Lesson 3: Troubleshooting Windows Defender

Windows Defender, which is also available as a free download for Windows XP, is a tool that informs users about changes programs make to their computers and gives users greater control over which programs are installed. One of Windows Defender’s goals is to reduce the impact of spyware and potentially unwanted programs.

However, as with many features that improve security, Windows Defender can cause compatibility problems. This lesson describes how to diagnose and resolve problems using Windows Defender.

After this lesson, you will be able to:

  • Troubleshoot problems downloading Windows Defender definitions.
  • Identify changes that Windows Defender has blocked.
  • Avoid Windows Defender alerts for necessary programs.

Estimated lesson time: 15 minutes

How to Troubleshoot Problems Downloading Definitions

If Windows Defender cannot download updates, the most likely cause is that a firewall is blocking access to Windows Update. Often, network administrators block Windows Update because the organization uses WSUS to approve updates, and client computers should never retrieve updates directly from Microsoft.

To identify the source of the problem, first examine the System event log for information about updates. To view the System event log, follow these steps:

  1. Click Start. Right-click Computer, and then click Manage. Provide administrative credentials at the UAC prompt.
  2. Under System Tools, expand Event Viewer, Windows Logs, and then select System.

Within the System event log, view events with a source of “Windows Defender.” The following shows an event with an Event ID of 2000, in which Windows Defender successfully installed a definition update:

Windows Defender signature version has been updated. 
          Current Signature Version: 1.15.2224.9 
          Previous Signature Version: 1.15.2220.1 
          Update Source: User
          Signature Type: AntiSpyware 
          Update Type: Delta 
          User: NT AUTHORITY\SYSTEM 
          Current Engine Version: 1.1.2101.0 
          Previous Engine Version: 1.1.2101.0

Windows Defender uses Event ID 2002 to log updates to the Windows Defender engine itself.

Next, examine the %windir%\WindowsUpdate.log file for error messages, and then search related Microsoft Knowledge Base articles for more information about errors in the Windows-Update.log file. This log file will typically have thousands of entries, but you can quickly find the Windows Defender–related entries by searching for the phrase “Windows Defender.” The following example shows a successful Windows Defender definition update (with some fields omitted for simplicity):

DnldMgr          ************* 
DnldMgr          ** START ** DnldMgr: Downloading updates [CallerId = AutomaticUpdates] 
DnldMgr          ********* 
DnldMgr              * Call ID = {DA5A072F-A9F9-43B4-B67B-5435D3301B01} 
DnldMgr              * Priority = 2, Interactive = 0, Owner is system = 1,
  Explicit proxy = 0, Proxy session id = -1, ServiceId = 
DnldMgr              * Updates to download = 1 
Agent              *      Title = Definition Update 1.14.1921.2 for Windows Defender (KB915597) 
Agent              *      UpdateId = {EAF6F766-3E8B-4F45-B50F-9F30EF004044}.100 
Agent              *           Bundles 1 updates: 
Agent              *                {B47FBF08-503F-428C-96BB-11509FBDF3A5}.100 
DtaStor            Update service properties: service registered with AU is
DnldMgr          ***********  DnldMgr: New download job [UpdateId = 
{B47FBF08-503F-428C-96BB-11509FBDF3A5}.100] *********** 
DnldMgr               * BITS job initialized, JobId = {99086C54-EAD1-4093-A226-92F021003FCF} 
DnldMgr               * Downloading from http://au.download.windowsupdate.com/msdownload/update 
to C:\Windows\SoftwareDistribution\Download 
\7e35a762b4eb36bdef0bcfddafbafc1dc750dd54 (full file). 
Agent          ********* 
Agent          **   END   ** Agent: Downloading updates [CallerId = AutomaticUpdates] 
Agent          ************* 
Report         REPORT EVENT: {712F6CF3-4DAC-4DBD-AA73-7AB74B5DC419} 
2006-11-29 16:17:13:272-0500                   1           147              101 
{00000000-0000-0000-0000-000000000000}                   0	          0 
AutomaticUpdates          Success            Software Synchronization 
Windows Update Client successfully detected 2 updates.

As you can see from this log file excerpt, the Windows Defender update agent logs the exact source and destination location. If you experience a problem downloading definitions, you can attempt to download the specified update file ( in the sample log file) directly from the computer by using Internet Explorer. If you can’t download the file in Internet Explorer, the Windows Defender update agent also won’t be able to download the file.

If you can’t manually reach the file by using Internet Explorer, verify the following:

  • You can use a Web browser to reach the public Internet.
  • If your computer is a member of a domain, it has the latest version of the domain Group Policy settings. You can refresh these settings by running gpupdate /force with administrative privileges. These settings might configure the Windows Update client to retrieve updates from a WSUS server instead of downloading them directly from Microsoft.
  • Any firewalls allow HTTP requests to the windowsupdate.com domain and subdomains (that is, download.windowsupdate.com).
  • Internet Explorer is not configured to block requests to the windowsupdate.com domain. To verify that the problem is not related to the Internet Explorer configuration, add http://*.windowsupdate.com/ to the computer’s Trusted Sites list.

How to Identify Changes Blocked by Windows Defender

Windows Defender adds events to the System event log when it detects changes that require the user’s confirmation. Within the System event log, view events with a source of “Windows Defender.” The following shows an event with an Event ID of 3004, in which Windows Defender blocked the installation of a program that registered an icon in the system tray:

Windows Defender Real-Time Protection agent has detected changes. 
Microsoft recommends you analyze the software that made these changes 
for potential risks. You can use information about how these programs 
 operate to choose whether to allow them to run or remove them from 
your computer. Allow changes only if you trust the program or the 
software publisher. Windows Defender can't undo changes that you allow. 
 For more information please see the following: 
Not Applicable 
           Scan ID: {14DC2DCC-A5C9-47CF-90EC-0B01BF0C7B58} 
           User: computer\user 
           Name: Unknown 
           Severity ID: 
           Category ID:
           Path Found: regkey:HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
           Alert Type: Unclassified software 
           Detection Type: 

Shortly thereafter, the System event log might show an event with an Event ID of 3005, which will show how the user chose to handle the change. The following example event demonstrates that the user approved the previous change, as evidenced by the Ignore action:

Windows Defender Real-Time Protection agent has taken action to protect 
 this machine from spyware or other potentially unwanted software. 
 For more information please see the following: 
Not Applicable 
           Scan ID: {14DC2DCC-A5C9-47CF-90EC-0B01BF0C7B58} 
           User: computer\user 
           Name: Unknown 
           Severity ID: 
           Category ID: 
           Alert Type: Unclassified software 
           Action: Ignore

You can use the Scan ID to match related Windows Defender events.

How to Work Around False Alarms

It is possible for Windows Defender to warn users about a file that you consider to be trustworthy. You can selectively avoid these warnings by trusting specific files and folders or by disabling different types of real-time protection. Making these changes always requires administrator privileges.

The sections that follow describe different techniques for avoiding these false alarms. Whenever possible, ignore specific files and folders that cause problems in your organization. Only disable real-time protection or heuristics if the Windows Defender warnings are extremely problematic and frequent.

NOTE Tracking Windows Defender changes

Malware might attempt to change the Windows Defender configuration to avoid detection. So that you can track all Windows Defender configuration changes, it adds events with a source of “Windows Defender” and an Event ID of 5007 to the System event log.

How to Ignore Specific Files and Folders

To configure Windows Defender to ignore specific files or folders, follow these steps:

  1. Start Windows Defender. Then, click Tools on the toolbar.
  2. Click the Options link.
  3. Scroll down to the Advanced Options section.
  4. Under Do Not Scan These Files Or Locations, click the Add button. In the Browse For Files Or Folders dialog box, select the file or folder you want Windows Defender to ignore. Click OK.
  5. NOTE Where to find Document folders

    The Browse For Files Or Folders dialog box doesn’t show users’ Documents folders. However, you can find these under C:\Users by default.

  6. Click Save.

Windows Vista will not scan the specified files or folders.

How to Ignore Specific Types of Real-Time Protection

Windows Defender monitors many aspects of the operating system. You can disable any of these aspects if they prove problematic in your organization because of a large number of false alarms.

  1. Start Windows Defender. Then, click Tools on the toolbar.
  2. Click the Options link.
  3. Scroll down to the Real-Time Protection Options section. Clear the check boxes for the specific types of protection you want to disable:
    • Auto Start Monitors changes to the list of programs that start automatically when Windows starts or when a user logs on. This is one of the most important configuration settings to monitor; if unwanted software adds itself to the Auto Start list, it will continue to run after restarting the computer.
    • System Configuration (Settings) Monitors changes to the system configuration. This is important to leave enabled because many types of unwanted software attempt to change aspects of the computer’s configuration.
    • Internet Explorer Add-Ons Monitors changes to Internet Explorer add-ons. Typically, you should leave this enabled even if you have a custom add-on that you need installed. If this is disabled, unwanted software might be able to install add-ons, which can change how webpages appear.
    • Internet Explorer Configurations (Settings) Monitors changes to Internet Explorer configuration. This is very important, because changes to the Web browser configuration could disable important security settings, exposing weaknesses that other unwanted software might abuse.
    • Internet Explorer Downloads Monitors files that users download with Internet Explorer. Many unwanted software installations are initiated when a user intentionally downloads a program because the program contains unwanted, bundled software. Disabling this type of real-time protection increases the likelihood of users accidentally installing unwanted software. You should clear this setting only if you have tightly configured Internet Explorer to prevent users from downloading unwanted software.
    • Services And Drivers Monitors additions and changes to services and drivers. Services and drivers can start automatically and run with system-level privileges, so it is important to keep this real-time protection enabled.
    • Application Execution Monitors when unknown applications run.
    • Application Registration Monitors when an application installs itself.
    • Windows Add-Ons Monitors new components that register themselves as add-ons.
    • Software That Has Not Yet Been Classified For Risks Monitors software that does not yet have a Windows Defender definition. This capability allows Windows Defender to detect potentially unwanted software that Microsoft has not analyzed.
    • Changes Made To Your Computer By Software That Is Permitted To Run This is the only form of real-time protection that is disabled by default. You can enable this for additional security; however, users can find it annoying.
  4. Click Save.

Windows Vista will not perform the types of scans for which you cleared the associated check boxes. If you must disable some form of real-time protection to troubleshoot an issue, disable one form of real-time protection at a time and test the problem to verify that it is fixed. Avoid disabling real-time protection unnecessarily to reduce security risks.

How to Ignore False Alarms for Unknown Software

Windows Vista can use heuristics to alert users to unknown software running. Unknown software includes any program that Microsoft has not yet analyzed and provided a definition for. If you determine that Windows Defender frequently alerts users to problems detected using heuristics, you can disable this feature by clearing the Use Heuristics To Detect Potentially Harmful Or Unwanted Behavior By Software That Hasn’t Been Analyzed For Risks check box on the Windows Defender Options page.

Practice: Distribute Updates and Analyze Windows Defender Problems

In this practice, you configure a Windows Vista client to download updates from a WSUS server. Then you simulate the installation of an application by monitoring changes to a file that Windows Defender protects.

Practice 1: Analyze Windows Defender Changes

In this practice, you perform a change that Windows Defender will detect as potentially unwanted. Then you examine the System event log to identify how Windows Defender records the attempted change.

  1. Log on to your Windows Vista test computer.
  2. Click Start. Type notepad %windir%\system32\drivers\etc\hosts. Press Ctrl+Shift+Enter to run Notepad with administrative privileges. Respond to the UAC prompt. Notepad opens your Hosts file, which is one of the files Windows Defender monitors.
  3. At the top of the file, type # Testing Windows Defender. Save the file and close Notepad.
  4. Click Start, right-click Computer, and then click Manage. Respond to the UAC prompt. Windows Vista opens Computer Management.
  5. Expand Event Viewer, Windows Logs, and then select System.
  6. Identify the Windows Defender event that describes the change you made to the Hosts file.

In production environments you can use this technique to identify important or dangerous change attempts that Windows Defender might have blocked.

Lesson Summary

  • To troubleshoot problems downloading updated Windows Defender definitions, view the System event log. For more detailed information, analyze the %windir%\Windows-update.log file.
  • To identify changes that Windows Defender has blocked, search the System event log for events with a source of “Windows Defender.”
  • You should test programs before deploying them to Windows Vista clients to verify that they work properly with Windows Defender. If Windows Defender does block legitimate changes made by one of your programs, you can configure Windows Defender to ignore the change to prevent problems when you deploy the program.

Lesson Review

You can use the following questions to test your knowledge of the information in Lesson 3, “Troubleshooting Windows Defender.” The questions are also available on the companion CD if you prefer to review them in electronic form.

NOTE Answers

Answers to these questions and explanations of why each answer choice is right or wrong are located in the “Answers” section at the end of the book.

  1. A user complains that an application installed incorrectly. How can you determine whether Windows Defender blocked any aspect of the application installation? (Choose two. Each correct answer is a complete solution.)
    1. Examine the System event log.
    2. Examine the Application event log.
    3. Examine the Security event log.
    4. View the Windows Defender History.
  2. Where would you look to identify whether Windows Defender was experiencing problems downloading updated definitions from Microsoft?
    1. The System event log
    2. The Application event log
    3. The Security event log
    4. The Windows Defender History
  3. Which of the following types of changes might Windows Defender alert the user to? (Choose all that apply.)
    1. A new service being installed
    2. A program that automatically starts
    3. A Microsoft Word document that contains a macro
    4. An Internet Explorer Add-on being installed
< Back      Next >



© Microsoft. All Rights Reserved.