Protect Your Computer with Windows Defender
Published: September 28, 2006

Your home page or search engine has changed by itself. Your Web browser contains buttons that you're pretty sure you didn't put there. You see pop-up ads even when you're not connected to the Internet. Or maybe your computer just seems to be running more slowly. These can all be symptoms of spyware.
I spend a lot of time fixing problems that spyware has caused. Cleaning up a spyware infection can be tricky, and it's especially frustrating knowing that had Microsoft Windows Defender been running on the infected computer from the start, the problem likely never would have occurred.
How does Windows Defender work?
Windows Defender protects your computer in two ways:
• Scheduled scans of your computer. By default, Windows Defender performs a quick scan of the most likely places for spyware to infect your computer every night at 02:00.
• Real-time protection. Windows Defender alerts you when malicious programs try to run or install themselves.
To Windows Defender, programs fall into one of three categories:
• Known legitimate programs. Windows Defender takes no action for known legitimate programs, allowing them to run normally.
• Known malicious or potentially unwanted programs. Windows Defender does not allow known malicious programs to run normally. Instead, Windows Defender recommends options for dealing with the program based on the reported severity of the malicious program. You can ignore the alert, or you can remove or disable the program. Removing the program deletes it. Disabling the program puts it into a quarantine list that you'll learn how to access a bit later in this article.
• Unknown programs. If you are an advanced member of the SpyNet community, or if you enable the Software that has not yet been classified for risks checkbox under Notification Options in the Options menu, Windows Defender will also alert you about unknown programs. For programs that Windows Defender doesn't already know about, it lets you decide whether the program should run. Windows Defender also gives you the option of sending information to Microsoft SpyNet about the program and the choice you made about allowing the program to run. As more people in the SpyNet Community report a particular program, this information allows Microsoft to make better decisions about what is and isn't spyware.
For an illustration of the spyware-identification process, read Windows Defender antispyware cycle. For technical information about the process, read How Windows Defender identifies spyware.
Download and install Windows Defender
To use Windows Defender, your computer must meet the minimum system requirements. In addition, your copy of the Microsoft Windows operating system must be validated through the Windows Genuine Advantage program.
To download and install Windows Defender on your computer, go to http://www.microsoft.com/athome/security/spyware/software/default.mspx, and then click DOWNLOAD IT HERE. If your copy of Windows has not yet been validated, you'll be prompted to validate it before you can download Windows Defender.
After downloading the program, run the downloaded installation file and follow the steps described in the setup wizard to install Windows Defender. If you've ever installed software before, most of these steps will look familiar to you, such as picking an installation location and agreeing to the licensing terms. For a step-by-step guide to installing Windows Defender, see How to install and set up Windows Defender.
The one wizard page where you'll need some information to help you make a decision is the Help Protect Windows page. Choose one of the following options:
• Use recommended settings. This option installs definition updates and also enlists your computer as a basic member of the Microsoft SpyNet Community. When you remove or allow an unknown program, Windows Defender sends information about that program and the choice you made to SpyNet.
• Install definition updates only. This option installs new definitions but does not enroll your computer in the SpyNet Community.
• Ask me later. This option allows you to postpone the decision.

Become part of the Microsoft SpyNet Community to help discover and fight new spyware.
Perform a scan
After installation, Windows Defender prompts you to download updates and perform a quick scan of your computer. Take advantage of this to make sure you're off to a clean start.

Tip: If you download and install Windows Defender as part of a Microsoft Windows OneCare installation, the Windows OneCare Setup wizard asks to restart the computer when the installation is finished but before Windows Defender can update its definitions and perform a preliminary scan. Restart the computer. Windows OneCare opens automatically the first time you restart the computer after installation and gives you a chance to update Windows Defender at that point.
After the first scan, you can start a manual scan at any time. In the main Windows Defender window, click Scan to start a quick scan. Click the down arrow next to the Scan button to choose any of the following types of scans:
• Quick scan. Windows Defender scans areas of your computer that are at the highest risk for spyware and also scans currently running programs. By default, Windows Defender runs a quick scan of your computer every night, so you probably don't need to worry too much about running quick scans manually. Just for peace of mind, I might run a quick scan of my computer after letting someone else use my computer or installing new software.
• Full scan. Windows Defender scans all files on all hard disks and also scans all currently running programs. A full scan takes considerably longer to run than a quick scan, so it's best to run the full scan when you don't need your computer for a while. Even though you can continue working while the scan is in progress, things may seem a bit slower. Run a full scan any time you suspect that spyware may have been installed on your computer.
• Custom scan. Windows Defender scans selected drives and folders. Run a custom scan when you suspect that a particular program or set of files may be malicious.
Set Windows Defender options
Windows Defender provides several options for controlling how it scans for and interacts with spyware, including setting up a schedule for automatic scanning, setting real-time protection options, and setting advanced and administrator-level options.
To access the Windows Defender Options dialog box
1. In Windows Defender, click Tools on the main toolbar.
2. On the Tools and Options page, click Options.

Configure tools and options in Windows Defender.
Automatic scanning
In this section, you control when and how Windows Defender performs automatic scans. Set the schedule and whether you want to perform a quick scan or a full scan. Also, choose whether you want Windows Defender to check for updates before each scan and to apply default actions to detected items.

Configure an automatic scanning schedule.

Tip: Check out the Scheduled Tasks already set up on your computer to make sure that the default time is a good one for you. To check scheduled tasks, click Start, point to All Programs, point to Accessories, and then look in the System Tools folder. With Automatic Updates, virus scanners, disk tune-ups, and other automated activities, it's always best to make sure tasks don't interfere with one another.
Default actions
Default actions govern what Windows Defender does when it detects a malicious or unknown program. For each alert level, you can have Windows Defender provide a recommendation based on the definition for the program, ignore the threat, or remove the program. I recommend leaving the default actions set to Definition recommended action. While pop-up warnings may occasionally get in your way, it's much better dealing with them than worrying about what might be allowed to run on your system or what might be unknowingly deleted when you configure a blanket setting to ignore or remove programs.
Real-time protection
Real-time protection alerts you when spyware and other potentially unwanted software attempt to install themselves or run on your computer. It also alerts you if programs attempt to change important Windows settings.

Configure real-time software protection.
You can configure the following real-time protection options:
• Auto Start. This option monitors programs that start with Windows and warns you when a program attempts to add itself to this list.
• System Configuration (Settings). This option monitors Windows security settings and warns you when a program attempts to change them.
• Internet Explorer Add-ons. This option monitors programs that start with Microsoft Internet Explorer and warns you when a program attempts to add itself to this list.
• Internet Explorer Configurations (Settings). This option monitors Internet Explorer security settings and warns you when a program attempts to change these settings.
• Internet Explorer Downloads. This option monitors add-ins for Internet Explorer and warns you when a program attempts to add itself to Internet Explorer.
• Services and Drivers. This option monitors services and drivers and warns you if a program attempts to make changes to them.
• Application Execution. This option monitors when programs start and any operations they perform while running.
• Application Registration. This option monitors tools and files in the operating system where programs can register to run at any time, not just when you start Windows or another program.
• Windows Add-ons. This option monitors add-on programs for Windows and warns you when an unknown or malicious program attempts to add itself to the list.
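The Auto Start option described above comes down to comparing the current list of programs that start with Windows against a known-good list. The following PowerShell is an added example, not part of the original article and not Windows Defender's own code; it assumes the two standard Run registry keys as the auto-start locations to watch, and the function names and sample entries are hypothetical and constructed for illustration.

```powershell
# Added example, not Windows Defender code. The Run keys below are an assumed,
# partial set of auto-start locations; function names are hypothetical.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutoStartSnapshot {
    # Map "<registry key>|<value name>" to the command line it launches.
    $snapshot = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $snapshot["$key|$name"] = [string]$item.GetValue($name)
        }
    }
    $snapshot
}

function Compare-AutoStartSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    foreach ($entry in $Current.Keys) {
        if (-not $Baseline.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $entry; Command = $Current[$entry] }
        } elseif ($Baseline[$entry] -ne $Current[$entry]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $entry; Command = $Current[$entry] }
        }
    }
    foreach ($entry in $Baseline.Keys) {
        if (-not $Current.ContainsKey($entry)) {
            [pscustomobject]@{ Change = 'Removed'; Entry = $entry; Command = $Baseline[$entry] }
        }
    }
}

# Constructed sample snapshots so the comparison runs without touching the registry.
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$baseline = @{ "$run|Updater" = 'C:\Program Files\Example\updater.exe' }
$current  = @{
    "$run|Updater" = 'C:\Users\Public\updater.exe'          # same name, new path
    "$run|Toolbar" = 'C:\Program Files\Example\toolbar.exe' # new entry
}
Compare-AutoStartSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize

# On a live system: save Get-AutoStartSnapshot once, then compare later runs to it.
# Compare-AutoStartSnapshot -Baseline $saved -Current (Get-AutoStartSnapshot)
```

With the sample data, the comparison reports one Modified entry (an existing name now pointing at a different path) and one Added entry, the two kinds of change an auto-start monitor needs to surface.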
Advanced and administrator options
Settings in the Advanced area of the Options page include:
• Scan the contents of archived files and folders for potential threats. I recommend leaving this option enabled. Many spyware programs masquerade as self-extracting archive files.
• Use heuristics to detect potentially harmful or unwanted behavior by software that hasn't been analyzed for risks. Heuristics allows Windows Defender to detect potentially malicious activities for files that are not already in its set of spyware definitions. Using this feature incurs a slight performance penalty and can potentially increase the chances that a non-malicious program is flagged as malicious. However, the performance penalty is barely noticeable on modern computers, and the chance of false positives is a small price to pay for catching new malicious programs before they can do any harm.
• Do not scan these files or locations. If Windows Defender repeatedly flags files that you know to be safe, you can make those files exempt from scanning.

Configure advanced and administrator options.
Settings in the Administrator area of the Options page include:
• Use Windows Defender. This option turns Windows Defender off or on.
• Allow users to use Windows Defender. When enabled, non-administrative users can run scans and can also view potentially sensitive information such as the Windows Defender history. Consider turning this option off if you have limited user accounts on the computer (such as children's accounts in a household) that you would prefer not be able to scan the computer.
Use the Windows Defender tools
Tools are listed on the same page as options. You can access them by clicking Tools on the main toolbar.
Quarantined and allowed items
Quarantined items are programs that Windows Defender has disabled. In the Quarantine list, you can select a program, and then either remove the program from the computer or restore the program (remove it from the quarantine list and allow it to function normally).
Allowed items are programs and files that you have explicitly allowed to run, even though Windows Defender determined that they may be a threat. Windows Defender does not notify you about risks that programs in the Allowed items list may pose. You can clear any item from the list, and Windows Defender will once again warn you about the program whenever the program runs.
Software Explorer
Software Explorer is quite a useful tool that shows detailed information about the programs running on your computer. When you select a program, Windows Defender shows you a wealth of information to help you identify what the program is and whether it is a threat.
Software Explorer breaks programs down into four categories:
• Startup programs. These are programs that start when Windows starts. You can use Software Explorer to disable a program from starting with Windows.
• Currently running programs. These are programs that are running in the current session. This includes startup programs if they are currently running, so you may see programs that fall into both these categories. Software Explorer does allow you to end a process, but be careful: ending a process can often have unexpected results, such as the loss of data. If possible, close the program the normal way instead.
• Network-connected programs. These are programs that can connect to the network or the Internet. When you select a network-connected program, you are able to end the process or block any listening port the program uses to accept connections from the Internet. When blocked, the program can still send and receive solicited information from the Internet.
• Winsock service providers. These are programs that perform low-level network functions for programs and services.

Use Software Explorer to view descriptions of all programs running on your computer.
Walter Glenn is a writer and consultant based in Huntsville, Alabama. He is the author of numerous books, articles, and whitepapers on Windows and other Microsoft technologies. His recent works include MCSA/MCSE Self-Paced Training Kit (Exam 70-270): Installing, Configuring, and Administering Microsoft Windows XP Professional, Second Edition (Microsoft Press) and Linksys Networks: The Official Guide. Walter can be reached at info@walterglenn.com