Windows Defender and Resulting Internet Communication in Windows Vista

In This Section

Benefits and Purposes of Windows Defender and the Online Microsoft SpyNet Community

Overview: Using Windows Defender and Information from the Microsoft SpyNet Community in a Managed Environment

How Windows Defender Communicates with Sites on the Internet (Without Microsoft SpyNet Membership)

How Windows Defender Communicates with Sites on the Internet When Combined with Microsoft SpyNet

Procedures for Configuration of Windows Defender

Benefits and Purposes of Windows Defender and the Online Microsoft SpyNet Community

Windows Defender

With Windows Defender, users can be alerted when spyware or potentially unwanted software attempts to install itself or run on their computers. Windows Defender also alerts users when programs attempt to change important Windows settings. When Windows Vista is installed and the computer is started for the first time, prompts appear to help the user enable various recommended features, including Windows Defender.

With Windows Defender, users can schedule scans on a regular basis and can be alerted to harmful software that is detected or removed during the scan.

In Windows Vista, Windows Defender is designed to be easily updated from the Windows Update Web site or, in an environment with Windows Server Update Services (WSUS), from a WSUS server. Updating is important because it helps Windows Defender respond to the inevitable changes in spyware and unwanted software over time. The following list briefly describes how Windows Defender obtains updates:

  • If Windows Defender is enabled, by default it checks for software updates and updated definitions (of spyware and other unwanted software) before each scheduled scan. It checks for these updates on the Windows Update Web site (or in an environment with WSUS, it checks a WSUS server). This check for updates helps ensure that Windows Defender uses the latest available software and definitions when scanning.

    Scheduled scans occur daily by default, so these checks for software updates also occur daily by default.

  • Through commands on the Help menu, the user can request that Windows Defender check immediately for updated definitions. (Users can also view a Web-based privacy statement.)

For more details about how Windows Defender checks for software updates, see "How Windows Defender Communicates with Sites on the Internet (Without Microsoft SpyNet Membership)," later in this section.

The Online Microsoft SpyNet Community

The Online Microsoft SpyNet community is designed to help Microsoft continually update and improve definitions of spyware and other potentially unwanted software, and help Microsoft improve Windows Defender and related technologies.

New types and versions of potentially unwanted software are emerging regularly, so SpyNet ratings help Microsoft researchers discover new threats more rapidly and determine which software to investigate. For example, if many people remove software that has not yet been classified, Microsoft will analyze that software to see if it should be included in future definitions.

Joining the online Microsoft SpyNet Community is optional but recommended. When the computer is first started after installation of Windows Vista, prompts appear recommending steps that can help protect the computer. These include joining the online Microsoft SpyNet community.

Overview: Using Windows Defender and Information from the Microsoft SpyNet Community in a Managed Environment

In a managed environment, Windows Defender can help prevent potentially unwanted software from causing problems and help keep it off of users' computers. Membership in the online Microsoft SpyNet Community can help provide additional information that might be useful when you are making decisions about questionable software.

However, you might choose solutions other than Windows Defender for defending against potentially unwanted software. There are a variety of ways to control Windows Defender, including:

  • Prevent users from running Windows Defender by using Group Policy.

  • Use Windows Defender but set up WSUS in your environment, so that Windows Defender checks your WSUS servers for updates. Note, however, that if the WSUS servers are unavailable, Windows Defender will fall back to checking the Windows Update Web site for updates, to ensure that it uses the latest definitions when scanning. For information about WSUS, see the Microsoft Web site at:

    https://go.microsoft.com/fwlink/?LinkId=70686

  • Limit access to resources such as the online Microsoft SpyNet Community by allowing only designated people to become members. You can prevent users from joining Microsoft SpyNet by using Group Policy.

How Windows Defender Communicates with Sites on the Internet (Without Microsoft SpyNet Membership)

The following list describes how Windows Defender communicates with sites on the Internet when users do not have membership in the online Microsoft SpyNet Community. (Communication that results from Basic or Advanced membership in the online Microsoft SpyNet Community is described in the next section.)

When enabled by itself, Windows Defender communicates with sites on the Internet as follows:

  • Specific information sent or received: The following list describes the information that is received in specific situations:

    • Each time Windows Defender performs a scheduled scan (if there is a connection to the Internet), by default it checks the Windows Update Web site for software updates and updated definitions. This is the same process that is used to check for updates for other operating system features, which means that the information sent includes the version of the current set of definitions. If updates are available, they are downloaded by Windows Defender. For more information about the update process, see Windows Update and Resulting Internet Communication in Windows Vista in this white paper.

    • When the user clicks Help options and then clicks Check for updates, Windows Defender performs the same check as described in the previous item.

    • When the user clicks Help options and then clicks View Privacy Statement Online, Windows Defender displays the Windows Defender privacy statement:

      https://go.microsoft.com/fwlink/?LinkId=71539

  • Default settings: If Windows Defender is enabled, by default it scans the computer daily. (Prompts recommending that Windows Defender be enabled are displayed the first time the computer is started after setup.)

  • Triggers: When Windows Defender performs a scheduled scan, by default it also searches the Microsoft Web site for the latest definition file. To cause Windows Defender to check immediately for updates or display the privacy statement online, the user must explicitly click the Help options offered.

  • User notification: When a scan is in progress and the Windows Defender interface is open, status about the scan is displayed. Also when a scan is in progress, the user can click the Windows Defender icon in the notification area (near the bottom of the screen) to view status.

  • Logging: Windows Defender logs the following types of information on the local computer:

    • Events are logged in Event Viewer in the System log.

    • Update failures are logged to systemroot\Temp\Mpsigstub.log.

    • Actions taken to protect against spyware or potentially unwanted software are logged in the same location as other events for that software.

  • Encryption: Windows Defender uses the same encryption methods as Windows Update, which means initial data is transferred using HTTPS, and updates are transferred using HTTP.

  • Access: Microsoft staff maintains the functionality of the Windows Update Web site, and as part of monitoring the Web site, monitors the version information that Windows Defender sends when it checks for updates.

  • Privacy: You can view the Windows Defender privacy statement at:

    https://go.microsoft.com/fwlink/?LinkId=71539

  • Transmission protocol and port: Windows Defender uses the same transmission protocols and ports as Windows Update: HTTP with port 80 and HTTPS with port 443.

  • Ability to disable: You can disable Windows Defender through Control Panel or Group Policy.
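The "Logging" item above names the two local places an administrator can look to confirm that the daily definition check is actually succeeding: the System event log and systemroot\Temp\Mpsigstub.log. The following PowerShell script is an added example, not code from the white paper or from Microsoft; it gathers both pieces of evidence from the local computer. It is written for the PowerShell 2.0 syntax available on Windows Vista. The event source name 'Windows Defender' is an assumption (the white paper only says that events go to the System log), so adjust the Source parameter if Event Viewer shows a different source on your systems.

```powershell
# Added example (not from the Microsoft white paper): collect the local
# Windows Defender update evidence the section describes, so an administrator
# can confirm that scheduled definition checks are succeeding on a Vista computer.

function Get-DefenderUpdateLog {
    # The white paper states that update failures are written to
    # systemroot\Temp\Mpsigstub.log; return the last few lines if it exists.
    param([int]$Tail = 20)
    $logPath = Join-Path $env:SystemRoot 'Temp\Mpsigstub.log'
    if (-not (Test-Path -LiteralPath $logPath)) {
        return "No update-failure log at $logPath (no failures recorded, or no update attempted yet)."
    }
    Get-Content -LiteralPath $logPath | Select-Object -Last $Tail
}

function Get-DefenderSystemEvents {
    # The white paper says Windows Defender events are written to the System log.
    # ASSUMPTION: the event source is named 'Windows Defender'; change -Source
    # if Event Viewer shows a different source name for these entries.
    param([int]$Days = 7, [string]$Source = 'Windows Defender')
    $since = (Get-Date).AddDays(-$Days)
    Get-EventLog -LogName System -Source $Source -After $since -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EntryType, EventID, Message
}

function Test-DefenderUpdatesHealthy {
    # Simple verdict: any Error or Warning from the Defender source in the
    # period, or the presence of Mpsigstub.log, deserves an administrator's look.
    param([int]$Days = 7)
    $events   = @(Get-DefenderSystemEvents -Days $Days)
    $problems = @($events | Where-Object { $_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning' })
    $logPath  = Join-Path $env:SystemRoot 'Temp\Mpsigstub.log'
    $hasLog   = Test-Path -LiteralPath $logPath
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        EventsChecked   = $events.Count
        ProblemEvents   = $problems.Count
        UpdateLogExists = $hasLog
        Healthy         = (($problems.Count -eq 0) -and (-not $hasLog))
    }
}

# Usage: summarise the last week, then show any recorded update failures.
Test-DefenderUpdatesHealthy -Days 7 | Format-List Computer, EventsChecked, ProblemEvents, UpdateLogExists, Healthy
Get-DefenderUpdateLog
```

Because Windows Defender falls back from a WSUS server to the Windows Update Web site when WSUS is unavailable, a computer can report no update failures while still reaching the Internet directly; correlate this output with your proxy or firewall logs for port 80 and 443 traffic if that distinction matters in your environment.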

How Windows Defender Communicates with Sites on the Internet When Combined with Microsoft SpyNet

The following list describes communication resulting from the use of Windows Defender combined with membership in the online Microsoft SpyNet Community. (The previous section describes how Windows Defender communicates with sites on the Internet without Microsoft SpyNet membership.)

When a user has joined the online Microsoft SpyNet Community, Windows Defender communicates with sites on the Internet as follows:

  • Specific information sent or received: The following list describes the information that is sent with different levels of membership in Microsoft SpyNet. The information is sent whenever Windows Defender detects software that has not been analyzed for risks:

    • For Basic members: The report that is sent by Windows Defender to the Microsoft SpyNet Web site includes the following information:

      About the computer: A randomly generated, globally unique identifier (GUID) that is used to anonymously identify the computers of Microsoft SpyNet members as they communicate with the Microsoft SpyNet Web site. (Windows Defender creates the GUID unless the operating system was upgraded from Windows XP, in which case the GUID might have been created previously by the Microsoft Malicious Software Removal Tool running on Windows XP.)

      Information collected also includes the operating system name and version (including any service packs that have been applied), the Web browser software and version, and identifiers for the country or region and locale. In addition, the report might contain information related to the possible presence of spyware or other potentially unwanted software—for example, information about registry key entries that control actions such as automatically starting an application when the system starts.

      About the software in question: This information includes file name, size, date stamps, and where applicable, vendor and cryptographic hashes. In addition, full URLs can be collected that indicate the origin of the file, and might contain personal information such as search terms or data entered in forms. The report can also include the action that the user chose to take when the program was detected (Block or Allow).

Note

The user's membership in Microsoft SpyNet means that the user might sometimes see a pop-up request for a Sample Submission report. This report requests specific files that Microsoft suspects might be potentially unwanted software on a computer, and they are used for further analysis. The report is sent only if the user consents.

    • For Advanced members: The report that is sent to the Microsoft SpyNet Web site includes the information sent with a Basic membership, plus additional details about the software in question including file paths and partial memory dumps (rarely). These file paths and partial memory dumps might unintentionally contain personal information. To the extent any personal information is included in a report, the information is not used to identify a user or contact a user.

  • Default settings: If a person opts in to Microsoft SpyNet during the prompts that appear after a computer running Windows Vista is first started after setup, the membership is a Basic membership by default.

  • Triggers: When Windows Defender detects software that has not been analyzed for risks (software not previously categorized in the Windows Defender definition file) and the user is a member of Microsoft SpyNet, Windows Defender sends a report about the software in question.

  • User notification: For Basic Microsoft SpyNet members, the user notification is the same as for anyone using Windows Defender—see "How Windows Defender Communicates with Sites on the Internet (Without Microsoft SpyNet Membership)," earlier in this section.

    For Advanced Microsoft SpyNet members, if software is present that has not yet been classified for risk, and it attempts to change computer settings, a prompt asks whether to allow or block the change. (For users who are Basic Microsoft SpyNet members, such software is not blocked.)

  • Logging: Logging for Windows Defender does not change when the user is a Microsoft SpyNet member—see "How Windows Defender Communicates with Sites on the Internet (Without Microsoft SpyNet Membership)," earlier in this section.

  • Encryption: Windows Defender uses Secure Sockets Layer (SSL) to encrypt the information it sends to Microsoft SpyNet.

  • Access: Microsoft SpyNet reports are used to improve Microsoft software and services. The reports may also be used for statistical or other testing or analytical purposes, trending, and signature generation. Only Microsoft employees, contractors, and vendors who have a business need to use the reports are provided access to them.

  • Privacy: You can view the Windows Defender privacy statement, which covers Microsoft SpyNet, at:

    https://go.microsoft.com/fwlink/?LinkId=71539

  • Transmission protocol and port: When Windows Defender sends information to Microsoft SpyNet, it uses HTTPS with port 443.

  • Ability to disable: A user can decline or end membership in Microsoft SpyNet from an individual computer running Windows Vista, and an administrator can prevent users from being members by using Group Policy.

Procedures for Configuration of Windows Defender

This subsection provides procedures for:

  • Viewing or changing Windows Defender settings, including Microsoft SpyNet settings, on a computer running Windows Vista.

  • Disabling Windows Defender by using Group Policy.

  • Preventing Microsoft SpyNet membership by using Group Policy.

  • Locating the Group Policy settings that control such things as Microsoft SpyNet Reporting and the degree of logging for Windows Defender detections.

To View or Change Windows Defender and Microsoft SpyNet Settings on a Computer Running Windows Vista

  1. Click Start, point to All Programs or Programs, and then click Windows Defender.

  2. Click Tools, and then click Options.

  3. View or change settings, and then click Save or Cancel.

  4. With the Tools and Settings interface still displayed, click Microsoft SpyNet.

  5. View or change settings, and then click Save or Cancel.

To Disable Windows Defender by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console (GPMC) by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.

  3. In the details pane, double-click Turn off Windows Defender, and then click Enabled.

Note

If this Group Policy setting is enabled, the user can still click the command to open Windows Defender. However, Windows Defender will display a pop-up saying that it is turned off by Group Policy.

To Prevent Microsoft SpyNet Membership by Using Group Policy

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.

  3. In the details pane, double-click Configure Microsoft SpyNet Reporting, click Enabled, and then click No Membership.

Important

To prevent Microsoft SpyNet reporting, be sure to enable this setting and then choose No Membership (do not disable the setting).

To Locate the Group Policy Settings for Windows Defender

  1. See Appendix B: Resources for Learning About Group Policy for Windows Vista for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows Vista, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.

Note

You must perform this procedure by using GPMC on a computer running Windows Vista (GPMC is included in Windows Vista).

  2. Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.

  3. View the Group Policy settings that are available. If you want more information about a setting, double-click the setting, and then click the Explain tab.
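The three GPMC procedures above set policy, but they do not tell you what a given computer actually received, and the "Important" note warns that disabling Configure Microsoft SpyNet Reporting does not prevent membership. The following PowerShell script is an added example, not code from the white paper or from Microsoft; it reads a Resultant Set of Policy (RSoP) report and checks the final state of the two settings named in this section, Turn off Windows Defender and Configure Microsoft SpyNet Reporting. It assumes that gpresult /X (available on Windows Vista, run from an elevated prompt for computer scope) writes the GPMC RSoP XML format in which each Administrative Template setting is a Policy element with Name and State children and, for a drop-down option, a DropDownList whose Value/Name holds the selected choice; the XML sample embedded in the script is constructed for offline testing, not real gpresult output, so adjust the XPath if your reports are laid out differently.

```powershell
# Added example (not part of the Microsoft white paper): check, from an RSoP
# XML report, how the two Windows Defender Group Policy settings named in this
# section ended up on a computer. Element names are matched with local-name()
# so the report's XML namespaces do not matter.

function Get-DefenderPolicyState {
    param(
        # Path to an RSoP XML report; one is generated with gpresult if omitted.
        [string]$ReportPath
    )
    if (-not $ReportPath) {
        $ReportPath = Join-Path $env:TEMP 'rsop-defender.xml'
        # /SCOPE COMPUTER: both settings live under Computer Configuration.
        gpresult /SCOPE COMPUTER /X $ReportPath /F | Out-Null
    }
    [xml]$rsop = Get-Content -LiteralPath $ReportPath

    $names = 'Turn off Windows Defender', 'Configure Microsoft SpyNet Reporting'
    foreach ($n in $names) {
        # ASSUMPTION: setting = <Policy> element with <Name> and <State> children.
        $policy = $rsop.SelectSingleNode("//*[local-name()='Policy'][*[local-name()='Name']='$n']")
        $state  = 'Not configured'
        $choice = $null
        if ($policy) {
            $state = $policy.SelectSingleNode("*[local-name()='State']").InnerText
            # ASSUMPTION: the selected drop-down item sits at DropDownList/Value/Name.
            $dd = $policy.SelectSingleNode(".//*[local-name()='DropDownList']/*[local-name()='Value']/*[local-name()='Name']")
            if ($dd) { $choice = $dd.InnerText }
        }
        New-Object PSObject -Property @{ Setting = $n; State = $state; Choice = $choice }
    }
}

function Test-SpyNetBlocked {
    # The section's 'Important' note: SpyNet reporting is prevented only when
    # the setting is Enabled with 'No Membership'. Disabled or Not configured
    # leaves users free to join.
    param([string]$ReportPath)
    $spynet = Get-DefenderPolicyState -ReportPath $ReportPath |
        Where-Object { $_.Setting -eq 'Configure Microsoft SpyNet Reporting' }
    return (($spynet.State -eq 'Enabled') -and ($spynet.Choice -eq 'No Membership'))
}

# Constructed sample report (not real gpresult output) so the parsing can be
# exercised offline; the namespace prefixes mimic the GPMC report style.
$sample = @'
<Rsop xmlns="http://www.microsoft.com/GroupPolicy/Rsop">
  <ComputerResults>
    <ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry">
        <q1:Policy>
          <q1:Name>Turn off Windows Defender</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Windows Components/Windows Defender</q1:Category>
        </q1:Policy>
        <q1:Policy>
          <q1:Name>Configure Microsoft SpyNet Reporting</q1:Name>
          <q1:State>Enabled</q1:State>
          <q1:Category>Windows Components/Windows Defender</q1:Category>
          <q1:DropDownList>
            <q1:Name>Join Microsoft SpyNet</q1:Name>
            <q1:State>Enabled</q1:State>
            <q1:Value><q1:Name>No Membership</q1:Name></q1:Value>
          </q1:DropDownList>
        </q1:Policy>
      </Extension>
    </ExtensionData>
  </ComputerResults>
</Rsop>
'@
$samplePath = Join-Path $env:TEMP 'rsop-sample.xml'
Set-Content -LiteralPath $samplePath -Value $sample

# Usage against the constructed sample; omit -ReportPath to query the live computer.
Get-DefenderPolicyState -ReportPath $samplePath | Format-Table Setting, State, Choice -AutoSize
Test-SpyNetBlocked -ReportPath $samplePath
```

Running Test-SpyNetBlocked across a set of machines (for example by collecting gpresult /X reports to a share) gives a quick answer to the question the "Important" note raises: whether the setting was merely disabled, which does not stop reporting, or enabled with No Membership, which does.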

Additional References