Windows Defender

Table of Contents

Windows Defender -1 ...... 2

Windows Defender -2 ...... 5

Windows Defender Usage ...... 6

Windows Defender Interface -1 ...... 7

Windows Defender Interface -2 ...... 8

Windows Defender Scan Configuration ...... 9

Windows Defender - Regular Scans ...... 11

Additional Configurations ...... 12

Windows Defender Advantages -1 ...... 13

Windows Defender Interface -1 ...... 14

Windows Defender Interface -2 ...... 15

Windows Defender Scan Configuration ...... 16

Windows Defender Advantages -2 ...... 17

Microsoft Malware Protection Center ...... 18

Microsoft SpyNet ...... 20

Windows Defender Disadvantages -1 ...... 21

Windows Defender Disadvantages -2 ...... 22

Windows Defender CLI ...... 24

Windows Defender PowerShell ...... 25

Windows Defender PowerShell Automatic ...... 26

Windows Defender PowerShell Manual ...... 27

Notices ...... 28

Page 1 of 28

Windows Defender -1

Provides
• Spyware and malware detection and removal in real time
• Built-in anti-virus (Windows 8 only)

Formerly known as Microsoft Anti-Spyware

23

**023 Windows Defender, Windows Defender, formerly known as-- the artist formerly known as Microsoft Anti-Spyware. I guess they changed the name because it's a little bit more than just anti-spyware. It's anti-malware; it does malware detection and removal as well. And then if you're running Windows Defender in a Windows 8 environment, it is built-in antivirus functionality.

For -- give me one second.

Student: Hey, Mark.

Mark Williams: Yes sir.

Student: I noticed that when I put Kaspersky in-- I run ESET and Kaspersky on different boxes, to see how they work-- Kaspersky wanted you to disable the Microsoft stuff.

Mark Williams: Sure.

Student: I wasn't so sure about that.

Mark Williams: I think many vendors will recommend, oh, you have another firewall running, or you have another antivirus running, or you have another vendor's product running, you should go ahead and disable that. And sometimes that is a good idea, because there are contention-type issues you have to worry about. They sometimes compete for the same resources. Sometimes they do interfere with each other.

On the other hand, there is this term it's called diversity of defense. Diversity of defense is a good thing because this vendor might catch-- notice and catch x and not y, whereas this one might notice and catch y but not x. So, if they work together in a complementary fashion, that's probably better for us the end users.

Oh, it is. I just wanted to check. In your notes, I believe it does-- the notes we provided for you, it does say if you want antivirus protection with Windows 7 that you use something known as MSE, Microsoft Security Essentials. So, Windows Defender has antivirus coded into it. But if you want anti-virus capability, then basically you turn on-- in Windows 7, Microsoft Security Essentials. And Defender, it now goes away, and Security Essentials is going to do the anti-malware, anti-spyware type of thing.

Microsoft Security Essentials for Windows 7 is a free download for you. It does not come with the install, but it is a free download that you can add on if you need it.

Student: Won't that give you some problems because every day they have an update? So, if you're set-- if you set your security so that you say download and notify me when, you're going to get that every day.

Mark Williams: Every day. Sure.

Windows Defender -2

• Offers improved Internet browsing safety
• Protection against the latest threats through updated signatures

24

**024 It can be annoying. So, this is one of the things I think is nice. Not only is it looking at your system for malware and spyware and such, it's also looking at your browsing. So, when you're using Internet Explorer or another web browser, it's trying to help identify when you're going to sites that might be considered less than safe, sites that might have malware associated with them and such.

And so, it also will help you if you're downloading anything in an email attachment or something. Before it actually opens, or as it's opening, it would do a scan of it, and if it says that this is malicious or bad stuff, it would stop the application, the attachment, from opening. So, the Defender real-time protection is a nice little feature that they've added in.

Windows Defender Usage

• Periodically scans the computer for potential malware
• To protect against emerging threats, an up-to-date signature file is necessary
• Defender automatically updates

25

**025 Periodically, how do we use it? It periodically is going to scan. As you mentioned, it has to-- in order for it to scan for malware, it has to have the latest and greatest updates. So, it has to go out and do an update and then scan.

It is always recommended that you try to have your antivirus, your anti-malware, your spyware protection, have them scan when your system is idle. Oftentimes these scans do take up a lot of resources. I know specifically when I am trying to accomplish a task, if it's in the middle of the day and that scan kicks off, then I can usually see a performance hit. So, three o'clock in the morning might be a good idea, when you're definitely not going to be using that machine. So, it does automatically update, and you can schedule your scans for a later point in time.

Windows Defender Interface -1

Windows 7 provides a button / menu driven GUI for configuration options.

26

**026 So, there is a difference in the way Defender looks in Windows 7 compared to the way Defender looks in Windows 8. In Windows 7, they have, in Defender, these buttons: the home button, the scan button with the drop-down menus, and so forth. And I guess that's nice. But they-- they decided they wanted to change it in Windows 8.

Windows Defender Interface -2

GUI provides 4 clean tabs for viewing, configuring, and controlling Defender in Windows 8.

27

**027 So, when you bring up Windows Defender in 8, instead of having those iconic buttons at the top, you have a tabular type of interface to select, so the home, update and history, and then settings. Tomato, tomahto. They effectively both-- both the devices, both the applications, effectively do the same thing, just a different interface. Mike?

Student: It's easier for the programmer to add a tab than it is to go mess with a navigation bar.

Mark Williams: Okay, that's a good logic for why they did it that way. Add another tab, just another little module of code. That makes sense.

Windows Defender Scan Configuration

Regular scans should be run according to local policy.

28

**028 Here they're showing you, under the home tab, we have the ability to schedule our scans and set our scan options, I should say: what type of scan do we want to do, quick scan, full scan, or customized. You might want to do-- when you initially install the system and run the scan for the very first time, do a full, complete scan of the system. Obviously, the full scan's going to take a little bit longer. But then, on a recurring basis, maybe on a day-to-day basis, you do a quick scan. It does not look at everything, certainly not going to look at the files that have not changed.

It'll go this is your Windows directory, there have been no changes in your Windows directory. We don't need to scan that. There have been changes in My Documents, so we're going to go ahead and scan-- we will scan that under the full. And you also have custom. I only want to scan these specific areas. So, you can configure it any way you like.

Windows Defender - Regular Scans

User configurable scan options
• Scan type
• Date & time
• Manual or automatic

29

**029 Dates and times, we can have-- in this particular case, they're saying we want to scan every single day. I told you to do it at a time where you're expected to be idle. My wife, probably two a.m. might not be the great time. At least when she was going to school to get her Master's, she was up-- seemed to me she was up all night doing work. Now that she's back to a working woman and not going to school all the time, now maybe two a.m.'s a good time for her to do that. And select what type of scan, various settings.

Additional Configurations

Default actions
• What to do when a threat is detected
Real time protection
• Downloaded files and running applications
Create a restore point

30

**030 Default actions, this is where we get to say what do I want you to do if we have a problem. If you detect that there is some threat out there, what should we do? And we can have a number of different actions depending upon the severity of the threat.

So, you can see, at the very bottom on the right-hand side, if it's a low-level alert, meaning kind of just more informational than anything else, just follow the recommended actions that Microsoft provides. And in that case, by the way, all of these are set to recommended actions. But you could simply say, if it's severe, stop it, don't allow it, disable it, shut down, quarantine it. There's all kinds of other options that you could have available to us.

You could also create restore points so that if we do end up with some sort of malware or malicious activity on the system, we could get back to a known good-- previously good point.

Windows Defender Advantages -1

Three options for scanning
• Quick
• Full
• Custom scan
Visual indication of PC security status
• Green – good
• Yellow – caution
• Red – attention is needed

31

**031 So, what do we like about it? Lots of options. We also like the fact that it's easy to configure. And it's very easy from a user standpoint to know the status of your computer system. You may have red, green, and yellow indicators. So, when we talk about the severity, the things that are highly severe, or very severe issues, high threats, they're going to be the red items. The informational type of things, they'll be the yellow types of items. So, it adds a visual indication of whether your machine is working well or not.

If I go back-- I'm going to go back one, two, three-- I'll go to the four--

Windows Defender Interface -1

Windows 7 provides a button / menu driven GUI for configuration options.

26

**026 This one. Take a look at my bar here. Green, good check, I like that. I don't even have to pay any attention. That's a good thing. Your computer's running. No threats have been found.

Windows Defender Interface -2

GUI provides 4 clean tabs for viewing, configuring, and controlling Defender in Windows 8.

27

**027 So, quick visual indications.

Windows Defender Scan Configuration

Regular scans should be run according to local policy.

28

**028 Green check here-- well, green field with a white check in it.

Windows Defender Advantages -2

Built-in to Windows
• Free
Part of the Action Center
Integrated tools
• Microsoft Malware Protection Center
• Microsoft SpyNet

32

**032 More advantages. One of the biggest advantages, I think, to Windows Defender is that it comes with-- it's built into-- it's integrated with our Windows. It's going to work really well with Windows.

I know I have, at various times over the years, installed third-party operating-- not operating systems, third-party antivirus, third-party spyware detection tools and such. They work well. But sometimes there's an update, and then all of a sudden, that particular utility starts eating up all of my CPU resources. And now it has an adverse effect on how Windows works. This one probably will not ever do that for us, will not ever have that adverse effect, because it's integrated with Windows.

And it also integrates with the Action Center. You guys remember the Action Center? It gives us the alerts about when your machine is having some problems. If you have-- if Defender detects any malware or spyware, you're going to get the alerts through Action Center as well.

Microsoft Malware Protection Center

Provides anti-malware research and response
Provides practical advice to users about emerging threats
• What is the threat?
• What is the danger?
• Tips for protection
• Directions for recovery if already infected / hacked

Ref: www.microsoft.com/security/portal

33

**033 They mention Microsoft Spynet and also Microsoft Malware Protection Center. Let's take a look at those real quick.

So, here we are at the Microsoft Malware Protection Center. As you can see, threat research and response. Microsoft spends many, many, many hours, hundreds of man-hours, thousands of man-hours, trying to keep up to date with all of the bad stuff that people can do to our systems. And then they provide good advice for you about how you can protect yourself.

So, Microsoft Malware Protection Center is a good starting point to learn about-- in this case, it looks like there's an article. If you're using Microsoft Office Outlook, you can download and install the Microsoft Junk Email Reporting add-in. That might be a nice little tool for you. Junk Email Reporting add-in, so that you can help Microsoft keep up with the junk email that's out there.

So, tells us what are the threats, what are the dangers, gives us daily tips, if you will, for how we can protect ourselves.

The second thing that we mentioned--

Microsoft SpyNet

An online community dedicated to helping users respond to potential spyware
Built-in feature of Windows Defender
Users can choose to participate by automatically sending information to Microsoft about
• Potential spyware
• Unwanted
• Changes that software makes to the system
This information is analyzed to identify malware.

34

**034 was Microsoft SpyNet. SpyNet is an online community that you can become a member of, in which case you can choose to participate and share information about spyware that you might have encountered. This online community--

Windows Defender Disadvantages -1

Personal information may unintentionally be sent to Microsoft SpyNet
• Only if a basic or advanced membership is selected.
• No membership is necessary to participate.

35

**035 Let's see. This is the danger of it, though. When you join, take a look at this. Like I said, it is optional. It comes with Defender, if you want to participate in it. But be aware, in some instances, personal information might be unintentionally sent to Microsoft.

Now, what are they going to do with that personal information? They're probably just going to throw it in the can. We don't want it. They don't need it for what they're trying to do. They're just trying to figure out what is the spyware that is-- that people are encountering, and keep up to date with the latest and greatest.

They don't care about your individual details. But you do have to be aware that it could be transmitted to Microsoft.

They do tell us that Microsoft will not use this information to identify you or contact you. So, they're not-- if it does get there accidentally, they're getting rid of it. They don't want it. But you do have to be aware that is a security issue.

Windows Defender Disadvantages -2

On Windows 7, Defender does NOT provide virus protection (anti-virus). Microsoft Security Essentials (MSE) could be downloaded and it would do the anti-malware as well as anti-virus.
Detection rates are lower than other “free” AV products
• Avast, Avira, AVG, Panda
[Bar chart: detection rate (%) for MSE, AVG, Avira, Avast and Panda; vertical axis from 60 to 100]

Adapted from data collected by PCWorld Ref: http://www.pcworld.com/article/259876/antivirus_on_windows_8_looking_at_your_options.html

36

**036 All right, disadvantages of Windows Defender. On Windows 7, I guess the only real disadvantage is that-- Defender itself does not do the antivirus protection. It's anti-malware, anti-spyware, that type of stuff. But it's not antivirus. That's where Microsoft Security Essentials comes into play.

And this is according to an article in PC World. And they did say that compared to some of the other free antivirus products that are out there, that Defender may not have as good performance. And I think that is-- that's probably something that is arguable from an individual basis. It is integrated in. I have, personally, found that it has better performance on the systems I've been running compared to some of the other antiviruses that are out there.

Windows Defender CLI

Defender can be configured via a command line interface (CLI).

%ProgramFiles%\Windows Defender\MpCmdRun.exe

37
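The scan types and the nightly schedule that slides 28 and 29 set through the GUI can be driven from the MpCmdRun.exe utility named on this slide. The script below is an added example for this page, not code from the course material. It assumes Windows 7 or 8 with Defender at its default path and an elevated PowerShell prompt; the function name, the task name and the 03:00 start time are choices made here. The scan-type numbers (1 quick, 2 full, 3 custom) are MpCmdRun's own.

```powershell
# Added example, not from the course slides: quick/full/custom scans and a
# scheduled nightly quick scan, driven through MpCmdRun.exe instead of the GUI.
# Assumes Windows 7/8, Defender at the default path, and an elevated prompt.
# Invoke-DefenderScan, the task name and the 03:00 start time are our choices.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

# MpCmdRun -Scan -ScanType takes 1 = quick, 2 = full, 3 = custom (custom also needs -File <path>).
function Invoke-DefenderScan {
    param(
        [Parameter(Mandatory = $true)] [ValidateSet('Quick', 'Full', 'Custom')] [string] $Type,
        [string] $Path    # file or folder to scan; used only for Custom
    )
    $mpArgs = @('-Scan')
    switch ($Type) {
        'Quick'  { $mpArgs += '-ScanType', '1' }
        'Full'   { $mpArgs += '-ScanType', '2' }
        'Custom' {
            if (-not $Path) { throw 'Custom scans need -Path' }
            $mpArgs += '-ScanType', '3', '-File', $Path
        }
    }
    & $MpCmdRun @mpArgs | Out-Null
    # Exit code 0 means the scan finished with nothing detected; anything else
    # (threats found, or the scan could not run) deserves a look at the History tab.
    return $LASTEXITCODE
}

# First run after installation: a full scan, as the instructor recommends.
$rc = Invoke-DefenderScan -Type Full
if ($rc -ne 0) { Write-Warning "Full scan ended with exit code $rc; review Defender's History tab." }

# Recurring protection: a daily quick scan at 03:00, when the machine is likely idle,
# run as SYSTEM so it does not depend on anyone being logged on. Signature updates
# are left to Defender's own automatic update, as the slides describe.
$taskName = 'Defender Nightly Quick Scan'
# The exe path contains a space, so it must stay quoted inside the /TR string; the
# inner quotes are backslash-escaped so they survive Windows command-line parsing.
$action = "\`"$MpCmdRun\`" -Scan -ScanType 1"
schtasks.exe /Create /F /TN $taskName /SC DAILY /ST 03:00 /RU SYSTEM /RL HIGHEST /TR $action
if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }

# Confirm what was actually registered (next run time, run-as account, command line).
schtasks.exe /Query /TN $taskName /V /FO LIST
```

The task is registered with schtasks.exe rather than the ScheduledTasks PowerShell module because schtasks.exe exists on both Windows 7 and Windows 8; the final /Query is there so you check the task that was created, not the one you meant to create.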

**037 Can I control Defender via the command line? I sure can. There is, in the Windows Defender directory, there is a utility, MpCmdRun.exe. And if you were to run MpCmdRun.exe, you have a couple of options for configuring and operating Defender.

The reason I keep giving you these command line options: scripting. Anything you want to do as administrator on a day-to-day basis, you know that we can script how this is functioning.

Windows Defender PowerShell

Defender can be controlled via PowerShell. To view:

PS C:\Users\admin> Get-Service -DisplayName 'Windows Defender'

38

**038 I can also configure it in PowerShell. In this particular case, they're using PowerShell to just see that Windows Defender is running. We'll talk about Get-Service in the PowerShell module. But we see Windows Defender is running-- the status is running on this particular machine.

Windows Defender PowerShell Automatic

To allow automatic startup

PS C:\Users\admin> Set-Service -DisplayName 'Windows Defender' -StartupType Automatic

39

**039 I can set it to do automatic startup if I like. And so, in this particular case, again a PowerShell command, Set-Service. What service are we talking about? Defender. And it's automatically starting up when the OS starts, so set the service startup type.

Windows Defender PowerShell Manual

To manually start the service

PS C:\Users\admin> Start-Service -DisplayName 'Windows Defender'

40
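The three service commands on slides 38 through 40 are usually wanted together, as one check an administrator can run or schedule: is the service set to start automatically, is it running, and are its signatures current. The script below is an added example for this page, not code from the course material. It assumes an elevated prompt on Windows 7 or 8, where the Defender service has display name 'Windows Defender' and service name WinDefend; the function name is ours. One caveat the slides imply but do not spell out: on Windows 7 with Microsoft Security Essentials installed, Defender is meant to be off, so the check looks for MSE's service (assumed here to be MsMpSvc) and leaves Defender alone if it is present.

```powershell
# Added example, not from the course slides: Get-Service / Set-Service / Start-Service
# folded into one repeatable health check, plus a signature update. Assumes an
# elevated prompt on Windows 7/8, display name 'Windows Defender' (service WinDefend),
# MpCmdRun.exe at its default path, and MsMpSvc as the Microsoft Security Essentials
# service name. Test-DefenderService is our name.

function Test-DefenderService {
    if (Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue) {
        Write-Warning 'Microsoft Security Essentials is installed; Defender is expected to be disabled. Nothing changed.'
        return
    }

    $svc = Get-Service -DisplayName 'Windows Defender' -ErrorAction Stop

    # Get-Service does not report the startup type on these Windows versions; WMI does.
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    if ($wmi.StartMode -ne 'Auto') {
        Write-Warning "Startup type is '$($wmi.StartMode)'; setting it to Automatic."
        Set-Service -Name $svc.Name -StartupType Automatic
    }

    if ($svc.Status -ne 'Running') {
        Write-Warning "Service is $($svc.Status); starting it."
        Start-Service -Name $svc.Name
        # Block until the state change is real instead of trusting that the cmdlet returned;
        # WaitForStatus throws if the service is still not running after 30 seconds.
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    # Report what is true now, re-read from the service control manager, not what was requested.
    Get-Service -Name $svc.Name | Select-Object Name, DisplayName, Status
}

Test-DefenderService

# A running service with stale signatures is a false sense of security: pull
# definitions now and confirm the update actually succeeded.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { Write-Warning "Signature update failed with exit code $LASTEXITCODE" }
```

Set-Service and Start-Service return nothing on success, which is why the function re-reads the service at the end and why the signature update checks $LASTEXITCODE: a script that only issues the commands from the slides cannot tell you whether they worked.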

**040 I can also manually start the service. For whatever reason, it did not start. So, I can do a Start-Service. I can do a Restart-Service. I can do a Stop-Service, if it is started, again through PowerShell. We'll talk more about PowerShell.

Notices

© 2014 Carnegie Mellon University This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide. Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT). CERT ® is a registered mark owned by Carnegie Mellon University.

2
