With the advent of so much suspicious software on the
Internet freely working its way onto individual computers, a solution was
bound to surface. Microsoft has introduced Windows Defender to champion
the removal of spyware and other unwanted software from your computer.
Windows 7 uses Windows Defender by default to aid in the identification
and removal of spyware and malicious programs from your computer. You may
remember Microsoft AntiSpyware as a software program for removing and
quarantining spyware on early releases of Windows. Microsoft has greatly
enhanced this program and renamed it Windows Defender.
1. Working with Windows Defender
Microsoft purchased an antispyware tool originally created by
GIANT Company Software, called GIANT AntiSpyware. This
product originally aided in the fight against spyware on Windows 95 and
Windows 98. When Microsoft purchased the product, it did not keep
support for these older versions of Windows.
Microsoft announced the release of Windows Defender (then called
Microsoft AntiSpyware) at the 2005 RSA security
conference. With the announcement, it stated that the product was freely
available to all valid licensed users of the Windows 2000, XP, and
Server 2003 products. It championed Microsoft AntiSpyware as a product
to help users worldwide in the fight against spyware and malware.
Windows Defender offers even greater capability than the older versions,
helping to ward off infection by employing several real-time security
agents monitoring well-known areas of Windows that spyware and malware
change regularly.
Microsoft has also integrated support for Microsoft SpyNet into the Windows Defender product. This
support allows users to report spyware and malware to Microsoft in an
effort to help update a centralized database that Microsoft houses to
thwart the spread of spyware and malware. Microsoft uses these reports
to determine the validity of the code submitted. This helps all computer
users fight the spread of malicious programs across the Internet.
Microsoft significantly redesigned its antispyware product in the
release of Windows Defender. It has rewritten the core engine in C++,
replacing the original GIANT engine written in Visual Basic. This change
alone allows for considerably greater performance because it is now
compiled code. Windows Defender also offers an easier user interface,
and now runs as a service under the Windows 7 operating system, giving
you greater protection because it runs all the time, not just when you
log on and use your computer. To ensure that you have a valid license
for the operating system, Windows Defender uses the Windows Genuine Advantage validation routine when updating
content.
Windows Defender for Windows Vista was the first iteration of a
code rewrite since Microsoft purchased the original GIANT product.
Previous releases were rebrandings of the original GIANT product, with
some added functionality. Microsoft has also introduced more points of
entry into the Windows Defender program than previously available in the
rebranded product releases, making it easier to find and manage the
product in Windows 7.
Microsoft integrated Windows Defender into the Internet Explorer
browser engine to offer protection from files downloaded during your
browser session. Windows Defender scans programs in real time. This
feature allows greater flexibility in the fight against malicious code
on your computer. It also helps in identifying and removing malicious code
that was downloaded accidentally or without your knowledge. Windows Defender also
allows you to schedule scanning and removal of unwanted programs. This
gives you the option of choosing a specific time that works better with
your usage of the computer.
To keep the detection database up-to-date, you have the option of
allowing Windows Defender to complete automatic updates. This lets you
continue working without having to update your antispyware definitions
manually. However, you should still check the program periodically to
verify that it has updated itself correctly.
2. Configuring Windows Defender
You can start Windows Defender by clicking Start→Control
Panel. In Control Panel, click Small Icons or Large Icons on the View By
list and then click Windows Defender (you can return to the default
Category view from the View By list as well). Figure 1 shows an example of
the Windows Defender management window.
You can always access the Windows Defender main page by clicking
the Home button on the toolbar. In the main window, you will see the
status of protection against malicious and unwanted software. In the
lower portion of the window, you will see the status of the product,
including the last scan date, scan type, scan schedule, real-time
protection status, and definitions version. Windows Defender offers you
several default options for how to handle potential spyware. These
default options are based on definitions.
Windows Defender has five different alert levels, each associated
with an action. Windows Defender follows actions dictated by alert
levels. Table 1 provides an
overview of the different alert levels, their associated descriptions,
and the actions Windows Defender takes in the default configuration
state.
Table 1. Windows Defender alert levels

| Alert level | Associated with | Action taken |
|---|---|---|
| Severe | Widespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of your computer, and can damage your computer. | Windows Defender removes this type of software immediately. |
| High | Programs that might collect your personal information and negatively affect your privacy or damage your computer—for example, by collecting information or changing settings, typically without your knowledge or consent. | Windows Defender removes this type of software immediately. |
| Medium | Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience—for example, by collecting personal information or changing settings. | Windows Defender alerts you. Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software. |
| Low | Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software. | Windows Defender alerts you. Review the alert. This software typically is benign when it runs on your computer, unless it was installed without your knowledge. If you are not sure whether to allow the program to run, review the alert details or see if you recognize and trust the publisher of the software. |
| Not Yet Classified | Programs that typically are benign unless they are installed on your computer without your knowledge. | Windows Defender alerts you. Review the alert. If you recognize and trust the software, allow it to run. If you do not recognize the software or the publisher, review the alert details to decide how to take action. If you are a SpyNet community member, check the community ratings to see whether other users trust the software. |
If you click the Tools button on the toolbar and then click
Options on the Tools and Settings page, you’ll be able to change the
default configuration settings to meet your needs. The options are
divided into seven broad categories:
The “Automatic scanning” settings, shown in Figure 2, allow you to change
how the automatic scanning of your computer works. You have the
following options:
To enable or disable automatic scanning, select or clear the
“Automatically scan my computer” checkbox as appropriate.
Use the Frequency list to control the frequency at which
Windows Defender scans the computer. You can choose Daily to scan
daily, or you can choose to scan on a specific day of the week, such
as Sunday.
Use the “Approximate time” list to choose the approximate time
at which Windows Defender will scan the computer. The actual time of
the scan will depend on whether the computer is started and the
current activity level. If your computer is off during a scheduled
scan time, Windows Defender will try to scan your computer the next
time you turn it on.
Use the Type list to choose the type of scan you desire. You
can perform a quick (partial) scan or a full computer scan.
To enable or disable automatic updating before scanning,
select or clear the “Check for updated definitions before scanning”
checkbox as appropriate.
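The automatic scanning options above, together with the advice in the previous section to verify periodically that Windows Defender has actually updated itself, can be checked from a script rather than by opening the management window. The following PowerShell script is an added example written for this chapter; it is not part of the original text and not a tool shipped with Windows Defender. It assumes that MpCmdRun.exe is installed under %ProgramFiles%\Windows Defender and accepts the -SignatureUpdate and -Scan -ScanType switches, that the last definition update time is stored as a FILETIME in the SignaturesLastUpdated registry value, and that exit code 0 means success or a clean scan while 2 means items were detected. Confirm each of those assumptions against your own build before relying on it, and run it from an elevated prompt.

```powershell
# Force a definition update, confirm the definitions really are fresh, then
# run a quick scan and report the outcome from MpCmdRun's exit code.
# Added example for this chapter; not part of the original text or of
# Windows Defender's own tooling.
#
# ASSUMPTIONS (verify on your build): MpCmdRun.exe path and switches,
# SignaturesLastUpdated being an 8-byte FILETIME, exit codes 0 = clean/success
# and 2 = items detected.
$MpCmdRun             = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$SigUpdatesKey        = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates'
$MaxDefinitionAgeDays = 3   # warn if definitions are older than this

function Get-DefinitionAge {
    # Returns the age of the current definitions as a TimeSpan, or $null
    # if the registry value cannot be read.
    if (-not (Test-Path -LiteralPath $SigUpdatesKey)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $SigUpdatesKey).SignaturesLastUpdated
    if (-not $raw) { return $null }
    # REG_BINARY holding a little-endian 64-bit FILETIME (assumed layout).
    $fileTime = [BitConverter]::ToInt64([byte[]]$raw, 0)
    $updated  = [DateTime]::FromFileTimeUtc($fileTime)
    return (Get-Date).ToUniversalTime() - $updated
}

function Invoke-MpCmd {
    param([string[]]$Arguments)
    if (-not (Test-Path -LiteralPath $MpCmdRun)) {
        throw "MpCmdRun.exe not found at $MpCmdRun"
    }
    & $MpCmdRun @Arguments | Out-Null
    return $LASTEXITCODE
}

# 1. Update definitions, the same step "Check for updated definitions
#    before scanning" performs ahead of a scheduled scan.
$updateCode = Invoke-MpCmd -Arguments @('-SignatureUpdate')
if ($updateCode -ne 0) {
    Write-Warning "Definition update returned exit code $updateCode"
}

# 2. Verify that the update actually landed instead of trusting that it did.
$age = Get-DefinitionAge
if ($null -eq $age) {
    Write-Warning 'Could not read the last definition update time.'
} elseif ($age.TotalDays -gt $MaxDefinitionAgeDays) {
    Write-Warning ("Definitions are {0:N1} days old; automatic updating may be failing." -f $age.TotalDays)
} else {
    Write-Host ("Definitions were updated {0:N1} hours ago." -f $age.TotalHours)
}

# 3. Run a quick scan (ScanType 1); use 2 for a full scan.
$scanCode = Invoke-MpCmd -Arguments @('-Scan', '-ScanType', '1')
switch ($scanCode) {
    0       { Write-Host 'Quick scan completed: nothing detected.' }
    2       { Write-Warning 'Quick scan detected items; review the History page in Windows Defender.' }
    default { Write-Warning "Quick scan returned exit code $scanCode" }
}
```

Running this from a scheduled task a few hours after the configured scan time gives you a written record of whether the scheduled update and scan happened, which is the check the chapter recommends making by hand.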
The “Default actions” settings, shown in Figure 3, allow you to customize the
default actions to take when Windows Defender detects potential spyware.
The default action is based on the settings in the spyware definition
file. You can configure severe-alert, high-alert, medium-alert, and
low-alert items separately so that the items are allowed, removed, or
quarantined. Be sure to select “Apply recommended actions” to ensure
recommended actions are applied after items are detected.
The “Real-time protection” options, shown in Figure 4, allow you to
customize the way in which real-time protection works. First, you can
turn this feature either on or off. Second, you have the ability to
customize the security agents that are run as part of real-time
protection.
The available security agents are:
- Downloaded files and attachments
Monitors files and programs that are designed to work with
web browsers. Turning on this option allows you to control the
behavior of these files and programs, and removes their capability
to spy on you without your knowledge. This helps maintain the
integrity of the computer by blocking, or alerting you, about
potentially dangerous types of downloads. This also helps maintain
the integrity of the browser by blocking potentially malicious
browser add-ons from installing and running. Together, these
features help maintain a first line of defense against malware or
malicious content coming through the browser.
- Programs that run on your computer
Monitors how programs react when started and while running
on the computer. This feature allows Windows Defender to watch how
programs interact with the operating system. Windows Defender
maintains a record of the actions programs take on the computer and
can stop a program if suspicious behavior begins. This
helps prevent spyware and malware from collecting information
about your computer and also eliminates unwanted background
processing on the computer.
Each real-time protection option works in conjunction with the
alerts defined within Windows Defender. This allows Windows Defender to
operate behind the scenes to protect the computer in real time. These
options happen automatically without the need for user intervention to
handle mundane tasks associated with elimination of threats to the
computer.
The “Excluded files and folders” option, shown in Figure 5, allows you to
identify locations that should not be scanned. For example, if a file is
being incorrectly flagged as malware, you can tell Windows Defender not
to scan the file; if scans are taking too long you can speed them up by
excluding folders that rarely change. To add a file or folder exclusion,
follow these steps:
Click Start→Control Panel. In Control Panel, click Small Icons
or Large Icons on the View By list and then click Windows Defender
(you can return to the default Category view from the View By list
as well).
In Windows Defender, click Tools and then click
Options.
Under Options, click “Excluded files and folders.”
Click Add. Use the Browse for Files or Folders dialog box to
select the file or folder to exclude and then click OK.
Click Save to save your changes.
The “Excluded file types” option, shown in Figure 6, allows you to identify
types of files that should not be scanned. For example, you may want to
exclude certain types of picture files from scans to speed up the
scanning process and you can use this option to identify the types of
picture files that should not be scanned. Note that you probably don’t
want to exclude any document and executable file types, as they are the
most likely types of files to contain malware or spyware. To add a file
type exclusion, follow these steps:
Click Start→Control Panel→Small Icons or Large Icons on the
View By list→Windows Defender (you can return to the default
Category view from the View By list as well).
In Windows Defender, click Tools→Options.
Under Options, click “Excluded file types.”
Enter the file extension that you want to exclude, such as
.JPG or .TIF, and then click Add.
NOTE
Here, I’m using .BMP, .JPG and .TIF as examples. I’m not
advising you to exclude them. Files with seemingly innocuous
extensions can contain malware.
Click Save to save your changes.
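Exclusions accumulate over time, and the two kinds described above (excluded files and folders, and excluded file types) are easy to add and easy to forget. The PowerShell script below audits both lists and flags the entries the text warns about: document and executable extensions, and folder exclusions broad enough to hide most of the system from scanning. It is an added example written for this chapter, not part of the original text or of Windows Defender. It assumes that exclusions are stored as registry value names (each a DWORD 0 named after the excluded path or extension) under the Exclusions\Paths and Exclusions\Extensions keys shown in the script, as they are in later Windows Defender builds; confirm the key names on your Windows 7 system, and run it from an elevated prompt because the key may not be readable by standard users. The lists of risky extensions and broad paths are the author of this example's choices, not values taken from Windows Defender.

```powershell
# Audit the Windows Defender exclusion lists for entries that weaken scanning.
# Added example for this chapter; not part of the original text or of
# Windows Defender itself.
#
# ASSUMPTION: exclusions are stored as value names (DWORD 0) under the keys
# below. Verify the key names on your build before relying on this.
$ExclusionKeys = [ordered]@{
    'Excluded files and folders' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    'Excluded file types'        = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions'
}

# Document and executable types the chapter says you should not exclude
# (a constructed list for this example; extend it to suit your environment).
$RiskyExtensions = @('exe','dll','com','scr','bat','cmd','vbs','js','ps1','msi',
                     'doc','docx','xls','xlsx','ppt','pptx','pdf','rtf','zip')

# Locations broad enough that excluding them hides most of the system.
$BroadPaths = @("$env:SystemDrive\", $env:SystemRoot, $env:ProgramFiles,
                $env:USERPROFILE, $env:TEMP, $env:APPDATA)

function Get-ExclusionEntries {
    param([string]$KeyPath)
    # Each exclusion is the *name* of a registry value, so read the names.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return @() }
    return (Get-Item -LiteralPath $KeyPath).GetValueNames()
}

function Test-RiskyExtension {
    param([string]$Extension)
    $ext = $Extension.TrimStart('.').ToLowerInvariant()
    return ($RiskyExtensions -contains $ext)
}

function Test-BroadPath {
    param([string]$Path)
    $normalized = $Path.TrimEnd('\')
    foreach ($broad in $BroadPaths) {
        if ($broad -and ($normalized -ieq $broad.TrimEnd('\'))) { return $true }
    }
    # A drive root, with or without a trailing wildcard (C:\*), is just as broad.
    return ($normalized -match '^[A-Za-z]:\\?\*?$')
}

$findings = @()
foreach ($label in $ExclusionKeys.Keys) {
    $entries = @(Get-ExclusionEntries -KeyPath $ExclusionKeys[$label])
    if ($entries.Count -eq 0) {
        Write-Host "$label : none configured"
        continue
    }
    foreach ($entry in $entries) {
        $risky = if ($label -eq 'Excluded file types') {
            Test-RiskyExtension -Extension $entry
        } else {
            Test-BroadPath -Path $entry
        }
        $findings += [pscustomobject]@{
            Category  = $label
            Exclusion = $entry
            Risky     = $risky
        }
    }
}

$findings | Sort-Object Risky -Descending | Format-Table -AutoSize
foreach ($f in ($findings | Where-Object { $_.Risky })) {
    Write-Warning "Review exclusion '$($f.Exclusion)' ($($f.Category)): it removes a likely malware carrier from scanning."
}
```

A flagged entry is not automatically wrong; a build server may legitimately exclude an output folder. The point of the audit is that every exclusion on the list was put there deliberately and is still needed, since each one is a gap in the protection the rest of this section configures.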
The “Advanced” options, shown in Figure 7, allow you to control the way
scanning works. By default, “Scan archive files,” “Use heuristics,” and “Create restore point” are selected, and this is generally
the configuration you’ll want to use. By allowing Windows Defender to
scan archived files and folders, you ensure that archived files and
folders, such as those that are stored in a .zip file, are scanned. Because some malware
programs will try to hide in archived files and folders, scanning
archives is a good idea. It is also a good idea to allow Windows
Defender to use heuristics to detect new types of malware and to ensure
that a restore point is created before applying actions to detected
items. If you also want to scan e-mail, removable drives or both, you
can select the related options as well.
NOTE
Using Heuristics ensures that you are notified about potentially
dangerous software that hasn’t yet been classified by Windows
Defender. By selecting this option, you can help Windows Defender
detect new types of malware and malware that is embedded in otherwise
benign software.
The “Administrator” options, shown in Figure 8, control whether Windows
Defender is enabled and whether items from all users are displayed. By
default, Windows Defender is turned on and anyone who logs on locally to
the computer can use it. This is the configuration you should use to
ensure that your computer is protected from malware.
You can also control whether Windows Defender should display items
for only the currently logged-on user or all users. By default, only
history, allowed items, and quarantined items for the currently
logged-on user are available. This setting is designed to protect user
privacy. However, you’ll get a better picture of what’s happening on
your computer if you can see items from all users. If you have
administrative permissions and want to see items for all users, select
“Display items from all users of this computer.” Note that Windows
Defender scans all files as appropriate, regardless of whether you
select or clear this option.
When you have finished changing your settings, click the Save
button. This ensures that your configuration settings are saved for
future use. This also keeps you from having to change the options
again.
Which options you select in Windows Defender depends on how you use
your computer. Take the time to consider the implications of turning
these options on or off. If you want to turn off a setting that is
normally turned on, realize the gap in protection you are opening on
your computer, and take related action to protect your computer in
another manner, if possible.
You are the first and last lines of defense against malicious
programs on your computer. Pay close attention to the content you access
with your browser. Also, take the time to scan your computer regularly
for spyware content to help Windows Defender protect your computer. As
with antivirus programs, no one antimalware program can identify and
eliminate all spyware. Because of this, you may want to supplement scans
made by Windows Defender with online scans using a different antimalware
engine.