Windows Defender

Before you start

Objectives: Learn what is Windows Defender in Windows and why it is used.

Prerequisites: no prerequisites.

Key terms: Windows Defender, spyware, system protection, alerts, action center.

What is Windows Defender

Windows Defender replaces the Microsoft anti-spyware beta software and is installed in Windows Vista and Windows 7 by default. It is also available as a free download for XP installations verified with WGA (Windows Genuine Advantage). Windows Defender helps protect against slow performance and security threats caused by spyware and other malicious or unwanted software. It has a database of spyware definitions which is similar to antivirus definitions for antivirus programs. Those definitions help Windows defender to detect spyware on our machine.

Windows Defender protects from malicious software such as viruses, worms, and Trojan horses (malware), that have been designed to harm our computer. In addition to spyware detection, Windows Defender will alert us if software attempts to change important Windows settings. Keep in mind that Windows Defender is not an anti-virus application, so we should still have additional anti-virus software installed besides Windows Defender. Windows Defender should not be used side-by-side with other spyware applications. It is best to choose only one spyware application and have that application protect our system.


By default, at 2 a.m. Windows Defender will go to the update server and make sure that it has the latest definitions. We can also manually check for definitions. In newer versions of Windows (Windows 7), updates for Windows Defender come with Windows Updates.

Real-time Monitoring

Windows defender also includes real-time monitoring agents to help protect our PC. Real-time protection alerts us when spyware or potentially unwanted software attempts to install itself or run on our computer. It also alerts us when programs attempt to change important Windows settings. Real-time protection uses security agents that monitor specific system components and software.

Real-time Agents

We can choose to enable real time protection options called agents. When potential spyware is detected by an agent, it stops the activity and raises an alert. There is an agent for IE configuration that keeps track of changes made to our browser security settings. Also there are agents for downloads and add-ons such as ActiveX. There is real-time agent for auto startup programs designed to eliminate the danger of spyware running without our knowledge. Defender checks the list of applications configured to run when we start our computer. There are real-time agents for system configuration (monitors security-related settings in Windows so that spyware cannot collect personal information), services and drivers (they perform essential software and hardware functions and Defender monitors and protects so that spyware cannot gain access to them), Windows add-ons (monitors software utilities for Windows so that spyware cannot collect and transmit our online activities), application execution (monitors applications as they start, checking for suspicious activity that may run in the background) and application registration (monitors registered applications, making sure malicious software does not start without our knowledge). By default Windows Defender does a quick scan at 2 a.m. each day. We can modify the automatic scan frequency, schedule, and type or manually initiate a scan. The results of the scan are shown in the message center (the Home screen for Defender). We can configure Defender to notify us in the System Tray when a real-time threat is detected.

Automatic Scanning

Automatic scanning checks files on our computer. Defender can run Quick scan, Full scan and a Custom Scan. A Quick scan checks hard drive locations which are most likely to be infected by spyware. A Full scan checks all files on the hard disk, the registry, currently running applications, and all other critical areas of the operating system. A Custom scan checks only the drives and folders that we specify.

When scanning we can enable some advanced options. For example, we can choose to scan archive files, e-mails, removable drives. We can also choose to create restore points when doing actions on detected items. We can also specify to use heuristics. Heuristics allow Windows Defender to detect potential malicious activity for files that are not defined in spyware definitions.

Alert Levels

Alert actions define what to do when a security threat is detected. Each alert is classified with an alert level that describes the seriousness of the potential threat. Alert levels are Severe, High, Medium, Low and Not yet classified.

Severe level warns us about exceptionally malicious programs, similar to viruses or worms, which negatively affect our privacy, the security of our computer and damage our computer. We should remove this software immediately.

High level warns us about programs that might collect our personal information, damage our computer by changing settings, typically without our knowledge or consent. We should remove this software immediately. Medium level warns us about programs that might affect our privacy by collecting personal information or make changes to computer that could negatively impact our computing experience. We should review and consider removing this software.

Low level warns us about potentially unwanted software that might collect personal information about us or our computer or change how our computer works, but is operating in agreement with licensing terms displayed when we installed the software. We should review the alert details or check to see if we recognize and trust the publisher of the software.

‘Not yet classified’ warns us about programs that are typically benign unless they are installed on our computer without our knowledge. If we do not recognize the software or the publisher we should review the alert details to decide how to take action.

Prompts and Actions

When a real-time agent detects a threat we may get prompted to manually inspect the notification and decide on the best course of action to take. We can respond to those prompts in four ways. We can ignore the warning message, remove the software, quarantine the software and choose to always allow.

‘Ignore’ takes no action. The program is left on the system, and it will be detected the next time the system is scanned or the software is run.

‘Remove’ deletes the program from your computer.

‘Quarantine’ prevents the program from running by creating a backup of the program and removing it from the system. Quarantined items will not be reported in future scans. We can use the Quarantined items list to view items in quarantine. From the list we can restore a program (which allows us to run it again) or remove it from the system.

‘Always allow’ lets the program run anytime without further prompts. Future scans will not warn us of software added to the Allowed items list. Removing the item from the list does not delete it, but will cause Defender to detect it again.

When we are reviewing an item after a warning or a scan, we must review the item details before we can select to quarantine or always allow the program. To run a program in the Quarantined items list, we must restore it on our system. When we run it, Windows Defender will identify it again as a potential security threat. When detected, we can choose Allow to add the program to the list of allowed items so that we can run it again in the future without a prompting.


We have sepparate articles for Windows Defender demonstration: