Sunday, June 19, 2011

CHAPTER 5

Protecting Client Systems
Any computer that is connected to the Internet faces a barrage of network-based threats in the form of malicious software attacks. These threats are growing in number and
sophistication every year, and as an enterprise support technician, you are responsible for protecting client systems from these evolving dangers.
As part of your company’s broad defense strategy, you need to know how to configure in Windows 7 the features whose purpose is to protect your clients. Specifically, you need
to know how to minimize the risk of damage from malware by implementing User Account Control (UAC) at an appropriate level, by using Windows Defender, and by removing
unwanted software if it is discovered.
Exam objective in this chapter:
Identify and resolve issues due to malicious software.
Lesson in this chapter:
Lesson 1: Resolving Malware Issues
Before You Begin
To perform the exercises in this chapter, you need:
A domain controller running Windows Server 2008 R2
A client computer running Windows 7 that is a member of the same domain
REAL WORLD
J.C. Mackin
I often hear people repeating a number of misconceptions about viruses and other
malware, and I’m convinced that these misconceptions have lulled users and
administrators into a false sense of security about the dangers their systems face.
Often these misconceptions are based on an accurate understanding of what was
the state of malware threats about 10 years ago. But the nature of these threats has
evolved significantly, and it continues to evolve. So in the interest of learning how best
to defend ourselves today, let’s deal with the most common of these misconceptions.
“As long as you keep Windows updated, you’re fine.”
It’s certainly true that you need to keep Microsoft Windows updated, but you need to keep all your software updated. Security holes can be found in applications as easily as they can be found in operating systems, and the security holes in many of these can be exploited to completely compromise a system. Microsoft Office applications in particular are often targeted. Remember that your systems are not safe from exploits if you are keeping only Windows updated.
“As long as you aren’t tricked into opening anything, you’re fine.”
A long time ago, it was true that malicious software needed user assistance to be installed on a system. Now, the situation is completely different. Merely browsing to the wrong site, for example, can lead to a secret drive-by download of malicious software. Even worse, some of the most harmful attacks come from Internet worms, which need no user involvement whatsoever. It is still essential for users to avoid opening unknown software, but this preventative measure alone is not enough to keep your systems safe from infection.
“As long as you keep your antivirus software up to date and scan daily, you’re fine.”
This might be the most common of all misconceptions regarding malware. While it’s true that a robust anti-malware solution is one of the essential pillars of a sound client protection strategy, the sad truth is that such software has its limitations. Malware developers who are serious about exploiting computers naturally design their programs in a way that avoids detection by antivirus solutions. For example, a rootkit is a relatively new type of malware that—so far—few anti-malware applications have had good success in detecting. But even more familiar types of malware can be designed to evade detection. As a result, when your antivirus software fails to detect malware on a system, you should know that the system still could very easily be infected.
These three misconceptions all have a common thread running through them: the belief that you can protect your systems by adopting a small number of well-known defenses against malware. In truth, adequately protecting client systems requires your company to adopt a wide array of strategies that include effective software updates, antivirus software, user education, firewalls, and most important of all, effective management of these and other security features.
Lesson 1: Resolving Malware Issues
The number of new malware applications being released today actually exceeds that of new
legitimate applications. As an enterprise support technician, you need to adequately protect
your clients from these mounting threats and know how to handle malware infections once
they are discovered.
Windows 7 includes two features that assist you in this fight against malware. User Account
Control (UAC) helps prevent programs from secretly altering protected areas of the operating
system, and Windows Defender scans your system for spyware and offers to remove any
unwanted software that is detected.
Though you will need to use additional applications such as Microsoft Forefront and
a managed anti-malware solution to protect your network, understanding how to use and
configure these built-in features of Windows 7 represents part of the essential skill set you
need on your job.
After this lesson, you will be able to:
Configure User Account Control (UAC) to display notifications in a way that
suits the needs of your organization.
Configure Windows Defender settings.
Detect and remove some malware manually in case your anti-malware
applications fail.
Estimated lesson time: 30 minutes
Understanding Malware
Malware is an umbrella term for many different types of unwanted software. It’s important
to understand the nature of these different threats, but it’s also important to recognize that
many malware applications blend features from more than one of these malware types.
The following list discusses the most common types of malware:
Virus A virus is a self-replicating program that can install itself on a target computer.
Viruses do not propagate over networks automatically; they need to be spread
through e-mail or another means. Once installed, viruses usually alter, damage,
or compromise a system in some way.
Worm A worm is a self-replicating program that can spread automatically over
a network without any help from a user or a program such as an e-mail client or Web
browser. Worms vary greatly in the potential damage they can cause. Some worms
simply replicate and do little other than consume network bandwidth. Others can be
used to compromise a system completely.
Trojan horse A Trojan horse is a program that is presented to users as a desirable
application but that is intentionally written to harm a system. Unlike viruses and
worms, Trojan horses do not copy themselves automatically or install themselves
automatically; they rely on users to install them.
Spyware Spyware is a type of privacy-invasive software that secretly records
information about user behavior, often for the purposes of market research. Typically
spyware is injected into a system when a user installs a free tool or visits a Web site
with browser security settings set to a low level. The most common function of such
spyware is to record the Web sites that a user visits. More rarely, some spyware, such
as keyloggers (which record every keystroke), can be installed deliberately by a third
party and be used to gather personal information. The biggest threat posed by most
spyware is system performance degradation. All types of spyware reduce system
performance by hijacking the resources of the computer for their own purposes. Unlike
viruses and worms, spyware does not self-replicate.
Adware Adware is similar to spyware and is often installed alongside it. The purpose
of adware is to display unsolicited advertisements to the user in the form of pop-up
windows or Web browser alterations. Adware can also download and install spyware.
NOTE SPYWARE AND ADWARE
The term spyware is often used as a general term for all unwanted software that runs in
the background and that gathers market research information, displays advertisements,
or alters the behavior of applications such as Web browsers. Microsoft uses the phrase
“spyware and potentially unwanted software” to refer to the type of software that is
unwanted but is not unambiguously harmful.
Backdoor A backdoor is a program that gives a remote, unauthorized party complete
control over a system by bypassing the normal authentication mechanism of that
system. Backdoors have been known to be installed by worms that exploit a weakness
in a well-known program. To protect your system against backdoors, it is essential to
keep your applications (not just your operating system) updated.
Rootkit A rootkit is a persistent type of malware that injects itself beneath the
application level and that as a result, tends to be much harder to detect from within
the operating system. A rootkit can alter the core functionality of the operating
system, or it can install itself as its own operating system invisible to the user and to
most anti-malware software. Other rootkits can operate at the firmware (BIOS) level.
Typically, a rootkit is used to provide a backdoor to a system.
Although malware has been proliferating in type and number, the defenses against these
threats have improved as well. When UAC is enabled in Windows 7, for example, a malware
application cannot install itself easily without the user's knowledge. This next section provides an
overview of UAC, which was introduced in Windows Vista and has been refined in Windows 7.
Understanding UAC
UAC is a set of security features designed to minimize the danger of running Windows as an
administrator and to maximize the convenience of running Windows as a standard user. In
versions of Windows before Windows Vista, the risks of logging on as an administrator were
significant, yet the practice of doing so was widespread. Meanwhile, running as a standard
user was generally safe, but the inconveniences prevented many from adopting the practice.
In versions of Windows before Windows Vista, malware could use the credentials of
a locally logged-on administrator to damage a system. For example, if you were logged
on to Windows XP as an administrator and unknowingly downloaded a Trojan horse from
a network source, this malware could use your administrative privileges to reformat your hard
disk drive, delete all your files, or create a hidden administrator account on the local system.
The main reason that users in previous versions of Windows often ran as administrators
despite these dangers is that many common tasks, such as installing an application or adding
a printer, required a user to have administrator privileges on the local machine. Because
in previous versions of Windows there was no easy way to log on as a standard user and
“elevate” to an administrator only when necessary, organizations whose users occasionally
needed administrator privileges simply tended to configure their users as administrators on
their local machines.
NOTE WHAT IS ELEVATION?
The term elevation is used when a user adopts administrator privileges to perform a task.
How Does UAC Address the Problem of Administrator Privileges?
UAC is the result of a new Windows security design in which both standard users and
administrators use the limited privileges of a standard user to perform most actions. When
users are logged on, UAC prompts them in different ways to confirm actions that make
important changes to the computer. If an administrator is logged on, the action is performed
only if he or she confirms it. If a standard user is logged on, the action is performed only if
he or she can provide administrator credentials. In both cases, the elevation to administrator level
privileges is temporary and used to perform only the action required. Through this new
system, UAC inhibits malware from secretly using a logged-on administrator’s privileges.
Understanding UAC Notifications for Administrators
By default, UAC is configured to notify administrators only when programs request elevation.
For example, administrators see UAC notification when they attempt to run a program
(such as Cmd.exe) at elevated administrator privileges, as shown in Figure 5-1. According to
this default setting, administrators in Windows 7 do not see a UAC notification when they
adjust Windows settings that require administrator privileges.
FIGURE 5-1 Opening an elevated command prompt
NOTE CHANGES IN WINDOWS 7 UAC BEHAVIOR
For administrators, the default behavior of UAC in Windows 7 has changed significantly
from that in Windows Vista and Windows Server 2008. In those operating systems, UAC
generated a prompt by default whenever any type of elevation was requested, including
when an administrator attempted to change Windows settings. Administrators see UAC
prompts less frequently in Windows 7.
The UAC notification that normally appears for administrators is called a consent prompt
and is shown in Figure 5-2. Note that by default, the entire screen darkens when the
notification appears and freezes until the user responds to the prompt. This feature is called
the Secure Desktop and can be disabled.
NOTE EDUCATE USERS ABOUT UAC PROMPTS!
The point of UAC notifications is to alert users when malware might be harming your
computer. If malware were to request elevation for a particular purpose, it too would
generate a notification such as the one shown in Figures 5-2 or 5-3. Consequently,
an essential factor in the ability of UAC to thwart malware is appropriate user response. You
need to educate users—and gently remind your fellow administrators—that they should
click No or Cancel whenever they see a UAC notification message that they did not initiate.
FIGURE 5-2 By default, UAC displays a consent prompt on a Secure Desktop to administrators who
request to run a program with elevation.
Understanding UAC Notifications for Standard Users
The UAC notifications shown to standard users are distinct from those shown to
administrators in that the notifications for standard users prompt these users to provide
administrator credentials. As with administrators, standard users by default receive UAC
notifications when they attempt to run a program such as a command prompt at elevated
privileges, or when a program independently requests elevation. In addition, standard users
by default receive UAC notifications when they attempt to make changes on the system that
require administrator privileges. For example, if standard users open the System page in
Control Panel and click Remote Settings, they see the credential prompt shown in Figure 5-3.
NOTE THE DEFAULT BEHAVIOR OF UAC IS THE SAME FOR STANDARD USERS IN WINDOWS 7
Although UAC in Windows 7 offers many notification levels that did not exist in Windows
Vista or Windows Server 2008, the default behavior for standard users is the same.
Whenever standard users attempt to make a change that requires administrator privileges,
a credential prompt appears on a Secure Desktop.
FIGURE 5-3 By default, UAC displays a credential prompt on a Secure Desktop to standard users who
request elevation.
Configuring UAC in Control Panel
In a domain environment, it is recommended that UAC be controlled centrally by Group
Policy instead of by configuration settings on each local machine. However, in workgroup
environments or in domain environments in which Group Policy allows local UAC
configuration, you can configure UAC through Control Panel.
To configure UAC in Control Panel, perform the following steps:
1. In Control Panel, click System and Security.
2. Under Action Center, click Change User Account Control Settings, as shown in Figure 5-4.
FIGURE 5-4 You can access UAC settings through the Action Center.
This step opens the User Account Settings window, one version of which is shown in
Figure 5-5. Note that the set of options that appears is different for administrators and
standard users, and that each user type has a different default setting.
FIGURE 5-5 UAC allows you to choose among four notification levels.
3. Choose one of the following notification levels:
Always Notify This level is the default for standard users, and it configures UAC
to act as it does in Windows Vista. At this level, users are notified whenever any
changes that require administrator privileges are attempted on the system.
Notify Me Only When Programs Try To Make Changes To My Computer This
level is the default for administrators and is not available for standard users.
At this level, administrators are not notified when they make changes that require
administrator privileges. However, users are notified through a consent prompt
when a program requests elevation.
Always Notify Me (And Do Not Dim My Desktop) This level is not available for
administrators. It is similar to the default setting for standard users, except that at
this particular level, the Secure Desktop is never displayed. Disabling the Secure
Desktop tends to reduce protection against malware, but it improves the user
experience. This setting might be suitable for standard users who very frequently
need to request elevation.
Notify Me Only When Programs Try To Make Changes To My Computer
(Do Not Dim The Desktop) This level is available for both standard users
and administrators. At this level, the behavior is the same as with the default
administrator level (“Notify me only when programs try to make changes to my
computer”), but with this option the Secure Desktop is not displayed.
Never Notify This level disables notifications in UAC. Users are not notified of
any changes made to Windows settings or when software is installed. This option is
appropriate only when you need to use programs that are incompatible with UAC.
4. Click OK.
Configuring UAC Through Group Policy
You can configure UAC through Local Security Policy or Group Policy settings. To find
UAC-related policy settings in a GPO, navigate to the following node:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
This location is shown in Figure 5-6.
FIGURE 5-6 You can find UAC settings in Security Options in a GPO or in Local Security Policy
The following 10 UAC-related policy settings are available. The next section describes each
of these configurable settings.
User Account Control: Admin Approval Mode For The Built-in Administrator
Account This policy applies only to the built-in Administrator account, and not to
other accounts that are members of the local Administrators group. When you enable
this policy setting, the built-in Administrator account sees UAC notifications just as other
administrative accounts do. When you disable the setting, the built-in Administrator
account behaves just like it does in Windows XP, and all processes run using
Administrator privileges. This setting is disabled in Local Security Policy by default.
User Account Control: Allow UIAccess Applications to Prompt For Elevation Without
Using The Secure Desktop This setting controls whether User Interface Accessibility
(UIAccess) programs can disable the Secure Desktop automatically. When enabled,
UIAccess applications (such as Remote Assistance) automatically disable the Secure
Desktop for elevation prompts. Disabling the Secure Desktop causes elevation prompts to
appear on the standard desktop. By default, this setting is disabled in Local Security Policy.
User Account Control: Behavior Of The Elevation Prompt For Administrators In
Admin Approval Mode This policy setting controls the behavior of the elevation
prompt for administrators. Six options are available:
Elevate Without Prompting With this option, administrators never see elevation
prompts.
Prompt For Credentials On The Secure Desktop When this option is chosen,
administrators see credential prompts on a Secure Desktop when elevation is
requested.
Prompt For Consent On The Secure Desktop With this option, administrators
see a consent prompt on a Secure Desktop when elevation is requested.
Prompt For Credentials When this option is selected, administrators see
a credential prompt on a normal desktop when elevation is requested.
Prompt For Consent When this option is selected, administrators see a consent
prompt on a normal desktop when elevation is requested.
Prompt For Consent For Non-Windows Binaries This option is the default
setting in Local Security Policy. It causes a consent prompt to appear any time
an application requests elevation.
User Account Control: Behavior Of The Elevation Prompt For Standard Users This
policy setting controls the behavior of the elevation prompt for standard users. Three
options are available:
Automatically Deny Elevation Requests When this option is enforced, standard
users are not able to perform tasks that require elevation.
Prompt For Credentials On The Secure Desktop With this option (the default
setting in Local Security Policy), standard users see a credential prompt on the
Secure Desktop when elevation is requested.
Prompt For Credentials When this option is chosen, standard users see
a credential prompt on the normal desktop whenever elevation is requested.
User Account Control: Detect Application Installations And Prompt For
Elevation When enabled, this policy setting configures UAC to prompt for
administrative credentials when the user attempts to install an application that
makes changes to protected aspects of the system. When disabled, the prompt won’t
appear. Domain environments that use delegated installation technologies such as
Group Policy Software Install (GPSI) or Microsoft Systems Management Server (SMS)
can disable this feature safely because installation processes can escalate privileges
automatically without user intervention. By default, this setting is enabled in Local
Security Policy.
User Account Control: Only Elevate Executables That Are Signed And
Validated When this policy setting is enabled, Windows 7 refuses to run any
executable that isn’t signed with a trusted certificate, such as a certificate generated
by an internal Public Key Infrastructure (PKI). When disabled, this policy setting allows
users to run any executable, potentially including malware. If your environment
requires all applications to be signed and validated with a trusted certificate, including
internally developed applications, you can enable this policy to increase security
greatly in your organization. This setting is disabled in Local Security Policy by default.
User Account Control: Only Elevate UIAccess Applications That Are Installed In
Secure Locations When enabled, this policy setting causes Windows 7 to grant
user interface access only to those applications that are started from Program Files
or subfolders, from Program Files (x86) or subfolders, or from \Windows\System32\.
When disabled, the policy setting grants user interface access to applications
regardless of where they are started in the file structure. This policy setting is enabled
by default in Local Security Policy.
User Account Control: Run All Administrators In Admin Approval Mode This
policy setting, enabled by default in Local Security Policy, causes all accounts with
administrator privileges except for the local Administrator account to see consent
prompts when elevation is requested. If you disable this setting, administrators never
see consent prompts and the Security Center displays a warning message.
User Account Control: Switch To The Secure Desktop When Prompting For
Elevation The Secure Desktop is a feature that darkens the screen and freezes
all activity except for the UAC prompt. It reduces the possibility that malware can
function, but some users might find that the feature slows down their work too much.
When enabled, this policy setting causes the Secure Desktop to appear with a UAC
prompt. When disabled, this policy setting allows UAC prompts to appear on a normal
desktop. This policy setting is enabled by default in Local Security Policy.
User Account Control: Virtualize File And Registry Write Failures To Per-User
Locations This policy setting, enabled by default in Local Security Policy, improves
compatibility with applications not developed for UAC by redirecting requests for
protected resources. When disabled, this policy setting allows applications not
developed for UAC to fail.
Disabling UAC Through Local or Group Policy
To force UAC to a disabled state, you can use Local Security Policy or Group Policy. First, set
the User Account Control: Behavior Of The Elevation Prompt For Administrators In
Approval Mode setting to Elevate Without Prompting. Then, disable the User Account
Control: Detect Application Installations And Prompt For Elevation and User Account Control:
Run All Administrators In Admin Approval Mode settings. Finally, set User Account Control:
Behavior Of The Elevation Prompt For Standard Users setting to Automatically Deny Elevation
Requests. Then, restart the computers on which you want to apply the new settings.
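The ten policy settings above are stored as DWORD values under a single registry key, which is the most reliable place to verify what is actually in effect on a client. The following PowerShell script is an added example, not part of the chapter: it reads those values, compares each with the Local Security Policy default stated above, and warns when the combination produced by the disabling procedure is present. The registry value names are the standard ones these policies write; the baseline defaults come from the chapter, not from the machine.

```powershell
# Added example (not from the chapter): audit the registry values behind the ten UAC
# policy settings and report drift from the Local Security Policy defaults given above.
# Local Security Policy and Group Policy both write these settings to this key.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# One entry per policy: policy name, registry value name, default from the chapter, and
# for the two multi-option settings a table that decodes the numeric value.
$policies = @(
    @{ Name = 'Admin Approval Mode For The Built-in Administrator Account'
       Value = 'FilterAdministratorToken'; Default = 0 },
    @{ Name = 'Allow UIAccess Applications To Prompt For Elevation Without Using The Secure Desktop'
       Value = 'EnableUIADesktopToggle'; Default = 0 },
    @{ Name = 'Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode'
       Value = 'ConsentPromptBehaviorAdmin'; Default = 5
       Decode = @{ 0 = 'Elevate Without Prompting'
                   1 = 'Prompt For Credentials On The Secure Desktop'
                   2 = 'Prompt For Consent On The Secure Desktop'
                   3 = 'Prompt For Credentials'
                   4 = 'Prompt For Consent'
                   5 = 'Prompt For Consent For Non-Windows Binaries' } },
    @{ Name = 'Behavior Of The Elevation Prompt For Standard Users'
       Value = 'ConsentPromptBehaviorUser'; Default = 1
       Decode = @{ 0 = 'Automatically Deny Elevation Requests'
                   1 = 'Prompt For Credentials On The Secure Desktop'
                   3 = 'Prompt For Credentials' } },
    @{ Name = 'Detect Application Installations And Prompt For Elevation'
       Value = 'EnableInstallerDetection'; Default = 1 },
    @{ Name = 'Only Elevate Executables That Are Signed And Validated'
       Value = 'ValidateAdminCodeSignatures'; Default = 0 },
    @{ Name = 'Only Elevate UIAccess Applications That Are Installed In Secure Locations'
       Value = 'EnableSecureUIAPaths'; Default = 1 },
    @{ Name = 'Run All Administrators In Admin Approval Mode'
       Value = 'EnableLUA'; Default = 1 },
    @{ Name = 'Switch To The Secure Desktop When Prompting For Elevation'
       Value = 'PromptOnSecureDesktop'; Default = 1 },
    @{ Name = 'Virtualize File And Registry Write Failures To Per-User Locations'
       Value = 'EnableVirtualization'; Default = 1 }
)

$props  = Get-ItemProperty -Path $uacKey
$report = @()
foreach ($p in $policies) {
    $current = $props.($p.Value)
    if ($null -eq $current) { $current = $p.Default }   # value absent: the default applies
    if ($p.Decode)          { $meaning = $p.Decode[[int]$current] }
    elseif ($current -eq 1) { $meaning = 'Enabled' }
    else                    { $meaning = 'Disabled' }
    $report += New-Object PSObject -Property @{
        Policy   = "User Account Control: $($p.Name)"
        Registry = $p.Value
        Current  = $current
        Meaning  = $meaning
        Default  = $p.Default
        Drift    = ($current -ne $p.Default)
    }
}
$report | Format-Table Registry, Current, Meaning, Default, Drift -AutoSize

# Flag the states that matter most: Admin Approval Mode off, and the full four-setting
# combination that the "Disabling UAC Through Local or Group Policy" procedure produces.
if ($props.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA is 0: administrators run without Admin Approval Mode and never see consent prompts.'
}
if ($props.ConsentPromptBehaviorAdmin -eq 0 -and $props.EnableInstallerDetection -eq 0 -and
    $props.EnableLUA -eq 0 -and $props.ConsentPromptBehaviorUser -eq 0) {
    Write-Warning 'UAC is disabled: all four settings from the disabling procedure are in effect.'
}
```

Run it in an elevated prompt on the client; a Drift of True in any row is a setting that differs from the chapter's stated default and is worth tracing back to the GPO that set it.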
Best Practices for Using UAC
To receive the security benefits of UAC while minimizing the costs, follow these best practices:
Leave UAC enabled for client computers in your organization.
Have all users—especially IT staff—log on with standard user privileges.
Each user should have a single account with only standard user privileges. Do not give
standard domain users accounts with administrator privileges to their local computers.
Domain administrators should have two accounts: a standard user account that they
use to log on to their computers, and a second administrator account that they can use
to elevate privileges.
Train users not to approve a UAC prompt if it appears unexpectedly. UAC prompts
should appear only when the user is installing an application or starting a tool that
requires elevated privileges. A UAC prompt that appears at any other time might have
been initiated by malware. Rejecting the prompt helps prevent malware from making
permanent changes to the computer.
Quick Check
Which Group Policy setting could you enable to prevent executables from
running if they aren’t signed with a trusted certificate?
Quick Check Answer
User Account Control: Only Elevate Executables That Are Signed And Validated
Whereas UAC is a set of features that broadly aims to protect core areas of the operating
system, another Windows 7 tool—Windows Defender—has a much narrower goal of
detecting and removing unwanted software.
Protecting Clients from Spyware with Windows Defender
Windows Defender is a tool in Windows 7 whose purpose is to detect and remove spyware
on a client system. By default, Windows Defender is configured to download new spyware
definitions regularly through Windows Update and then use these definitions to scan for
spyware on the local system. Often, you do not need to change this default configuration,
though in large networks you might want to disable some Windows Defender features
through Group Policy.
NOTE USE WINDOWS DEFENDER IN SMALL NETWORKS
Windows Defender is a basic anti-malware program that is suitable for use in small
networks or as a temporary solution before an advanced anti-malware solution is
purchased. In large networks, you should use a centrally managed anti-malware solution
such as Microsoft Forefront Client Security.
To view Windows Defender, open Control Panel, select View By Large Icons, and then scroll
down to click Windows Defender, as shown in Figure 5-7. (Alternatively, you can click Start,
type windows defender, and select Windows Defender in the Start menu.)
FIGURE 5-7 Opening Windows Defender
Windows Defender is shown in Figure 5-8.
By default, Windows Defender provides two types of protection:
Automatic scanning Windows Defender is configured by default to download new
definitions and then perform a quick scan for spyware at 2 A.M. daily.
Real-time protection With this feature, Windows Defender constantly monitors
computer usage in areas such as the Startup folder, the Run keys in the registry, and
Windows add-ons. If an application attempts to make a change to one of these areas,
Windows Defender prompts the user either to Permit (allow) or Deny (block) the change.
FIGURE 5-8 Windows Defender automatically checking for spyware
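As an added example that is not part of the chapter, the following PowerShell script lists the entries in the autostart locations named above (the Run keys and the Startup folders) together with the Authenticode signature status of each program, which gives you a manual check to fall back on when a scan finds nothing but a system still behaves suspiciously. The function name Get-ProgramPath is the example's own.

```powershell
# Added example (not from the chapter): enumerate the autostart locations that Windows
# Defender's real-time protection watches and report each program's signature status,
# so an unexpected or unsigned entry can be investigated by hand if a scan misses it.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Extract the program path from a Run value such as  "C:\Tools\agent.exe" /quiet
function Get-ProgramPath([string]$command) {
    $command = [Environment]::ExpandEnvironmentVariables($command)
    if ($command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item $key
    foreach ($valueName in $regKey.GetValueNames()) {
        $command = $regKey.GetValue($valueName)
        $entries += New-Object PSObject -Property @{
            Source = $key
            Name   = $valueName
            Path   = (Get-ProgramPath $command)
        }
    }
}
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    # Shortcuts (.lnk) are listed as files; resolving their targets is left out here
    Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $entries += New-Object PSObject -Property @{ Source = $folder; Name = $_.Name; Path = $_.FullName }
    }
}

# Signature status is Valid, NotSigned, HashMismatch, ... or FileMissing when the target is gone
foreach ($e in $entries) {
    if (Test-Path -LiteralPath $e.Path) {
        $status = (Get-AuthenticodeSignature -FilePath $e.Path).Status
    } else {
        $status = 'FileMissing'
    }
    $e | Add-Member -MemberType NoteProperty -Name Signature -Value $status
}
$entries | Sort-Object Signature | Format-Table Signature, Name, Path, Source -AutoSize
```

Entries whose Signature is NotSigned, HashMismatch or FileMissing are the ones to research before choosing Ignore, Quarantine or Remove for them.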
Besides providing this automatic functionality, Windows Defender also lets you perform
a manual scan of the system. You can start a manual scan by selecting Quick Scan, Full Scan,
or Custom Scan from the Scan menu, as shown in Figure 5-9.
FIGURE 5-9 Performing a manual scan in Windows Defender
These three scan types are described in the following list:
Quick Scan This type of scan scans only the areas of a computer most likely to be
infected by spyware or other potentially unwanted software. These areas include the
computer’s memory and portions of the registry that link to startup applications.
A quick scan is sufficient to detect most spyware.
Full Scan This type of scan scans every file on the computer, including common types
of file archives and applications already loaded in the computer’s memory. A full scan
typically takes several hours and can even take more than a day. You need to run a full
scan only if you suspect that a user’s computer is infected with unwanted software
after the quick scan is run.
Custom Scan Custom scans begin with a quick scan and then perform a detailed scan
on the specific portions of a computer that you choose.
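The same three scan types can be started from the command line, which is useful when you script a response or check a machine remotely. The following is an added PowerShell example and not code from the page or from Microsoft; it assumes MpCmdRun.exe in %ProgramFiles%\Windows Defender with the -SignatureUpdate and -Scan -ScanType 1/2/3 switches (plus -File for a custom scan), and treats exit code 0 as clean and 2 as threats found. Confirm both the switches and the codes against what MpCmdRun.exe -? prints on your build.

```powershell
# Added example (not from the page): run Windows Defender scans from PowerShell.
# Assumptions: MpCmdRun.exe lives in %ProgramFiles%\Windows Defender and accepts
# -SignatureUpdate and -Scan -ScanType <1|2|3> (quick, full, custom with -File);
# exit code 0 = no threats found, 2 = threats found. Verify with MpCmdRun.exe -?.

$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Invoke-DefenderScan {
    param(
        [ValidateSet('Quick', 'Full', 'Custom')] [string]$Type = 'Quick',
        [string]$Path,           # folder or file to scan; required for Custom
        [switch]$UpdateFirst     # pull new definitions before scanning
    )
    if (-not (Test-Path $MpCmdRun)) { throw "MpCmdRun.exe not found at $MpCmdRun" }

    if ($UpdateFirst) {
        & $MpCmdRun -SignatureUpdate | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Definition update failed (exit code $LASTEXITCODE); scanning with current definitions"
        }
    }

    $scanArgs = @('-Scan', '-ScanType', @{ Quick = 1; Full = 2; Custom = 3 }[$Type])
    if ($Type -eq 'Custom') {
        if (-not $Path) { throw 'A custom scan needs -Path' }
        $scanArgs += @('-File', $Path)
    }

    $started = Get-Date
    & $MpCmdRun @scanArgs | Out-Null
    $code = $LASTEXITCODE

    $verdict = switch ($code) {
        0       { 'No threats found' }
        2       { 'THREATS FOUND: open Windows Defender History and act on each item' }
        default { "Scan did not complete (exit code $code)" }
    }
    New-Object PSObject -Property @{
        ScanType = $Type
        Target   = $(if ($Type -eq 'Custom') { $Path } else { 'n/a' })
        Started  = $started
        Duration = (Get-Date) - $started
        ExitCode = $code
        Verdict  = $verdict
    }
}

# Usage: a quick scan with fresh definitions, then a custom scan of the user's
# profile, where unwanted software most often drops its files.
Invoke-DefenderScan -Type Quick -UpdateFirst
Invoke-DefenderScan -Type Custom -Path $env:USERPROFILE
```

Run it from an elevated PowerShell prompt. The Verdict field is what to record; an exit code other than 0 or 2 means the scan itself did not complete, which is not the same as the machine being clean.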
NOTE YOU CAN WORK ON A COMPUTER WHILE A SCAN IS IN PROGRESS
Although scans slow the computer down, a user can continue to work on the computer
while a scan is in progress. Note also that scans consume battery power on mobile
computers very quickly.
Handling Detected Spyware
If Windows Defender finds spyware or potentially unwanted software as a result of a scan,
it displays a warning and provides you with four options for each item detected:
Ignore This option allows the detected software to remain untouched on your
computer and stay detectable by Windows Defender whenever the next scan is
performed. This option might be appropriate when you need to research the software
that Windows Defender has found before you decide to remove it.
Quarantine This option isolates the detected software. When Windows Defender
quarantines software, it moves it to another location on your computer and then
prevents the software from running until you choose to restore it or remove it from
your computer. This option is used most often when the detected software cannot be
removed successfully.
Remove This option deletes the detected software from your computer. You should
choose this option unless you have a compelling reason not to.
Always Allow This option adds the software to the Windows Defender Allowed list
and allows it to run on your computer. Windows Defender stops alerting you to actions
taken by the program. Choose this option only if you trust both the software and
the software publisher.
Configuring Windows Defender Through Group Policy
In an AD DS environment, it is recommended that you configure clients by using Group
Policy instead of individually on each machine. To find the Group Policy settings for Windows
Defender, open a GPO and navigate to Computer Configuration\Policies\Administrative
Templates\Windows Components\Windows Defender, as shown in Figure 5-10.
FIGURE 5-10 Group Policy settings for Windows Defender
The following seven policy settings for Windows Defender are available:
Turn On Definition Updates Through Both WSUS And Windows Update If you
enable or do not configure this policy setting and the Automatic Updates client is
configured to point to a WSUS server, Windows Defender obtains definition updates
from Windows Update if connections to that WSUS server fail. If you disable this
setting, Windows Defender checks for updates only according to the setting defined for the Automatic Updates client—either by using an internal WSUS server or
Windows Update.
Turn On Definition Updates Through Both WSUS And The Microsoft Malware
Protection Center If you enable or do not configure this policy setting and the
Automatic Updates client is configured to point to a WSUS server, Windows Defender
checks for definition updates from both WSUS and the Microsoft Malware Protection
Center if connections to that WSUS server fail. If you disable this setting, Windows
Defender checks for updates only according to the setting defined for the Automatic
Updates client—either by using an internal WSUS server or Windows Update.
Check For New Signatures Before Scheduled Scans If you enable this policy setting,
Windows Defender always checks for new definitions before it begins a scheduled
scan of the computer. When you disable or do not configure this setting, Windows
Defender does not check for new definitions immediately before beginning
scheduled scans.
Turn Off Windows Defender If you enable this policy setting, Windows Defender no
longer performs any real-time or scheduled scans. (However, users can still perform
manual scans.) You should enable this setting if you have implemented a more
advanced anti-spyware solution such as Microsoft Forefront Client Security. If you
disable or do not configure this policy setting, Windows Defender performs both
real-time scans and any scheduled scans.
Turn Off Real-Time Monitoring If you enable this policy setting, Windows Defender
does not automatically prompt users to allow or block activity in protected areas of
the operating system. If you disable or do not configure this policy setting, by default
Windows Defender prompts users to allow or block potential spyware activity on their
computers.
Turn Off Routinely Taking Action If you enable this policy setting, Windows
Defender only prompts the user to choose how to respond to a threat but not to take
any automatic action. If you disable or do not configure this policy setting, Windows
Defender automatically takes action on detected threats after approximately 10 minutes.
Configure Microsoft SpyNet Reporting SpyNet is an online community that pools
information about threats experienced by its members. SpyNet learns from the user
responses to these threats to determine which threats are benign and which are
malicious.
If you enable this policy setting and choose the "No Membership" option, SpyNet
membership is disabled, and no information is sent to Microsoft. If you enable this
policy setting and choose the "Advanced" option, SpyNet membership is set to
Advanced, and information about detected threats and the responses to those threats
is sent to Microsoft.
If you disable or do not configure this policy setting, SpyNet membership is disabled
by default, but local users can change the membership setting.
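A GPO that looks right in the editor is not the same as a setting that reached the client. Administrative Template settings are delivered as registry values under HKLM\SOFTWARE\Policies, so reading that hive on the client shows what actually applied. The following is an added PowerShell example, not code from the page or from Microsoft. The value names it maps to the five policy names are what I understand WindowsDefender.admx writes; treat them as assumptions and confirm them against the ADMX in your central store. The two definition-update settings are not mapped by name and appear only in the raw dump.

```powershell
# Added example (not from the page): audit which Windows Defender Group Policy
# settings actually reached this Windows 7 client. Administrative Template
# settings are delivered as values under HKLM\SOFTWARE\Policies, so reading
# that hive shows what the GPO applied, whatever the GPO editor claims.
# Assumption: the value names below are the ones WindowsDefender.admx writes;
# confirm them against the ADMX in your central store. The two definition-update
# settings are not mapped by name; they show up in the raw dump instead.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Group Policy setting name -> subkey (relative to $PolicyRoot) and value name
$Known = @(
    @{ Name = 'Turn Off Windows Defender';                       Key = '';                     Value = 'DisableAntiSpyware' },
    @{ Name = 'Turn Off Routinely Taking Action';                Key = '';                     Value = 'DisableRoutinelyTakingAction' },
    @{ Name = 'Turn Off Real-Time Monitoring';                   Key = 'Real-Time Protection'; Value = 'DisableRealtimeMonitoring' },
    @{ Name = 'Check For New Signatures Before Scheduled Scans'; Key = 'Scan';                 Value = 'CheckForSignaturesBeforeRunningScan' },
    @{ Name = 'Configure Microsoft SpyNet Reporting';            Key = 'SpyNet';               Value = 'SpyNetReporting' }
)

function Get-DefenderPolicyState {
    foreach ($item in $Known) {
        $key  = if ($item.Key) { Join-Path $PolicyRoot $item.Key } else { $PolicyRoot }
        $data = $null
        if (Test-Path $key) { $data = (Get-Item $key).GetValue($item.Value) }   # $null when the value is absent
        $state = if ($data -eq $null) { 'Not Configured' }
                 elseif ($item.Value -eq 'SpyNetReporting') {
                     switch ($data) { 0 { 'Enabled: No Membership' } 2 { 'Enabled: Advanced' } default { "Enabled: value $data" } }
                 }
                 elseif ($data -eq 1) { 'Enabled' }
                 else { 'Disabled' }
        New-Object PSObject -Property @{ Setting = $item.Name; Data = $data; State = $state }
    }
}

function Get-DefenderPolicyRaw {
    # Every value under the policy key, including settings not mapped above.
    if (-not (Test-Path $PolicyRoot)) {
        Write-Warning 'No Windows Defender policy key: no GPO has delivered settings.'
        return
    }
    $keys = @(Get-Item $PolicyRoot) + @(Get-ChildItem $PolicyRoot -Recurse)
    foreach ($k in $keys) {
        foreach ($name in $k.GetValueNames()) {
            New-Object PSObject -Property @{ Key = $k.Name; Value = $name; Data = $k.GetValue($name) }
        }
    }
}

# Usage: refresh policy first so the check reflects the current GPO, then
# compare the mapped settings with what the GPO editor shows for this OU.
gpupdate /target:computer /force | Out-Null
Get-DefenderPolicyState | Format-Table Setting, State, Data -AutoSize
Get-DefenderPolicyRaw   | Format-Table Key, Value, Data -AutoSize
```

A setting reported as Not Configured on a client that the GPO should cover usually means the GPO is not linked to that OU, is filtered by security group or WMI filter, or has not refreshed yet; gpresult /r lists which GPOs applied.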
NOTE USING A BOOTABLE ANTIVIRUS CD
When a computer has become severely infected with malware, the computer might run
so slowly that it's difficult to perform an anti-malware scan. In this case, it's a good idea
to perform an offline scan from a bootable CD if you have one available. By performing
the scan outside of Windows, you avoid running the malware programs that consume
resources and slow down the system, and you also let the scanner see files that a rootkit
would hide from tools running inside the infected Windows installation.
Best Practices for Using Windows Defender
To receive the security benefits of Windows Defender while minimizing the costs, follow these
best practices:
Before deploying Windows 7, test all applications with Windows Defender enabled
to ensure that Windows Defender does not alert users to normal changes that the
application might make. If a legitimate application does cause warnings, add the
application to the Windows Defender Allowed list.
Change the scheduled scan time to meet the needs of your business. By default,
Windows Defender scans at 2 A.M. If third-shift staff uses computers overnight, you
might want to find a better time to perform the scan. If users turn off their computers
when they are not in the office, you should schedule the scan to occur during the day.
Use WSUS to manage and distribute signature updates.
Use antivirus software with Windows Defender. Alternatively, you might disable
Windows Defender completely and use client-security software that provides both
anti-spyware and antivirus functionality.
Do not deploy Windows Defender in large enterprises. Instead, use Forefront or
a third-party client-security suite that can be managed more easily in enterprise
environments.
MORE INFO WINDOWS DEFENDER
For more information about Windows Defender, visit the Windows Defender Virtual Lab
Express at http://www.microsoftvirtuallabs.com/express/registration.aspx?LabId=92e04589-cdd9-4e69-8b1b-2d131d9037af.
Determining When Your System Is Infected with Malware
As an enterprise support technician, you need to know how to recognize the symptoms of
a malware infection on your client computers. Then, if your antivirus and anti-spyware are not
functioning or not detecting any malware, you need to know how to remove malware manually.
Here are a few common signs of a computer being infected by a virus, worm, or Trojan
horse:
Sluggish computer performance
Unusual error messages
Distorted menus and dialog boxes
Antivirus software repeatedly turning itself off
Screen freezing
Computer crashing
Computer restarting
Applications not functioning correctly
Inaccessible disk drives, or a CD-ROM drive that automatically opens and closes
Notification messages that an application has attempted to contact you from the
Internet
Unusual audio sounds
Printing problems
Note that, although these are common signs of infection, these symptoms might also
indicate other types of hardware or software problems that are unrelated to malware.
Signs of a spyware infection tend to be slightly different from those of other types of
malware. If you see any of the following symptoms, suspect spyware:
A new, unexpected application appears.
Unexpected icons appear in the system tray.
Unexpected notifications appear near the system tray.
The Web browser home page, default search engine, or favorites change.
New toolbars appear, especially in Web browsers.
The mouse pointer changes.
The Web browser displays additional advertisements when visiting a Web page,
or pop-up advertisements appear when the user is not using the Web.
When the user attempts to visit a Web page, she is redirected to a completely different
Web page.
The computer runs more slowly than usual.
Some spyware might not have any noticeable symptoms, but it still might compromise
private information.
How to Resolve Malware Infections
The most important way to resolve malware infections is to prevent them in the first place
by keeping antivirus and anti-spyware programs running every day with the latest virus and
spyware definitions. If malware is discovered on a system, use the application to remove the
malware if possible and to quarantine it if not. If it is a new malware program, you might
need to run a dedicated removal tool or perform a series of steps to remove it manually.
These steps naturally apply only to malware that is detected. As important as it is to use
antivirus and anti-spyware daily, it is just as important to remember that no anti-malware
application is foolproof. Many malware programs are written specifically to evade the
anti-malware software that is in use so that they are not detected. And if even a single
malicious component survives a scan, that remaining program can reinstall the rest or
download other malware.
If you suspect a problem related to malware after running antivirus and anti-spyware
applications with the latest definitions, take the following steps:
1. If you notice changes to Windows Internet Explorer, such as unwanted add-ons
or a new home page, use Control Panel to look for and uninstall any unnecessary
programs.
2. Use the Startup tab of the System Configuration utility (Msconfig.exe) to clear any
unnecessary startup programs. Note the Registry entry associated with each of these
programs. (You can use this Registry information to delete the associated Registry values
if necessary.) Use the Services tab to disable any unnecessary services.
3. Open Task Manager. Note any unusual services listed on the Services tab or unusual
processes listed on the Processes tab. (Be sure to click Show Processes From All Users
so you can see all running processes.) Use the Go To Process option on the Services
tab and the Go To Service(s) option on the Processes tab to help learn the connection
between services and processes that are unknown to you. Then, perform Web searches
on services and processes that lack descriptions or that otherwise seem suspicious.
If you can determine from your research that any services or processes are associated
with malware, right-click each process and click End Process to stop it. Then, in the
Services console, disable the associated service so that it cannot run again.
4. Open the Registry Editor (Regedit.exe). Navigate to HKLM\Software\Microsoft\
Windows\CurrentVersion\Run. In the details pane, note any Registry values associated
with unwanted startup programs. Write down the path names to the target files shown in
the Data column, as shown in Figure 5-11, and then delete the Registry values. Then,
navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and do the same.
FIGURE 5-11 Copy down the path names to files associated with unwanted startup programs,
and then delete the Registry values.
5. Using the path name information that you copied in step 4, visit these locations in the
Windows file structure and delete the target files.
6. If you still see signs of malware, install an additional anti-spyware and antivirus
application from a known and trusted vendor. Your chances of removing all traces of
malware increase by using multiple applications, but you should not configure multiple
applications to provide real-time protection.
7. If problems persist, restart the computer into the System Recovery Options menu
(press F8 during startup and choose Repair Your Computer), and then choose System
Restore. Restore the computer to a restore point dated before the malware infection.
System Restore typically removes the startup settings that cause malware applications
to run, but it does not remove the executable files themselves, so repeat the scans
afterward. Do this only as a last resort: Although System Restore does not remove a
user's personal files, it can cause problems with recently installed or configured
applications.
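Steps 2 through 5 above amount to walking the autostart locations, resolving each entry to a file, and deciding whether that file belongs. The following is an added PowerShell 2.0 example (the version that ships with Windows 7), not code from the page, that does that walk over the Run and RunOnce keys, both Startup folders, and automatically started services, checks whether each target still exists and whether it carries a valid Authenticode signature, and flags entries that deserve a look. It assumes you run it elevated on the suspect machine. One caveat a practitioner must know: on Windows 7, Get-AuthenticodeSignature does not read catalog signatures, so many genuine operating-system files under %SystemRoot% report NotSigned; confirm those with sigverif.exe rather than deleting them.

```powershell
# Added example (not from the page): a PowerShell 2.0 triage of the places the
# manual steps above inspect (Run/RunOnce keys, Startup folders, automatic
# services). For each entry it resolves the executable, checks that it exists
# and whether it carries a valid Authenticode signature, and flags anything
# worth a closer look. Assumptions: run elevated on the suspect machine; on
# Windows 7 Get-AuthenticodeSignature does not read catalog signatures, so
# genuine OS files under %SystemRoot% often report NotSigned (confirm those
# with sigverif.exe instead of deleting them).

function Get-ImagePath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\App\app.exe" /tray   or   C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $raw = if ($end -ge 1) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $m   = [regex]::Match($cmd, '^(.+?\.(exe|dll|scr|cmd|bat))', 'IgnoreCase')
        $raw = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    if ($raw -and -not $raw.Contains('\')) {          # bare name such as rundll32.exe: resolve via PATH
        $found = Get-Command $raw -ErrorAction SilentlyContinue
        if ($found) { $raw = $found.Definition }
    }
    return $raw
}

function Test-StartupImage {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path   = Get-ImagePath $CommandLine
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $status = 'n/a'; $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    $flags = @()
    if (-not $exists)            { $flags += 'MISSING' }   # dangling entry: file gone or name bogus
    elseif ($status -ne 'Valid') { $flags += 'UNSIGNED' }  # see the catalog caveat above
    if ($path -match '\\(Temp|AppData|ProgramData|Users\\Public)\\') { $flags += 'USERWRITABLE' }
    if ($CommandLine -and -not $CommandLine.StartsWith('"') -and $path -and $path.Contains(' ')) {
        $flags += 'UNQUOTED'   # unquoted path with spaces; for services also a privilege-escalation weakness
    }
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Path = $path; Exists = $exists
        Signature = $status; Signer = $signer; Flags = ($flags -join ',')
    }
}

function Get-StartupInventory {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item $key
        foreach ($name in $k.GetValueNames()) {
            Test-StartupImage -Source $key -Name $name -CommandLine $k.GetValue($name)
        }
    }
    # Startup folders (per-user and all-users); .lnk targets are resolved through the shell
    $shell = New-Object -ComObject WScript.Shell
    $dirs  = (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup'),
             (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -Force | Where-Object { -not $_.PSIsContainer }) {
            $cmd = '"' + $f.FullName + '"'
            if ($f.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($f.FullName)
                $cmd = '"' + $lnk.TargetPath + '" ' + $lnk.Arguments
            }
            Test-StartupImage -Source $dir -Name $f.Name -CommandLine $cmd
        }
    }
    # Services that start automatically (what Msconfig's Services tab shows)
    foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }) {
        Test-StartupImage -Source 'Service' -Name $svc.Name -CommandLine $svc.PathName
    }
}

# Usage: keep the full inventory before touching anything, then review the flagged entries.
$inventory = Get-StartupInventory
$inventory | Export-Csv -Path (Join-Path $env:USERPROFILE 'startup-inventory.csv') -NoTypeInformation
$inventory | Where-Object { $_.Flags } | Sort-Object Source, Name |
    Format-Table Source, Name, Path, Signature, Flags -AutoSize -Wrap
```

The CSV is the record you fall back on if you delete a legitimate entry; keep it off the suspect machine. UNSIGNED under a user-writable directory is the combination that most often turns out to be the unwanted program; MISSING entries are cheap to clean up and are often left behind by malware that has already moved its files.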
