While Mac partisans and tech pundits
like to present a tortured view of how difficult it is to secure a
Windows PC, the truth is far less dramatic. Previous to Windows 8,
there were a few simple steps you could take to technically secure your
PC—enabling automatic updates and installing an antivirus solution—and
that, combined with some good old-fashioned common sense was all that
was required.
In Windows 8, you’ll be ecstatic to know, it’s even easier.
Under the hood, of course, Microsoft’s
decades-long commitment to system security continues. This version of
Windows includes the same anti-malware technology, firewall, User
Account Control, and other security features that made Windows 7 the
most secure version of Windows yet. And then they turned it up a notch
by adding two crucial new features: Antivirus is now included in the
OS, finally, so you won’t need to add that separately. And the
SmartScreen protection feature that the company debuted in Internet
Explorer 9 is now part of Windows, so you’re protected even if you use
competing browsers.
Windows Defender
Microsoft has included an integrated
anti-spyware and anti-malware solution called Windows Defender since
Windows Vista. Defender was good at what it did—in fact, most Windows
users simply aren’t even aware of its existence, which is proof of its
efficiency—but it’s always been lacking one crucial feature: It didn’t
include antivirus functionality. So we recommended an external and free
utility called Microsoft Security Essentials (MSE) for this purpose:
MSE looked and worked just like Defender, but it added that one crucial
feature, completing the Windows security picture.
Now, Windows Defender includes the same antivirus
functionality that used to be part of Microsoft Security Essentials.
It’s built into Windows 8, it’s enabled by default, and you get it for
free, just for buying into Windows 8.
This is exciting because both of us have used MSE
for years, and we trust it to protect not only our own PCs, but more
crucially those of our families and friends. And we’ve experienced no
major issues yet. Not once.
So our advice is simple. Assuming you’re not
spending your time in the nether regions of the web, downloading
illegal software and goodness knows what else, Windows Defender is
enough. It’s lightweight and quiet, and it won’t bother you with
annoying pop-up dialogs. You won’t need other security applications or
even more expensive security suites. You know, assuming that common
sense is employed.
TIP Okay,
there is one more thing you can continue doing from time to time: Use a
second anti-malware utility. (You should never use two antivirus
solutions, however, because they will interfere with each other.) It’s
not necessary to leave the second anti-malware utility running in real
time, but it’s a good idea to run it once in a while, just to make sure
something hasn’t slipped by.
But we know you want to know a bit more about Windows Defender.
Shown in Figure 1,
Windows Defender has a simple interface. From here, you can trigger a
malware and virus scan, check for updates, view the history of
Defender’s activities, or access various options. It works just as
Defender did in Windows 7, except that it’s now checking, in real time,
for viruses as well as spyware and other malware.
There’s not a heck of a lot to do here.
Configured properly, Defender’s real-time protection against viruses
and malware will be enabled, and its virus and malware definitions—part
of its ability to detect errant software—should be up to date. You can
manually update the definitions from the Update tab, but it’s unlikely
there’s an issue here unless the PC has been offline for weeks or
longer.
Potentially harmful items that have been found
are cataloged on the History tab. Here, you’ll see different buckets
for quarantined, allowed, and all detected items. If there are any
items here, you can further remediate them if you’d like—perhaps by
removing them entirely—but there’s usually no reason to bother.
The Settings tab has, as expected, a number of
configuration options and is worth looking at. For example, you can
configure Defender to scan removable drives during a full scan. This is
desirable if you regularly use an external disk, like a USB hard drive,
when you’re home. You can also configure Defender to automatically
remove quarantined items after a set time period—by default it does
nothing—and determine whether to participate in Microsoft’s Active
Protection Service, or MAPS, which is used to make Defender more
effective for everyone. Do your part: We recommend at least a basic
membership.
Boot-Time Security
Windows Defender, like its predecessor,
is great at what it does. But there’s one problem with an integrated
antivirus and anti-malware solution like Defender, and that is that
Windows 8 must be running for it to work. There are certain situations
in which you may wish to secure your PC’s hard disk—just as when it’s
booting—or need to run a security scan against the hard disk when
Windows isn’t running. And while one might argue that these
capabilities aren’t technically Windows 8 features per se, you need to
know about them.
First, as PCs have become more sophisticated, the
architecture on which Windows runs has evolved. And one of the biggest
changes that Windows 8 has been designed to accommodate is the long
overdue switch from the primitive BIOS (basic input/output system)
environments that have graced (disgraced?) PCs since the 1980s. BIOS is
a type of firmware, a tiny bit of software that runs before Windows
when the PC first powers on. And while it’s possible to run Windows 8
on a BIOS-based computer—basically every single PC made before 2012—a
new generation of more sophisticated PCs and devices are instead using
BIOS’s replacement. It’s called UEFI, or the Unified Extensible
Firmware Interface.
UEFI provides many advantages over BIOS, but from
a security perspective the big deal is that PCs based on this firmware
type can support a new technology called Secure Boot. Based on industry
standards, Secure Boot ensures that a system hasn’t been tampered with
while offline. (That is, while Windows isn’t running.)
It sounds Orwellian but the purpose of Secure
Boot is valid: It targets a growing class of electronic attacks that
insert code before Windows boots and try to prevent the OS from loading
security software like Windows Defender at boot time, leaving the
system vulnerable to further attack. Secure Boot ensures that only
properly authorized components are allowed to execute at boot time. It
is literally a more secure form of booting.
All Windows 8 PCs and devices will be configured
from the factory to support Secure Boot and have this firmware feature
enabled. But if you are going to install Windows 8 on a previous PC,
you can check to see whether this feature is supported and then enable
it before installing the OS.
As a feature of the PC firmware, Secure Boot
isn’t configured in Windows; it’s configured in the UEFI firmware
interface. This interface will vary from PC to PC, but it’s generally
available via a Boot or Security screen in the firmware and is toggled
via an option that will be labeled UEFI Boot. This can be set to
Enabled or Disabled.
The other security issue that arises at boot time
occasionally is the need to scan an offline system. That is, you may
want to run a Windows Defender security scan against a Windows 8 hard
disk, but when Windows isn’t running. This can be a vital capability if
your system is infested with a bootkit or rootkit,
malicious forms of software that are both hard to detect and almost
impossible to remove . . . when Windows is running. But if you can
attack bootkits and rootkits while Windows is offline, then voila! Problem solved.
Fortunately, Microsoft makes a standalone version
of Windows Defender called the Windows Defender Offline. As you might
expect, it is based on Windows Defender, and looks almost identical to
that tool. But you install it to a bootable optical disc or USB memory
stick and then boot the PC from that. Windows Defender Offline is shown
in Figure 2.
Strictly speaking, there’s no reason to run
Windows Defender Offline unless you know you have a problem. But don’t
wait to create a bootable Windows Defender Offline disc or USB key
until you have a problem: This is a tool you should have at the ready,
just in case. You can download Windows Defender Offline from the
Microsoft website at tinyurl.com/defenderoffline.
CROSSREF
Some related security features, BitLocker and EFS, can be used to
protect the contents of a Windows PC’s hard drive.
