SolutionBase: Take an inside look at Windows Defender in Vista

Even Vista is vulnerable to exploits that need patching. Windows Defender's spyware-busting features can help further protect systems from compromise. Scott Lowe provides a detailed look at the Windows Defender included in Vista.

When Microsoft got into the antispyware market, some pundits decried the move as profiting from holes in Windows at the same time that the company was pushing other new security measures. However, like it or not, Windows does have flaws and even Vista falls victim to zero-day exploits that need patching. When used in concert with Vista's other security features — such as User Access Control — Windows Defender's spyware-busting features can help further protect systems from compromise. In this article, I'll provide a detailed look at the Windows Defender included in Vista.

What is Windows Defender?

Although this article is primarily focused on Windows Defender as it relates to Vista, Windows Defender is not a Vista-only product. Windows Defender — in addition to running on Vista — also supports Windows XP SP2, Windows Server 2003, and, presumably, the forthcoming Windows Server 2008. Microsoft has chosen not to support Defender on Windows 2000 and earlier versions of Windows.

Although Windows Defender runs on operating systems besides Vista, Defender has unique capabilities when it's running under Vista. For example, under Vista, Defender can:

  • Scan only files that have changed since the last scan, as opposed to all files on the system. This can make scans much faster, not to mention extend the life of your hard drive.
  • Perform scans under a security-enhanced account.
  • Scan files as you execute programs.

Windows Defender is a free product that is included in Vista, and is available for the operating systems indicated above.

What Windows Defender isn't

Windows Defender isn't a virus scanner; it's important to understand that fact up front. Microsoft does provide virus-scanning tools in the form of Windows Live OneCare and Microsoft Forefront Client Security. OneCare is a consumer-oriented product, whereas Forefront is aimed at the enterprise. Unlike Defender, neither product is free; but both paid products provide protection against both viruses and spyware.

Managing Windows Defender

Windows Defender management is accomplished from Start | All Programs | Windows Defender. The Defender management home page, shown in Figure A, is pretty sparse and just indicates current spyware status, as well as providing a look at the version of your spyware definitions and some other general parameters.

Figure A

Windows Defender management home page in Vista.

At the top of the management home page, note that there are four options available:

  • Home: From whatever management page you're on, this button brings you back to the Defender management home page.
  • Scan: With Quick Scan, Full Scan, and Custom Scan options, this button provides you with a way to perform on-demand spyware scans. These options are discussed later.
  • History: The History option gives you a historical look at what's happened to your system with regard to spyware. You can see what infections have been found and blocked. The History option is discussed later in this article.
  • Tools: This is where the brunt of your Windows Defender configuration takes place. The items available from the Tools menu are discussed in the next section.

The meatiest of the various options, the Tools and Settings page, shown in Figure B, provides you with six options:

  • Options: Choose how you want Defender to run.
  • Microsoft SpyNet: SpyNet takes a community approach to defending against spyware. Basically, SpyNet keeps track of how people respond to new threats and allows Microsoft to react better to new spyware that the community deems most dangerous.
  • Quarantined items: When an infected item is found on your computer, Defender can quarantine the item until you decide whether to either remove or restore the potentially infected software.
  • Software Explorer: Sometimes, spyware sneaks onto your computer as a part of a running service. Other times, spyware can enter the system through a running network service. In any case, the Software Explorer gives you a granular look at every service running on your computer.
  • Allowed items: If you have a problem with Defender flagging a particular product as spyware, but you need that product, you can add it to Defender's Allow list so that Defender will ignore the software.
  • Windows Defender Web site: Takes you to Microsoft's Windows Defender Web site.

Figure B

The Tools and Settings page contains six options.

Options page

Defender's Options page, shown in Figure C, has a number of options that relate to how Defender operates. For example, from this page, you can dictate whether or not Defender should automatically periodically scan your computer.

Figure C

The second page of Defender's options.

Further, you can decide what action to take depending on the severity level of an alert. Settings you can configure include:

  • Automatically scan my computer (recommended): This option is self-explanatory. If you enable this selection, the options below (Frequency, etc.) become available.
  • Frequency: How often would you like to scan your system? You can opt to scan daily or on any day of the week.
  • Approximate time: At about what time would you like the automatic scan to begin? The default is 2 A.M., but you can choose any hour of the day.
  • Type: What type of scan would you like to perform? Your options are Quick scan and Full System scan. A Quick scan checks the places on your hard disk that are most likely to be infected by spyware. A Full System scan, on the other hand, checks all files on your hard disk as well as all currently running programs. A Full scan will take much longer than a Quick scan, and will cause your computer to slow down until the scan is complete. If you are using Defender's real-time scanning capability, I recommend that you run a Quick scan each day. If you're in a particularly sensitive environment, you can do a Full scan and just schedule it for early morning.
  • Check for updated definitions before scanning: Although better than performing no scan, running a scan without the latest spyware definitions is less than ideal. Force Defender to obtain the latest definitions before each scan by selecting this checkbox.
  • Apply default actions to items detected during a scan: In the middle of an automated scan taking place in the wee hours, you don't want Defender to pop up a dialog box that requires user intervention. Therefore, select this checkbox to configure Defender to perform the default action for a particular piece of spyware that might be found during a scan.
  • Default actions: For each of three levels of spyware severity — Low, Medium, and High — Windows Defender can be configured to take one of three actions when faced with a positive hit. There are two severity levels that are not present on this list. The first is called Severe, and is a notch above High, meaning that it's pretty bad stuff. The second unlisted severity level is Not Yet Classified. All five severity levels are described in Table A, which was taken from Microsoft's Defender documentation. For High, Medium, and Low severity items, you can choose from up to three action options:
  1. Default action (definition-based): Allow Defender to automatically take the action recommended in the signature file.
  2. Ignore: Ignore the problem. This is not a recommended course of action, particularly for medium or high alerts.
  3. Remove: Remove and quarantine the offending file for later review.

Table A

Alert level / What it means / What to do

Severe
  What it means: Widespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of your computer, and can damage your computer.
  What to do: Remove this software immediately.

High
  What it means: Programs that might collect your personal information and negatively affect your privacy or damage your computer, for example, by collecting information or changing settings, typically without your knowledge or consent.
  What to do: Remove this software immediately.

Medium
  What it means: Programs that might affect your privacy or make changes to your computer that could negatively impact your computing experience, for example, by collecting personal information or changing settings.
  What to do: Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.

Low
  What it means: Potentially unwanted software that might collect information about you or your computer or change how your computer works, but is operating in agreement with licensing terms displayed when you installed the software.
  What to do: This software is typically benign when it runs on your computer, unless it was installed without your knowledge. If you're not sure whether to allow it, review the alert details or check to see if you recognize and trust the publisher of the software.

Not yet classified
  What it means: Programs that are typically benign unless they are installed on your computer without your knowledge.
  What to do: If you recognize and trust the software, allow it to run. If you do not recognize the software or the publisher, review the alert details to decide how to take action. If you're a SpyNet community member, check the community ratings to see if other users trust the software.

Windows Defender security levels and descriptions (From Microsoft)

Windows Defender provides a number of real-time protection options. Real-time protection adds significant protection to your system, as the various agents keep watch over common spyware infection vectors and take active steps to block the introduction of spyware on your system. This proactive approach to combating spyware is a step beyond simply performing a regular scan, which is much more passive in nature. Defender's real-time protection options become available when you scroll down the Options page.

  • Use real-time protection (recommended): Selecting this checkbox enables this important spyware security feature. I highly recommend that you do so.
  • Choose which security agents you want to run: Table B, from Microsoft, explains the purpose behind each of the agents provided with Windows Defender. You can pick and choose which agents you want to run on your system.

Table B

Agent / Description

  • Auto Start: Monitors lists of programs that are allowed to automatically run when you start your computer. Spyware and other potentially unwanted software can be set to run automatically when Windows starts. That way, it can run without your knowledge and collect information. It can also make your computer start or run slowly.
  • System Configuration (Settings): Monitors security-related settings in Windows. Spyware and other potentially unwanted software can change hardware and software security settings, and then collect information that can be used to further undermine your computer's security.
  • Internet Explorer Add-ons: Monitors programs that automatically run when you start Internet Explorer. Spyware and other potentially unwanted software can masquerade as Web browser add-ons and run without your knowledge.
  • Internet Explorer Configurations (Settings): Monitors browser security settings, which are your first line of defense against malicious content on the Internet. Spyware and other potentially unwanted software can try to change these settings without your knowledge.
  • Internet Explorer Downloads: Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Spyware and other potentially unwanted software can be included with these files and installed without your knowledge.
  • Services and Drivers: Monitors services and drivers as they interact with Windows and your programs. Because services and drivers perform essential computer functions (such as allowing devices to work with your computer), they have access to important software in the operating system. Spyware and other potentially unwanted software can use services and drivers to gain access to your computer or to try to run undetected on your computer like normal operating system components.
  • Application Execution: Monitors when programs start and any operations they perform while running. Spyware and other potentially unwanted software can use vulnerabilities in programs that you have installed to run malicious or unwanted software without your knowledge. For example, spyware can run itself in the background when you start a program that you frequently use. Windows Defender monitors your programs and alerts you if suspicious activity is detected.
  • Application Registration: Monitors tools and files in the operating system where programs can register to run at any time, not just when you start Windows or another program. Spyware and other potentially unwanted software can register a program to start without notice and run, for example, at a scheduled time each day. This allows the program to collect information about you or your computer or gain access to important software in the operating system without your knowledge.
  • Windows Add-ons: Monitors add-on programs (also known as software utilities) for Windows. Add-ons are designed to enhance your computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that will collect information about you or your online activities and expose sensitive, personal information, often to advertisers.

Protection Agent descriptions (from Microsoft)

The last page of Defender's options is accessible by scrolling further down the main Options page. Here, you'll find the following advanced and administrative options:

  • Scan the contents of archived files and folders for potential threats: Not all programs will dig into .zip and .cab files to look for infections. Doing this kind of scan can tax system resources, but if you run scans in the off-hours, it shouldn't be bad. I highly recommend that you don't disable this option.
  • Use heuristics to detect potentially harmful or unwanted behavior by software that hasn't been analyzed for risks: When a new virus or spyware program is released into the wild, it takes vendors some time to get new signatures out to users. That said, many viruses and spyware infections look alike and Defender can attempt to take proactive steps to block a file that has a high risk of being infected.
  • Create a restore point before applying actions to detected items: If you're not comfortable with Defender possibly making changes to your system in the middle of the night, thus risking problems in the morning, configure Defender to create a restore point before applying any fixes. Then, if there are problems, you can roll back to a working system.
  • Do not scan these files or locations: There may come a time when a file or folder on your system results in a false positive in Defender, or there may be files that, for whatever reason, you want Defender to simply ignore. Using the Add button, tell Defender about these files and locations. Your entries will then appear in the box under the section heading.
  • Use Windows Defender: The first of two administrator options. Clearing this single check box stops Defender from protecting your system; leaving it selected also enables automatic updates of your definition files.
  • Allow everyone to use Windows Defender: Presumably, not every user on your system has administrative rights, so some users may be unable to make changes (i.e., fixes) to files that may be infected. By selecting this option, all users can initiate changes that will fix problems.

You can see this in detail in Figure D.

Figure D

The third page of Defender's options.

When you're done making configuration changes to Defender, press the Save button.

Microsoft SpyNet

Older spyware and viruses for which there are definitions aren't as big a threat as new threats that have not been vetted well enough for a final severity determination. That's where SpyNet comes in. SpyNet is a community affair that lets you see how others are responding to similar threats. This can help you decide how you want to respond. If others aren't taking a new threat all that seriously because it poses little threat, it's good to know that so you don't go overboard combating something that doesn't necessarily warrant the effort.

If you're concerned about privacy, you don't have to use SpyNet. If you do decide to use the service, there are two levels of membership available. A basic membership reports your protection selections to the central network to be made a part of the aggregate decision. Further, the success or failure of your actions is reported. Microsoft indicates that some personal information could be transmitted as a part of this reporting process.

An advanced membership includes all aspects of the basic membership, but more information is sent to Microsoft and you are provided with the opportunity to take action when potentially dangerous actions are taken by software that has not yet been analyzed for risk.

SpyNet is one of those services that those wary of Microsoft will avoid out of fear of being "outed" as owners of illegal versions of Windows or out of fear of personal information being misused. Before you jump into SpyNet, take these possibilities into consideration. Personally, I believe that Microsoft would seriously damage the Defender product if they took adverse action against users or misused personal information, so they are likely to use the information specifically as outlined.

Software Explorer

One useful aspect of Windows Defender is the Software Explorer, which offers you four different views of the software and services running on your system. You can look at programs and services in the following categories:

  • Startup programs: Programs that start when your system boots.
  • Currently running programs: Programs for which there are currently active services.
  • Network connected programs: Programs that have established some kind of network connection. This view also shows you the ports in use by the program or service.
  • Winsock service providers: Programs that perform low-level networking and communication services for Windows and other running programs.

I'll give you a look at screenshots from all four categories below, starting with the startup programs option, shown in Figure E.

Figure E

A list of startup programs on my system.

Note that this view allows you to see exactly how a program made its way into your startup routine. With so many different ways to start programs at system start, it's nice to have a view that shows you both the startup method and the location. In the case of GoogleTalk, shown in Figure F, the software starts as the result of a registry key in the Current User hive. Specifically, the Run key located at Software\Microsoft\Windows\CurrentVersion\Run handles this startup task. This view also indicates to you whether a particular program shipped with Windows, or was added on later. This can be useful for troubleshooting. Also take note of the Classification column. In Figure E, note that there are mostly Permitted items, with a few that are not yet classified.
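As an added illustration (not part of the article and not Windows Defender's own code), the following PowerShell script reads the same per-user and per-machine Run and RunOnce keys that Software Explorer's startup view reports and lists each entry with its location, image path, and Authenticode signer, so that unsigned or unfamiliar startup entries stand out for review. It assumes PowerShell 2.0 or later is installed; the function names are my own.

```powershell
# Added example: enumerate Run/RunOnce startup entries the way Software Explorer's
# "Startup programs" view does, and annotate each with its location and signer.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ImagePath {
    # Strip arguments from a Run value and return just the executable path.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        # Quoted path: everything between the first pair of quotes
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    # Unquoted path: take everything up to the first ".exe", else the first token
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            $path = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $command))
            if (-not (Test-Path -LiteralPath $path)) {
                # Bare image names (e.g. rundll32.exe) resolve through the PATH
                $app = Get-Command $path -CommandType Application -ErrorAction SilentlyContinue
                if ($app) { $path = @($app)[0].Definition }
            }
            $signer = 'file not found'
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -eq 'Valid') {
                    $signer = $sig.SignerCertificate.Subject
                } else {
                    $signer = "unsigned or invalid ($($sig.Status))"
                }
            }
            New-Object PSObject -Property @{
                Name     = $name
                Location = $key
                Path     = $path
                Signer   = $signer
            }
        }
    }
}

# Sorting by location groups entries the way Software Explorer's Startup Type
# grouping does; unsigned or missing images are the ones to investigate first.
Get-StartupEntries | Sort-Object Location, Name |
    Format-Table Name, Location, Path, Signer -AutoSize -Wrap
```

Run it from an elevated prompt to read the HKLM keys reliably; entries whose signer is reported as unsigned, invalid, or missing correspond to the items you would review in the Not Yet Classified column.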

You can actually change this view so that the items are grouped by the startup location. Right-click anywhere in the left-hand pane and, from the resulting shortcut menu, choose Startup Type. You will get a view similar to the one shown below in Figure F.

Figure F

A list of startup programs on my system sorted by startup location.

If you're concerned about software that is currently running on your system, you probably want a view that goes beyond just startup programs. From the drop-down menu at the top of the Software Explorer window, select Currently Running Programs to get a view like the one shown below in Figure G.

Figure G

A list of all running programs on my system sorted by publisher.

This window gives you much of the same information, but notice that each program name also lists the process ID so you can match it up against Task Manager. The process ID is also included in the Details pane.

For multi-user systems, rather than grouping processes by the software publisher, you can also sort by the user name. Right-click in the left-hand pane and, from the shortcut menu, choose User Name. If you want to include system accounts in the mix, press the Show For All Users button. This button is available in all views and allows you to see processes other than the ones started just by user accounts. Figure H gives you a look at this view.

Figure H

A list of all running programs on my system sorted by user ID and including programs running under all accounts.

Have you ever had to root around your system looking for the process associated with a particular network connection? Without using the command line or using specific tools, it can be a tedious task.

In Figure I, take a look at the bottom of the Details pane. In the tables, Software Explorer provides you with a complete list of the IPv4 and IPv6 connections in use by the particular process. Now you can see what your software is really doing. Figure J below shows the same view as Figure I, but I wanted to show you a process that has an established IP connection.
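As an added example (not from the article), this PowerShell function reproduces the Software Explorer network view from the command line on a system that lacks newer networking cmdlets: it parses the output of netstat -ano and joins each connection's owning process ID against Get-Process, giving you the same PID-to-image mapping without hunting through Task Manager. The netstat line shapes shown in the comment are constructed, and the function name is my own.

```powershell
# Added example: tie each TCP/UDP endpoint to its owning process, as Software
# Explorer's "Network connected programs" view does.
function Get-ConnectionOwners {
    # Index running processes by PID once rather than calling Get-Process per line
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    netstat -ano | ForEach-Object {
        # netstat -ano rows look like this (constructed sample, not captured output):
        #   TCP    192.0.2.10:49152    198.51.100.7:443    ESTABLISHED    1234
        #   UDP    0.0.0.0:5355        *:*                                1000
        $fields = $_.Trim() -split '\s+'
        if (@('TCP', 'UDP') -notcontains $fields[0]) { return }   # skip headers and blanks

        $proto = $fields[0]
        if ($proto -eq 'TCP') {
            $state = $fields[3]; $ownerPid = [int]$fields[4]
        } else {
            $state = ''; $ownerPid = [int]$fields[3]   # UDP rows have no State column
        }

        $proc = $procs[$ownerPid]
        $name = if ($proc) { $proc.ProcessName } else { '<not running or access denied>' }
        $path = if ($proc -and $proc.Path) { $proc.Path } else { '' }

        New-Object PSObject -Property @{
            Protocol = $proto
            Local    = $fields[1]
            Remote   = $fields[2]
            State    = $state
            PID      = $ownerPid
            Process  = $name
            Path     = $path
        }
    }
}

# Established connections only, grouped by owning process, as in the Figure J view
Get-ConnectionOwners |
    Where-Object { $_.State -eq 'ESTABLISHED' } |
    Sort-Object Process, PID |
    Format-Table Process, PID, Protocol, Local, Remote, Path -AutoSize
```

Run it from an elevated prompt so that processes owned by other accounts resolve to a name and path, the command-line equivalent of pressing Show For All Users.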

Figure I

A list of all network connected programs on my system sorted by user ID and including programs running under all accounts.

Figure J

A similar view to Figure I, showing a process with an established IP connection.

Finally, the Software Explorer provides you with a way to view Winsock Service Provider services. These services can have deep access into the operating system, so protecting them is very important. Figure K gives you a look at Defender's summary of running Winsock services.

Figure K

A summary of Winsock Service Providers running on Vista.

Allowed programs

Earlier in this article, I indicated that Defender has a mechanism by which you can add programs that Defender will ignore. For example, you might have a program that Defender considers harmful but that you need. From the Tools page, choose Allowed Items to see a screen like the one shown in Figure L.

Figure L

Defender's list of allowed programs.

Windows Defender Web site

This final option on the Tools page takes you to Microsoft's Defender Web site.

Scanning

Earlier in this article, you learned about some of Defender's scan scheduling options. As with most scanners, Defender also provides a scan-on-demand mechanism. As is the case with scheduled scans, you can perform a Quick Scan, a Full Scan, or a Custom Scan. Figure M shows you these options made available from the Scan option on the Defender home page. Note that the Defender home page also provides details about the most recent scan.

Figure M

Defender's list of allowed programs.

If you choose the Quick or Full scan options, Defender starts scanning your system with no further required input. If, however, you choose the Custom Scan option, Defender asks you for some additional information, including the scan type and the location that you want to scan.

When you're done with a scan, a quick scan overview is provided on the Defender home page.

History

As you use Defender and make decisions, and as Defender finds problems, it's important that you can go back and see what's taken place. To this end, Defender's home page provides a History option giving you just such details. Figure N shows you the History page.

Figure N

What locations would you like to scan?

Note that the History page provides an entry for each anomaly, along with details about the entry, including advice and the location of the offending file.

Defend against unpleasantries

Although it would be better if there was no need for the product, Windows Defender is an able protector of systems. When used in conjunction with other security mechanisms, Defender will help you keep your systems free of unwanted nasties.

About Scott Lowe

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...