The XP User's Guide to Windows Vista, Part 8: Windows Defender


By default Windows XP comes with virtually nothing to protect the system against malware -- save for the Windows Firewall, which is not really an anti-malware system anyway.  If you want to do something about malware in XP, you'll need to turn to a third-party product.

With Vista, this has changed, although whether it has changed for the better is still a subject of broad debate.  Microsoft's own anti-malware product, Windows Defender, comes installed with Vista and is on by default.  If you want to use it, this guide will walk you through the basics of Defender and how to make it work for you; if you'd rather do without it entirely (and substitute another, Vista-compatible protection program), I'll of course talk about how to disable it.  (If you want to disable it now, skip ahead to section 2.1.5.)

1. The Basics of Windows Defender

Windows Defender is an anti-malware product, meaning that it attempts to detect and stop unwanted changes to your system -- behavior that is the hallmark of spyware.  It is not an antivirus program and is not listed as one in Security Center; it's got its own discrete entry there.

Defender runs as a Windows service (the service is named WinDefend) rather than as a separate application; the Windows Defender window is just a front end to that service.  Most of the time you're not even supposed to know it's running.  It should only come to your attention when something is wrong, or when you want to change one of its settings.

1.1. Home

The program's main window typically gives you details about the last scan that was performed and any warnings the program has raised.  Scans normally run silently on a fixed schedule, at 2AM each day (you can change this if you'd rather it scan during the daytime, when the machine is actually on).  Scheduled scans run at low priority so they don't interfere with whatever else you're doing.


1.2. Scan

If you want to run a scan manually, you can do this by clicking Scan from the toolbar at the top of the program window.

Note that the default scan option is a quick scan, which only looks at the places in the system that malware most commonly modifies or targets (startup locations, system folders, running processes and the like).  You can continue to do other things while the scan runs, although files that change while the scan is in progress may be missed.  On my own machine (an AMD Opteron 2400), the quick scan completed in about a minute and a half.

1.2.1. Scan Options

If you click the drop-down arrow next to the Scan button, you'll get options to do a full scan -- which checks every file on every local drive and so takes much longer, but is far more thorough -- and a custom scan, where you pick the specific drives and folders to examine.
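Everything in this section can also be driven from an elevated command prompt, which is handy for checking a machine remotely or scripting a scan.  The following is an added example, not code from the original article or from Microsoft; it assumes a stock Vista install where Defender's command-line tool lives at %ProgramFiles%\Windows Defender\MpCmdRun.exe, and the scheduled-task name "MP Scheduled Scan" is an assumption about the Vista task name.

```powershell
# Added example: drive Windows Defender from an elevated PowerShell prompt
# instead of the GUI. The MpCmdRun.exe path and the scheduled-task name are
# assumptions based on a stock Vista install; adjust if yours differ.

$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'
$mpCmdRun    = Join-Path $defenderDir 'MpCmdRun.exe'

# 1. Is the Defender service (WinDefend) actually running?
function Get-DefenderServiceStatus {
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return 'not installed' }
    return $svc.Status.ToString()
}
"WinDefend service: $(Get-DefenderServiceStatus)"

# 2. When does the next scheduled scan run? (task name is an assumption for Vista)
schtasks.exe /Query /TN '\Microsoft\Windows\Windows Defender\MP Scheduled Scan' /FO LIST /V

# 3. Kick off a scan yourself.  -ScanType 1 = quick, 2 = full,
#    3 = custom (add -File <path>).  Updating signatures first mirrors the
#    "Check for updated definitions before scanning" option.
function Start-DefenderScan([int]$scanType = 1, [string]$path = $null) {
    if (-not (Test-Path $mpCmdRun)) {
        Write-Warning "MpCmdRun.exe not found at $mpCmdRun"
        return $null
    }
    & $mpCmdRun -SignatureUpdate | Out-Null
    if ($scanType -eq 3 -and $path) {
        & $mpCmdRun -Scan -ScanType 3 -File $path
    } else {
        & $mpCmdRun -Scan -ScanType $scanType
    }
    # Exit code 0 means the scan finished with nothing found; anything else
    # means something was detected or the scan did not complete.
    return $LASTEXITCODE
}

$rc = Start-DefenderScan -scanType 1
"Quick scan exit code: $rc"
```

Run the quick scan from a scheduled task of your own if the default 2AM slot never happens to fall while the machine is on; the exit code is what you'd check in that task to decide whether to raise an alert.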

1.3. History

The History window gives you a list of all the activities that Windows Defender has detected and acted on.  Note that some of these may be your own actions, which are completely benign.  In the example below, one of the things Windows Defender flagged was me moving the Music folder to the E: drive (where I have my 100+GB of ripped music files!).

Note also how the item is listed as "Unclassified".  Things logged with this label tend to be benign, but the label only means the change matched none of Defender's known-good or known-bad entries, so it may also be an unwanted change that hasn't yet been explicitly labeled a threat.  You don't need to review the History pane constantly, but it can be a useful guide to figuring out what changed around the time your system started misbehaving!

2. Tools and Settings

The Tools and Settings submenu in Defender is detailed and complex enough that it's worth exploring on its own in a whole subsection of this article.

Here's what you'll find in the Tools and Settings menu:

  • Options: Controls how Windows Defender runs, including its scanning schedule and the details of how it deals with detected problems.
  • Microsoft SpyNet: Lets you join the community of other Vista / Defender users in reporting back information about detected threats.  Membership is optional.
  • Quarantined items: Lets you review and examine any items that have been quarantined by Defender as a possible threat.
  • Software Explorer: Lets you see detailed information about all the software running in your computer, including publisher and other technical details that might give you clues as to how valid the application is.
  • Allowed Items: Lists files that have been explicitly allowed to run in Defender, especially if they might normally be flagged by the program.
  • Windows Defender Website: Opens Microsoft's Windows Defender site in your browser.

2.1. Options

The Options menu for Windows Defender is quite extensive -- so much so that if you open it up, you might be a little intimidated by how many things you can set.  The good news is that the default settings for the program tend to work fine.  For the sake of the curious and the thorough, though, I'll walk through each of the settings listed and describe them.

2.1.1. Automatic Scanning

  • Automatically scan my computer: Enabled by default.  When checked, your computer will be automatically scanned by Windows Defender at the time and in the manner listed.  The default is daily at 2AM, with a quick scan.  You can set the time and frequency to something else if you'd rather have it happen when you're actually logged in.
  • Check for updated definitions before scanning: This makes sure the program has the most recent threat definitions loaded before beginning a scan.  Leave this enabled.
  • Apply default actions to items detected during a scan: Every item that can be tagged by Defender has a default action associated with it -- for instance, a process that you wouldn't want set to start up with Windows but which has registered itself in this fashion would be disabled as its default action.  Also leave this enabled unless you are specifically interested in changing the default actions for some things.

2.1.2. Default Actions

This changes the default action applied to detected items, broken out by the alert level assigned to the item (High, Medium, Low).  The defaults are usually best unless you want to adjust them for your own testing.  For instance, if you wanted to confirm that Defender was detecting something you knew was high-risk but you didn't want it automatically removed, you could set High alert items to Ignore; remember to set it back afterwards.

2.1.3. Real-Time Protection Options

This section controls how Defender applies real-time protection, which is enabled by default.

  • Use real-time protection: When enabled (by default), Defender will attempt to take action against detected threats right when they do something, not just when something is encountered in a scan.
  • Choose which security agents you want to run: Defender's "security agents" perform real-time checks against specific kinds of system modifications (startup entries, browser settings, system configuration and so on).  The entire set of security agents is listed here, and all of them are enabled by default.  Unless you specifically want to exempt a particular area from scrutiny -- for instance, if you're doing a lot of low-level work with that part of the system and you don't want Defender spuriously flagging that activity -- it's best to leave these options as-is.
  • Choose if Windows Defender should notify you about software that has not been classified for risks: Any program that's not listed in the Defender database as a threat or as a known-good program is "unclassified".  By default this is turned off -- i.e., such programs are not flagged as risks.  This is because new software that poses no threat is always appearing, and flagging every new program as a possible risk would be more intrusive than helpful.
  • Choose if Windows Defender should notify you about changes made to your computer by software that is permitted to run: As with the last option, this is disabled by default because it will probably generate more noise than useful information.  Turn it on only if you suspect a program marked as legitimate really isn't.
  • Choose when the Windows Defender icon appears in the notification area: By default you'll only see the Windows Defender icon in the system tray when it needs to tell you about something, which is probably the best choice.

2.1.4. Advanced Options

The advanced options section contains settings that you will probably never change, but if you really start to dig into the guts of Defender they're handy to have available.

  • Scan the contents of archived files and folders for potential threats: This extends the scanning engine's activity to look inside archives (.ZIP, .CAB files) as well.  It is on by default.  You can turn it off to speed up scans, but bear in mind that malware is frequently delivered inside an archive, and a file that is only ever checked when it is extracted gets one fewer chance to be caught.
  • Use heuristics: This attempts to use behavior analysis -- what the program is trying to do, where it's doing it, etc. -- to determine if an as-yet-unclassified program should be regarded as a threat.  Since this is a pretty helpful option, it's enabled by default; I would recommend leaving it on unless you keep running into problems with programs that get mistakenly flagged because of the heuristics.
  • Create a restore point before applying actions to detected items: This will cause a System Restore point to be created before any changes are made by Defender to items that have been detected.  I'd leave this enabled since creating a Restore Point doesn't really take a lot of time, and if for whatever reason you need to roll back the system's settings to recover from such changes it'll be nice to know you have a restore point available from right before that action.
  • Do not scan these files or locations: If you have parts of the system that you always want to exclude from scanning, you can add them here.

2.1.5. Administrator Options

These options are enabled only if you're a logged-in administrator.

  • Use Windows Defender: In some ways this is Defender's most important option, and to have it buried all the way at the bottom of this page is a bit annoying.  Uncheck this option and Defender will be disabled completely, which may free up a bit of system resources.  To be honest, even on a 512MB machine I don't notice much benefit from turning this option off, but I have not put such a machine through really rigorous paces, so your experiences may be different than mine.  In any case, turning off Defender as a way to free up resources and make things run faster strikes me as being a bit disingenuous anyway.  If you're turning off Defender to use some other product in its place, however, that's another story.
  • Allow everyone to use Windows Defender: This enables non-admins to run scans and act on the findings.  If you trust other users sharing the PC to do such things, turn this on; otherwise, leave it off and let Defender make its own decisions.
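If you are replacing Defender with another product, it's worth being able to check and change its state without clicking through the Options page, since a replacement product's installer usually does the same thing.  The following is an added example, not code from the original article or from Microsoft.  It relies on the "Turn off Windows Defender" Group Policy setting, whose registry value is DisableAntiSpyware under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, and on the WinDefend service; run it from an elevated prompt.

```powershell
# Added example: check and change Defender's enabled state without the GUI.
# The policy key/value name come from the Windows Defender Group Policy
# template ("Turn off Windows Defender"); the service name is WinDefend.
# Requires an elevated prompt to change anything.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Report whether Defender is disabled by policy and what the service is doing.
function Get-DefenderState {
    $disabledByPolicy = $false
    if (Test-Path $policyKey) {
        $v = Get-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
        if ($v -ne $null -and $v.DisableAntiSpyware -eq 1) { $disabledByPolicy = $true }
    }
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        DisabledByPolicy = $disabledByPolicy
        ServiceStatus    = $(if ($svc) { $svc.Status.ToString() } else { 'not installed' })
    }
}

# Turn Defender off: set the policy value and stop/disable the service.
function Disable-Defender {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name DisableAntiSpyware -Value 1 -Type DWord
    Stop-Service -Name WinDefend -Force -ErrorAction SilentlyContinue
    Set-Service -Name WinDefend -StartupType Disabled
}

# Turn it back on: remove the policy value and restore the service.
function Enable-Defender {
    if (Test-Path $policyKey) {
        Remove-ItemProperty -Path $policyKey -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    }
    Set-Service -Name WinDefend -StartupType Automatic
    Start-Service -Name WinDefend
}

Get-DefenderState
```

The check is the useful half: after installing a third-party product, run Get-DefenderState once to confirm that Defender is actually off rather than trusting the installer, and again if Security Center starts complaining that no anti-spyware product is active.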

2.2. Microsoft SpyNet

Microsoft SpyNet is a sort of silent user community which Defender users can join to contribute information about potential threats and system behavior.  It's a little like the Customer Experience Improvement Programs that Microsoft runs for Office and Windows at large: the user can opt in and opt out at any time; Microsoft states that the submitted information is not used to personally identify you (though, as noted below, the Advanced level can incidentally include things like file names); and the details forwarded to Microsoft can be helpful in engineering future versions of the product.  Other anti-spyware and anti-malware vendors have similar data-collection initiatives (Trend Micro, for instance), so it's not unusual to see Microsoft doing something similar.

SpyNet membership has three settings:

  • Basic. Sends only the most rudimentary information about threats and actions back to Microsoft.  This is the best choice if you want to help out, but don't want to send any revealing information at all.
  • Advanced.  Sends back slightly more detailed information, with the possibility that personal data that might be collected in an incidental way -- for instance, the name of a document.  You'll also be given more information about software that hasn't yet been analyzed for risks.
  • None.  Nothing is sent back to Microsoft.

There's no fee to join; all tiers of membership are free and entirely voluntary.  My own desktop machine is set to Basic; I'm not a particularly high-risk user for spyware in the first place, so I figure that's about the best match for my habits.

2.3. Quarantined Items

The Quarantined Items view lets you examine and take action on any items that have been quarantined from the system by Defender, listed by name, alert level, and date.  Note that all the actions in this view require a UAC approval, and that you can change your SpyNet membership level from here, too.

2.4. Software Explorer

Software Explorer is easily my favorite part of Windows Defender; it's the kind of thing I used to have to download a third-party tool for.  Here, you can see lists of programs in four major areas of the computer, and obtain detailed information about them -- whether they're signed by their makers, if SpyNet thinks they're malicious, what they're trying to do, and so on.

You can choose which area of the computer to examine through Software Explorer by selecting from the drop-down, so I'll describe each area separately.  In most of the views, if you click on Show for All Users (UAC), you'll see the same view as it would be rendered for all users, not just the currently logged-in one.

2.4.1. Startup Programs

This lists the programs that are registered to launch automatically when you log on to Windows -- the usual places being the Run keys in the registry and the Startup folders.

Select an entry from the list and click Disable, and the selected item will not be loaded at startup.  (Click Enable and it'll load again.)  Click Remove and you'll remove its startup entry entirely, although the application itself will still be installed in the system.

Some of the more useful categories of information for any selected program are worth talking about here:

  • Classification: The most general category that Defender puts programs in.  This can be Permitted, Not yet classified or a danger ranking.
  • Ships With Operating System: This tells you whether or not a given application is actually something that came with the OS when you first installed it.  If you have something that's hiding behind an innocuous-sounding process (like "winexe.exe" or something equally bogus), this is one way to tell if it's not really part of Windows.
  • SpyNet Voting: This indicates what sort of feedback, positive or negative, the SpyNet information-gathering system has collected about the process.  If it's been listed as a threat, you'll see something about it here.  "Not Applicable" means the program has been signed by a trusted authority or otherwise exempted from SpyNet because it's known to be good.  "Not Available" means no votes have been created for this particular app, but it might not be bad; it's essentially the same as "Not yet classified" in the Classification category.
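The same information Software Explorer shows for startup entries (where the entry lives, what it points at, and whether the file is signed) can be pulled together from the command line, which is useful on a machine where you'd rather not trust the GUI, or for comparing two machines.  The following is an added example, not code from the original article or from Microsoft; it reads the standard Run/RunOnce keys and the two Startup folders and checks each target with Get-AuthenticodeSignature.  It assumes PowerShell 2.0 or later and the Vista location of the all-users Startup folder under %ProgramData%.

```powershell
# Added example: a command-line counterpart to Software Explorer's Startup
# Programs view. Lists per-machine and per-user Run keys plus both Startup
# folders, and checks each target's Authenticode signature so unsigned
# entries stand out. Assumes PowerShell 2.0+ and Vista's %ProgramData% layout.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /tray      or      C:\Windows\system32\bar.exe -q
function Get-ExePath([string]$cmd) {
    $cmd = $cmd.Trim()
    if ($cmd.StartsWith('"')) {
        return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)
    }
    $m = [regex]::Match($cmd, '^(\S+?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Value }
    return ($cmd -split ' ')[0]
}

# Build one report row: where the entry came from, its name, the resolved
# path, and the signature status (Valid, NotSigned, HashMismatch, ...).
function Describe-Entry($source, $name, $cmd) {
    $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePath $cmd))
    $sig = 'missing file'
    if (Test-Path $exe) {
        $s = Get-AuthenticodeSignature -FilePath $exe
        $sig = $s.Status.ToString()
        if ($s.SignerCertificate -ne $null) { $sig += " ($($s.SignerCertificate.Subject))" }
    }
    New-Object PSObject -Property @{ Source = $source; Name = $name; Path = $exe; Signature = $sig }
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/etc.
        $entries += Describe-Entry $key $p.Name ([string]$p.Value)
    }
}

# Startup folders hold shortcuts; resolve each .lnk to its target.
$shell = New-Object -ComObject WScript.Shell
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in Get-ChildItem $folder -Filter *.lnk) {
        $target = $shell.CreateShortcut($f.FullName).TargetPath
        $entries += Describe-Entry $folder $f.Name "`"$target`""
    }
}

# Anything other than "Valid" (unsigned, or a broken/untrusted chain) deserves a second look,
# as does a "missing file" entry, which is a leftover pointing at something already gone.
$entries | Sort-Object Signature | Format-Table Name, Signature, Path -AutoSize
```

Signature status is not proof of safety (plenty of adware is signed), but an unsigned executable in a user-writable folder such as %TEMP% or %APPDATA% that starts at every logon is exactly the kind of entry Software Explorer's "Not yet classified" label is telling you to look at.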

2.4.2. Currently Running Programs

This is probably the most useful of the views in Software Explorer; it lists all the currently-running programs in the system.  You might argue that you could get the same information from Task Manager, but the way it's been formatted and presented here is a little more immediately useful; you don't have to dig as much to understand whether or not something should or shouldn't be there.

2.4.3. Network Connected Programs

This view shows you all the running programs currently attempting to access the network.  Click on Show for All Users and you'll see network processes that are running in other user contexts (such as Defender itself).
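The view above is essentially netstat joined to the process list.  The following is an added example, not code from the original article or from Microsoft, that produces the same table from an elevated PowerShell prompt; it assumes PowerShell 2.0 or later and parses the standard `netstat -ano` output.

```powershell
# Added example: a command-line counterpart to Software Explorer's
# "Network Connected Programs" view. netstat -ano lists every TCP connection
# and UDP endpoint with its owning process ID; this joins that to the process
# name and image path. Run elevated to see other users' and system processes
# (the GUI's "Show for All Users" button does the same thing). Assumes PS 2.0+.

$procs = @{}
foreach ($p in Get-Process) { $procs[$p.Id] = $p }

function Get-NetworkPrograms {
    netstat -ano | ForEach-Object {
        # Lines look like:
        #   TCP    192.168.1.5:49157    65.55.12.249:443    ESTABLISHED    1234
        #   UDP    0.0.0.0:3702         *:*                                2040
        $f = ($_ -split '\s+') | Where-Object { $_ -ne '' }
        if ($f.Count -lt 4 -or ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP')) { return }
        $isTcp    = ($f[0] -eq 'TCP')
        $pidValue = [int]$f[$f.Count - 1]       # ($pid itself is a reserved automatic variable)
        $proc     = $procs[$pidValue]
        $path     = $null
        if ($proc -ne $null) {
            try { $path = $proc.MainModule.FileName } catch { $path = '(access denied)' }
        }
        New-Object PSObject -Property @{
            Proto   = $f[0]
            Local   = $f[1]
            Remote  = $f[2]
            State   = $(if ($isTcp) { $f[3] } else { '' })
            PID     = $pidValue
            Process = $(if ($proc) { $proc.ProcessName } else { '(exited)' })
            Path    = $path
        }
    }
}

# LISTENING sockets and ESTABLISHED connections to addresses you don't recognise are
# the rows worth checking against the Path column.
Get-NetworkPrograms | Sort-Object Process | Format-Table Proto, Local, Remote, State, PID, Process, Path -AutoSize
```

The "(access denied)" path is what you'll see for processes running as another user or as SYSTEM when the prompt isn't elevated, which is the same gap the GUI closes with Show for All Users.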

2.4.4. Winsock Service Providers

This is probably the most technical of the views; it shows a list of all the Windows Sockets (Winsock) service providers currently registered on the computer.  Because every provider's DLL is loaded into any program that uses the network, malware sometimes tampers with these entries or registers a provider of its own in order to intercept or redirect network traffic.  The only time you really need this view is if you know what the legitimate providers on your system look like and want to see whether they've been tampered with; most regular users will never need to go here.
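If you do want to check the catalog without the GUI, the same list is available from `netsh winsock show catalog`, and a provider whose DLL is unsigned or lives outside the system directory is the thing to look for.  The following is an added example, not code from the original article or from Microsoft; it parses the "Description:" and "Provider Path:" fields of that netsh output (the field labels are an assumption about the Vista listing) and checks each DLL's signature.

```powershell
# Added example: a scriptable version of Software Explorer's "Winsock Service
# Providers" view. "netsh winsock show catalog" prints every registered
# provider; this extracts the description and DLL path and checks the DLL's
# Authenticode signature so an unsigned provider in an odd location stands
# out. The "Description:" / "Provider Path:" labels are assumed from the Vista
# netsh output. Assumes PowerShell 2.0+.

function Get-WinsockProviders {
    $catalog = netsh winsock show catalog
    $entries = @()
    $current = $null
    foreach ($line in $catalog) {
        if ($line -match '^\s*Description:\s*(.+)$') {
            $current = New-Object PSObject -Property @{ Description = $matches[1].Trim(); Dll = ''; Signature = '' }
            $entries += $current
        } elseif ($current -ne $null -and $line -match '^\s*Provider Path:\s*(.+)$') {
            $dll = [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
            $current.Dll = $dll
            if (Test-Path $dll) {
                $current.Signature = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            } else {
                $current.Signature = 'missing file'
            }
        }
    }
    return $entries
}

$providers = Get-WinsockProviders
$system32  = Join-Path $env:SystemRoot 'system32'

# Flag anything not validly signed or not living under system32.
$suspect = $providers | Where-Object {
    $_.Signature -ne 'Valid' -or -not $_.Dll.ToLower().StartsWith($system32.ToLower())
}

$providers | Sort-Object Signature, Dll | Format-Table Description, Signature, Dll -AutoSize
if ($suspect) {
    Write-Warning "Providers worth investigating:"
    $suspect | Format-Table Description, Signature, Dll -AutoSize
}
```

If a bogus provider does turn up, removing its DLL alone will break networking for every program, since the catalog still references it; `netsh winsock reset` from an elevated prompt, followed by a reboot, rebuilds a clean catalog.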

2.5. Allowed Items

The Allowed Items view is basically the opposite of Quarantined Items: it's a list of all the objects in the system that Defender flagged as a possible danger, but which you deliberately chose to allow, so Defender no longer alerts on them.  This screen is usually empty.  Removing an item from the list (so that Defender watches it again) requires a UAC approval, so it can't be done by accident or by another program.

That's it for this time!

Comments

Great article - but how does one actually *use* (and in particular *customise*) windows defender?

[That's a good one, and it's something I'd like to set up an article to explore in detail at some point. Normally Defender just runs in the background silently, so it's the sort of thing that only kicks in when you need it. But I'll add some more customization details as time permits on this end. --ed.]
