CIS 170F: Windows 7 Administration

Week 7

Windows 7 Security Features
Malware Protection
Windows Defender

Windows Defender is a tool designed to reduce the risk of specific types of spyware and other potentially unwanted software for small office and home users. Although Windows Defender is not designed for use in large enterprises, it does provide some integration with AD DS Group Policy and can retrieve updates from an internal Windows Server Update Services (WSUS) server.

Windows Defender will interact with users if potentially unwanted software is detected. Therefore, users must be trained before Windows Defender is deployed so that they understand how to respond to the various prompts and can distinguish between genuine Windows Defender prompts and other software that might impersonate those prompts (a common social engineering technique).

Windows Defender provides two types of protection, both enabled by default:

  • Automatic scanning: Windows Defender scans the computer for potentially malicious software on a regular basis. By default, Windows Defender is configured to download updated definitions and then do a quick scan daily at 2 A.M. You can configure scanning frequency on the Windows Defender Options page.

    Windows Defender provides two different types of scanning:

    • Quick Scan: Scans the portions of a computer most likely to be infected by spyware or other potentially unwanted software, such as the computer's memory and portions of the registry that link to startup applications. This is sufficient to detect most malware applications.

    • Full Scan: Scans every file on the computer, including common types of file archives as well as applications already loaded in the computer's memory. A full scan typically takes several hours, but it may take more than a day, depending on the speed of the computer and the number of files to be scanned. The user can continue to work on the computer during a quick scan or a full scan; however, these scans do slow down the computer and will consume battery power on mobile computers very quickly.

    Windows 7 will display four options for each item detected:

    • Ignore: Allows the software to be installed or run on your computer. If the software is still running during the next scan, or if the software tries to change security-related settings on your computer, Windows Defender will alert you about this software again.

    • Quarantine: When Windows Defender quarantines software, it moves it to another location on your computer, and then prevents the software from running until you choose to restore it or remove it from your computer.

    • Remove: Deletes the software from your computer.

    • Always Allow: Adds the software to the Windows Defender allowed list and allows it to run on your computer. Windows Defender will stop alerting you to actions taken by the program. Add software to the allowed list only if you trust the software and the software publisher.

  • Real-time protection: Windows Defender constantly monitors computer usage to notify you if potentially unwanted software might be attempting to make changes to your computer. Windows Defender in Windows 7 includes real-time protection with greatly improved performance. Real-time protection can alert you when software attempts to install itself or run on your computer. Depending on the alert level, users can choose to remove, quarantine, ignore, or always allow the application, just as if the problem were encountered during a scan.

    If Windows Defender real-time protection detects software attempting to make a change to important Windows settings, the user will be prompted to Permit (allow the change) or Deny (block the change).

    Windows 7 reduces the number of real-time protection agents to two:

    • Downloaded Files And Attachments: Monitors files and programs that are designed to work with Web browsers, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Unwanted software is often included with these files and installed without the user's knowledge.

    • Programs That Run On Your Computer: Monitors when programs start and any operations they perform while running. Malware can use vulnerabilities in previously installed applications to run unwanted software without the user's knowledge. For example, spyware can run itself in the background when a user starts another frequently used application. Windows Defender monitors applications and alerts the user if suspicious activity is detected.
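As an added example that is not part of these course notes, the following PowerShell script shows how an administrator would check the Defender configuration described above on a Windows 7 host (whether Defender and real-time protection are enabled, including any Group Policy override, and how the scheduled scan is set up), trigger a definition update followed by a quick or full scan from the command line instead of the Options page, and review which items Defender detected and what action was applied to them. The registry value names, the scheduled task name, the MpCmdRun.exe switches and the event log channel are assumptions based on typical Windows 7 installations; confirm them against the Windows Defender ADMX template and binaries on your own systems before relying on the output.

```powershell
# Added example (not from the course notes): audit Windows Defender on a
# Windows 7 host and drive a scan or signature update from the command line.
# Run from an elevated PowerShell prompt (PowerShell 2.0 syntax).
#
# Assumptions (verify against your environment's Defender ADMX and binaries):
#   - Group Policy values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender
#     (DisableAntiSpyware) and its Real-Time Protection subkey (DisableRealtimeMonitoring)
#   - the default daily scan is the Task Scheduler task
#     "\Microsoft\Windows\Windows Defender\MP Scheduled Scan"
#   - MpCmdRun.exe in %ProgramFiles%\Windows Defender supports
#     -SignatureUpdate and -Scan -ScanType 1 (quick) / 2 (full)
#   - detections and actions are logged to the
#     "Microsoft-Windows-Windows Defender/Operational" event channel

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$RealTimeKey = Join-Path $PolicyKey 'Real-Time Protection'
$MpCmdRun    = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$ScanTask    = '\Microsoft\Windows\Windows Defender\MP Scheduled Scan'

# Read one registry value, returning $null when the key or value is absent.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

# Summarise whether Defender and real-time protection are on. A policy value
# of 1 wins over whatever the user selected in the Windows Defender UI.
function Get-DefenderStatus {
    $policyOff   = Get-RegValue $PolicyKey   'DisableAntiSpyware'
    $policyRtOff = Get-RegValue $RealTimeKey 'DisableRealtimeMonitoring'
    $service     = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ServiceState        = $(if ($service) { $service.Status } else { 'not installed' })
        DisabledByPolicy    = ($policyOff -eq 1)
        RealTimeOffByPolicy = ($policyRtOff -eq 1)
        PolicyKeyPresent    = (Test-Path $PolicyKey)
    }
}

# Show the scheduled scan that implements the default "quick scan daily at
# 2 A.M." behaviour: status, schedule and last/next run times only.
function Get-ScheduledScan {
    schtasks.exe /Query /TN $ScanTask /V /FO LIST 2>$null |
        Where-Object { $_ -match '^(Status|Next Run Time|Last Run Time|Schedule Type|Start Time):' }
}

# Pull current definitions, then run a quick (1) or full (2) scan.
# Returns the exit code of the scan so it can be checked by a caller.
function Start-DefenderScan {
    param([ValidateSet(1, 2)][int]$ScanType = 1)
    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }
    & $MpCmdRun -SignatureUpdate
    & $MpCmdRun -Scan -ScanType $ScanType
    return $LASTEXITCODE
}

# List recent Defender events so the administrator can see what was detected
# and which action (quarantine, remove, allow) was taken, instead of relying
# on users to report how they answered the prompts.
function Get-DefenderEvents {
    param([int]$Newest = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
        -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-DefenderStatus | Format-List
Get-ScheduledScan
Get-DefenderEvents | Format-Table -AutoSize -Wrap
# To launch an on-demand quick scan after reviewing the audit output:
# Start-DefenderScan -ScanType 1
```

The status check reads the policy keys rather than only the service state because a Group Policy that turns Defender or real-time monitoring off leaves the Options page greyed out; a machine can show the service running while real-time protection is disabled by policy. The event query is the quickest way to reconcile the alert-level decisions users make at the prompts with what actually happened on the machine.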

When Windows Defender detects potentially malicious software, it assigns one of the following alert levels to it:

  • Severe: Assigned to potentially unwanted software that can severely affect your computer or compromise your privacy. You should always remove this software.

  • High: Similar to the Severe rating, but slightly less damaging. You should always remove this software.

  • Medium: Assigned to potentially unwanted software that might compromise your privacy, affect your computer's performance, or display advertising. In some cases, software classified at a Medium alert level might have legitimate uses. Evaluate the software before allowing it to be installed.

  • Low: Assigned to potentially unwanted software that might collect information about you or your computer or change how your computer works, but operates in agreement with licensing terms displayed when you installed the software. This software is typically benign, but it might be installed without the user's knowledge. For example, remote control software might be classified at a Low alert level because it could be used legitimately, or it might be used by an attacker to control a computer without the owner's knowledge.

  • Not yet classified: Programs that haven't yet been analyzed.