Windows Defender,
included with Windows Vista, helps users detect and remove known
spyware and other potentially unwanted software. Windows Defender
protects your computer with automated and real-time scanning and
software removal.
Because spyware
and other potentially unwanted software can try to install itself on
your computer any time you connect to the Internet or when you install
some programs, it is recommended that you have Windows Defender running
whenever you use your computer.
Windows Defender offers three ways to help keep spyware and other potentially unwanted software from infecting your computer:
Real-time protection. Running in the background, Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. It also alerts you when programs attempt to change important Windows settings.
Scanning options. You can use Windows Defender to actively scan your disks for spyware and other potentially unwanted software that might be installed on your computer and to automatically remove any malicious software that is detected during a scan (see Figure 1). Windows Defender can be set up to scan automatically according to a schedule or manually.
SpyNet community. The online Microsoft SpyNet community helps you see how other people respond to software that has not yet been classified for risks.
You can also use
Windows Defender to constantly monitor your system to offer real-time
protection. The real-time protection uses nine security agents to
monitor the critical areas of your computer that spyware may attack.
When an agent detects potential spyware activity, it stops the
activity and raises an alert. The agents include the following:
Microsoft Internet Explorer Configuration. Monitors browser security settings so that they do not get changed by spyware.
Internet Explorer Downloads. Monitors files and applications that work within Internet Explorer, such as ActiveX controls and software installation applications, to make sure spyware is not being installed with the files and applications.
Internet Explorer Add-Ons (Browser Helper Objects). Monitors browser applications that automatically run when you start Internet Explorer to make sure that these programs are not spyware.
Auto Start. Monitors applications that start when Windows starts to verify that these applications are not spyware.
System Configuration. Monitors Windows hardware and security settings to make sure they do not get changed by spyware.
Services and Drivers. Monitors services and drivers to make sure that spyware does not use them to access the computer.
Windows Add-Ons. Monitors add-on applications, also known as software utilities, that integrate with Windows.
Application Execution. Monitors applications to make sure that spyware does not use software application vulnerabilities to access a computer.
Application Registration (API Hooks). Monitors files and tools in the operating system to make sure that they do not open up applications or other files that contain spyware.
When you choose automatic scanning, you can choose the type of scan that you would like to perform:
Quick Scan. Checks areas on a hard disk that spyware is most likely to infect.
Full Scan. Checks all critical areas, all files, the registry, and all currently running applications.
Custom Scan. Allows you to scan specific drives and folders.
When you perform a scan, you can configure what Windows Defender will do when it identifies unwanted software (see Figure 2). The actions include the following:
Ignore. Windows Defender does not take any action, and the next scan will detect the item again.
Quarantine. Windows Defender places identified unwanted software in quarantine, which allows you to determine whether it is spyware.
Remove. Windows Defender removes the item from the system.
Always Allow. Windows Defender will not take any action and will stop detecting the item in future scans.
To
prevent Windows Defender from automatically taking the recommended
action, such as quarantining or removing software, you need to clear the
Apply Default Actions to Items Detected During a Scan option. As a
result, Windows Defender will recommend an action to take for detected
malicious software.
Similar to antivirus software, Windows Defender uses a definition database that
lists and details the characteristics of known spyware. When software is
identified as spyware, Windows Defender removes it. As with antivirus
software, the definition database becomes out of date as new spyware is
introduced. Therefore, you must update the database regularly for it to
be effective.
To help keep your system
from being compromised, Windows Defender will scan all startup items,
including those specified in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Exam Alert
You can use Windows Defender to view which items load during startup and easily disable any programs that you don’t recognize.
To view all programs that are set to run at startup, click the Tools button, and then click
the Software Explorer option (see Figure 3). Software Explorer enables you to view several categories of software,
including what is running at that time and what is set to run at
startup. For each application set to run at startup, there is additional
information, including the startup type, so you can identify the
mechanism used to start it, such as the registry.
By deleting the correct
program in Windows Defender, you prevent the program from starting
whenever Windows starts. Therefore, you should open Windows Defender and
remove any unfamiliar programs whose startup type is set to Registry:
Local Machine.
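To review the same Registry: Local Machine startup entries from a console, the following added example (not part of the original text) reads the Run key named above and reports each entry's executable, whether the file exists, and its Authenticode signature status. The function names are hypothetical, and PowerShell 2.0 or later is assumed to be installed.

```powershell
# Added example: audit the machine-wide Run key that Windows Defender scans.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-ExecutableFromCommand {
    # Hypothetical helper: pull the executable path out of a Run value,
    # which may be quoted, unquoted with arguments, or use %VARIABLES%.
    param([string]$Command)
    $expanded = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($expanded -match '^"([^"]+)"')          { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)(\s|$)')   { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

function Get-RunKeyEntry {
    # Hypothetical helper: one output object per value under the Run key.
    param([string]$Path = $runKey)
    $key = Get-Item -LiteralPath $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)
        $exe     = Get-ExecutableFromCommand $command
        $exists  = (-not [string]::IsNullOrEmpty($exe)) -and
                   (Test-Path -LiteralPath $exe -PathType Leaf)
        # Only files that exist on disk can be checked for a signature.
        $status  = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else {
            'FileMissing'
        }
        New-Object PSObject -Property @{
            Name       = $name
            Command    = $command
            Executable = $exe
            Exists     = $exists
            Signature  = $status
        } | Select-Object Name, Executable, Exists, Signature, Command
    }
}

# Entries whose file is missing or not validly signed are the ones to
# look up in Software Explorer before deciding whether to remove them.
Get-RunKeyEntry |
    Sort-Object Signature, Name |
    Format-Table -AutoSize -Wrap
```

For entries launched through a host such as rundll32.exe, the Executable column shows the host, so the DLL named in the Command column needs the same review.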
Windows Defender in
Windows Vista automatically blocks all startup items that require
administrator privileges to run. This feature is related to the
User Account Control (UAC) functionality in Windows Vista and requires
the user to manually run each of these startup items each time he logs
in. If you cannot get an update to the software that allows a startup
item to run without being an administrator, you need to disable UAC
altogether.
To turn Windows Defender on or off, follow these steps:
1. Open Windows Defender by clicking the Start button, All Programs, and then clicking Windows Defender.
2. Click Tools, Options.
3. Under Administrator options, select or clear the Use Windows Defender check box, and then click Save. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.
To turn Windows Defender real-time protection on or off, follow these steps:
1. Open Windows Defender by clicking the Start button, All Programs, and then clicking Windows Defender.
2. Click Tools, Options.
3. Under Real-time Protection options, select the Use Real-Time Protection (Recommended) check box.
4. Select the options you want. To help protect your privacy and your computer, we recommend that you select all real-time protection options.
5. Under Choose If Windows Defender Should Notify You About, select the options you want, and then click Save. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.
If you trust software that
Windows Defender has detected, you can stop Windows Defender from
alerting you to risks that the software might pose to your privacy or
your computer. To stop being alerted, you need to add the software to
the Windows Defender allowed list. If you decide that you want to
monitor the software again later, you can remove it from the Windows
Defender allowed list at any time.
To add an item to the allowed list, follow these steps:
1. The next time Windows Defender alerts you about the software, on the Action menu in the Alert dialog box, click Always Allow.
2. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.
To remove an item from the allowed list, follow these steps:
1. Open Windows Defender by clicking the Start button, All Programs, and then clicking Windows Defender.
2. Click Tools, Allowed Items.
3. Select the item that you want to monitor again, and then click Remove From List.
4. If you are prompted for an administrator password or confirmation, enter the password or provide confirmation.