Windows Defender and Other Defenses Against Malware

3/13/2011 4:14:13 PM
Microsoft’s Windows Defender is a free tool that gets installed automatically with Windows Vista. It finds and tries to remove malicious software and other unwanted programs, often called malware or spyware. This malware can slow down your computer, display annoying pop-up ads, change Internet settings, or use your private information without your consent.

Alert

Windows Defender scans your computer for malware within programs on a schedule (called a Scan) and can scan program files when you launch applications (called real-time protection). It quarantines known spyware and executables that exhibit undesirable behavior. Windows Defender tries to remove or quarantine these bad applications without negatively affecting your data and without losing any of your installed applications.


You can configure Windows Defender to handle different levels of threatening behavior differently, on the Tools > Options dialog box, as shown in Figure 1. Windows Defender ranks the threat levels of malware as Low, Medium, High, Severe, and Not Yet Classified. By default, Windows Defender immediately quarantines Severe and High threat level programs. You can configure the way Windows Defender reacts when it detects malicious software.

Figure 1. Windows Defender performs scheduled scans of your computer and quarantines or warns you of threatening programs.

By scrolling down in this same dialog box, you can configure the way that Windows Defender alerts you when it finds malware, as shown in Figure 2.

Figure 2. Windows Defender alerts can be configured on the Tools > Options dialog box. Sometimes you might want to know when Windows Defender is taking action, and sometimes you may not want Windows Defender’s pop-up alert to bother you.

Because Windows Defender automatically quarantines applications that meet its definition of “threatening,” it may quarantine an application that you know to be safe and desirable. While the application is quarantined, you cannot launch the application. If Windows Defender quarantines a program that you choose to run, you can easily restore the program to its normal state in the Tools > Quarantined Items dialog box.

Caution

Removing Applications from Windows Defender’s Quarantine

Just because you want to use an application does not mean that the application is safe to be used. Applications can be placed in quarantine because they are known to be malicious, because they appear to be infected, or because they exhibit risky behavior. Removing an application from the Windows Defender quarantine could be a dangerous decision that can severely affect the security of your computer. Don’t do this unless you truly know that the application is safe, or unless you are willing to accept the risk of having your computer being exploited by the bad guys and having your private information exposed.


Windows Defender’s Logging Capabilities

Windows Defender also monitors all the programs that are running, looking for potentially harmful or unwanted behavior by the running processes. This is called real-time protection. As a byproduct of monitoring all running applications, you can enable logging of all known good applications and all unknown applications that are running on the computer. This increased logging can be configured in the Local Computer Policy on one computer or by Group Policy Objects (GPOs) if you are in an Active Directory environment.

Microsoft’s SpyNet Program

Windows Defender’s default settings provide automatic updating of the malware signature database. Windows Defender also reports back to Microsoft on the software that it has seen and taken action on through its SpyNet program. This is an optional service that you can choose whether to participate in. The SpyNet program collects malware statistics from Windows Defender on computers in an attempt to keep Microsoft’s malware signature database current. SpyNet is designed to collect a minimum of personal information and takes steps to ensure your anonymity.

You can opt out of the Microsoft SpyNet program by going to the History page in Windows Defender’s Options and selecting the Change Settings hyperlink adjacent to the SpyNet reference. You can view the items that you have chosen to have Windows Defender allow, as well as the items that Windows Defender has quarantined. These last two items can also be accessed from the Options page.

Alert

Another cool tool in Windows Defender is the Software Explorer, which is also accessed from the Tools dialog box. This tool shows you detailed information about all the programs running on your computer, as shown in Figure 3.

Figure 3. Startup programs can be identified in the Tools > Software Explorer dialog box.

The Software Explorer tool inside Windows Defender can display the running applications by grouping them into four categories:

  • Startup Programs: Programs that launch at startup

  • Currently Running Programs: Everything running on the desktop and in the background

  • Network-Connected Programs: Programs that are connected to other computers over the network or the Internet

  • Winsock Service Providers: Programs that assist network-connected programs


Windows Defender relies on an underlying service called (surprise!) Windows Defender, as shown in Figure 4.

Figure 4. If a bad guy doesn’t want his malicious software to be detected, he might try to kill the Windows Defender service on your computer.


To ensure that this service stays running, keeping your malware protection in force, you might want to configure the Windows Defender service to restart automatically if it ever gets shut down. You can configure the service to restart on the first and second failure of the service. If the service still doesn’t remain started, you can configure the service to try what is called Trusted Recovery: on the third shutdown of the service, reboot the computer.

Caution

Using Service Recovery

This service recovery configuration can be utilized on any service that runs on a Microsoft-based computer.

Be aware that restarting a computer automatically, as previously described, can cause serious problems and, potentially, the loss of data. This should be implemented on computers only after careful consideration of the ramifications of forcing an automatic shutdown and restart of the system.
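The recovery settings described above, as an added example that is not part of the original article. It uses the built-in sc.exe service control tool from an elevated PowerShell prompt and assumes the Windows Defender service’s short name is WinDefend (its display name is “Windows Defender”); the one-day reset interval and one-minute delays are chosen for illustration.

```powershell
# Added example (not from the original article): restart the Windows Defender
# service on its first two failures and reboot the computer on the third.
# Run from an elevated PowerShell prompt.
# Assumption: the service short name is WinDefend (display name "Windows Defender").
$svc = 'WinDefend'

# In PowerShell, 'sc' is an alias for Set-Content, so call the executable by name.
# reset=   seconds without a failure before the failure counter is cleared (1 day here)
# actions= action/delay-in-milliseconds pairs for the 1st, 2nd and 3rd failure
sc.exe failure $svc reset= 86400 actions= restart/60000/restart/60000/reboot/60000

# Show the recovery settings that were just applied.
sc.exe qfailure $svc

# Make sure the service is running right now; start it if it is not.
if ((Get-Service -Name $svc).Status -ne 'Running') {
    Start-Service -Name $svc
}
Get-Service -Name $svc | Format-List Name, DisplayName, Status
```

The same sc.exe failure syntax applies to any other service; remember that the reboot action carries the data-loss risk the caution above describes.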


MSConfig.exe

Another useful tool in the battle to protect your computer from bad things is called the System Configuration Utility, or MSConfig. You can launch MSConfig.exe, shown in Figure 5, from the Start > Run (or the Start > Search) command line. Just type msconfig and press Enter.

Figure 5. MSConfig.exe allows you to view all programs configured to launch at computer bootup or at user logon.

You can use MSConfig to configure Normal, Diagnostic, or Selective startup on the General tab; adjust the Startup menu (instead of using BCDEdit) on the Boot tab; enable or disable services on the Services tab; view all programs that are configured to run at computer startup or at user logon on the Startup tab; or launch a number of configuration and diagnostic tools from the Tools tab.

Caution

Configuration Changes with MSConfig.exe

Making changes to the startup configuration of the computer can cause applications and services to fail, or even cause the system to fail to boot up successfully. Don’t make any changes to the startup configuration unless you understand what the results will be and know how to recover if the results you get are unexpected.


The hosts File

One bad thing that malware might do is try to keep you disconnected from websites that help you identify malware, like the Windows Update and the antivirus definitions update websites. Malware often tries to block your access to these websites by adding incorrect mappings into the hosts file on your computer.

Note

A Word About the hosts File

The hosts file can be edited with Notepad.exe and is located in the \Windows\System32\Drivers\etc folder. The hosts file is used to map computer hostnames (like webserver1) and fully qualified domain names (FQDNs, like www.microsoft.com) to their IP address.


If malware modifies your hosts file, your computer thinks it already knows where to find these helpful websites by looking in the hosts file, so it never asks public DNS servers for their actual addresses. Because malware has incorrectly mapped these websites to the loopback address of 127.0.0.1 or some other incorrect IP address, your computer can never connect to the update sites and never gets the new updates and security updates that might detect the original malware.

Alert

If you discover that your computer is not getting updates for the operating system or applications, or is not getting new definition files for antivirus or anti-spyware programs, first try to kill the malware by running a Windows Defender scan and an antivirus scan, and then enable a pop-up blocker.

Then use Notepad.exe, as shown in Figure 6, to open the hosts file and delete any lines other than the localhost mappings. One localhost mapping points to the IPv4 loopback address of 127.0.0.1, and the other maps localhost to the IPv6 loopback address of ::1. When you save the hosts file, you should be able to get to these beneficial websites again.

Figure 6. When you use Notepad to clean up the hosts file, always check to be sure that Notepad has not added a .txt extension to the hosts file.
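An added, read-only check for the hosts-file tampering described above (example code, not from the original article): it reports every mapping other than localhost to a loopback address so you can see what malware may have added before you clean the file in Notepad. The sample lines are constructed for illustration; the commented call at the end reads the real file.

```powershell
# Added example (not from the original article): list hosts-file entries that are
# anything other than 'localhost' mapped to 127.0.0.1 or ::1. Reports only; edits nothing.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1')

function Get-SuspiciousHostsEntries {
    param([string[]]$Lines)
    $findings = @()
    foreach ($line in $Lines) {
        $entry = ($line -split '#')[0].Trim()      # drop comments and surrounding whitespace
        if (-not $entry) { continue }               # blank or comment-only line
        $parts = $entry -split '\s+'
        if ($parts.Count -lt 2) { continue }        # no hostname on this line
        $ip    = $parts[0]
        $names = $parts[1..($parts.Count - 1)]      # one IP may map several names
        foreach ($name in $names) {
            # The only expected entries map 'localhost' to a loopback address.
            $isLocalhost = ($name -eq 'localhost') -and ($loopback -contains $ip)
            if (-not $isLocalhost) {
                $findings += [pscustomobject]@{ Name = $name; IP = $ip; Line = $line }
            }
        }
    }
    return $findings
}

# Constructed sample resembling a tampered hosts file (not a real capture).
$sample = @(
    '127.0.0.1       localhost',
    '::1             localhost',
    '# comment lines are ignored',
    '127.0.0.1       windowsupdate.microsoft.com    # sample: update site sent to loopback',
    '10.0.0.99       update.example.test'
)
Get-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize

# Audit the real file on this computer:
# Get-SuspiciousHostsEntries -Lines (Get-Content -Path $hostsPath) | Format-Table -AutoSize
```

Any entry the report lists for an update or antivirus vendor site is a candidate for deletion in Notepad as the text describes; entries you added yourself on purpose will also be listed, so review before deleting.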



Getting Rid of Malware

While you probably have installed antivirus software, and you use Windows Defender to perform automatic removal of malware, sometimes you can simply uninstall the malware. Malware, like an unwanted Internet Explorer toolbar that installs with some third-party software update, can often be uninstalled from the Control Panel > Programs and Features section. Simply click Uninstall a Program. Then click on the program that you desire to remove and click Uninstall from the overhead menu.

Sometimes it isn’t that easy to get rid of malware, and a more rigorous approach is required.

RootkitRevealer

If you are really concerned about undetected malware, Microsoft and Sysinternals have a tool called RootkitRevealer. It is a specially designed utility to detect rootkits and can be downloaded from the following website:

http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx

Rootkits are what bad guys upload to your computer when they pretty much have taken over. A rootkit is a collection of malware tools and “trojaned” applications that are designed to take control and keep control of an exploited system. The bad guys have gotten good at hiding these malicious tools from antivirus and anti-spyware detectors.

Caution

RootkitRevealer Is Buggy with Vista

At the time of this writing, this RootkitRevealer tool wasn’t exactly Vista compatible. As a matter of fact, after I installed and ran RootkitRevealer, I had to restore the Vista system I used it on from a previous system restore point. But keep RootkitRevealer in mind for malware protection on Vista systems in the future and for the exam. My bet is that Microsoft will be releasing a new Vista-compatible version of RootkitRevealer in the near future.
