Ultimate Guide: How to Protect Your PC from Malware and Ransomware

The definitive cybersecurity guide for Windows users — covering malware taxonomy, ransomware prevention, Windows Defender hardening, network and email security, incident response procedures, removal tools and a practical weekly security checklist with 40+ real-world commands.

1. What Is Malware?

Malware (malicious software) is any program or code intentionally designed to damage, disrupt or gain unauthorized access to a computer system. It ranges from annoying adware to devastating ransomware that can paralyze entire organizations.

Understanding malware is the first step to defending against it. Every security measure in this guide exists to block, detect or remove one or more malware categories.

2. Malware Types & Taxonomy

Virus: Attaches to legitimate files or programs and replicates when the host is executed. Requires user action to spread.
Worm: Self-replicating malware that spreads across networks without user interaction, exploiting vulnerabilities.
Trojan: Disguises itself as legitimate software. Once installed it opens backdoors, steals data or downloads additional malware.
Ransomware: Encrypts files or locks the system, demanding payment for the decryption key.
Spyware: Silently collects user activity — keystrokes, browsing habits, credentials — and transmits it to attackers.
Adware: Displays intrusive ads, redirects browsers and degrades performance. Often bundled with free software.
Rootkit: Hides deep in the OS (kernel or firmware) to maintain persistent, undetectable access.
Keylogger: Records every keystroke to capture passwords, credit card numbers and private messages.
Fileless Malware: Operates entirely in memory, leveraging legitimate tools (PowerShell, WMI) to avoid detection by traditional antivirus.
Botnet Agent: Turns the infected PC into a remote-controlled "zombie" used for DDoS attacks, spam or crypto-mining.

3. What Is Ransomware?

Ransomware is the most financially damaging malware category. Modern variants use double extortion — encrypting files and threatening to publish stolen data.

3.1 How Ransomware Works

Delivery — phishing email, malicious download, exploit kit or compromised website.
Execution — the payload runs, often escalating privileges silently.
Encryption — files are encrypted with AES/RSA; extensions are renamed.
Ransom note — a demand for cryptocurrency payment appears on screen.
Exfiltration (double extortion) — sensitive data is uploaded to attacker servers before encryption.

3.2 Why You Should Never Pay

No guarantee files will be decrypted.
Funds future attacks.
Marks you as a willing payer for repeat targeting.
May violate sanctions laws in some jurisdictions.

4. Common Attack Vectors

Phishing emails — malicious attachments (.docm, .xlsm, .zip, .iso) or links to credential-harvesting sites.
Drive-by downloads — visiting a compromised or malicious website triggers automatic download.
Malvertising — legitimate ad networks serve infected ads.
USB / removable media — infected drives execute payloads via autorun.
Software supply chain — compromised updates from trusted vendors (e.g., SolarWinds).
Remote Desktop Protocol (RDP) — brute-forced or exposed RDP ports are a top ransomware entry point.
Pirated software / cracks — keygens and cracks routinely bundle trojans.
Social engineering — phone calls, fake tech support or impersonation.

5. Windows Defender & Security Center

5.1 Verify Defender Is Active

# Check Defender status (PowerShell, elevated)
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntispywareEnabled, IoavProtectionEnabled

# Update definitions
Update-MpSignature

5.2 Scan Types

# Quick scan
Start-MpScan -ScanType QuickScan

# Full scan
Start-MpScan -ScanType FullScan

# Custom scan of a specific path
Start-MpScan -ScanType CustomScan -ScanPath "D:\Downloads"

# Offline scan (reboots into WinRE to scan before Windows loads)
Start-MpWDOScan

5.3 Configure Exclusions (Use Sparingly)

# Add a folder exclusion (only for trusted dev paths)
Add-MpPreference -ExclusionPath "C:\DevTools"

# List current exclusions
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

6. Controlled Folder Access (Ransomware Shield)

This Windows feature blocks untrusted applications from modifying files in protected folders — the single best built-in ransomware defence.

# Enable Controlled Folder Access
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add folders to protect
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Projects"
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\Eduardo\Documents"

# Allow a trusted application through
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\MyApp\app.exe"

# Check status
Get-MpPreference | Select-Object EnableControlledFolderAccess

GUI path: Windows Security → Virus & threat protection → Ransomware protection

7. Firewall Hardening

# Verify firewall is on for all profiles
netsh advfirewall show allprofiles state

# Enable all profiles
netsh advfirewall set allprofiles state on

# Block all inbound by default, allow outbound
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Block RDP inbound (close the #1 ransomware vector)
netsh advfirewall firewall add rule name="Block RDP" dir=in action=block protocol=tcp localport=3389

# Block a suspicious application
netsh advfirewall firewall add rule name="Block App" dir=out action=block program="C:\suspect\app.exe"

# List all rules matching a name
netsh advfirewall firewall show rule name=all | findstr /i "Block"

8. Browser Security

Keep the browser updated — browsers are the primary attack surface.
Remove unused extensions — each extension expands the attack surface.
Use an ad blocker — uBlock Origin blocks malvertising.
Enable Safe Browsing / SmartScreen — warns before visiting known malicious sites.
Disable JavaScript on untrusted sites — use NoScript or similar for high-risk browsing.
Use HTTPS-only mode — most browsers now offer this setting.
Clear local data regularly — Ctrl+Shift+Delete.

9. Email & Phishing Defence

9.1 Red Flags

Urgency or threats ("Your account will be locked in 24 hours").
Mismatched sender domain (display name says "Microsoft" but email is from microsft-support@random.com).
Unexpected attachments — especially .docm, .xlsm, .zip, .iso, .exe, .js, .vbs.
Links that resolve to a different domain when hovered.
Poor grammar, generic greetings ("Dear Customer").

9.2 Best Practices

Never open attachments from unknown senders.
Hover links before clicking — verify the actual URL.
When in doubt, navigate directly to the official website instead of clicking the link.
Disable Outlook macro auto-execution: File → Options → Trust Center → Macro Settings → Disable all macros with notification.
Report phishing emails to your IT team or email provider.

10. Passwords & Two-Factor Authentication

10.1 Strong Passwords

Minimum 14 characters mixing uppercase, lowercase, numbers and symbols.
Use a passphrase: Correct-Horse-Battery-Staple-42!
Never reuse passwords across services.
Use a password manager (Bitwarden, 1Password, KeePassXC).

10.2 Two-Factor Authentication (2FA)

Enable 2FA on all critical accounts (email, banking, cloud storage, admin panels).
Prefer authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) over SMS.
Consider hardware security keys (YubiKey, Titan) for highest-value accounts.
Store backup codes offline in a safe location.

11. User Privileges & UAC

Use a standard user account for daily work.
Only elevate to admin when installing trusted software.
Keep UAC at the highest notification level.
Disable the built-in Administrator and Guest accounts.

# Disable Guest account
net user Guest /active:no

# Check who is in the Administrators group
net localgroup Administrators

# Set UAC to always notify (registry)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 2 /f

12. Software Updates & Patch Management

Unpatched software is the most exploited attack surface after phishing.

Enable automatic Windows Update.
Update browsers, PDF readers, Java, .NET and media players immediately.
Use winget upgrade --all to batch-update third-party software.
Remove end-of-life software that no longer receives patches.

# Check Windows update status (PowerShell)
Install-Module PSWindowsUpdate -Force -Scope CurrentUser
Get-WindowsUpdate

# Upgrade all packages via winget
winget upgrade --all --accept-source-agreements

13. Network Security

13.1 Wi-Fi Hardening

Use WPA3 (or WPA2-AES minimum) encryption.
Change default router admin credentials.
Disable WPS (Wi-Fi Protected Setup).
Hide SSID if not needed for guest access.
Update router firmware regularly.

13.2 DNS Protection

# Set DNS to Cloudflare malware-blocking DNS (PowerShell, elevated)
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("1.1.1.2","1.0.0.2")

# Or use Quad9 (blocks known malicious domains)
Set-DnsClientServerAddress -InterfaceAlias "Wi-Fi" -ServerAddresses ("9.9.9.9","149.112.112.112")

13.3 Disable Unnecessary Services

# Disable SMBv1 (used by WannaCry and other worms)
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# Disable Remote Desktop if not needed
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 1

14. Backup Strategy (3-2-1 Rule)

Backups are your last line of defence against ransomware. If everything else fails, a clean backup restores your data without paying.

3 copies of your data.
2 different storage media (SSD + cloud, or NAS + external HDD).
1 offsite copy (cloud storage or a drive at a different location).

14.1 Windows Backup Commands

# Enable System Restore
Enable-ComputerRestore -Drive "C:\"

# Create a restore point
Checkpoint-Computer -Description "Before software install" -RestorePointType MODIFY_SETTINGS

# Create a full system image
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet

14.2 Air-Gapped Backups

For maximum ransomware resilience, keep at least one backup disconnected from networks. Ransomware actively targets mapped drives, NAS shares and cloud sync folders.

15. Encryption & BitLocker

Full-disk encryption protects data if the device is lost or stolen.

# Enable BitLocker on C: (Windows Pro/Enterprise)
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -RecoveryPasswordProtector

# Check BitLocker status
manage-bde -status C:

# Back up the recovery key to Azure AD or a file
manage-bde -protectors -get C:

Store your BitLocker recovery key separately from the encrypted device (e.g., printed in a safe, or in Azure AD).

16. Application Control & Whitelisting

Windows Defender Application Control (WDAC) — restrict which executables can run.
AppLocker (Enterprise) — granular rules by publisher, path or hash.
Software Restriction Policies — block execution from user-writable paths (%TEMP%, Downloads).

# Block scripts from running in Downloads (AppLocker example, GPO)
# Path: Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker

# Quick registry block for unsigned scripts (PowerShell)
Set-ExecutionPolicy AllSigned -Scope LocalMachine

17. Signs of Infection

Sudden, extreme slowdown or high CPU/disk usage with no clear cause.
Unknown processes in Task Manager consuming resources.
Pop-ups, browser redirects or new toolbars you didn't install.
Disabled antivirus or inability to access security sites.
Files renamed with unusual extensions (.encrypted, .locked, .cerber).
Ransom note files (README.txt, DECRYPT_INSTRUCTIONS.html) appearing in folders.
Network connections to unusual IP addresses (check with netstat -b).
Friends or contacts reporting spam sent from your accounts.

18. Incident Response Procedure

Disconnect — unplug Ethernet, disable Wi-Fi. Prevent lateral spread.
Do NOT shut down — RAM may contain decryption keys or forensic evidence. Hibernate if needed.
Identify the threat — note file extensions, ransom note names, suspicious processes.
Photograph / screenshot — document the ransom note and any error messages.
Scan from safe environment — boot from a rescue USB (Kaspersky Rescue Disk, Hiren's BootCD) or use Windows Defender Offline.
Check decryption tools — visit No More Ransom for free decryptors.
Restore from backup — if decryption fails, format and restore from a clean, verified backup.
Change all passwords — assume credentials are compromised.
Report — notify your IT department, and file a report with authorities (FBI IC3, CISA, local police).
Post-incident review — identify the entry vector and close the gap.

19. Malware Removal Tools & Techniques

19.1 Built-in Windows Tools

# Windows Defender offline scan
Start-MpWDOScan

# Microsoft Safety Scanner (on-demand, no install)
# Download from: https://docs.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download

# Check running connections for suspicious activity
netstat -b -n | findstr "ESTABLISHED"

# List all running processes with full path
Get-Process | Select-Object Name, Path, Id | Sort-Object Name | Format-Table -AutoSize

19.2 Recommended Third-Party Tools

Malwarebytes — excellent on-demand scanner, complements Windows Defender.
Kaspersky Rescue Disk — bootable Linux ISO for scanning before Windows loads.
AdwCleaner — removes adware, PUPs, browser hijackers.
Autoruns (Sysinternals) — reveals all auto-start entries including hidden malware persistence.
Process Explorer (Sysinternals) — advanced task manager with VirusTotal integration.
ESET Online Scanner — free, no-install cloud-based scanner.

19.3 Safe Mode Removal

Boot into Safe Mode with Networking (Shift+Restart → Troubleshoot → Startup Settings → F5).
Run Malwarebytes and Defender scans.
Use Autoruns to disable suspicious startup entries.
Delete quarantined files and reboot normally.

20. Ransomware Recovery

20.1 Free Decryption Tools

No More Ransom Project — database of free decryptors for hundreds of ransomware families.
ID Ransomware — upload a ransom note or encrypted file to identify the variant.

20.2 Restore from Backup

Verify the backup is clean (scan it from a rescue environment).
Format the infected drive.
Reinstall Windows (cloud download or USB media).
Restore files from backup.
Reinstall applications and update everything before reconnecting to the network.

20.3 Shadow Copies

# Check if Volume Shadow Copies survive (many ransomwares delete them)
vssadmin list shadows

# Restore a file from shadow copy (if available)
# Right-click file/folder > Properties > Previous Versions

21. Advanced Threats & Zero-Days

Zero-day exploits — vulnerabilities unknown to the vendor. Mitigate with exploit protection, ASLR and DEP.
Fileless malware — lives in memory, uses PowerShell/WMI. Constrained Language Mode and AMSI help detect it.
Supply chain attacks — verify software hashes, use signed packages, monitor update channels.
Living-off-the-land (LOLBins) — attackers use legitimate Windows binaries (certutil, mshta, regsvr32). Application control blocks misuse.

# Enable Windows Exploit Protection defaults
Set-ProcessMitigation -System -Enable DEP, ASLR, CFG

# Enable PowerShell Constrained Language Mode (reduces fileless attack surface)
[Environment]::SetEnvironmentVariable('__PSLockDownPolicy', '4', 'Machine')

# Enable script block logging for PowerShell forensics
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 /f

22. Weekly Security Checklist

Verify Windows Defender is active and definitions are current.
Run a quick scan (full scan monthly).
Install all pending Windows and software updates.
Review Controlled Folder Access notifications.
Check Event Viewer for security warnings.
Verify backup completed successfully.
Review browser extensions — remove any you don't recognize.
Change passwords for any accounts flagged in breach notifications.
Check netstat -b for unexpected outbound connections.
Review firewall rules for unauthorized changes.

23. FAQ

Is Windows Defender enough or do I need a third-party antivirus?

For most home users, Windows Defender combined with safe browsing habits is sufficient. It consistently scores well in independent tests (AV-TEST, AV-Comparatives). However, adding an on-demand scanner like Malwarebytes provides a valuable second opinion.

Should I pay the ransom?

No. There is no guarantee of decryption, it funds criminal operations, and it marks you for repeat attacks. Restore from backups instead.

Can malware infect my PC just by visiting a website?

Yes — drive-by downloads exploit browser or plugin vulnerabilities. Keep your browser updated, use an ad blocker, and enable SmartScreen/Safe Browsing.

How do I know if an email attachment is safe?

If you didn't expect it, don't open it. Verify with the sender through a different channel. Never enable macros in documents from unknown sources.

Does a VPN protect against malware?

A VPN encrypts your internet traffic but does not scan for or block malware. It protects privacy on public Wi-Fi but is not a substitute for antivirus.

Is it safe to use public Wi-Fi?

Use a VPN on public Wi-Fi, avoid logging into sensitive accounts, and ensure sites use HTTPS. Better yet, use your mobile hotspot for banking and similar tasks.

How often should I change my passwords?

Change passwords immediately after a breach. Otherwise, use strong unique passwords with 2FA — NIST no longer recommends routine rotation for its own sake.

24. Glossary

2FA / MFA: Two-Factor / Multi-Factor Authentication — requires a second verification method beyond the password.
AMSI: Antimalware Scan Interface — a Windows API that allows security products to inspect scripts and memory.
BitLocker: Windows full-disk encryption feature that protects data at rest.
Botnet: A network of compromised computers controlled remotely by an attacker.
Controlled Folder Access: A Windows Defender feature that blocks untrusted apps from modifying protected folders.
Drive-by Download: Automatic malware download triggered simply by visiting a compromised website.
Exploit Kit: A toolkit that scans for known browser/plugin vulnerabilities and delivers malware payloads.
Fileless Malware: Malware that operates entirely in memory, using legitimate system tools to avoid detection.
LOLBin: Living-off-the-Land Binary — a legitimate Windows executable misused by attackers.
Phishing: Fraudulent attempts to obtain sensitive information by impersonating a trusted entity.
Ransomware: Malware that encrypts files and demands payment for the decryption key.
Rootkit: Malware that hides deep in the operating system to maintain persistent, stealthy access.
SmartScreen: Microsoft's URL and download reputation filter built into Edge and Windows.
UAC: User Account Control — prompts for permission before making changes requiring admin access.
Zero-Day: A vulnerability unknown to the software vendor, with no available patch at time of exploitation.

25. References & Further Reading

26. Conclusion

Protecting your PC from malware and ransomware is a layered, ongoing discipline — no single tool provides complete protection:

Prevention — updates, strong passwords, 2FA, user education, application control.
Detection — Windows Defender, firewall monitoring, Event Viewer, network analysis.
Response — disconnect, scan, identify, remove, restore from backup.
Recovery — verified backups (3-2-1 rule) are your ultimate safety net.

Start today: verify Defender is active, enable Controlled Folder Access, set up an air-gapped backup, and review your passwords. These four actions alone block the majority of real-world attacks.