Anyone who's used Windows for longer than fifteen minutes has probably had an unpleasant encounter with spyware. Whether the result of design flaws or simply due to the operating system's ubiquity, there's little doubt that a Windows PC can be a magnet for all kinds of unwanted or harmful software.
Whatever the reason, it seems only appropriate that Microsoft should offer users a way to keep their systems free from spyware, and with the release of Windows Defender, Redmond finally does. Formerly known as Windows AntiSpyWare and as Giant AntiSpyWare before that (prior to Microsoft's purchase of Giant Company Software), Windows Defender has spent most of the year in beta and is now ready for prime time.
Windows Defender is available free for licensed Windows XP users (it runs only on Windows XP or Windows 2003 Server). The operative word here is licensed, because as is now typical, Microsoft requires you to submit your system to a Windows Genuine Advantage (WGA) validation check before letting you get your hands on the software. (In fact, a second system validation is conducted during the application install process.)
Windows Defender, which has a clean, easy-to-understand interface, consists of two main components: a scanner to detect and clean existing infections and a real-time protection feature that monitors for suspicious behavior in an attempt to prevent infections from occurring in the first place. Note that unlike Microsoft's Windows Live OneCare (which is a paid product/service), Windows Defender doesn't check for viruses, so it's no substitute for a separate anti-virus utility.
It's also worth noting that while many popular third-party anti-spyware utilities (Spybot and AdAware both come to mind) scan browser cookies, Windows Defender doesn't concern itself with them. Microsoft's position on this is that cookies are generally used for legitimate purposes, and that in any event the place to manage them is within the browser. We're not sure we agree with the second point, and would have preferred to see cookie scanning available in Windows Defender as an option.
Scanning for Danger
Windows Defender's default setting is to perform a quick scan of your computer, which concentrates on the most vulnerable system areas (such as the \windows\system32 folder). You can also perform a full scan of your entire hard drive, as well as opt for a custom scan that focuses only on files and/or folders you specify.
If a scan finds anything nasty or questionable lurking on your PC, Windows Defender displays a results page that tells you what items were found, along with an alert level and a recommended action to take. The five alert levels — Not Yet Classified, Low, Medium, High, and Severe — are culled from Microsoft's own research on potential threats.
The four possible actions are Always Allow, Ignore, Quarantine, and Remove. Windows Defender's recommended action for a given item depends on its alert level. For high and severe alerts the default action is Remove, while in other cases you're prompted to choose the action you want to take.
To help you make a decision regarding a particular piece of software, Windows Defender reports several pieces of information for each item detected, including a category (adware, browser modifier, etc.) and what areas of your system have been modified. Each entry also includes a link to Microsoft's Malicious Software Encyclopedia, though in most cases we found the additional information provided there to be quite sparse.
We used Windows Defender to scan a system with the P2P application Kazaa installed, and it detected no fewer than eight individual infections (including InstaFinder, AltNet, and a host of other nasties) with alert levels ranging from medium to severe. We opted to remove all the offending applications, and following a system reboot, they seemed to have been banished.
We shortly started experiencing some Kazaa-related (non-browser) pop-ups, however, so we ran a second scan. This time, two remaining infections were detected, and after initiating the removal process they were gone for good and subsequent scans came back clean. (The second scan didn't require a reboot.)
When we tried to re-install Kazaa, Windows Defender's real-time protection emerged, displaying a series of warning pop-ups that allowed us to squelch the application in utero. This kind of feature can be very obtrusive, though, because it often flags legitimate applications taking justifiable actions, so Windows Defender lets you adjust which settings and events will receive real-time monitoring. Helpfully, it also doesn't second-guess actions taken by trusted or known applications.
Windows Defender automatically downloads updated spyware definitions and schedules scans to take place nightly at 2:00 AM, a schedule you can modify to your liking. You can also change the default recommendation for each alert level, and have Windows Defender automatically take the default action without requiring user confirmation. The beta versions had a habit of removing "good" software when this feature was turned on, but the official release seems to no longer have that penchant.