Windows Defender: Part One of Two

Time, once again, to introduce you to new Group Policy settings included with Windows Vista. I've set aside this week and next week to write about new Group Policy settings that control Windows Defender.

Spyware is software that typically collects user information, changes computer settings, or displays advertisements, like pop-up ads, without consent of the user. Antispyware software is software specifically designed to prevent the installation of or alert the user of potential spyware. Windows Defender is an antispyware component of Windows Vista.

As a Group Policy administrator, you have the ability to control some behaviors of Windows Defender by using Group Policy. You can locate the Windows Defender policy settings under Computer Configuration\Administrative Templates\Windows Components\Windows Defender. This policy category has eight computer policy settings and does not provide any user policy settings. These policy settings apply to computers running, and users logging onto, Windows Vista. Earlier versions of Windows will ignore most of these policy settings. Read the explain text of each policy setting before you combine these policy settings with earlier policy settings in a single Group Policy object. This installment covers four of the eight computer policy settings.

I'll begin with the simplest of this week's four policy settings: Turn off Windows Defender. This policy setting literally speaks for itself. When enabled, Windows Defender does not provide any real-time monitoring, nor does it run its regularly scheduled scans. You can use this policy setting if your company uses an alternative antispyware solution.

Windows Defender uses a definition file to identify potential forms of spyware. The definition file contains patterns, or "signatures," of common implementations of spyware. However, newer forms of spyware attempt potentially unauthorized operations that are not yet described by any signature in the definition file. Windows Defender monitors for this type of behavior and prompts the user with an Unknown Detection dialog box. This dialog box remains on the screen until the user responds by clicking Allow, which lets the operation proceed, or Block, which prevents the operation from completing. The policy setting Turn off Real-Time Protection prompts for Unknown Detection allows you to control this behavior. When enabled, Windows Defender does not prompt the user to allow or block the unknown activity.

Windows Defender scans the registry and file system at scheduled times for patterns that match the signatures in the definition file. The policy setting Check for New Signatures Before Scheduled Scans provides you with the ability to force Windows Defender to check Windows Update or a corporate WSUS server for new signatures before it starts its scheduled scan of the computer. You can use this policy setting to ensure Windows Defender uses the newest signatures when scanning for spyware.

As previously noted, definition files contain signatures. These signatures help Windows Defender detect spyware. Periodically, Microsoft releases new definition files, which contain new signatures. The previously discussed policy setting controls when Windows Defender checks for new signatures. Corporate networks often distribute operating system updates using Windows Server Update Services (WSUS). Additionally, WSUS is capable of distributing the definition files used by Windows Defender. The Turn on definition updates through both WSUS and Windows Update policy setting controls how Windows Defender retrieves new definition files. When enabled, this setting allows corporate computers to retrieve new definition files from Windows Update when an attempt to use the corporate WSUS server fails. This is especially useful for laptop computers, which are often disconnected from the corporate network.
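Group Policy delivers each of the four settings above as a registry value under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, which is the quickest place to confirm that a setting actually reached a computer after a Group Policy refresh. The following PowerShell script is an added example written for this post, not code from the original article or from Microsoft; it audits the four settings against an expected baseline. The value names for Turn off Windows Defender (DisableAntiSpyware) and Check for New Signatures Before Scheduled Scans (Scan\CheckForSignaturesBeforeRunningScan) are the documented ones; the value names used for the Unknown Detection prompt and the WSUS/Windows Update fallback are assumptions, marked in the code, and should be confirmed against the WindowsDefender.admx template in your domain before you rely on them. The baseline itself is also an assumption: it expects Windows Defender to stay on, prompts to stay on, and both signature-update settings to be enabled.

```powershell
# Added example, not part of the original post: audit whether the four Windows Defender
# policy settings discussed above have reached this computer, by reading the registry
# values that Group Policy writes under the Windows Defender policy key.
# Run in an elevated PowerShell session after a Group Policy refresh (gpupdate /target:computer).

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# One entry per policy setting: where Group Policy stores it, what data means "Enabled",
# and the state this (assumed) baseline expects to find.
$Settings = @(
    @{ Name     = 'Turn off Windows Defender'
       SubKey   = ''
       Value    = 'DisableAntiSpyware'                    # documented value name
       Expected = 'Not Configured'                        # baseline: keep Defender running
       Note     = 'Enabled means no real-time monitoring and no scheduled scans; acceptable only with another antispyware product in place.' },
    @{ Name     = 'Turn off Real-Time Protection prompts for Unknown Detection'
       SubKey   = 'Real-Time Protection'
       Value    = 'DisableUnknownPrompts'                 # ASSUMED value name, confirm against WindowsDefender.admx
       Expected = 'Not Configured'                        # baseline: users still see the Allow/Block prompt
       Note     = 'Enabled means unrecognised behaviour is never surfaced to the user.' },
    @{ Name     = 'Check for New Signatures Before Scheduled Scans'
       SubKey   = 'Scan'
       Value    = 'CheckForSignaturesBeforeRunningScan'   # documented value name
       Expected = 'Enabled'                               # baseline: refresh signatures before each scheduled scan
       Note     = 'Not enabled means scheduled scans may run with stale signatures.' },
    @{ Name     = 'Turn on definition updates through both WSUS and Windows Update'
       SubKey   = 'Signature Updates'
       Value    = 'DefinitionUpdatesThroughWSUSAndWU'     # ASSUMED value name, confirm against WindowsDefender.admx
       Expected = 'Enabled'                               # baseline: laptops off the network can fall back to Windows Update
       Note     = 'Not enabled means a failed WSUS contact leaves the computer with old definitions.' }
)

function Get-DefenderPolicyState {
    foreach ($s in $Settings) {
        $path = if ($s.SubKey) { Join-Path $PolicyRoot $s.SubKey } else { $PolicyRoot }
        $data = $null
        if (Test-Path -Path $path) {
            # A missing value is normal when the setting is Not Configured, so suppress the error.
            $item = Get-ItemProperty -Path $path -Name $s.Value -ErrorAction SilentlyContinue
            if ($item) { $data = $item.($s.Value) }
        }
        # Policy DWORDs follow the usual convention: absent = Not Configured, 1 = Enabled, 0 = Disabled.
        $state = if ($null -eq $data) { 'Not Configured' }
                 elseif ([int]$data -eq 1) { 'Enabled' }
                 else { 'Disabled' }
        [pscustomobject]@{
            Setting   = $s.Name
            Path      = $path
            ValueName = $s.Value
            Data      = $data
            State     = $state
            Expected  = $s.Expected
            Compliant = ($state -eq $s.Expected)
            Note      = $s.Note
        }
    }
}

# Summary table, then the full detail for anything that deviates from the baseline.
$report = Get-DefenderPolicyState
$report | Format-Table Setting, State, Expected, Compliant -AutoSize
$report | Where-Object { -not $_.Compliant } | Format-List Setting, Path, ValueName, Data, Note
```

The Compliant column is what a desktop team would feed into a wider health check; the Note column records why the deviation matters in the terms the post uses, so whoever reads the report does not need the explain text in front of them. Because the script reads only the policy key, a setting that was changed locally through the Windows Defender user interface rather than through Group Policy will not appear here.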

Spyware is real; it increases the cost of ownership, and it can open your network up to other vulnerabilities. Consider using Windows Defender, its policy settings, and other Group Policy settings to lower your total cost of ownership and keep your network safe.

NEXT WEEK: Windows Defender: Part Two of Two

Mike Stephens, Technical Writer, Group Policy