This article is also available as a PDF download.
Spyware is acknowledged by most IT professionals as one of the biggest problems facing both consumer and business computer users. Spyware is a type of malicious software that is installed usually without the knowledge or permission of the user and then collects information from the computer that it may send back to its maker.
Many varieties of spyware collect information such as Web sites visited, for advertising purposes. But other types are more malevolent and steal users' passwords, credit card, or bank account numbers or even log keystrokes and capture screenshots of what users do on the computer. Some spyware programs also display unwanted advertising, and spyware is often responsible for computer performance slowdowns.
Some jurisdictions have passed laws making certain types of spyware illegal; however, enforcement can be difficult. To control the problem, you need a technological solution. A number of third party anti-spyware programs are available. Early last year, Microsoft released its free anti-spyware program, Windows Defender, to beta testing. The product was made available to the public in October 2006 as a download for Windows XP and 2003. Windows Defender is built into Windows Vista, making it more convenient than ever for users to defend against this insidious type of malware.
Windows Defender for XP is still available for download.
Defender technology: Origins
Windows Defender is based on the GIANT Anti-spyware software which was acquired by Microsoft in December 2004. (Sunbelt Software's CounterSpy was also originally based on GIANT technology under a pre-existing agreement, although both companies have expanded on the original code and added their own enhancements.)
Using Defender on Vista
In Vista, you access Windows Defender through an applet in Control Panel, as shown in Figure A.
|You access Windows Defender via Control Panel in Vista.|
Alternatively, you can open Defender from the left pane of the Windows Security Center, as shown in Figure B.
|You can also access Defender in Vista through the Windows Security Center.|
The Defender interface is simple; a one-click button lets you check for new definitions updates and a Status box shows the date, time, and type of the most recent scan, the schedule you've set for automatic scanning, whether real time protection is turned on or off, and the definition version.
Real-time protection alerts you immediately when suspected spyware attempts to install itself or run. You also get an alert if you change certain Windows settings, to ensure that you really initiated the change and it isn't being done by malware. Figure C shows the front console page.
|The Defender interface is simple and intuitive.|
Across the top of the console, there is a menu toolbar that contains the following icons:
- Back and Forward buttons
- Home button that returns you to the "front page" of the console
- Scan button with a drop-down menu for selecting Quick Scan, Full Scan, or Custom Scan
- History button (Figure D) that allows you to see Windows Defender activities, review or monitor items you've permitted to run on your computer (Allowed items), and remove or restore items that Windows Defender is preventing from running (Quarantined items).
- Tools button (Figure E) that allows you to configure settings and options.
|The History page allows you to view all Defender activities.|
|You can configure settings and options for Defender through the Tools menu.|
Scanning your computer
You can run three types of spyware scans with Defender:
- Quick Scan: In the interest of saving time, only those locations on the hard disk where spyware is most frequently found will be checked.
- Full System Scan: This option checks every file on your hard disk and all programs that are currently running. This can take a while and may slow down your computer while it's being performed.
- Custom Scan: You specify what locations (folders or drives) on the computer to scan. If Defender detects spyware, it will perform a Quick Scan to remove detected items from other areas of the computer.
You also have several options when running a scan. You can choose to scan the contents of archived files and folders and you can use heuristics in addition to definition files to identify software that may be spyware before it's included in the definitions files. You can also create a restore point before removing detected items, just in case you find that necessary files are removed. And you can specify particular files or folders that Defender should skip when performing a scan. Note that you may be prompted for an administrative password or confirmation when you try to run a scan.
Configuring settings and options
You can configure several aspects of Defender's behavior via the Tools | Options selection. You can set up a schedule for Defender to scan your computer automatically on a daily basis or on a specified day of the week, the time for the auto scan, and the type of scan to perform (Quick, Full, or Custom). You can also have Defender check for updated definitions before scanning and/or apply default actions to items that are detected when a scan is performed, as shown in Figure F.
|A number of options allow you to customize Defender's behavior.|
Default actions can be selected separately for high, medium, and low alert items. For each alert level, you can apply the definition-based default action, remove the item, or ignore it.
You can select whether to use real-time protection (by default, it's turned on) and which security agents you want to run. There are agents that monitor:
- Programs that run automatically when you start the computer
- Security-related configuration settings
- Internet Explorer add-ons
- IE configuration settings
- Files and programs downloaded via IE, such as ActiveX controls and software installation programs
- Services and drivers
- Any programs that are started and the operations they perform
- Application registration files
- Windows add-ons or utilities
If you want, you can have Defender notify you about software that has not yet been classified for risk and changes that are made to your computer by software you have permitted to run. (Neither of these options is enabled by default.)
You can also specify when you want the Windows Defender icon to appear in the notification area. By default, it appears only if Defender detects an action to take, but you can have it always appear if you prefer.
Under Advanced Options, you choose whether to scan the contents of archived files and folders, whether to use heuristics, and whether to create a restore point. By default, all of these options are turned on. This is also where you can add file or folder locations that should not be scanned, as shown in Figure G.
|Use Advanced and Administrator options to further configure Defender's actions.|
Windows Defender can be turned off or on under the Administrator Options section. This is also where you can specify whether you want to allow everyone, including users who don't have administrative rights, to scan the computer, choose actions to apply to detected software, and review Defender activities.
The SpyNet community
SpyNet is an online community in which you can participate (but are not required to) when you use Windows Defender. You join the SpyNet community via the Microsoft SpyNet selection in Tools | Settings. There are two participation options:
- You can join with a basic membership, in which case Defender will send basic information to Microsoft about the software it detects and what actions you apply.
- You can join with an advanced membership, in which case you get an alert when Defender detects any software that hasn't been analyzed for risk (or changes made by such software). Defender also sends more information to Microsoft about detected software. This includes where the software was located on your hard disk, filenames, and how the software has affected your computer.
With Vista, you don't have to buy third-party software to scan for and remove spyware (although some people will want the added features of commercial anti-spyware programs). Windows Defender, which is included with the operating system, can be used alone or in conjunction with other anti-spyware programs to help keep your computer safe.
- Anti-spyware: Software that uses definition files and/or heuristics to detect known or potential spyware on a computer, alert the user, and/or remove or quarantine the spyware.
- Custom Scan: An option that scans only those locations you specify.
- Full Scan: An option that scans the entire computer (all files and folders on the hard drive).
- Heuristics: In this context, a method of determining what programs are likely to be spyware based on their behavior and patterns before they have been identified by definitions.
- Quick Scan: An option that scans only locations commonly infected by spyware.
- Real-time protection: An anti-spyware feature that alerts you immediately when suspected spyware attempts to install itself or run.
- Security agents: In this context, software that monitors specific files, programs, or settings for indications of spyware infection.
- SpyNet: The Microsoft online community that shares information about spyware and potential spyware to help improve Windows Defender's effectiveness.
- Spyware: Malicious software that is installed without the knowledge or permission of the user (often in conjunction with other, legitimate software) and that collects information about the user or computer and may send it back to the spyware maker.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.