Managing Client Protection : Using Windows Defender (part 1)

5/3/2013 5:57:34 PM

Windows Defender is a tool designed to reduce the risk of specific types of malware for small office and home users. Although Windows Defender is not designed for use in large enterprises, it does provide some integration with Active Directory Group Policy and can retrieve definition updates from an internal Windows Server Update Services (WSUS) server.

Windows Defender interacts with users when potentially unwanted software is detected. Therefore, users must be trained before Windows Defender is deployed so that they understand how to respond to the various prompts and can distinguish genuine Windows Defender prompts from other software that might impersonate them (a common social engineering technique).

1. Understanding Windows Defender

Windows Defender provides two types of protection, both enabled by default:

  • Automatic scanning. Windows Defender scans the computer for potentially malicious software on a regular basis. By default, Windows Defender is configured to download updated definitions and then perform a quick scan daily at 2 A.M. You can configure the scanning frequency on the Windows Defender Options page.

  • Real-time protection. Windows Defender constantly monitors computer usage and notifies you if potentially unwanted software might be attempting to make changes to your computer.

The sections that follow describe each type of protection in more detail.

Automatic Scanning

Windows Defender provides two different types of scanning:

  • Quick Scan. Scans the portions of a computer most likely to be infected by malware, such as the computer’s memory and the portions of the registry that link to startup applications. This is sufficient to detect most malware applications.

  • Full Scan. Scans every file on the computer, including common types of file archives as well as applications already loaded in the computer’s memory. A full scan typically takes several hours, but it may take more than a day, depending on the speed of the computer and the number of files to be scanned. The user can continue to work on the computer during a quick scan or a full scan; however, these scans do slow the computer down, and they consume battery power on mobile computers very quickly.

By default, Windows Defender runs a quick scan daily. This is usually sufficient. If you think a user might have malware installed, you should run a full scan to increase the chances of removing every trace of the malware. In addition to quick scans and full scans, you can configure a custom scan to scan specific portions of a computer. Custom scans always begin with a quick scan.

If Windows Defender finds potentially unwanted software, it will display a warning, as shown in Figure 1.

Figure 1. Windows Defender notifies the user of potentially unwanted software.

Most of the time, the user should simply choose to remove all of the potentially unwanted software. However, Windows Vista will display four options for each item detected:

  • Ignore. Allows the software to be installed or run on your computer. If the software is still running during the next scan, or if the software tries to change security-related settings on your computer, Windows Defender will alert you about this software again.

  • Quarantine. When Windows Defender quarantines software, it moves the software to another location on your computer and then prevents it from running until you choose to restore it or remove it from your computer.

  • Remove. Deletes the software from your computer.

  • Always Allow. Adds the software to the Windows Defender allowed list and allows it to run on your computer. Windows Defender will stop alerting you to actions taken by the program. Add software to the allowed list only if you trust both the software and the software publisher.

Real-Time Protection

Real-time protection might alert you when software attempts to install itself or run on your computer, as shown in Figure 2. Depending on the alert level, users can choose to remove, quarantine, ignore, or always allow the application, just as if the problem were encountered during a scan.

Figure 2. Windows Defender real-time protection warns the user if potential malware attempts to make changes to your computer.

If potentially unwanted software is allowed to run on your computer, it sometimes attempts to make changes to system settings so that it will automatically run the next time you start your computer. Of course, legitimate software also makes similar changes, so it is up to the user to determine whether the change should be allowed. If Windows Defender real-time protection detects software attempting to change important Windows settings, the user is prompted to Permit (allow the change) or Deny (block the change).

Real-time protection provides the following security agents, all of which are enabled by default:

  • Auto Start. Monitors the lists of programs that are allowed to run automatically when you start your computer. Malware typically wants to run again after you restart your computer, and it frequently adds itself to one of the several lists of autostart programs.

  • System Configuration (Settings). Monitors security-related settings in Windows. Malware often attempts to disable security software to make it more difficult for users to detect or remove the malware and to allow other applications to install without the user’s permission.

  • Internet Explorer Add-ons. Monitors programs that run automatically when you start Internet Explorer. Malware can masquerade as web browser add-ons and run without the user’s knowledge.

  • Internet Explorer Configurations (Settings). Monitors browser security settings, which are your first line of defense against unwanted content on the Internet. Malware can try to change these settings without the user’s knowledge so that further browser configuration changes become easier.

  • Internet Explorer Downloads. Monitors files and programs that are designed to work with Internet Explorer, such as ActiveX controls and software-installation programs. These files can be downloaded, installed, or run by the browser itself. Unwanted software is often bundled with these files and installed without the user’s knowledge.

  • Services and Drivers. Monitors services and drivers as they interact with Windows Vista and applications. Malware often attempts to use services and drivers to gain access to protected areas of the operating system.

  • Application Execution. Monitors when programs start and any operations they perform while running. Malware can use vulnerabilities in previously installed applications to run unwanted software without the user’s knowledge. For example, spyware can run itself in the background when a user starts another frequently used application. Windows Defender monitors applications and alerts the user if suspicious activity is detected.

  • Application Registration. Monitors the tools and files in the operating system where applications can register to run at any time, not just when you start Windows Vista or another program. For example, malware can register a program to start without notice and run at a scheduled time each day. This allows the program to collect information about the user or gain access to important software in the operating system without the user’s knowledge.

  • Windows Add-ons. Monitors add-on programs (also known as software utilities) for Windows Vista. Add-ons are designed to enhance your computing experience in areas such as security, browsing, productivity, and multimedia. However, add-ons can also install programs that collect information about users and expose sensitive, personal information, often to advertisers.
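The Auto Start agent above watches the autostart lists that malware most often adds itself to. As an added example (not part of the original text or of Windows Defender itself), the following PowerShell script enumerates the standard Run/RunOnce registry keys and the Windows Vista Startup folders so an administrator can record a baseline before Windows Defender is deployed and compare it later; the key and folder paths are the well-known defaults and are assumed sufficient rather than exhaustive, and the baseline file name is an assumption.

```powershell
# Autostart locations watched by the Auto Start agent (assumed set, not exhaustive)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Windows Vista Startup folders: all users and the current user
$startupFolders = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) the registry provider adds
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
            New-Object PSObject -Property @{ Source = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Baseline file location is an assumption for this example
$baseline = "$env:TEMP\autostart-baseline.csv"
$current  = Get-AutostartEntries

if (Test-Path $baseline) {
    # Report entries added (=>) or removed (<=) since the baseline was saved
    $saved = Import-Csv -Path $baseline
    Compare-Object -ReferenceObject $saved -DifferenceObject $current -Property Source, Name, Command |
        Format-Table -AutoSize
} else {
    # First run: record the baseline for later comparison
    $current | Export-Csv -Path $baseline -NoTypeInformation
    $current | Format-Table Source, Name, Command -AutoSize
}
```

Run it once to record the baseline, then rerun after the user has worked for a while; any `=>` line is a new autostart entry worth checking against the Windows Defender alert history.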
