Windows Defender Helps Protect Windows in Real-time


Free Anti-Spyware for Windows

User Interface of Windows Defender in Windows 7

Microsoft ships Windows Defender, a free anti-spyware program, as a default component of Windows Vista and Windows 7. Windows XP and Windows Server 2003 users can still download and install it, but only on a genuine copy of Windows: the download and installer run a Windows Genuine Advantage (WGA) validation, and if that check fails, Windows Defender will not install on XP or Server 2003.

Windows Defender is enabled by default and starts protecting the computer in real time against spyware, adware and similar unwanted software. It does not, however, scan for or protect against viruses, so you still need an anti-virus program for full protection. The Windows Defender download is free for all XP, Server 2003, Vista and Windows 7 users. Never pay for Windows Defender: Microsoft does not sell it, and anyone offering it for sale is running a scam.

Features of Real-time Protection by Windows Defender (4 out of 5)

Real-time Protection Options in Windows Defender

The on-access protection offered by Windows Defender not only detects spyware, adware and other malware but also monitors changes in the following areas of Windows:

  • Auto start: Unsafe and unclassified programs that start during Windows logon are monitored. If you've configured Windows Defender to detect changes by programs that are not classified for risk but are permitted to run, you will see it in action. An example below is when I configured the Shadow Defender program to start automatically with Windows. The program is safe, but since I have set up Windows Defender to monitor any changes to the system using its real-time protection, I was alerted to the new startup item:

    Real-time protection of Windows Defender on Startup Programs

    Detail of Detected Startup Item Detected by Windows Defender

  • System Configuration settings: Changes to Windows system configuration settings, including security-related settings, are monitored in real time.

  • Internet Explorer Add-ons and settings: Spyware and other malware, as well as legitimate but unsafe programs, may add browser add-ons such as Browser Helper Objects (BHOs) and toolbars. Windows Defender's on-access protection monitors this area as well, along with changes to the home page, search page and other IE settings.

  • Internet Explorer downloads: ActiveX controls and other software that use IE to get onto the system and run are monitored in real time.

  • Windows services and drivers: Rootkits typically install a driver to hide their files and processes, and much other malware registers a Windows service to persist across reboots, so Windows Defender monitors for new drivers and services. It is best to keep this part of its real-time protection enabled.

  • Application Execution and Registration: Programs that inject themselves into other programs are monitored, similar to the HIPS protection of advanced firewall software such as Outpost Free, Online Armor, Sunbelt Personal Firewall and Comodo. A program that persistently re-registers itself in Windows is monitored as well. This is quite useful for protecting the PC against rogue programs or freeware that is fake or malicious, such as the Security Tool scareware program.

  • Windows Add-ons: Other software add-ons for Windows are monitored, such as Windows Media Player plug-ins, browser or e-mail add-ons and gadgets.

    Alert by Windows Defender on Windows Add-ons Changes
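The monitored areas above map to a small set of well-known persistence locations. As an added example (not part of the original article and not Windows Defender's own code), the following PowerShell script snapshots those locations, stores a baseline and on later runs reports additions, removals and changes, which is the same change-detection idea the real-time agents apply. The registry keys and Startup folders are the standard Windows locations; the baseline file under ProgramData is an assumed location, and the script should run from an elevated prompt so it can write there.

```powershell
# Added example (not Windows Defender's own code): baseline-and-diff the
# persistence locations the article lists. Registry/folder paths are the
# standard Windows ones; $baselinePath is an assumed location.

$ignoredProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Add-RegistryValues {
    param([hashtable]$Snap, [string]$Area, [string]$Key)
    # Record every value under $Key as "Area|Key|ValueName" -> data
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if (-not $props) { return }
    foreach ($p in $props.PSObject.Properties) {
        if ($ignoredProps -notcontains $p.Name) {
            $Snap["$Area|$Key|$($p.Name)"] = [string]$p.Value
        }
    }
}

function Get-PersistenceSnapshot {
    $snap = @{}

    # Auto start: Run/RunOnce keys for the machine and the current user
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        foreach ($sub in 'Run', 'RunOnce') {
            Add-RegistryValues $snap 'AutoStart' "$hive\Microsoft\Windows\CurrentVersion\$sub"
        }
    }
    # Auto start: per-user and all-users Startup folders
    $startupDirs = (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
                   (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | ForEach-Object {
            $snap["AutoStart|$dir|$($_.Name)"] = "$($_.Length) bytes, modified $($_.LastWriteTime)"
        }
    }

    # Services and drivers: image path plus start mode, so a swapped binary shows up too
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $snap["Service|$($_.Name)"] = "$($_.PathName) [$($_.StartMode)]"
    }
    Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
        $snap["Driver|$($_.Name)"] = "$($_.PathName) [$($_.StartMode)]"
    }

    # Internet Explorer add-ons: BHOs are registered by CLSID; resolve each to its DLL
    $bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    foreach ($key in $bhoKeys) {
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            $dll = if ($server) { $server.'(default)' } else { '<unresolved>' }
            $snap["IEAddon|BHO|$clsid"] = [string]$dll
        }
    }
    # Internet Explorer settings: catches home page and search page hijacks
    Add-RegistryValues $snap 'IESettings' 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    return $snap
}

function Compare-PersistenceSnapshot {
    param([hashtable]$Baseline, [hashtable]$Current)
    $changes = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $changes += "ADDED    $k = $($Current[$k])"
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $changes += "CHANGED  $k : '$($Baseline[$k])' -> '$($Current[$k])'"
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) { $changes += "REMOVED  $k = $($Baseline[$k])" }
    }
    return $changes
}

# First run writes the baseline; later runs report what changed since then.
$baselinePath = Join-Path $env:ProgramData 'persistence-baseline.xml'   # assumed location
$current = Get-PersistenceSnapshot
if (Test-Path $baselinePath) {
    $baseline = Import-Clixml -Path $baselinePath
    $diff = @(Compare-PersistenceSnapshot -Baseline $baseline -Current $current)
    if ($diff.Count -eq 0) { 'No persistence changes since baseline.' } else { $diff }
} else {
    $current | Export-Clixml -Path $baselinePath
    "Baseline written to $baselinePath ($($current.Count) entries)."
}
```

The script sticks to PowerShell 2.0 features (WMI and Clixml rather than the later Defender and JSON cmdlets) so it runs on a stock Windows 7 machine. After taking a baseline, adding a startup entry such as the Shadow Defender one above and re-running the script produces an ADDED AutoStart line, the same event that Windows Defender's Auto start agent alerts on; a new service, driver or BHO shows up the same way.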

Software Explorer

Software Explorer is a feature of Windows Defender on XP and Vista only. It lets you view and manage startup programs, currently running programs, network-connected programs and Winsock service providers. Microsoft removed Software Explorer from Windows Defender in Windows 7.

Windows Defender also has a built-in updater for the program and its definitions. Definitions can be updated in three ways: click the "Check for updates" button to download them immediately, configure the daily scheduled scan with the option to check for updates before the scan starts, or let Windows Update deliver them together with other security updates.

Advanced Protection by Windows Defender (4 out of 5)

Advanced Options for Windows Defender

Windows Defender uses heuristic detection to catch potentially harmful or unwanted behavior by programs that are not yet classified or known to its detection signatures. An example is a legitimate program whose installer bundles third-party add-ons that are potentially harmful or behave maliciously once installed. The old version of the Unlocker program is one such case: Windows Defender automatically detects the risk in its installer.

Windows Defender in Windows 7 scans e-mail contents and attachments; this feature is not included in the XP and Vista versions. An option to exclude specific files, folders or file types from scanning is available on all supported operating systems.

Archive files and removable drives can also be scanned by the anti-spyware program. A restore point is created before the program applies an action to a detected threat. You can disable restore point creation, but keeping it enabled is recommended so that you can roll back to a previous state if an action causes a problem or if a false positive cannot be restored from quarantine.

On-demand Scanner by Windows Defender (4 out of 5)

There is no option to scan a single file from the Windows context menu; you can only run a quick, full or custom scan of folders or drives. Scanning networked drives is not an option either: Windows Defender will not scan or protect files and folders shared on a home network.

When a malicious file or process is detected, the program either prompts the user for an action or automatically applies the default action that Windows Defender assigns according to the item's alert level. Whatever setting you have chosen, the program alerts you through its system tray icon so that you can review the details or manage the detection. If Microsoft wants to analyze a detection further, a window listing the detected items asks you whether to send or withhold copies of the detected files. Submitting files to Microsoft is optional, and the prompt is shown even if you have not joined Microsoft SpyNet.

Microsoft SpyNet is similar to the cloud-based protection offered by Prevx or Panda Cloud Antivirus: the detected files you submit help protect other Windows Defender users.

To test the on-demand scanner of Windows Defender, I let it scan 239 executable malware files and 96 archive files.

Windows Defender Scanner Found 90 malware in 239 malware samples

Windows Defender Detects 58 threats in 96 samples

Microsoft SpyNet

Windows Defender detected malware in 90 of the executable files and 58 of the archive files, leaving the computer at risk from the remaining 187 samples. However, as with other anti-virus and anti-malware programs, Windows Defender's on-access protection gets a second chance at malware that the on-demand scanner failed to detect, once that malware is run.

On-Access Protection by Windows Defender (5 out of 5)

In the screenshot above, you will notice that Windows Defender's on-demand scanner failed to detect some malware samples. To check the on-access protection, I infected the computer by executing some of the malware files that the on-demand scanner did not detect. Windows Defender's on-access protection is good because it protected the system from unclassified malicious files. This is because Windows Defender is configured to detect any changes to the system, whether they are bad or good. Below is an example of the action taken by Windows Defender's on-access protection.

I executed a new malware file, windows_protection_suite.exe, that the Windows Defender on-demand scanner had failed to detect:

New Malware File Undetected by Windows Defender On-Demand Scanner

Detected Threat in Real-Time by Windows Defender

Reviewing the changes it detected, Windows Defender lists the items as unclassified but with unwanted behavior:

Details of Detected Threats

I let Windows Defender apply a "Deny" action to the changes the rogue program made to the system. Note that the default action presented was "Permit", since the program is unclassified to Windows Defender. The free anti-spyware program succeeded in removing the rogue program: when I restarted the computer, it had already been removed and placed in quarantine.

Windows Defender’s On-Access Protection Removes Security Tool

Quarantined Unclassified Threat but Detected and Removed in Real-time by Windows Defender


With the correct settings, Windows Defender will protect end users of Windows from malicious software, spyware and adware. Review its real-time protection settings and enable all the options for detecting changes made by programs, including software that has not yet been classified for risk and software that is permitted to run. These options are disabled by default; let's hope Microsoft eventually changes the defaults so that all real-time protection options are enabled.

You don't need to pay for an anti-spyware program to assist your anti-virus software in guarding the computer against all types of threats. Windows Defender simply works! The Windows Defender download is available from the Microsoft Download Center website.

Image credit: Screenshot taken by the author.