Saturday, July 14, 2007

Microsoft Windows Vista: Windows Defender

(Windows Defender was released in October 2006 as a download for Windows XP and 2003. Now it's also built into Windows Vista, making it more convenient to protect your computer against spyware threats.)

Windows Vista comes with a built-in anti-spyware application called Windows Defender, to help you protect your computer against malicious software designed to gather information about you and your system for the purpose of advertising or even identity theft. Defender is an integral part of Vista's heightened security. Here are 10 things you need to know to use Defender to your best advantage.

Windows Defender is only one part of a multilayered security strategy:

Defender is designed to detect and remove or quarantine known and suspected spyware programs that may be installed on your computer without your knowledge. It does not prevent all attacks against your computer. Defender should be used in conjunction with other security mechanisms such as a firewall, antivirus software, and encryption.

Defender is enabled on Vista by default:

You can turn Defender on and off and configure its properties and behavior through the Windows Defender Control Panel applet. It can also be accessed through the Security Center in Vista. The interface is simple, with a one-click button to scan immediately for spyware and the ability to schedule automatic scans on a daily basis or on a selected day of the week at a time of your choosing.

Defender can perform three types of scans:

A Quick Scan looks in the locations where spyware is most commonly found (startup locations, the registry, running processes, and common install folders). This saves time and catches most spyware. A Full Scan checks every file on every drive and folder on the computer. This is the most thorough option, but it can take quite some time, depending on the size of your hard disk(s) and the number of files you have, and other work on the computer will slow down while it runs. A Custom Scan allows you to select the specific drive(s) or folder(s) you want to scan. If Defender detects spyware during a Custom Scan, it will then perform a Quick Scan to remove or quarantine it.
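The three scan types can also be started from a script rather than from the Defender window, which is useful for a scheduled task or for scanning a freshly copied folder. The following PowerShell function is an added example, not code from the original post or from Microsoft; the function name Invoke-DefenderScan is invented for illustration. It assumes that MpCmdRun.exe sits in %ProgramFiles%\Windows Defender and accepts -Scan -ScanType 1 (quick), 2 (full) or 3 (custom, with -File <path>); confirm that with MpCmdRun.exe -? on your own build before relying on it, and run it from an elevated prompt (PowerShell 1.0 is a separate download for Vista).

```powershell
# Added example, not code from the original post. Drives the three Defender
# scan types from PowerShell instead of the Defender window.
# Assumptions (check "MpCmdRun.exe -?" on your build): MpCmdRun.exe lives in
# %ProgramFiles%\Windows Defender and accepts -Scan -ScanType 1 (quick),
# 2 (full) or 3 (custom, with -File <path>).

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Invoke-DefenderScan {
    param(
        [string]$Type = 'Quick',   # Quick, Full or Custom
        [string]$Path = ''         # drive or folder; required for Custom
    )
    if (-not (Test-Path $MpCmdRun)) {
        throw "MpCmdRun.exe not found at $MpCmdRun"
    }
    # Pipe the tool's own output to the console so the function returns
    # only the exit code, not the scan log mixed in with it.
    switch ($Type) {
        'Quick'  { & $MpCmdRun -Scan -ScanType 1 | Out-Host }
        'Full'   { & $MpCmdRun -Scan -ScanType 2 | Out-Host }
        'Custom' {
            if (-not (Test-Path $Path)) {
                throw "Custom scan needs an existing -Path, got '$Path'"
            }
            & $MpCmdRun -Scan -ScanType 3 -File $Path | Out-Host
        }
        default  { throw "Unknown scan type '$Type' (use Quick, Full or Custom)" }
    }
    # Exit code 0 means the scan ran to completion and found nothing.
    # Anything else is either a detection or a scan that did not finish,
    # so a script must not treat it as "clean"; check the History page.
    $code = $LASTEXITCODE
    Write-Host ("{0} scan finished with exit code {1}" -f $Type, $code)
    return $code
}

Invoke-DefenderScan -Type Quick
Invoke-DefenderScan -Type Custom -Path 'D:\Downloads'
```

A Full scan from a script behaves exactly as the post describes: expect it to run for a long time and to compete with other work on the machine, so schedule it for an idle period.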

You can specify how you want Defender to perform a scan:

You can choose whether Defender should scan inside archived (compressed) files and folders. You can select heuristic methods to identify software that is likely to be spyware, based on patterns and behavior, in addition to the definition files that identify known spyware. You can also choose whether to create a restore point before removing detected items, so that if a file needed by one of your legitimate programs is removed by mistake, you can roll the system back. Finally, you can specify files and folders that Defender should skip altogether when performing a scan; keep that list short, because anything on it is a blind spot.

Real-time protection alerts you immediately if a suspected spyware program attempts to install itself or run on your computer:

Real-time protection is enabled by default, but you can choose whether to use it, and you can select which security agents should be turned on to monitor various aspects of the system. Security agents are available to monitor startup programs, security-related configuration settings, IE add-ons, IE configuration settings, downloaded files and programs, services and drivers, application registration files, Windows utilities, and any program that is started.

Administrators can control how Defender runs on user machines:

Admins can allow all users to use Windows Defender to scan the computer, choose the actions Defender takes when suspected spyware is detected, and review Defender's activities. They can also restrict the use of Defender to users with administrative privileges. By default, everyone is allowed to use Windows Defender.

You can view the activities Windows Defender has performed via the History page:

On the History page, you'll see a list of programs and activities that includes a description of each detected item, advice on what to do about it, and details such as the file location and registry keys associated with the program. You'll see the alert level, what action was taken and on what date, and the current status of the item. You can also review a list of items you've permitted to run via the Allowed Items link. You can see what you've prevented from running, and remove or restore those items, via the Quarantined Items link.

Windows Defender classifies possible spyware threats according to four alert levels:

Severe means it's a malicious program that can damage your computer. High means it's a program that might collect your personal information or change your settings without your consent. Software classified as Severe or High should be removed immediately. Medium pertains to programs that might collect personal information but may also be part of a trusted program. Low signifies software that might collect information or change settings but that was installed in accordance with a licensing agreement you accepted. You should review programs flagged as Medium or Low and decide whether you want to block or remove them. Programs that Microsoft has not yet analyzed appear as Not yet classified; treat those with the same caution as a Medium alert until you know what they are.

You should have Defender check for new definitions on a regular basis:

To be effective, anti-spyware software uses definition files that must be kept up to date, because new spyware threats appear frequently. Best practice is to have Defender automatically check for new definitions through Windows Update before performing a scheduled scan. You can also check for new definitions manually. If you rely on manual updating only, you should check for new definitions at least once per week.

Microsoft relies on the SpyNet community of Defender users to help expand the spyware database:

You're not required to participate in SpyNet to use Defender, but if you do, Defender will send information to Microsoft about the suspected spyware it detects and the actions you apply to each item. You can join the SpyNet community via the Tools page, and you can select either a basic or an advanced membership. With an advanced membership, you'll receive an alert when Defender detects software that hasn't been analyzed, and more detailed information about detected software is sent to Microsoft.
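Everything the post configures through the Defender window (real-time protection, archive scanning, restore points, definition refresh before a scheduled scan, the exclusion list, definition age and SpyNet membership) is stored in the registry, so it can be audited from a script on a machine you cannot sit in front of. The following PowerShell script is an added example, not code from the original post or from Microsoft, and all function names in it are invented for illustration. It assumes that local settings live under HKLM\SOFTWARE\Microsoft\Windows Defender and Group Policy overrides under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender; that the various "Disable..." DWORD values mean a feature is off when set to 1; that excluded paths are stored as value names under Exclusions\Paths; that SpyNet\SpyNetReporting is 0 (not joined), 1 (basic) or 2 (advanced); and that Signature Updates\SignaturesLastUpdated is an 8-byte binary FILETIME. Verify those key and value names with regedit on your own build before trusting the report.

```powershell
# Added example, not code from the original post. Reads the Defender settings
# the post describes back from the registry, flags the weak ones, and applies
# the post's one-week rule to the age of the definitions.
# Assumptions (verify with regedit): local settings under
# HKLM\SOFTWARE\Microsoft\Windows Defender, policy overrides under
# HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, "Disable..." DWORDs are
# 1 when a feature is off, exclusions are value names under Exclusions\Paths,
# SpyNet\SpyNetReporting is 0/1/2, and Signature Updates\SignaturesLastUpdated
# is an 8-byte binary FILETIME.

$Local  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$MaxDefinitionAgeDays = 7   # the post's manual-update rule

# Policy-set values win over locally set ones, so look there first.
function Get-DefenderValue([string]$SubKey, [string]$Name) {
    foreach ($root in @($Policy, $Local)) {
        $key = Join-Path $root $SubKey
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            if ($props.$Name -ne $null) { return $props.$Name }
        }
    }
    return $null
}

# A "DisableX" value that is absent or 0 means the feature is still on.
function Test-DefenderFeature([string]$SubKey, [string]$DisableName) {
    $v = Get-DefenderValue $SubKey $DisableName
    return (($v -eq $null) -or ($v -eq 0))
}

function Get-DefinitionAgeDays {
    $raw = Get-DefenderValue 'Signature Updates' 'SignaturesLastUpdated'
    if ($raw -eq $null) { return $null }
    # FILETIME: little-endian Int64 of 100 ns ticks since 1601-01-01 UTC
    $ticks   = [BitConverter]::ToInt64([byte[]]$raw, 0)
    $updated = [DateTime]::FromFileTimeUtc($ticks)
    return [Math]::Round(([DateTime]::UtcNow - $updated).TotalDays, 1)
}

function Get-DefenderExclusions {
    $key = Join-Path $Local 'Exclusions\Paths'
    if (Test-Path $key) { return (Get-Item $key).GetValueNames() }
    return @()
}

function Report([bool]$Ok, [string]$Text) {
    if ($Ok) { Write-Host "[ OK ] $Text" } else { Write-Host "[WARN] $Text" }
}

Report (Test-DefenderFeature 'Real-Time Protection' 'DisableRealtimeMonitoring') 'Real-time protection enabled'
Report (Test-DefenderFeature 'Scan' 'DisableArchiveScanning') 'Archived files are scanned'
Report (Test-DefenderFeature 'Scan' 'DisableRestorePoint') 'Restore point created before removal'
Report ((Get-DefenderValue 'Scan' 'CheckForSignaturesBeforeRunningScan') -eq 1) 'Definitions refreshed before scheduled scan'

$age = Get-DefinitionAgeDays
if ($age -eq $null) { Report $false 'Definition timestamp not found' }
else { Report ($age -le $MaxDefinitionAgeDays) "Definitions are $age day(s) old" }

$levels = @{ 0 = 'not joined'; 1 = 'basic'; 2 = 'advanced' }
$spynet = [int](Get-DefenderValue 'SpyNet' 'SpyNetReporting')
Write-Host "SpyNet membership: $($levels[$spynet])"

# Every excluded path is a place Defender will never look; list them so
# each one gets a second look from whoever reads the report.
foreach ($p in Get-DefenderExclusions) { Report $false "Excluded from scans: $p" }
```

Run the script from an elevated prompt; the policy hive is readable by everyone, but the report is only meaningful if it reflects what the Defender service actually uses, and a policy value set by the domain will silently override whatever a user picked in the Tools page.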
