What is Windows Defender?
Windows Defender is a free anti-spyware program from Microsoft for validated users of Windows. If you have Windows Vista, you already have this program. Windows XP users need to download Windows Defender from the Microsoft Download Center to take advantage of Microsoft's free protection against spyware.
Difference of Windows Defender on XP and Vista
There is not much difference between Windows Defender on XP and Vista, other than that on Vista Windows Defender will automatically block startup applications that require administrator permissions (if User Account Control is enabled) and are not yet UAC-aware. Vista is available and already in use by many users, and few trusted programs have problems with UAC. Most software vendors have adjusted or developed their programs to be UAC-aware.
Using Windows Defender to Explore what’s on your computer
Windows Defender provides an option to explore the applications already installed and running on your computer. The Software Explorer in Windows Defender will help you manage what's on your Windows. Software Explorer was not created only to describe running applications but to give the user the option to remove (permanently delete) or disable (stop) unwanted, rogue or badware applications. Stopping or disabling an entry using the Software Explorer of Windows Defender is useful if a malware or unwanted program on your computer cannot be removed by Windows Defender or another malware scanner because it is currently running or in use in Windows.
The sample image at the left shows a running application in Windows whose classification status is "In Progress" and which is "not digitally signed". If you would like to know whether you have unwanted software, Software Explorer should give you a hint as to whether a program you are using is safe or not. You should start investigating that particular software and, if it turns out to be a rogue or potentially unwanted program, remove it using Add/Remove Programs or another anti-malware program that detects the product as rogue.
Note: When I reviewed the Windows 7 Beta, Software Explorer was no longer included in the program.
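Software Explorer's "digitally signed" column is the hint the article relies on for deciding what to investigate. The following added example (not from the article or from Microsoft) reproduces that check from PowerShell 3 or later on a Windows host: it lists the startup entries Windows knows about and reports the Authenticode signature status of each executable.

```powershell
# Added example: report startup entries with their Authenticode signature status.
# Assumes Windows with PowerShell 3+ (Get-CimInstance, Get-AuthenticodeSignature).
function Get-StartupSignatureReport {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $cmd = $_.Command
        $path = $null
        # Pull the executable path out of the command line: either a quoted
        # path or the first token ending in .exe (case-insensitive match).
        if ($cmd -match '^"([^"]+)"')      { $path = $Matches[1] }
        elseif ($cmd -match '^(.*?\.exe)') { $path = $Matches[1] }
        if ($path) { $path = [Environment]::ExpandEnvironmentVariables($path) }

        $status = 'PathNotFound'
        $signer = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError ...
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name      = $_.Name
            Location  = $_.Location   # Run key or Startup folder the entry lives in
            User      = $_.User
            Path      = $path
            Signature = $status
            Signer    = $signer
        }
    }
}

# Unsigned, tampered or missing binaries sort to the top for review.
Get-StartupSignatureReport | Sort-Object Signature | Format-Table -AutoSize
```

A NotSigned or HashMismatch result is, as with Software Explorer, only a prompt to investigate the program, not proof that it is malicious.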
Real-Time Protection by Windows Defender
By default, Windows Defender's actions on detected items are the following:
Severe and High Classifications – Windows Defender will block access to the file and alert the user. These are known malicious software found in the wild that can pose a security or privacy issue or damage your computer. Examples: viruses, Trojans, rootkits, worms or combinations of these.
Medium and Low Classifications – Windows Defender will block access to the file and show a yellow alert to the user. These are known software that can damage your computer or pose a privacy issue. Examples: spyware, adware, rogue and potentially unwanted software (PUPs).
Not yet classified (not classified as severe, high, medium or low risk) – Windows Defender will not block the file and the user will not receive any visible alert (unless the user configures Windows Defender to alert them about non-classified software).
Windows Defender uses an approach similar to the real-time protection of other anti-malware programs. If you would like Windows Defender to protect the computer automatically, without giving malware a chance to bypass its prompts, I highly suggest changing the settings to automatically "Quarantine" detected items with a severe, high, medium or low rating. When an item is quarantined, Windows Defender will still notify you in the Windows notification area so you can review the detected items. It is not recommended to configure Windows Defender to automatically "Remove" classified risks, since a false positive on a safe, legitimate program could then damage that application.
Choosing to quarantine items classified by Windows Defender is the safest approach: you keep the option to restore a program or file if needed, while still preventing a malware infection.
Another Windows Defender setting that I suggest users enable is the notification for unclassified software. As we all know, no single malware scanner can detect all malware. Enabling "notify you about software that has not been classified for risks" will help keep you informed when a program tries to do something on your computer without your knowledge. Even if Windows Defender has not classified it, you can research or investigate for yourself why Windows Defender found that a program modified your settings without your consent. Windows Defender will give you the option to "Permit or Deny" the event.
SpyNet and Windows Defender
SpyNet is a threat network run by Microsoft that collects some information about items detected by Windows Defender. Joining SpyNet is not required, unless you would like to help protect others. Microsoft analyzes the collected data and provides updated definitions for anything its team finds to be new or a variant.
Definitions Update for Windows Defender
Windows Defender is updated often through Windows Update. If you are using the Automatic Updates option in Windows, you should receive the updates without doing anything manually. Daily definition updates for Windows Defender are also available, but users can only download and install them manually from the Microsoft Malware Protection Center website.
Windows Defender may not be the best free anti-spyware program, but the number of definitions released daily, combined with proper settings, should help protect a user's machine from becoming infected. Every Windows user should learn to update all software, including Windows itself, and make sure that the firewall and anti-virus real-time protection are enabled.