How Windows Vista Helps Protect Computers From Malware

Windows Defender

Published: September 6, 2006

Windows Defender is a feature of Windows Vista that provides protection from spyware and other potentially unwanted software. Windows Defender helps to ensure that Windows Vista computers protect the user’s privacy and remain efficient and reliable. Windows Defender is signature-based, using descriptions that uniquely identify spyware and other potentially unwanted software to detect and remove known applications. Windows Defender regularly retrieves new signatures from Microsoft so it can identify and remove newly created spyware and other potentially unwanted software. These definition updates are available for free to legitimate Windows customers.

Additionally, Windows Defender real-time protection monitors critical touch-points in the OS for changes usually made by spyware. Real-time protection scans every file as it is opened and also monitors the Startup folder, Windows add-ons and other areas of the OS for changes. If an application attempts to make a change to one of the protected areas of the operating system, Windows Defender prompts the user to take appropriate action.

As shown in Figure 3, Windows Defender can also run a scan on-demand to detect and remove known spyware. By default, Windows Defender will scan Windows Vista computers daily at 2:00 AM for malware infections. Although Windows Defender real-time protection attempts to prevent most infections, nightly scanning allows Windows Defender to detect and remove newly discovered malware that may have circumvented the defenses of real-time protection.

Figure 3: Users who suspect malware has infected their computer can run a Windows Defender scan on-demand

The SpyNet Community enables Windows Defender to communicate discoveries about new applications and whether users identify applications as malware or legitimate. Feedback from the SpyNet Community helps Microsoft and users distinguish malware from legitimate software, enabling Windows Defender to more accurately identify malware and reduce the number of false alarms. Providing private feedback to the SpyNet Community is optional; however, all users can benefit from the information gathered by the community.

In addition to these features, Windows Defender includes Software Explorer. Software Explorer gives users control over many kinds of software, including add-ons that install themselves into the browser and applications that start automatically with Windows.
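The view Software Explorer gives of autostart entries and browser add-ons can also be reproduced from the command line, which is useful on a machine where an infection is suspected and an independent look at what starts with Windows is wanted. The PowerShell script below is an added example; it is not part of the original article and not part of Windows Defender. It enumerates the Run and RunOnce keys, both Startup folders and the registered Internet Explorer Browser Helper Objects, resolves each entry to the binary it launches and reports the Authenticode signature status of that binary. The registry paths are the real ones; the command-line parsing is a heuristic and the output column names are my own.

```powershell
# Added example (not from the original article): list autostart entries and IE
# browser add-ons and check whether each binary carries a valid Authenticode
# signature. Run in an elevated PowerShell session on Windows Vista or later.

function Get-ExecutablePath {
    # Heuristic: pull the executable out of a command line such as
    #   "C:\Program Files\Vendor\app.exe" /background   or   C:\Tools\app.exe -x
    param([string]$CommandLine)
    $exe = ''
    if ($CommandLine -match '^\s*"([^"]+)"')                         { $exe = $matches[1] }
    elseif ($CommandLine -match '^\s*(.+?\.(exe|dll|cpl|scr))\b')    { $exe = $matches[1] }
    elseif ($CommandLine)                                            { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function New-AutostartEntry {
    param([string]$Location, [string]$Name, [string]$Path)
    $status = 'FileMissing'    # an autostart entry whose target is gone is itself worth a look
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $status = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    }
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Path = $Path; Signature = $status }
}

$entries = @()

# 1. Run / RunOnce keys for the machine and the current user (plus the 32-bit view on x64).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        # PSPath, PSChildName etc. are registry-provider metadata, not autostart values.
        if ($prop.Name -like 'PS*') { continue }
        $entries += New-AutostartEntry -Location $key -Name $prop.Name -Path (Get-ExecutablePath ([string]$prop.Value))
    }
}

# 2. Per-user and all-users Startup folders; shortcuts are resolved to their targets.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    foreach ($file in (Get-ChildItem -Path $dir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        $target = $file.FullName
        if ($file.Extension -eq '.lnk') { $target = $shell.CreateShortcut($file.FullName).TargetPath }
        $entries += New-AutostartEntry -Location $dir -Name $file.Name -Path $target
    }
}

# 3. Internet Explorer Browser Helper Objects: each registered CLSID maps to an in-process DLL.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($bho in (Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue)) {
    $clsid  = $bho.PSChildName
    $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    if ($server) {
        $entries += New-AutostartEntry -Location 'BHO' -Name $clsid -Path (Get-ExecutablePath ([string]$server.'(default)'))
    }
}

# Unsigned or missing binaries in autostart locations are where manual triage starts.
$entries | Sort-Object Signature, Location | Format-Table Location, Name, Signature, Path -AutoSize
```

A valid signature only tells you who published the file, not that it is benign, and a NotSigned result is common for legitimate small utilities; the value of the listing is that every entry is visible with its real on-disk path, which is exactly what spyware that adds itself to a Run key or registers a BHO relies on nobody checking.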


Windows Service Hardening

Windows Service Hardening restricts critical Windows services from performing abnormal activities in the file system, registry, network, or any other resources that could be used to allow malware to install or attack other computers. For example, the Remote Procedure Call (RPC) service, which has no legitimate need to write to the file system, is prevented from replacing system files or modifying the registry. Windows Service Hardening provides an additional layer of protection for services based on the security principle of defense in depth. Windows Service Hardening cannot prevent a vulnerable service from being compromised. Instead, Windows Service Hardening limits how much damage an attacker can do in the event the attacker is able to identify and exploit a vulnerable service.

An example of a real-world security incident that Windows Service Hardening could have contained is the Blaster Worm. In August 2003, the Blaster Worm infected over 15 million Windows XP and Windows 2000 computers by exploiting a known vulnerability in the RPC service. Although a security update that fixed the vulnerability had been available for months, many administrators had not yet deployed it.

The Blaster Worm began its attack by sending network communications to the RPC service on the target computer. These network communications caused the RPC service to run malicious code, write a file to the disk, add a startup entry to the registry so the worm could persist between reboots, and then initiate outbound connections to attempt to infect other network computers.

Under normal circumstances, the RPC service never needs to write such a file to the disk, add startup entries, or send that type of network communications. However, Windows XP and Windows 2000 were not configured to block the RPC service from taking those actions. Windows Service Hardening in Windows Vista prevents a service from being abused in this way. Windows Service Hardening includes profiles for every core Windows service that dictate which parts of the file system and registry a service can access and which types of network communications a service can initiate. Third-party software developers can also take advantage of the Windows Service Hardening security benefits by providing profiles for custom services.

If a service attempts to perform an action not explicitly allowed by Windows Service Hardening, Windows Vista will block the action. For instance, Windows Service Hardening uses the outbound filtering capabilities of Windows Firewall to block outbound network communications that the service's profile does not permit. Therefore, if a worm such as the Blaster Worm were able to successfully compromise a core Windows service, it would probably not be able to add a startup entry to the registry nor easily propagate to other computers across the network.
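The per-service profile described above is visible on any Windows Vista or later machine: each service's registry key records its service SID type and the list of privileges the service is allowed to hold, and the firewall keeps a separate service-restriction rule set for network access. The PowerShell below is an added example, not taken from the article or from Microsoft. It reads those attributes for two in-box services and then applies the same controls to a hypothetical third-party service named ContosoAgent; the service name, its executable and data paths, and the management-server address 192.0.2.10 are made up for the illustration.

```powershell
# Added example (not from the original article): inspect and apply Windows
# Service Hardening settings. Service name "ContosoAgent", its paths and the
# address 192.0.2.10 are hypothetical. Run from an elevated PowerShell prompt.

function Get-ServiceHardening {
    param([string]$Name)
    $cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -ErrorAction Stop
    $sidType = switch ([int]$cfg.ServiceSidType) {
        1       { 'Unrestricted' }   # token carries NT SERVICE\<name>, so resources can be ACL'd to it
        3       { 'Restricted' }     # additionally write-restricted: a write needs an explicit grant to the service SID
        default { 'None' }           # pre-Vista behaviour: no per-service identity at all
    }
    $privs = '(every privilege of the logon account)'
    if ($cfg.RequiredPrivileges) { $privs = $cfg.RequiredPrivileges -join ', ' }
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    New-Object PSObject -Property @{
        Service = $Name; Account = $svc.StartName; SidType = $sidType; Privileges = $privs
    }
}

# Compare two in-box services: the account each runs as, its SID type and its privilege list.
'RpcSs', 'Spooler' | ForEach-Object { Get-ServiceHardening -Name $_ } | Format-List

$svcName = 'ContosoAgent'                                  # hypothetical third-party service
$svcExe  = 'C:\Program Files\Contoso\Agent\agent.exe'      # hypothetical
$svcData = 'C:\ProgramData\Contoso\Agent'                  # hypothetical

# 1. Per-service SID with a write-restricted token. Services that share a process must
#    agree on this setting, so a restricted service normally gets a process of its own.
sc.exe sidtype $svcName restricted

# 2. Keep only the privileges the code actually uses (separate several with '/').
sc.exe privs $svcName SeChangeNotifyPrivilege

# 3. A write-restricted token can only write where NT SERVICE\ContosoAgent is granted access,
#    so the file-system footprint of a compromised service is exactly this directory.
icacls.exe $svcData /grant "NT SERVICE\${svcName}:(OI)(CI)M"

# 4. Network restriction: once restricted, the service may only send or receive what the
#    rules in the service-restriction collection allow. Here that is TCP 443 to one host,
#    so code running inside the process cannot spray the network the way Blaster did.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$fw.ServiceRestriction.RestrictService($svcName, $svcExe, $true, $true)
$rule = New-Object -ComObject HNetCfg.FWRule
$rule.Name            = "$svcName to management server"
$rule.ServiceName     = $svcName
$rule.ApplicationName = $svcExe
$rule.Direction       = 2        # NET_FW_RULE_DIR_OUT
$rule.Action          = 1        # NET_FW_ACTION_ALLOW
$rule.Protocol        = 6        # TCP
$rule.RemoteAddresses = '192.0.2.10'
$rule.RemotePorts     = '443'
$rule.Enabled         = $true
$fw.ServiceRestriction.Rules.Add($rule)

# The new token and restrictions take effect when the service next starts.
Restart-Service -Name $svcName
Get-ServiceHardening -Name $svcName | Format-List
```

The order matters in practice: set the SID type and the ACL before the first restricted start, or the service will fail to write its own data and the failure will look like a bug rather than a containment. Test with the service's real workload, because a privilege or a destination left out of the profile is only discovered when the service tries to use it.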

The cost of a security compromise can be very high. Confidential data can be compromised, users can lose data, and productivity can be sacrificed. An IT department can spend several weeks repairing the damage done by a severe compromise. Windows Service Hardening can greatly reduce the damage caused by a compromised service by preventing the service from changing important configuration settings or infecting other computers on the network. With Windows Service Hardening, what could have been a major security exploit can be limited to a minor compromise.


Malicious Software Removal Tool

There are thousands of computer viruses, but historically only a small fraction of them have become widespread. The Malicious Software Removal Tool, available for the Windows 2000, Windows XP, Windows Server 2003 and Windows Vista families of operating systems, finds and removes prevalent viruses and worms from infected computers, which helps limit the damage such outbreaks cause. Windows Vista setup runs the tool before an upgrade to remove widespread viruses and worms from the previous operating system, and Microsoft delivers an updated version of the tool every month through Automatic Updates.

Because the Malicious Software Removal Tool is designed only to remove clearly malicious software, such as viruses and worms, it does not replace a full-featured antivirus product: it does not proactively prevent infection, and it detects only the most widespread families. It records the outcome of each run in %windir%\debug\mrt.log, which is where to look when a monthly update appears to have done something. Microsoft recommends that customers deploy a full antivirus solution for the highest level of security.


Windows Security Center

As shown in Figure 4, Windows Vista includes an improved version of the Security Center first released with Windows XP Service Pack 2. Security Center is intended primarily for consumers and small businesses, and it is not shown on computers that are joined to an Active Directory domain.

Figure 4: Security Center provides control over important aspects of a computer's security

Security Center provides a console for evaluating and managing many critical aspects of a computer's security:

  • Automatic Updating. Identifies whether Automatic Updating is currently enabled. Microsoft regularly releases updates to fix newly discovered vulnerabilities that malware might abuse. Having these updates installed automatically is the best way to ensure your computer receives them.
  • Virus Protection. Windows Vista does not include antivirus software, but many computer manufacturers install antivirus software on all new computers. Security Center clearly shows whether antivirus software is installed and provides recommendations for finding and installing antivirus software.
  • Spyware Protection. Identifies whether Windows Defender or third-party antispyware is currently enabled. If antispyware is not enabled, a computer is more vulnerable to spyware and other types of malware.
  • Other Security Settings. Identifies whether Internet security and User Account Control settings are set to their recommended default state. Changing these settings can make a computer more vulnerable to malware.

Additionally, Security Center contains links for managing Windows Update, User Accounts, Parental Controls, Secure Startup (the pre-release name for BitLocker Drive Encryption), Internet Options, and Windows Firewall.
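Because Security Center is not shown on domain-joined computers, an administrator who wants the same four answers has to ask the system directly. The function below is an added example, not from the article. It reads the Automatic Updates setting (Group Policy overrides the local preference), the User Account Control switch, the Windows Defender service state, the antivirus and antispyware registrations that Security Center itself consumes through WMI, and the firewall state per profile. The registry paths and WMI class names are the real ones; the code tries the newer root\SecurityCenter2 namespace first and falls back to root\SecurityCenter, which older systems use.

```powershell
# Added example (not from the original article): reproduce Security Center's
# checks on a machine where the Security Center UI is not shown.

function Get-SecurityCenterStatus {
    # Automatic Updating. AUOptions 4 = download and install automatically;
    # a policy value wins over the local preference, and NoAutoUpdate = 1 turns the feature off.
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $auOptions = $local.AUOptions
    if ($policy -and $policy.AUOptions) { $auOptions = $policy.AUOptions }
    $autoUpdate = ($auOptions -eq 4) -and -not ($policy -and $policy.NoAutoUpdate -eq 1)

    # Virus and spyware protection: products register themselves in the Security Center WMI namespace.
    $av = $null; $as = $null
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct   -ErrorAction SilentlyContinue
        $as = Get-WmiObject -Namespace $ns -Class AntiSpywareProduct -ErrorAction SilentlyContinue
        if ($av -or $as) { break }
    }
    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    # Other security settings: User Account Control is the EnableLUA switch.
    $lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA

    # Firewall: one answer per profile (1 = domain, 2 = private, 4 = public).
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $fwOff = @()
    foreach ($p in 1, 2, 4) { if (-not $fw.FirewallEnabled($p)) { $fwOff += $p } }

    New-Object PSObject -Property @{
        AutomaticUpdates    = $autoUpdate
        AntivirusProducts   = @($av | ForEach-Object { $_.displayName })
        AntispywareProducts = @($as | ForEach-Object { $_.displayName })
        DefenderRunning     = [bool]($defender -and $defender.Status -eq 'Running')
        UacEnabled          = ($lua -eq 1)
        FirewallOffProfiles = $fwOff
    }
}

$status = Get-SecurityCenterStatus
$status | Format-List

# The conditions that would make Security Center show a warning:
if (-not $status.AutomaticUpdates)             { Write-Warning 'Automatic Updates are not set to install automatically' }
if ($status.AntivirusProducts.Count -eq 0)     { Write-Warning 'No antivirus product is registered with Security Center' }
if (-not ($status.DefenderRunning -or $status.AntispywareProducts.Count)) { Write-Warning 'No antispyware protection is running' }
if (-not $status.UacEnabled)                   { Write-Warning 'User Account Control is disabled' }
if ($status.FirewallOffProfiles.Count -gt 0)   { Write-Warning ('Windows Firewall is off for profile(s) ' + ($status.FirewallOffProfiles -join ',')) }
```

A product registered in the WMI namespace is not the same as a product that is running with current definitions, so treat the antivirus answer as "something is installed" and verify the rest with the vendor's own tooling.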

Windows Firewall

Windows Vista includes an improved version of Windows Firewall. Like the version included with Windows XP Service Pack 2, the Windows Vista firewall provides the following features:

  • Program and service exceptions. Windows Firewall blocks unsolicited inbound traffic by default but can allow traffic to reach specific programs and services, regardless of which protocols and ports those programs and services use.
  • Port filtering. Like traditional firewalls, Windows Firewall can allow or block traffic for specific TCP or UDP port numbers. Windows Firewall can also filter ICMP traffic.
  • Group Policy configuration. To enable network applications to work properly throughout an organization, administrators can use Active Directory Group Policy configuration to configure Windows Firewall and IP Security settings.
  • Friendly notifications. On PCs not joined to a domain, Windows Vista shows a notification if it blocks traffic from a new application. The prompt enables authorized users to add an exception for the application, making firewall configuration simple.

These features give administrators centralized control over the filtering of inbound traffic on a computer-by-computer basis. Filtering unsolicited traffic reduces the risk of malware spreading across the network by exploiting a vulnerability in an unused network service.
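As an added example that is not part of the article, the PowerShell session below drives the Windows Vista firewall through netsh advfirewall, the command-line interface that ships with Vista. It sets the default posture the section describes, adds one program exception and one port exception scoped to particular profiles and addresses, turns off the new-application prompt for the domain profile, and then uses the HNetCfg.FwPolicy2 COM object to list the inbound allow rules that are bound to neither a program nor a service, which are the ones most worth reviewing. The rule names, the program path and port 8443 are invented.

```powershell
# Added example (not from the original article). Rule names, the program path
# and port 8443 are hypothetical. Run elevated; netsh advfirewall ships with Vista.

# Default posture: firewall on for every profile, unsolicited inbound blocked, outbound allowed.
netsh.exe advfirewall set allprofiles state on
netsh.exe advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# Program exception: inbound traffic reaches sync.exe on whatever ports it listens on,
# but only while the computer is on a domain or private network.
netsh.exe advfirewall firewall add rule name="Contoso Sync inbound" dir=in action=allow `
    program="C:\Program Files\Contoso\sync.exe" profile=domain,private

# Port exception: TCP 8443 is opened to the local subnet only, and only on the domain profile.
# Whatever process happens to listen on 8443 receives this traffic, which is why a port
# exception should be scoped more tightly than a program exception.
netsh.exe advfirewall firewall add rule name="Contoso Admin TCP 8443" dir=in action=allow `
    protocol=TCP localport=8443 remoteip=localsubnet profile=domain

# Standalone machines prompt the user when a new program is blocked; on managed machines
# the prompt is normally disabled and exceptions arrive through Group Policy instead.
netsh.exe advfirewall set domainprofile settings inboundusernotification disable

netsh.exe advfirewall firewall show rule name="Contoso Sync inbound"

# Audit: enabled inbound allow rules tied to neither a program nor a service.
function Get-UnboundInboundAllowRules {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    # Direction 1 = NET_FW_RULE_DIR_IN, Action 1 = NET_FW_ACTION_ALLOW
    $policy.Rules | Where-Object {
        $_.Enabled -and ($_.Direction -eq 1) -and ($_.Action -eq 1) -and (-not $_.ApplicationName) -and (-not $_.ServiceName)
    } | Select-Object Name, Protocol, LocalPorts, RemoteAddresses, Profiles
}
Get-UnboundInboundAllowRules | Format-Table -AutoSize
```

On domain-joined computers the same rules are pushed from Group Policy under Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security, and rules delivered that way cannot be removed locally. The audit function is the check to run after such a policy lands: every pure port opening it lists is a place where a vulnerable, unused listener could be reached by a worm in the way the paragraph above describes.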
