Windows Defender: Benefits


(Reprinted with permission of the author, Bill Castner, MS MVP, and aumha.net forum VSOP)

There are a lot of aspects and benefits of Windows Defender that have not been discussed -- from SpyNet, to the fact that Defender acts as a monitor of changes to key registry and startup items, similar to the way third-party utilities such as WinPatrol or Spybot S&D TeaTimer try to add these feature sets. One additional feature is the Software Explorer, which lets you examine and disable programs that launch on Windows startup. These aspects of Defender are independent of its role as an active malware blocker and a passive on-demand scanner.

In the Windows Defender options, the user can configure real-time protection options:

- Auto Start - Monitors lists of programs that are allowed to automatically run when the user starts the computer
- System Configuration (settings) - Monitors security-related settings in Windows
- Internet Explorer Add-ons - Monitors programs that automatically run when the user starts Internet Explorer
- Internet Explorer Configurations (settings) - Monitors browser security settings
- Internet Explorer Downloads - Monitors files and programs that are designed to work with Internet Explorer
- Services and Drivers - Monitors services and drivers as they interact with Windows and programs
- Application Execution - Monitors when programs start and any operations they perform while running
- Application Registration - Monitors tools and files in the operating system where programs can register to run at any time
- Windows Add-ons - Monitors add-on programs (also known as software utilities) for Windows

Internet Explorer integration
There is integration with Internet Explorer which enables files to be scanned when they are downloaded to help ensure that one does not accidentally download malicious software. This implementation is similar to the real-time scanners of many anti-virus products on the market.

Software Explorer
The Advanced Tools section allows users to discover potential vulnerabilities with a series of Software Explorers. They provide views of startup programs, currently running software, network connected applications, and Winsock providers (Winsock LSPs). In each Explorer, every element is rated as either "Known", "Unknown" or "Potentially Unwanted". The first and last categories carry a link to learn more about the particular item, and the second category invites users to submit the program to SpyNet for analysis by experts.
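As an added example (not code from the original article or from Microsoft), the following PowerShell script enumerates the same classes of items that the real-time agents listed above watch and that Software Explorer displays: autostart entries from the Run/RunOnce keys and Startup folders, running programs with established network connections, and the Winsock provider catalog where LSPs register. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection) and English-language netsh output. The "Known"/"Unknown" label it prints is this example's own Authenticode-signature heuristic, not Defender's SpyNet-backed rating, and the RequiresAdmin column is a crude text scan of the embedded manifest, intended only to flag candidates for closer review.

```powershell
# Added example, not part of the original article: a hand-rolled review of the
# autostart, network-connected and Winsock items that Windows Defender's
# Software Explorer shows. Assumes PowerShell 5.1+ on Windows 8/2012+ and
# English 'netsh winsock show catalog' output.

$RegistryNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExecutablePath([string]$Command) {
    # Pull the executable out of a Run-key command line, quoted or not, and
    # expand %SystemRoot%-style variables so the path can be checked on disk.
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-ItemRating([string]$Path) {
    # Rough stand-in for Software Explorer's "Known"/"Unknown" labels, based only
    # on the local Authenticode signature (this example's heuristic, not
    # Defender's SpyNet-backed classification).
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'Unknown (file not found)'
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return "Known (signed by $($sig.SignerCertificate.Subject))" }
    return "Unknown (signature status: $($sig.Status))"
}

function Test-RequiresAdmin([string]$Path) {
    # Crude check for the Vista-era "bad behaviour" the article describes: an
    # embedded application manifest asking for requireAdministrator. Scans the
    # file bytes as text, so treat a hit as a prompt to look closer, not proof.
    if ([string]::IsNullOrWhiteSpace($Path) -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    return [bool](Select-String -LiteralPath $Path -Pattern 'level="requireAdministrator"' -Quiet)
}

function Get-StartupEntries {
    # Autostart locations the "Auto Start" agent monitors: Run and RunOnce keys
    # for the machine and the current user, plus both Startup folders.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($RegistryNoise -contains $v.Name) { continue }   # provider metadata, not values
            $exe = Get-ExecutablePath $v.Value
            [pscustomobject]@{
                Source = $key; Name = $v.Name; Command = $v.Value
                Rating = Get-ItemRating $exe; RequiresAdmin = Test-RequiresAdmin $exe
            }
        }
    }
    foreach ($folder in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            [pscustomobject]@{
                Source = $folder; Name = $f.Name; Command = $f.FullName
                Rating = Get-ItemRating $f.FullName; RequiresAdmin = Test-RequiresAdmin $f.FullName
            }
        }
    }
}

function Get-NetworkConnectedPrograms {
    # Established TCP connections mapped to their owning process, the data
    # behind the "Network Connected Programs" view.
    foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            Id      = $c.OwningProcess
            Local   = "$($c.LocalAddress):$($c.LocalPort)"
            Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
            Rating  = if ($p -and $p.Path) { Get-ItemRating $p.Path } else { 'Unknown (no path)' }
        }
    }
}

function Get-WinsockCatalog {
    # Winsock provider catalog, where layered service providers (LSPs) register,
    # parsed from 'netsh winsock show catalog'. Each entry begins with a
    # "... Provider Entry" header line followed by "Field: value" lines.
    $entry = $null
    foreach ($line in (netsh winsock show catalog)) {
        if ($line -match 'Provider Entry\s*$') {
            if ($null -ne $entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ EntryType = ''; Description = ''; ProviderPath = '' }
        } elseif ($null -ne $entry -and $line -match '^(Entry Type|Description|Provider Path):\s*(.*)$') {
            $field = $Matches[1] -replace ' ', ''
            $entry[$field] = $Matches[2].Trim()
        }
    }
    if ($null -ne $entry) { [pscustomobject]$entry }
}

# Review the three views. A startup item with RequiresAdmin=True is the kind of
# entry the article says Vista's Defender holds back until approved through UAC.
Get-StartupEntries           | Format-Table Name, Rating, RequiresAdmin, Command -AutoSize
Get-NetworkConnectedPrograms | Format-Table Process, Id, Local, Remote, Rating -AutoSize
Get-WinsockCatalog           | Where-Object EntryType -like '*Layered*' | Format-Table -AutoSize
```

Run it from an elevated prompt if you want process paths for services and system processes; unelevated, those rows simply show "Unknown (no path)". Unsigned entries are not necessarily malicious, just unverified, which is the same reason Software Explorer invites you to submit "Unknown" items to SpyNet rather than judging them locally.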

Windows Vista-specific functionality
Windows Defender in Windows Vista automatically blocks all startup items that require administrator privileges to run (this is considered bad behavior for a startup item). This automatic blocking is related to the UAC (User Account Control) functionality in Windows Vista, and this integration with UAC enforces the requirement for UAC approval for startup items that are misbehaved.

The changes to Windows Defender are more than GUI changes since its acquisition from GIANT. When Defender went final, it represented a ground-up rewrite of the entire package originally purchased from GIANT. The scanning engine was brand new. Defender benefits from the feedback of hundreds of millions of computers: scanned monthly by the Malicious Software Removal Tool (MSRT) (700 million every month), by OneCare installations, and by Forefront installations, as well as others running Windows Defender (~35 million computers) who participate in SpyNet. This means that, alone among the anti-malware utilities, Windows Defender has the largest base of actual incidents and heuristically determined anomalies on which to develop its definition and other updates. There is not a competitive product that can match the reporting base of Defender. There are very few freeware alternatives that automatically update as Defender does. As a practical matter, this means that Defender is uniquely positioned to just get better and more effective over time.

During the first three months of the final release of Windows Defender over two years ago, Microsoft found that the software discovered 22 million pieces of spyware and successfully removed 14 million of them. Windows Defender also uncovered 2,849 unique groups of spyware. In the two years since, it has done considerably more. In conjunction with the monthly MSRT, Windows Defender provides a reasonable effort to reduce the spread of malware from computers that would otherwise serve as silent distribution points on the internet. This represents a change in focus over time; originally the focus was just on spyware. Over time, malware sui generis became its focus, particularly in the last year and a half.

Windows Defender is free, offers many advanced features, provides fast scans, is light on system resources, and includes two free technical support calls. It does not conflict with your antivirus software or other anti-malware utilities. Leave it enabled under Vista. Install it under Windows XP.
