Windows 7 : Using Windows Defender (part 1) - Configuring Windows Defender

3/6/2011 3:09:09 PM
With the advent of so much suspicious software on the Internet freely working its way onto individual computers, a solution was bound to surface. Microsoft has introduced Windows Defender to champion the removal of spyware and other unwanted software from your computer. Windows 7 uses Windows Defender by default to aid in the identification and removal of spyware and malicious programs from your computer. You may remember Microsoft AntiSpyware as a software program for removing and quarantining spyware on early releases of Windows. Microsoft has greatly enhanced this program and renamed it Windows Defender.

1. Working with Windows Defender

Microsoft purchased an antispyware tool originally created by GIANT Company Software, called GIANT AntiSpyware. This product originally aided in the fight against spyware on Windows 95 and Windows 98. When Microsoft purchased the product, it did not keep support for these older versions of Windows.

Microsoft announced the release of Windows Defender (then called Microsoft AntiSpyware) at the 2005 RSA security conference. With the announcement, it stated that the product was freely available to all valid licensed users of the Windows 2000, XP, and Server 2003 products. It championed Microsoft AntiSpyware as a product to help users worldwide in the fight against spyware and malware. Windows Defender offers even greater capability than the older versions, helping to ward off infection by employing several real-time security agents monitoring well-known areas of Windows that spyware and malware change regularly.

Microsoft has also integrated support for Microsoft SpyNet into the Windows Defender product. This support allows users to report spyware and malware to Microsoft in an effort to help update a centralized database that Microsoft houses to thwart the spread of spyware and malware. Microsoft uses these reports to determine the validity of the code submitted. This helps all computer users fight the spread of malicious programs across the Internet.

Microsoft significantly redesigned its antispyware product in the release of Windows Defender. It has rewritten the core engine in C++, replacing the original GIANT engine written in Visual Basic. This change alone allows for considerably greater performance because it is now compiled code. Windows Defender also offers an easier user interface, and now runs as a service under the Windows 7 operating system, giving you greater protection because it runs all the time, not just when you log on and use your computer. To ensure that you have a valid license for the operating system, Windows Defender uses the Windows Genuine Advantage validation routine when updating content.

Windows Defender for Windows Vista was the first iteration of a code rewrite since Microsoft purchased the original GIANT product. Previous releases were rebrandings of the original GIANT product, with some added functionality. Microsoft has also introduced more points of entry into the Windows Defender program than previously available in the rebranded product releases, making it easier to find and manage the product in Windows 7.

Microsoft integrated Windows Defender into the Internet Explorer browser engine to offer protection from files downloaded during your browser session. Windows Defender scans programs in real time. This feature allows greater flexibility in the fight against malicious code on your computer. It also helps in identifying and removing accidental download of malicious code without your knowledge. Windows Defender also allows you to schedule scanning and removal of unwanted programs. This gives you the option of choosing a specific time that works better with your usage of the computer.

To keep the detection database up-to-date, you have the option of allowing Windows Defender to complete automatic updates. This lets you continue working without having to update your antispyware definitions manually. However, you should still check the program periodically to verify that it has updated itself correctly.

2. Configuring Windows Defender

You can start Windows Defender by clicking Start→Control Panel. In Control Panel, click Small Icons or Large Icons on the View By list and then click Windows Defender (you can return to the default Category view from the View By list as well). Figure 1 shows an example of the Windows Defender management window.

Figure 1. Checking the status of Windows Defender

You can always access the Windows Defender main page by clicking the Home button on the toolbar. In the main window, you will see the status of protection against malicious and unwanted software. In the lower portion of the window, you will see the status of the product, including the last scan date, scan type, scan schedule, real-time protection status, and definitions version. Windows Defender offers you several default options for how to handle potential spyware. These default options are based on definitions.

Windows Defender has five different alert levels, each associated with an action. Windows Defender follows actions dictated by alert levels. Table 1 provides an overview of the different alert levels, their associated descriptions, and the actions Windows Defender takes in the default configuration state.

Table 1. Windows Defender alert levels
Alert levelAssociated withAction taken
SevereWidespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of your computer, and can damage your computer.Windows Defender removes this type of software immediately.
HighPrograms that might collect your personal information and negatively affect your privacy or damage your computer—for example, by collecting information or changing settings, typically without your knowledge or consent.Windows Defender removes this type of software immediately.
MediumPrograms that might affect your privacy or make changes to your computer that could negatively impact your computing experience—for example, by collecting personal information or changing settings.Windows Defender alerts you. Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
LowPotentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.Windows Defender alerts you. Review the alert. This software typically is benign when it runs on your computer, unless it was installed without your knowledge. If you are not sure whether to allow the program to run, review the alert details or see if you recognize and trust the publisher of the software.
Not Yet ClassifiedPrograms that typically are benign unless they are installed on your computer without your knowledge.Windows Defender alerts you. Review the alert. If you recognize and trust the software, allow it to run. If you do not recognize the software or the publisher, review the alert details to decide how to take action. If you are a SpyNet community member, check the community ratings to see whether other users trust the software.

If you click the Tools button on the toolbar and then click Options on the Tools and Settings page, you’ll be able to change the default configuration settings to meet your needs. The options are divided into seven broad categories:

  • Automatic scanning

  • Default actions

  • Real-time protection options

  • Excluded files and folders

  • Excluded file types

  • Advanced options

  • Administrator options

The “Automatic scanning” settings, shown in Figure 2, allow you to change how the automatic scanning of your computer works. You have the following options:

  • To enable or disable automatic scanning, select or clear the “Automatically scan my computer” checkbox as appropriate.

  • Use the Frequency list to control the frequency at which Windows Defender scans the computer. You can choose Daily to scan daily, or you can choose to scan on a specific day of the week, such as Sunday.

  • Use the “Approximate time” list to choose the approximate time at which Windows Defender will scan the computer. The actual time of the scan will depend on whether the computer is started and the current activity level. If your computer is off during a scheduled scan time, Windows Defender will try to scan your computer the next time you turn it on.

  • Use the Type list to choose the type of scan you desire. You can perform a quick (partial) scan or a full computer scan.

  • To enable or disable automatic updating before scanning, select or clear the “Check for updated definitions before scanning” checkbox as appropriate.

Figure 2. Configuring automatic scanning options

The “Default actions” settings, shown in Figure 3, allow you to customize the default actions to take when Windows Defender detects potential spyware. The default action is based on the settings in the spyware definition file. You can configure severe-alert, high-alert, medium-alert, and low-alert items separately so that the items are allowed, removed, or quarantined. Be sure to select “Apply recommended actions” to ensure recommended actions are applied after items are detected.

The “Real-time protection” options, shown in Figure 4, allow you to customize the way in which real-time protection works. First, you can turn this feature either on or off. Second, you have the ability to customize the security agents that are run as part of real-time protection.

The available security agents are:

Downloaded files and attachments

Monitors files and programs that are designed to work with web browsers. Turning on this option allows you to control the behavior of these files and programs, and removes their capability to spy on you without your knowledge. This helps maintain the integrity of the computer by blocking, or alerting you, about potentially dangerous types of downloads. This also helps maintain the integrity of the browser by blocking potentially malicious browser add-ons from installing and running. Together, these features help maintain a first line of defense against malware or malicious content coming through the browser.

Programs that run on your computer

Monitors how programs react when started and while running on the computer. This feature allows Windows Defender to watch how programs interact with the operating system. Windows Defender maintains a record of actions by programs processing on the computer and to stop a program if suspicious behavior begins. This helps prevent spyware and malware from collecting information about your computer and also eliminates unwanted background processing on the computer.

Figure 3. Configuring default actions

Figure 4. Configuring real-time protection options

Each real-time protection option works in conjunction with the alerts defined within Windows Defender. This allows Windows Defender to operate behind the scenes to protect the computer in real time. These options happen automatically without the need for user intervention to handle mundane tasks associated with elimination of threats to the computer.

The “Excluded files and folders” option, shown in Figure 5, allow you to identify locations that should not be scanned. For example, if a file is being incorrectly flagged as malware, you can tell Windows Defender not to scan the file; if scans are taking too long you can speed them up by excluding folders that rarely change. To add a file or folder exclusion, follow these steps:

  1. Click Start→Control Panel. In Control Panel, click Small Icons or Large Icons on the View By list and then click Windows Defender (you can return to the default Category view from the View By list as well).

  2. In Windows Defender, click Tools and then click Options.

  3. Under Options, click “Excluded files and folders.”

  4. Click Add. Use the Browse for Files or Folders dialog box to select the file or folder to exclude and then click OK.

  5. Click Save to save your changes.

Figure 5. Excluding files and folders from scans

The “Excluded file types” option, shown in Figure 6, allow you to identify types of files that should not be scanned. For example, you may want to exclude certain types of picture files from scans to speed up the scanning process and you can use this option to identify the types of picture files that should not be scanned. Note that you probably don’t want to exclude any document and executable file types, as they are the most likely types of files to contain malware or spyware. To add a file type exclusion, follow these steps:

  1. Click Start→Control Panel→Small Icons or Large Icons on the View By list→Windows Defender (you can return to the default Category view from the View By list as well).

  2. In Windows Defender, click Tools→Options.

  3. Under Options, click “Excluded file types.”

  4. Enter the file extension that you want to exclude, such as .JPG or .TIF, and then click Add.


Here, I’m using .BMP, .JPG and .TIF as examples. I’m not advising you to exclude them. Files with seemingly innocuous extensions can contain malware.

  1. Click Save to save your changes.

Figure 6. Excluding file types from scans

The “Advanced” options, shown in Figure 7, allow you to control the way scanning works. By default, “Scan archive files,” “Use heuristics,” and “Create restore point” are selected, and this is generally the configuration you’ll want to use. By allowing Windows Defender to scan archived files and folders, you ensure that archived files and folders, such as those that are stored in a .zip file, are scanned. Because some malware programs will try to hide in archived files and folders, scanning archives is a good idea. It is also a good idea to allow Windows Defender to use heuristics to detect new types of malware and to ensure that a restore point is created before applying actions to detected items. If you also want to scan e-mail, removable drives or both, you can select the related options as well.


Using Heuristics ensures that you are notified about potentially dangerous software that hasn’t yet been classified by Windows Defender. By selecting this option, you can help Windows Defender detect new types of malware and malware that is embedded in otherwise benign software.

Figure 7. Configuring advanced options

The “Administrator” options, shown in Figure 8, control whether Windows Defender is enabled and whether items from all users are displayed. By default, Windows Defender is turned on and anyone who logs on locally to the computer can use it. This is the configuration you should use to ensure that your computer is protected from malware.

You can also control whether Windows Defender should display items for only the currently logged-on user or all users. By default, only history, allowed items, and quarantined items for the currently logged-on user are available. This setting is designed to protect user privacy. However, you’ll get a better picture of what’s happening on your computer if you can see items from all users. If you have administrative permissions and want to see items for all users, select “Display items from all users of this computer.” Note that Windows Defender scans all files as appropriate, regardless of whether you select or clear this option.

Figure 8. Configuring administrator options

When you have finished changing your settings, click the Save button. This ensures that your configuration settings are saved for future use. This also keeps you from having to change the options again.

Which options you select in Windows Defender depend on how you use your computer. Take the time to consider the implications of turning these options on or off. If you want to turn off a setting that is normally turned on, realize the gap in protection you are opening on your computer, and take related action to protect your computer in another manner, if possible.

You are the first and last lines of defense against malicious programs on your computer. Pay close attention to the content you access with your browser. Also, take the time to scan your computer regularly for spyware content to help Windows Defender protect your computer. As with antivirus programs, no one antimalware program can identify and eliminate all spyware. Because of this, you may want to supplement scans made by Windows Defender with online scans using a different antimalware engine.

  •  Windows 7 : Protecting Your Computer with Windows Defender and Windows Firewall - Introducing Action Center
  •  Windows 7 : Navigating the Computer Security Maze
  •  Windows 7 : Troubleshooting Common Problems on Small Networks
  •  Windows 7 : Advanced Networking Concepts
  •  Windows 7 : Networking with TCP/IP (part 2) - Understanding IPv6 & Configuring IPv4, IPv6, and Other Protocols
  •  Windows 7 : Networking with TCP/IP (part 1) - Understanding IPv4 & Using Private IPv4 Addresses and Networking Protocols
  •  Windows 7 : Mapping Your Networking Infrastructure (part 2) - Viewing the Network Map & Viewing and Managing Your Network Connections
  •  Windows 7 : Mapping Your Networking Infrastructure (part 1) - Using the Network and Sharing Center
  •  Windows 7 : Understanding Home and Small-Business Networks
  •  Troubleshooting Windows 7 Programs and Features
    Video tutorials
    - How To Install Windows 8

    - How To Install Windows Server 2012

    - How To Install Windows Server 2012 On VirtualBox

    - How To Disable Windows 8 Metro UI

    - How To Install Windows Store Apps From Windows 8 Classic Desktop

    - How To Disable Windows Update in Windows 8

    - How To Disable Windows 8 Metro UI

    - How To Add Widgets To Windows 8 Lock Screen

    - How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
    programming4us programming4us