Security Essentials - Stopping Spyware with Windows Defender

3/17/2011 11:34:53 AM

Spyware is a term that has come to describe a variety of undesirable software programs, whose bad behavior ranges from annoying you with pop-up ads to surreptitiously sending your private information to other people. Indications of common spyware infections include the following:

  • Unexpected new toolbars, favorites, and links in your web browser

  • Changes to your browser's home page and default search provider

  • Numerous pop-up ads

  • Sudden occurrence of computer crashes or slow performance

Note that spyware doesn't necessarily "spy" on you. A common characteristic of anything dubbed "spyware" is that it does its deeds—malicious or otherwise—without your informed consent. (Spyware typically gets installed by deceitfully asking permission to do something other than what it actually does or, in some cases, by exploiting browser vulnerabilities. In this regard, most spyware is fundamentally different from earlier types of malware; it typically relies on social engineering to install instead of exploiting vulnerabilities.)

That's where Windows Defender comes in. For known malicious programs that have no redeeming value to you, it intercedes without disturbing you and then quarantines or removes the offending program. Other "spyware" programs, along with programs that perform activities that are suspiciously similar to known spyware tactics, fall into a gray area; when Windows Defender encounters one of these programs knocking at your door, it suggests a solution and asks what you want to do.


Note:

For detailed information about the criteria that Windows Defender uses to identify spyware, visit w7io.com/1517.


In addition to its real-time protection for spyware-like behavior, Windows Defender (shown in Figure 1) also scans your computer's files periodically, looking for known spyware.

Figure 1. The Windows Defender home page shows the current status of your system, including links to information about detected problems, the scan schedule, and the date of the spyware definition file.


Windows Defender runs as a service, which allows it to provide protection for all users on your computer. The Windows Defender user interface runs in the context of the current user (therefore, UAC elevation is required for some actions), but the scanning and spyware removal are done by the service—and without the need for administrative privileges.


Note:

Windows Defender is a good antispyware solution for computers in homes and in small business networks. If you use a domain-based network, you might want to look into Microsoft Forefront Client Security (w7io.com/1519), which provides spyware protection with centralized control, management, and reporting.


1. Scanning Your Computer for Spyware

Scanning is one of the two primary detection mechanisms in Windows Defender. (The other is real-time protection.) When Windows Defender scans your computer, it checks applications it finds against a database of spyware definitions. The database, which is frequently updated via Windows Update, contains detailed information about known spyware, including file names and version numbers, a description of the threat presented by each program, and a recommended action to take if the program is found on your computer.

Scanning performance has been improved in Windows 7. Automatic scans, which run at low priority, use better algorithms to determine when your computer is idle than does Windows Defender in Windows Vista; this enables scans to run efficiently when you're not using your computer and to stay out of the way when you are. In addition, the scanning engine uses a caching system that improves performance over time, persisting through reboots and spyware definition updates.

TROUBLESHOOTING

Spyware definitions don't update properly

Microsoft Knowledge Base article 918355 (w7io.com/1520) explains how to troubleshoot and resolve definition update problems.


1.1. Scanning Automatically

By default, Windows Defender scans your computer automatically once a day; your current scan schedule appears near the bottom of the home page in Windows Defender, shown in Figure 1. You can modify the schedule and set other scanning options by clicking Tools and then clicking Options. The Options page is shown next.



The Automatic Scanning panel of the Options page is where you specify a schedule and the type of scan: quick or full. A quick scan checks only the places on your computer that spyware is most likely to infect, and it is the recommended setting for frequent regular scans. A full scan checks all files on your local hard disk drives and all running programs, and it is likely to slow down your computer during its sometimes lengthy run.

Before you leave the Options page, review some additional, less intuitive options that affect scanning:

  • Excluded Files and Folders In this box, you can specify files or folders that you know to be safe. Generally, the only reason to consider excluding files in this way is if you have a program that you knowingly run regularly and that is detected by Windows Defender every time it runs, despite your telling it to allow the program. If this happens, you should exclude the detected file (or files) rather than its containing folder; if you grant blanket approval for files in the containing folder, and later some real spyware ends up in the folder, Windows Defender won't detect it.

  • Excluded File Types Similarly, you can exclude from scans all files with the file name extensions that you specify.

  • Advanced The first three options on the Advanced panel expand the scope of Windows Defender scans when selected. Note that archive files—the subject of the first option—provide the storage mechanism for compressed folders as well as .zip and .cab files.



1.2. Scanning Manually

Regular automatic scanning is normally sufficient for identifying and resolving spyware problems. However, if you suspect that you've been infected—or if you've disabled automatic scanning—you can scan on demand. To immediately run a quick scan, simply click the Scan button on the toolbar. If you want to run a full scan, which is a better option if you suspect infection, click the arrow next to the Scan button and click Full Scan. The Custom Scan option lets you narrow your scan to the drives and folders you specify.

Inside Out: Run Windows Defender from a batch program

Windows Defender also includes a command-line utility, %ProgramFiles%\Windows Defender\MpCmdRun.exe, that you can use to automate the use of Windows Defender. For details about using the utility, open a Command Prompt window and run the program with no parameters.
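The batch program below is an added example, not code from the book or from Microsoft, showing how the service-based design described earlier and the MpCmdRun.exe utility fit together in an automated maintenance job. It assumes the Windows 7 Windows Defender service is registered under the name WinDefend and that MpCmdRun.exe accepts -SignatureUpdate and -Scan -ScanType 1 (quick) or 2 (full); the book documents only that running the utility with no parameters prints its usage, so confirm those parameters against that usage text before relying on the script. The log file location is an arbitrary choice.

```batch
@echo off
rem Added example (not from the book): unattended Windows Defender maintenance.
rem Assumptions: service name WinDefend; MpCmdRun.exe parameters -SignatureUpdate
rem and -Scan -ScanType 1 (quick) / 2 (full). Verify with MpCmdRun.exe run bare.
setlocal
set "MPCMD=%ProgramFiles%\Windows Defender\MpCmdRun.exe"
set "LOG=%SystemDrive%\DefenderMaint.log"

if not exist "%MPCMD%" (
    echo %DATE% %TIME% MpCmdRun.exe not found at "%MPCMD%" >> "%LOG%"
    exit /b 2
)

rem Scanning and removal are performed by the service, not by the utility itself,
rem so a scan request is pointless if the service has been stopped or disabled.
sc query WinDefend | find "RUNNING" > nul
if errorlevel 1 (
    echo %DATE% %TIME% WinDefend service is not running; no scan performed >> "%LOG%"
    exit /b 3
)

rem Refresh the definition database first so the scan uses current signatures.
"%MPCMD%" -SignatureUpdate
if errorlevel 1 echo %DATE% %TIME% definition update failed, errorlevel %ERRORLEVEL% >> "%LOG%"

rem Quick scan by default; pass "full" as the first argument to request a full scan.
set SCANTYPE=1
if /i "%~1"=="full" set SCANTYPE=2
"%MPCMD%" -Scan -ScanType %SCANTYPE%
set RC=%ERRORLEVEL%
echo %DATE% %TIME% scan type %SCANTYPE% finished with errorlevel %RC% >> "%LOG%"
exit /b %RC%
```

Save the script as a .bat file and run it from Task Scheduler, or from an elevated Command Prompt with `DefenderMaint.bat full` when you suspect an infection. A nonzero errorlevel in the log means the update or scan did not complete cleanly; review the outcome on the Windows Defender History page rather than assuming the system is clean.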


2. Using Real-Time Protection

Real-time protection runs in the background, always on the lookout for spyware that attempts to install itself or to run. To enable real-time protection, open the Options page and click Real-Time Protection. For full protection, be sure that all check boxes are selected.

When real-time protection is enabled, if Windows Defender encounters spyware (or suspected spyware), an alert appears by the Action Center icon in the notification area, as shown below.



3. Responding to Windows Defender Alerts

If Windows Defender detects the presence of spyware, whether during the course of a scan or caught by real-time protection, you must decide how to handle it. If you see an alert triggered by real-time protection, as shown above, click the alert balloon (or, if it deflates before you have a chance to click it, click the Action Center icon and click Potentially Harmful Software Detected). Alternatively, on the Home page of Windows Defender (shown earlier in Figure 1), click Review Detected Items. A Windows Defender Alert dialog box opens, as shown in Figure 2.

Figure 2. Clicking Clean System removes all detected items from your system, regardless of the setting in the Action column.


For each suspected spyware program, you can specify one of three actions:

  • Remove Windows Defender permanently removes the detected spyware from your computer.

  • Quarantine Windows Defender moves the program to a different folder and prevents the program from running.

  • Allow Windows Defender allows the program to be installed or to run and adds the program to the allowed list; Windows Defender no longer alerts you to its presence and its risks. You should allow only software that you know to be safe.

If you simply want to remove all detected items, click Clean System; Windows Defender begins the removal process and reports the results when it completes. If you're unsure which action to take, click Show Details to display additional information, advice, and a link to online details about the selected item. After you select an action for each item, click Apply Actions. If you later change your mind about items you chose to quarantine or allow, you can reverse those decisions, as described in the following section.

Inside Out: Take action—but which action?

How do you decide what to do based on the rather cryptic information that's presented? Begin with the Windows Defender advice, if shown. Then consider the publisher of the program: is it a company that you've heard of and trust? Examine each of the details and, for the ones you can understand, consider if that's a reasonable action for the type of program you think you're installing.

If you're still unsure, search the web for the names of any programs or files shown; you're likely to find many sites that better describe the source and potential risks with a particular file or program. (You're also likely to find a number of sites packed with misinformation, and it's sometimes hard to tell the difference. Until you find a site that gives you confidence, check several sites to find a consensus. And when you do find one of those good sites, bookmark it for the next time you have to deal with an uncategorized risk.) Dealing with potentially risky software is not clear-cut. Not everyone agrees on what constitutes a risky program; some are willing to accept the risk in return for benefits derived from the program. Furthermore, some perfectly safe, perfectly legitimate programs work in ways similar to some spyware, and they could be flagged as spyware. Ultimately, you have to decide.


TROUBLESHOOTING

You can't get rid of a spyware program

Some spyware is pernicious and uses every trick in the book to avoid being removed and to reinstall itself—much like a monster in a horror movie. After you take action to disable spyware (either remove or quarantine), be even more vigilant in case it rears its ugly self again. After you restart your computer (usually required by Windows Defender after cleanup), run a full scan. Be sure that all real-time protection agents are enabled. And watch out for the sequel.

If spyware does return, you're dealing with a tough one, and you're going to need some up-to-date expert advice to help you through the process of manually removing it. Because the advice depends on the particular spyware as well as other factors, we can't provide it here—but we can point you to an excellent resource: the Spyware Warrior forums (w7io.com/1521), where you'll find links to diagnostic and removal tools and volunteer experts to help solve problems.


4. Working with Allowed and Quarantined Items

When you choose to let Windows Defender remove a detected spyware item, whether by selecting the Remove action or by clicking Clean System, it's gone for good. That's not the case with items for which you select the Allow or Quarantine actions. The detected files remain on your system. You can view and manage allowed and quarantined items from the Tools page in Windows Defender.

Allowed files remain in their original location, and you can use them without interference from Windows Defender. If you later change your mind, you can remove an item from the allowed list. On the Tools page, click Allowed Items. By default, Windows Defender hides allowed items to protect the privacy of other users on your computer (allowed items for all users appear here); click View and respond to the UAC elevation prompt to view the files. To remove a program from the allowed list, shown in Figure 3, select the item and click Remove From List. Windows Defender does not remove the program from your computer—but it does resume monitoring it and warning you when the program does something provocative.

Figure 3. If you mistakenly allowed detected spyware, you can correct your error by removing the program from the allowed list.


Quarantined items are moved to an isolated folder location where they can't be accessed, except through Windows Defender. If you later decide what you want to do with a quarantined item, you can visit the quarantine, where you can choose to restore an item (that is, return it to its prequarantine condition) or remove it from your computer. On the Tools page, click Quarantined Items and then click View to expose the file list and the available actions: Remove All (removes all quarantined files from your computer), Remove (removes the selected item), or Restore (returns the selected item to its previous location).

Inside Out: Bypass the View button to see quarantine, allowed list, and history contents

To protect the privacy of other users on your computer, Windows Defender requires you to click View and then provide administrator credentials before you can see the quarantined items list, the allowed items list, or the history of Windows Defender actions taken. If that's too cumbersome, on the Tools page, click Options. On the Administrator panel, select Display Items From All Users Of This Computer. Thereafter, when you click the link to Quarantined Items, Allowed Items, or History, you go directly there without any further roadblocks.


5. Disabling Windows Defender

Choices on the Options page—specifically, the first option on the Automatic Scanning and Real-Time Protection panels—let you turn off automatic scanning and real-time protection. Even if you turn off both options, however, the Windows Defender service continues to run and the program remains available for manual scans. If you want to disable Windows Defender altogether, open Windows Defender, click Tools, click Options, and then click Administrator. Clear the Use This Program check box to disable Windows Defender.
