same job with the same files at the same time. To continue with the door analogy, it would be like hanging two doors in the same opening - unlikely to be successful and pointless in any case.
You can have two versions of something installed as long as they work in different ways, and on different parts of the system. Thus two firewalls are perfectly acceptable since they are hardware and software types, but two antivirus programs aren't. Antispyware programs are an interesting case - if you are talking about on-demand scanners (programs that are individually started, run, then shut down) then certainly, the more the merrier - there are no conflicts as there can't be. It used to be the case that two or more always-on antispyware apps could and should be run concurrently as they tended to work in different ways, and none was 100% efficient in any case. This has changed now since antispyware is built in to most of the top antivirus apps, and on-demand scanners are used to fill any gaps.
Antivirus and antispyware
Now we need anti-malware programs - an antivirus (aka a/v) and antispyware (aka a/s) app or apps. I currently recommend Avast a/v and A-squared a/s. Avast is a permanently-on solution, and A-squared is an on-demand scanner. Download them - install them - update them online - and run full scans. The Avast antivirus is on all the time and can also be used to run a scan. You should also run a frequent antispyware scan using A-squared.
If you use something like Outlook Express for your email, Avast will often fire up and warn you about trojans and viruses in any spam you get. A percentage of spam is sent in order to get malware onto your PC. An email client such as Thunderbird (free) is more secure, and dumps most of the dangerous spam before you get to see it.
The first stage of this security solution is a real drag, there's no other way to describe it. Downloading, installing, updating, scanning - it can seem to take a long time. But the benefit is you don't lose your credit card details or give out free access to your website. Better safety = more pain at first. More security = less functionality. And that's the way it is, but you have to have it. You know it makes sense.
Once your software firewall is trained, and knows what you permit, then your security software takes care of business. You need to run a weekly scan, and the firewall pop-up messages can be annoying sometimes - but that's the price of safety.
Update your Java
Another thing you need to do at some stage, the earlier the better, is update your Java install. This certainly applies to brand new laptops and PCs. Java is a plugin helper added to the operating system that enables important functionality in your browser. For example interactive websites, uploads to sites, webforms, and remote access systems may well need the latest version of Java or they won't work. In addition, older versions of Java might be insecure and should not be used in any case.
Java for PC is also known as the JRE, Java Runtimes, Java Runtime Environment, Java VM, Java Virtual Machine, JVM, and more. Sun Computer, who own and support it, do a good job but obviously their brand department and naming policy are a tiny bit flaky. Download the latest version here:
www.java.com/en/download/index.jsp
You should also uninstall any old Java versions from the PC, plus the Sun Java installer. These all remain on the PC after a new version is installed, and as well as taking up unnecessary space (hundreds of megabytes in fact), they are also a security vulnerability - as they are still present and can be exploited. Sun also need to do some work in this area. You can uninstall these old versions etc manually but I think the best way is to use a convenient utility to do it, JavaRa:
http://sourceforge.net/projects/javara/
For example if you find you can't upload photos to Alamy, with a new PC or laptop - or whatever - this is your problem. Update your Java.
File encryption
It's also well worth considering how to protect your personal files and data - especially if you have others' data such as website access details. Remember that the reason spyware exists is to get your data and sell it or use it for profit.
The simplest way to encrypt your files on a Windows machine is with Axcrypt. You can encrypt an entire folder full of files easily, and have those files automatically decrypt when you view them. They are useless to anyone else.
All the security software mentioned here is free. That doesn't affect its quality in any way, as in many cases it is the best around at any price. You can simply search the name to find and download it, or go to the top software review site to read about it and get the download link:
www.techsupportalert.com
Security checklist for new PCs connecting to the Net
Method 1 - with 2 PCs
1. Do not switch on your new PC or laptop in case it connects immediately.
2. ON ANOTHER PC, download Firefox or Opera browser, and Online Armor personal firewall. All are free. Put them on a USB stick or CD.
3. To be ultra-safe, switch off your DSL router. Otherwise, ensure your new PC or laptop is disconnected from the web. With a laptop that has an external WiFi on-off button, make sure it's off. On a PC, disconnect the LAN cable if fitted. If it has a WiFi card, then disconnect by shutting down the router.
4. Install the browser, then the firewall.
5. Disable Windows firewall by going to Settings >> Control Panel >> Firewall >> Off (you don't need or want two software firewalls running).
6. Connect to the web.
7. Download an antivirus and antispyware program.
8. Install them, update them, and run scans.
9. Update Java. Run JavaRa and remove the installer and old Java versions.
10. You're done.
Method 2 - only your new PC / laptop is available
1. Turn off your DSL router.
2. Boot up your new computer and check it out.
3. Get a magazine CD or other source of browsers and firewalls if you can.
4. Otherwise, we need to get some software quickly, with minimum time online. Get Internet Explorer up on the screen. Enter the Mozilla URL in the address bar.
5. Switch on your DSL router and try to connect. Keep trying and as soon as it hooks up, grab Firefox, then shut down the router.
6. Install Firefox. Get it onscreen and enter the Online Armor URL in the address bar.
7. Boot up the router again - connect with Firefox - get the firewall software - shut down the router.
8. Install the firewall. At this stage, if behind two firewalls, you are 99% safe. Behind a software firewall only, I'd put that at 90 or 95% safe.
9. Disable Windows firewall by going to Settings >> Control Panel >> Firewall >> Off (you don't need or want two software firewalls running).
10. Boot up the router and download antivirus and antispyware programs.
11. Install them, update them, and run scans.
12. Update Java. Run JavaRa and remove the installer and old Java versions.
13. You're done.
Firewall questions
If your router has no hardware firewall, you need to be extra cautious and carry out these procedures exactly as detailed. Buy a real router ASAP. If you have a hardware firewall, though, you can take it easier with these procedures. ISPs' free USB routers have no firewall and are bad news.
When you first connect, using new firewall software, it keeps asking again and again for instructions - a pop-up window appears and everything stops. This is the outbound protection that some 'firewall' providers did not include in the past because it makes the software hard for average users to comprehend. You have to train it. It gets better.
There is a difficult question here about whether to allow the traffic or not. The answer has to be no, you don't allow it - but make sure you DO NOT have the 'Remember my instructions' box checked. Then, if you can't connect to carry out a genuine task, you'll know that you need to allow that traffic. To do so you will have to start a new session in order to clear the firewall's memory - shut down your browser and open it again.
This is a serious omission in firewall documentation since they should provide lists and screenshots of OK traffic and suspect traffic. It's been this way for the last ten years and I don't see it changing anytime soon. This documentation should be available as a zip download - online help isn't much use. However, as we all know, documentation and ideas relating to documentation are always the last on the list. Or ignored.
How to manage Online Armor firewall
I recommend you use a top firewall application even if it's initially hard to manage for non-technical users. That's because it works. Easier-to-use firewalls don't work as well, and in my opinion a firewall is the most critical security application of all. These top firewalls generally include a HIPS function, which is the part that stops unknown programs from running. They have ultimate functionality but may be hard to use for some people. For example some users cannot handle them, so they are the wrong choice for children, and seniors who are not fluent PC users. A silent firewall, as detailed at the end, will be better.
Many top programs have a free version, in which the only restrictions are that some widgets are disabled - and normally these aren't vital or possibly even needed.
This is why I currently recommend Online Armor. There are easier firewalls to set up and use initially, but in the end, the protection of a better solution is needed. For example you could use the Windows built-in affair, or Kerio Sunbelt Personal Firewall in 'silent' mode - but these only work at around 50% efficiency or thereabouts. No pain, no gain. You will have to put up with a few minutes of frustration in order to get decent protection. It's a simple process after all, if you go about it the right way:
1. Install Online Armor.
2. Allow it to run a full PC scan.
3. When you start to browse, it will continually stop your traffic and request an answer from you - Permit or Block.
4. If you just actioned a web-related task, and you recognise the name of the application 'dialling out', then allow it. For example if you just tried to access a website, and Online Armor (OA) blocks the process and asks you if Firefox traffic is allowed, the obvious answer is Yes. And you should also check the 'Remember My Decision' box, so you don't get asked again. Now, Firefox has full permissions and you don't get asked again. How easy is that? And - please don't use Internet Explorer. If you are reading this, you must be interested in improving your security - just take the hint. The safe option is to go to the Firewall tab in Online Armor and block IE from web access.
5. If you are working with web-related tasks and the traffic stops, and the OA pop-up asks if certain traffic is allowed, you can probably allow it and check Remember.
6. If you didn't expect any traffic, then you should say No - but MAKE SURE the 'Remember' box is NOT CHECKED whenever you say No.
7. If a task is jammed up - you'll know that it needed that blocked traffic in order to complete. You'll have to run it again. This time, obviously - allow it. Also, check the Remember box. You may need to restart the browser to accomplish this.
8. OA also stops any / all programs on the PC starting up and running if it doesn't know them. You must allow each one in turn until it knows all the apps on your PC. Painful? Yes - but you are secure.
9. In general, if you're not sure, then you should say No. But you MUST NOT HAVE THE 'REMEMBER' BOX CHECKED IF YOU SAY NO.
10. If you do, it then permanently blocks what may be a needed process. To fix that and allow a necessary process to run, you'll have to open the main OA window and go to the configs, and re-allow what you just blocked.
11. When you install a new program, OA blocks the install. You need to allow everything that happens, even when you don't recognise it, otherwise the install will not work. To be absolutely safe, you could disconnect your Internet connection and then Allow everything to run (and Remember it) during the install. Then, reconnect.
If you follow this you can't go far wrong. Until OA is trained, it's a painful process for the non-technical. But it protects you. Your choice.
Using a silent firewall
If you genuinely can't get on with a real firewall like Online Armor, then you need a silent one. However a silent firewall can only block inbound threats - obviously, it can't block outbound threats because it has to ask you what is permitted and what isn't, and if you turn this off, then there is no outbound protection.
If you must use a silent firewall, with no outbound protection, then here are my choices:
1. Ghostwall
This is totally silent. You can also set up rules for blocking some outbound threats, if you know what you are doing. In addition Ghostwall is very configurable, for the knowledgeable, and has the best reputation for not interfering with online games and similar traffic. This would be my #1 choice for young PC users, and teens who are not too conscientious about security issues (ie most of them).
2. Sunbelt Kerio personal firewall
This is an older firewall of a similar type to Ghostwall. I prefer Ghostwall.
3. Windows firewall
It has reasonable inbound protection but zero outbound protection. As with all Windows utilities, you must decide whether perhaps a 3rd-party specialist might possibly be a better choice.
You can google them or go to www.techsupportalert.com for reviews and links. Also see at the foot of this article: