Using Windows Defender to block malware
The best way to fight unwanted and malicious software is to keep it from being installed on any PC that is part of your network. Over the years, malicious hackers have found a variety of ways to install malware: floppy disks, document files, email attachments, instant messaging attachments, AutoPlay on USB flash drives, scripts, browser add-ons . . . and the list goes on. Many of these transmission methods rely on social-engineering techniques designed to lure inattentive or gullible users into opening an infected attachment, visiting an infected website, and so on. Not satisfied with being able to pick off the inattentive and gullible, authors of hostile software are always on the lookout for techniques they can use to spread infections automatically.
Any program that tries to sneak onto your PC without your full knowledge and consent should be blocked. An important layer in a basic PC protection strategy, therefore, is to use up-to-date antimalware software. Into the breach steps Windows Defender, the antimalware program included in Windows 10.
Windows Defender runs as a system service and uses a scanning engine to compare files against a database of virus and spyware definitions. It also applies heuristic analysis to program behavior so that it can flag suspicious activity from a file that isn't in the list of known threats. It scans each file that you access in any way, including downloads from the Internet and email attachments you receive. (This feature is called real-time protection; don't confuse it with scheduled scans, which periodically inspect all files stored on your computer to root out malware.)
Using Windows Defender
In general, you don't need to "use" Windows Defender at all. As a system service, it works quietly in the background. The only time you'll know it's there is if it finds an infected file; one or more notifications will pop up to alert you to the fact.
Nonetheless, you might want to poke around a bit. To open Windows Defender, type defender in the search box, and click the program's shortcut. If a shortcut to Windows Defender doesn't appear or if you don't have a keyboard, open Settings, tap Update & Security, tap Windows Defender, scroll all the way to the bottom, and tap Use Windows Defender.
The Home tab shows the current status and the results of the most recent scan. This tab also tells you whether real-time protection is enabled.
To temporarily disable real-time protection (if it is interfering with the installation of a legitimate program, for example), click Settings to open a window in which you can turn off real-time protection. Doing so causes the PC Status banner at the top of the program window to glow red and change from Protected to At Risk; a large Turn On button dominates the Home tab. Windows Defender is so anxious to restore real-time protection, in fact, that it automatically turns it back on when you restart your computer or after some time elapses.
Windows Defender uses Windows Update to retrieve definition files and periodic updates to the detection engine. The Update tab in Windows Defender shows when the definitions were last updated and also features an Update button in case you want to get the latest definitions immediately instead of waiting for Windows Update.
Manually scanning for malware
The combination of real-time protection and periodic scheduled scanning is normally sufficient for identifying and resolving problems with malware and spyware. However, if you suspect that you've been infected, you can initiate a scan on demand. To immediately scan for problems, on the Home tab under Scan Options, select the type of scan you want to perform and click Scan Now.
The Quick option kicks off a scan that checks only the places on your computer that malware and spyware are most likely to infect, and it is the recommended setting for frequent regular scans. Choose Full if you suspect infection (or you just want reassurance that your system is clean) and want to inspect all running programs and the complete contents of all local volumes. Click Custom if you want to restrict the scan to any combination of drives, folders, and files.
Run a scan from a script or a scheduled task:
Windows Defender includes a command-line utility that you can use to automate scans with a script or a scheduled task. You'll find MpCmdRun.exe in %ProgramFiles%\Windows Defender. For details about using the utility, open an elevated Command Prompt window and run the program with no parameters.
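The procedure above (pick a scan type, run it, and optionally automate it) can be driven entirely from an elevated PowerShell session. The following is an added example, not code from the book or from Microsoft; it assumes Windows 10 with the built-in Defender PowerShell module, and the task name and schedule are this example's own choices.

```powershell
# Added example: run, check and schedule Defender scans (assumes an elevated session).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Refresh definitions first so the scan uses the newest signatures.
& $mpCmdRun -SignatureUpdate

# 2. Run a scan. -ScanType 1 = quick, 2 = full, 3 = custom (add -File <path>).
& $mpCmdRun -Scan -ScanType 1
# MpCmdRun's documented exit codes: 0 = finished, nothing found; 2 = threats found.
if ($LASTEXITCODE -eq 2) { Write-Warning 'Quick scan found threats; check the History tab.' }

# The same operations through the Defender cmdlets, which are easier to script:
Update-MpSignature
Start-MpScan -ScanType QuickScan
# Start-MpScan -ScanType CustomScan -ScanPath 'D:\Downloads'   # scan one folder only

# 3. Register a nightly quick scan that runs as SYSTEM, independent of who is logged on.
$action    = New-ScheduledTaskAction -Execute $mpCmdRun -Argument '-Scan -ScanType 1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Defender Nightly Quick Scan' `
    -Action $action -Trigger $trigger -Principal $principal

# 4. Confirm afterwards that definitions are current and the scan actually ran.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureLastUpdated, QuickScanEndTime, FullScanEndTime, RealTimeProtectionEnabled
```

Running the task as SYSTEM matters: a scan run under an ordinary user account can't read every location on the disk, so a user-context task quietly scans less than it appears to.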
A full scan can be burdensome, especially if you have hundreds of thousands of files scattered around local disks. To reduce scan time and resource use, you can tell Windows Defender to skip locations and file types that you know are safe and haven't been tampered with. Keep in mind that an exclusion applies to real-time protection as well as to scheduled and on-demand scans, so keep each one as narrow as you can. To add one, begin by clicking Settings. On the Windows Defender tab in Settings, click Add An Exclusion (under Exclusions) to display a window.
There you'll find four options that affect scanning:
- Exclude A File: Specify individual files that you know to be safe. This is the narrowest exclusion and the one to prefer when a single known-good utility keeps triggering alerts.
- Exclude A Folder: Specify folders that you know to be safe. This is an appropriate option if you have a folder full of previously downloaded system utilities that routinely trigger alerts. Do not use this option with folders where you normally download new files.
- Exclude A File Extension: Similarly, you can exclude from scans all files with the file name extensions that you specify. Be wary of excluding extensions that can carry code (scripts and executables), because the exclusion covers every file with that extension, wherever it appears.
- Exclude A .Exe, .Com Or .Scr Process: If you find that a program is routinely detected as a potential threat despite your telling Windows Defender to allow it, consider adding the program to this list. Be sure to specify the process name (Myprogram.exe) and not the program name. Note that a process exclusion exempts the files that the running process opens from real-time scanning; the program's own executable file is still scanned. This strategy is less risky than excluding the containing folder: if you grant blanket approval for files in the containing folder, and later some real spyware ends up in the folder, you risk allowing malware to sneak onto your system with no warning.
To remove an exclusion (so that the item is scanned again), return to Add An Exclusion, click or tap the name of the exclusion you want to remove, and click Remove.
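The four exclusion types above map directly onto the Defender cmdlets, which also let you audit what has already been excluded, something the Settings page makes tedious. This is an added example, not code from the book or from Microsoft; it assumes an elevated session on Windows 10 with the Defender module, and the paths and process name are illustrative.

```powershell
# Added example: add, audit and remove Defender exclusions (assumes an elevated session).

# Narrow exclusions, from most to least specific (illustrative paths).
Add-MpPreference -ExclusionPath      'C:\Tools\SysinternalsSuite\PsExec.exe'  # one file
Add-MpPreference -ExclusionPath      'C:\Tools\SysinternalsSuite'             # one folder
Add-MpPreference -ExclusionExtension 'lab'                                    # one extension
Add-MpPreference -ExclusionProcess   'MyBuildAgent.exe'                       # files opened by this process

# Audit the current exclusion lists. Excluded locations are skipped by
# real-time protection too, so broad entries deserve a second look.
$pref = Get-MpPreference
$pref | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List

# Flag entries a practitioner would not want to see: whole drives, Temp or
# Downloads folders, and extensions that can carry code.
$riskyPaths = $pref.ExclusionPath | Where-Object {
    $_ -match '^[A-Za-z]:\\?$' -or $_ -match '\\(Temp|Downloads)(\\|$)'
}
$riskyExts = $pref.ExclusionExtension | Where-Object {
    $_ -in @('exe', 'dll', 'com', 'scr', 'ps1', 'vbs', 'js', 'bat', 'cmd')
}
if ($riskyPaths -or $riskyExts) {
    Write-Warning "Broad exclusions present: $($riskyPaths + $riskyExts -join ', ')"
}

# Remove an exclusion you no longer need; the item is scanned again from then on.
Remove-MpPreference -ExclusionPath      'C:\Tools\SysinternalsSuite\PsExec.exe'
Remove-MpPreference -ExclusionExtension 'lab'
```

Because any local administrator (or malware running as one) can call Add-MpPreference just as easily, the audit portion is worth scheduling on its own: an exclusion for a Downloads or Temp folder that nobody remembers creating is a finding, not a convenience.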
Dealing with detected threats
If Windows Defender detects the presence of malware or spyware as part of its real-time protection, it displays a warning above the notification area and, in most cases, resolves the problem without you lifting a finger.
To learn more about its findings, in Windows Defender click the History tab. Select Quarantined Items, and then click View Details. Windows Defender shows the name, alert level, and detection date of the quarantined item or items.
Detected items are moved to a restricted folder (%ProgramData%\Microsoft\Windows Defender\Quarantine) whose permissions include a Deny access control entry that locks out the built-in Users and Everyone groups. Executable files in this folder cannot be run, nor can the folder's contents be accessed from File Explorer. Items moved here can be managed only from the Windows Defender console (preferred) or an elevated Command Prompt window.
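Reviewing detections and quarantined items from an elevated session, as the paragraph above mentions, looks like the following. This is an added example, not code from the book or from Microsoft; it assumes Windows 10 with the Defender module, and the threat name and restore folder are placeholders you replace with values from your own history.

```powershell
# Added example: review detections and manage quarantine (assumes an elevated session).
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Detection history: when, which process, which files, and whether the action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources, ActionSuccess |
    Format-List

# 2. Map the numeric ThreatID values above to names and severity.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, CategoryID

# 3. List what is currently in the quarantine folder.
& $mpCmdRun -Restore -ListAll

# 4. Restore one item only after confirming it is a false positive, and restore it
#    to a review folder rather than its original location so it cannot run by accident.
$threatName   = '<threat name exactly as printed by -ListAll>'   # placeholder
$reviewFolder = 'C:\Quarantine-Review'                            # example folder
New-Item -ItemType Directory -Path $reviewFolder -Force | Out-Null
& $mpCmdRun -Restore -Name $threatName -Path $reviewFolder
```

The restored copy in the review folder is a normal file again; real-time protection will detect it a second time unless you have added a file-level exclusion, which is the correct fix for a confirmed false positive and preferable to a folder exclusion.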
Stopping unknown or malicious programs with SmartScreen
SmartScreen, which began as a feature in Internet Explorer in Windows 7, is used to identify programs that other users have run safely. It does so by comparing a hash of a downloaded program with Microsoft's application-reputation database. This occurs when you download a program using Microsoft Edge or Internet Explorer, and again when you attempt to run a program that you have downloaded from the Internet, regardless of which browser you used to download it.
Programs with a positive reputation run without any ado. Programs that are known to be bad or that have not yet developed a reputation are blocked.
If you're certain that a program is safe, you can override the block by selecting the check box, which adds a Run Anyway button you can then click. With default settings in place, you'll then need the approval of someone with an administrator account before the program runs. Don't say you weren't warned.
You can adjust the level of SmartScreen protection by going to Security And Maintenance and clicking Change Windows SmartScreen Settings. Besides the default setting, you can remove the requirement for administrator approval or you can disable SmartScreen altogether.
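SmartScreen can check a program "regardless of what browser you use" because browsers and mail clients tag downloaded files with a Zone.Identifier alternate data stream (the "mark of the web"), and the shell consults that stream before running the file. The following added example, not code from the book or from Microsoft, constructs a tagged file to show the stream, removes it, and then reads the registry value that the Security And Maintenance setting writes; the registry value and its three strings are as observed on Windows 10 without Group Policy applied.

```powershell
# Added example: inspect the mark of the web and audit the SmartScreen level.

# A constructed sample file (this is demo data, not a real download).
$sample = Join-Path $env:TEMP 'smartscreen-demo.txt'
Set-Content -Path $sample -Value 'demo content'

# Browsers write this stream on download; ZoneId=3 is the Internet zone.
Set-Content -Path $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Inspect the stream the way SmartScreen and File Explorer do.
Get-Item -Path $sample -Stream * | Select-Object Stream, Length   # shows :$DATA and Zone.Identifier
Get-Content -Path $sample -Stream Zone.Identifier

# Unblock-File deletes the stream; the file is then treated as local and
# SmartScreen no longer evaluates it. Do this only for files you have verified.
Unblock-File -Path $sample
Get-Item -Path $sample -Stream * | Select-Object Stream           # only :$DATA remains
Remove-Item -Path $sample

# Audit the setting behind Change Windows SmartScreen Settings:
#   RequireAdmin = default (administrator approval needed to run anyway)
#   Prompt       = warn, but any user can run anyway
#   Off          = SmartScreen disabled
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' -Name SmartScreenEnabled |
    Select-Object SmartScreenEnabled
```

The same mechanism is the limit of the protection: a file that arrives without the stream (extracted from some archive formats, copied from a network share, or deliberately stripped) is never shown to SmartScreen, so an "Off" or "Prompt" value found during an audit, or a fleet of machines with no Zone.Identifier streams on recent downloads, both deserve investigation.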