Windows Defender and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2
Applies To: Windows 7, Windows Server 2008 R2
In this section
Benefits and purposes of Windows Defender and the online Microsoft SpyNet community
Overview: Using Windows Defender and information from the Microsoft SpyNet community in a managed environment
How Windows Defender communicates with Internet sites (without Microsoft SpyNet membership)
How Windows Defender communicates with Internet sites when combined with Microsoft SpyNet
Procedures for configuring Windows Defender
Additional references
This section discusses how Windows® Defender in Windows 7 and Windows Server® 2008 R2 communicates across the Internet, and it explains steps to take to limit, control, or prevent that communication in an organization with many users.
Benefits and purposes of Windows Defender and the online Microsoft SpyNet community
Windows Defender
With Windows Defender, users can be alerted when spyware or potentially unwanted software attempts to install or run on their computers. Windows Defender also alerts users when programs attempt to change important Windows settings.
When Windows 7 is installed and the computer is started for the first time, prompts appear to help the user enable various recommended features, including Windows Defender.
Note
On systems running Windows Server 2008 R2, Windows Defender is installed as part of the Desktop Experience Feature set.
With Windows Defender, users can schedule scans on a regular basis, and they can be alerted to harmful software that is detected or removed during the scan.
Windows Defender receives updates to respond to evolving malicious and unwanted software. It is designed to be automatically updated by using the Windows Update service. It can also be updated from a WSUS server in an environment with Windows Server Update Services (WSUS). The following list briefly describes how Windows Defender obtains updates:
- If Windows Defender is enabled, by default it checks for software updates and updated definitions (of spyware and other unwanted software) before each scheduled scan. It checks for these updates on the Windows Update service (or in an environment with WSUS, it checks a WSUS server). This check for updates helps ensure that Windows Defender uses the latest available software and definitions when scanning.
Important
The first time that a user contacts a Windows Update Web server, the user receives a message that prompts the user to validate their copy of Windows. To complete the validation process, called Windows Genuine Advantage, the user is prompted to download an ActiveX® control that checks the authenticity of the Windows software. This ActiveX control is downloaded the first time the user’s copy of Windows is validated and any time a new version of the ActiveX control is available from Microsoft®. If the validation is successful, a special license file is stored on the computer for future verification. The Windows Genuine Advantage validation process does not collect any information that can be used by Microsoft to identify or contact the user. If the computer fails the Windows Genuine Advantage validation process, some updates (including Windows Defender updates) are not downloaded or installed during the Windows Update process. Other security updates are not part of Windows Genuine Advantage, and they are available for download and installation even if this validation fails. For more information, see Genuine Windows in the Enterprise on the Microsoft Web site.
Scheduled scans occur daily by default, so these checks for software updates also occur daily by default.
- Through commands on the Help menu, the user can request that Windows Defender check immediately for updated definitions. (Users can also view a Web-based privacy statement.)
For more details about how Windows Defender checks for software updates, see How Windows Defender communicates with Internet sites (without Microsoft SpyNet membership) later in this section.
The online Microsoft SpyNet community
The online Microsoft® SpyNet community is designed to help Microsoft continually update and improve definitions of spyware and other potentially unwanted software and to help Microsoft improve Windows Defender and related technologies.
New types and versions of potentially unwanted software are emerging regularly, so SpyNet ratings help Microsoft researchers discover new threats more rapidly and determine which software to investigate. For example, if many people remove software that has not yet been classified, Microsoft will analyze that software to see if it should be included in future definitions.
Joining the online Microsoft SpyNet community is optional but recommended. When the computer is first started after installing Windows 7, or after installing the Desktop Experience features on Windows Server 2008 R2, prompts appear that recommend steps that can help protect the computer. These include joining the online Microsoft SpyNet community.
Overview: Using Windows Defender and information from the Microsoft SpyNet community in a managed environment
In a managed environment, Windows Defender can help prevent potentially unwanted software from causing problems and help keep it off of users' computers. Membership in the online Microsoft SpyNet community can provide additional information that might be useful when you are making decisions about questionable software.
However, you might choose solutions other than Windows Defender for defending against potentially unwanted software. There are a variety of ways to control Windows Defender, including the following:
Prevent users from running Windows Defender by using a Group Policy setting.
Use Windows Defender and set up WSUS in your environment, which causes Windows Defender to check your WSUS servers for updates. If the WSUS servers are unavailable, Windows Defender falls back to checking the Windows Update Web site so that it still scans with the latest definitions. Because of this fallback, a WSUS deployment by itself does not keep Windows Defender from contacting the Internet; if that is a requirement, outbound access to the Windows Update servers must be restricted separately.
For more information, see Windows Server Update Services.
Limit access to resources such as the online Microsoft SpyNet community by allowing only designated people to become members. You can prevent users from joining Microsoft SpyNet by using a Group Policy setting.
How Windows Defender communicates with Internet sites (without Microsoft SpyNet membership)
The following list describes how Windows Defender communicates with sites on the Internet when users do not have membership in the online Microsoft SpyNet community. (Communication that results with Basic or Advanced membership in the online Microsoft SpyNet community is described in the next section.)
When enabled by itself, Windows Defender communicates with sites on the Internet as follows:
Specific information sent or received: The following list describes the information that is received in specific situations:
Each time Windows Defender performs a scheduled scan (if there is a connection to the Internet). By default Windows Defender checks the Windows Update Web site for software updates and updated definitions. This is the same process that is used to check for updates for other operating system features, which means that the information sent includes the version of the current set of definitions. If updates are available, they are downloaded by Windows Defender.
For more information, see Windows Update and Resulting Internet Communication in Windows 7 and Windows Server 2008 R2 in this document.
When the user clicks Help options and then clicks Check for updates. Windows Defender performs the same check described in the previous item.
When the user clicks Help options and then clicks View Privacy Statement Online. The Windows Defender Privacy Statement (see Privacy, later in this list) is displayed.
Default settings: If Windows Defender is enabled, by default it scans the computer daily. (Prompts recommending that Windows Defender be enabled are displayed the first time the computer is started after setup.)
Triggers: When Windows Defender performs a scheduled scan, by default it also searches the Windows Update Web servers for the latest definition file. To cause Windows Defender to check immediately for updates or display the privacy statement online, the user must click the Help options that are offered.
User notification: When a scan is in progress and the Windows Defender interface is open, status about the scan is displayed. Also when a scan is in progress, the user can click the Windows Defender icon in the notification area to view status.
Logging: Windows Defender logs the following types of information on the local computer:
Events are logged in Event Viewer in the System log.
Update failures are logged to systemroot\Temp\Mpsigstub.log.
Actions taken to protect against spyware or potentially unwanted software are logged in the same location as other events for that software.
Encryption: Windows Defender uses the same encryption methods as Windows Update, which means initial data is transferred using HTTPS, and updates are transferred using HTTP.
Access: The Microsoft staff maintains the functionality of the Windows Update Web servers, and as part of maintaining the servers, they monitor the version information that Windows Defender sends when it checks for updates.
Privacy: To view the privacy statement, see Windows Defender Privacy Statement.
Transmission protocol and port: Windows Defender uses the same transmission protocols and ports as Windows Update: HTTP with port 80 and HTTPS with port 443.
Ability to disable: You can disable Windows Defender through Control Panel or Group Policy.
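The following PowerShell script is an added example for the Logging and User notification items above; it is not code from the original page or from Microsoft. It collects the two local artifacts this section names (Windows Defender entries in the System log and systemroot\Temp\Mpsigstub.log) so an operator can see whether scheduled scans and definition updates are actually succeeding. It assumes the System log source name is "Windows Defender" and groups events by ID without relying on any particular ID meaning; it is written for PowerShell 2.0, which Windows 7 and Windows Server 2008 R2 ship with.

```powershell
# Added example (not part of the original page): gather local Windows Defender
# evidence on Windows 7 / Windows Server 2008 R2.
# Assumptions: Defender writes to the System log under the source name
# "Windows Defender" and definition-update failures to
# %SystemRoot%\Temp\Mpsigstub.log (the locations the page lists). The
# grouping by EventID is generic; no specific event ID meanings are assumed.
# PowerShell 2.0 compatible (no -Tail, no Get-CimInstance).

param(
    [int]$Days = 7,       # how far back to look in the System log
    [int]$LogLines = 20   # how many trailing lines of Mpsigstub.log to show
)

$since = (Get-Date).AddDays(-$Days)

# 1. Windows Defender events from the System log (scan start/stop, definition
#    updates, detections and actions taken).
$events = Get-EventLog -LogName System -Source 'Windows Defender' -After $since -ErrorAction SilentlyContinue

if ($events) {
    "Windows Defender events in the System log since $($since.ToShortDateString()):"
    $events |
        Group-Object -Property EventID |
        Sort-Object -Property Count -Descending |
        Select-Object @{n='EventID'; e={$_.Name}},
                      Count,
                      @{n='Latest'; e={($_.Group | Sort-Object TimeGenerated -Descending | Select-Object -First 1).TimeGenerated}} |
        Format-Table -AutoSize

    # Warnings and errors are what an operator acts on first (failed updates,
    # scans that did not complete, protection errors), so list them in full.
    $problems = $events | Where-Object { $_.EntryType -ne 'Information' }
    if ($problems) {
        "Non-informational Windows Defender events:"
        $problems | Select-Object TimeGenerated, EntryType, EventID, Message | Format-List
    }
} else {
    "No Windows Defender events in the System log since $since. Check whether Windows Defender is enabled or turned off by policy."
}

# 2. Definition-update failures are written to Mpsigstub.log; show its tail.
$stubLog = Join-Path $env:SystemRoot 'Temp\Mpsigstub.log'
if (Test-Path $stubLog) {
    "Last $LogLines lines of $stubLog :"
    Get-Content $stubLog | Select-Object -Last $LogLines
} else {
    "$stubLog is not present; nothing has been written there yet."
}
```

Run it from an elevated PowerShell prompt (reading the System log does not require elevation, but the Temp directory under systemroot may). The script only reads; it changes no settings.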
How Windows Defender communicates with Internet sites when combined with Microsoft SpyNet
The following list describes communication that results from using Windows Defender with membership in the online Microsoft SpyNet community. When a user has joined the online Microsoft SpyNet community, Windows Defender communicates with sites on the Internet as follows:
Specific information sent or received: The following list describes the information that is sent with different levels of membership in Microsoft SpyNet. The information is sent whenever Windows Defender detects software that has not been analyzed for risks:
For Basic members: The report that is sent by Windows Defender to the Microsoft SpyNet Web site includes the following information:
About the computer: A randomly generated, globally unique identifier (GUID) that is used to uniquely identify the computers of Microsoft SpyNet members as they communicate with the Microsoft SpyNet Web site. (Windows Defender creates the GUID unless the operating system was upgraded from Windows XP, in which case the GUID might have been created previously by the Microsoft Malicious Software Removal Tool running on Windows XP.) This GUID does not contain any personal information.
Information collected also includes the operating system name and version (including any service packs that have been applied), the Web browser software and version, and identifiers for the country or region and locale. In addition, the report might contain information related to the possible presence of spyware or other potentially unwanted software—for example, information about registry key entries that control actions such as automatically starting an application when the system starts.
About the software in question: This information includes file name, size, date stamps, and where applicable, vendor and cryptographic hashes. In addition, full URLs can be collected that indicate the origin of the file. Windows Defender attempts to filter out personal information in the URL and file paths for Basic members. The report can also include the action that the user chose to take when the program was detected (Block or Allow).
Note
The user's membership in Microsoft SpyNet means that the user might sometimes see a pop-up request for a Sample Submission report. This report requests specific files that Microsoft suspects might be potentially unwanted software on a computer, and they are used for further analysis. The report is sent only if the user consents.
For Advanced members: The report that is sent to the Microsoft SpyNet Web site includes the information that is sent with a Basic membership, plus additional details about the software in question including file paths and partial memory dumps (rarely). These file paths and partial memory dumps might unintentionally contain personal information. To the extent any personal information is included in a report, the information is not used to identify a user or contact a user.
Note
The user's membership in Microsoft SpyNet means that the user might sometimes see a pop-up request for a Sample Submission report. This report requests specific files that Microsoft suspects might be potentially unwanted software on a computer, and are used for further analysis. The report is sent only if the user consents.
Default settings: If a person opts in to Microsoft SpyNet during the Windows Defender configuration process, the membership is a Basic membership by default.
Triggers: When Windows Defender detects software that has not been analyzed for risks (software not previously categorized in the Windows Defender definition file) and the user is a member of Microsoft SpyNet, Windows Defender sends a report about the software in question.
User notification: For Basic Microsoft SpyNet members, the user notification is the same as for anyone using Windows Defender. For more information, see How Windows Defender communicates with Internet sites (without Microsoft SpyNet membership) earlier in this section.
For Advanced Microsoft SpyNet members, if software is present that has not yet been classified for risk, and it attempts to change computer settings, a prompt asks whether to allow or block the change. (For users who are Basic Microsoft SpyNet members, such software is not blocked.)
Logging: Logging for Windows Defender does not change when the user is a Microsoft SpyNet member. For more information, see How Windows Defender communicates with Internet sites (without Microsoft SpyNet membership) earlier in this section.
Encryption: Windows Defender uses Secure Sockets Layer (SSL) to encrypt the information that it sends to Microsoft SpyNet.
Access: Microsoft SpyNet reports are used to improve Microsoft software and services. The reports may also be used for statistical or other testing or analytical purposes, trending, and signature generation. Only Microsoft employees, contractors, and vendors who have a business need to use the reports are provided access to them.
Privacy: To view the privacy statement, which covers Microsoft SpyNet, see Windows Defender Privacy Statement.
Transmission protocol and port: When Windows Defender sends information to Microsoft SpyNet, it uses HTTPS with port 443.
Ability to disable: A user can decline or end membership in Microsoft SpyNet from an individual computer running Windows 7 or Windows Server 2008 R2, and an administrator can prevent users from being members by using a Group Policy setting.
Procedures for configuring Windows Defender
This subsection provides procedures for:
Viewing or changing Windows Defender settings, including Microsoft SpyNet settings, on a computer running Windows 7 or Windows Server 2008 R2.
Disabling Windows Defender by using Group Policy.
Preventing Microsoft SpyNet membership by using Group Policy.
To view or change Windows Defender and Microsoft SpyNet settings on a computer running Windows 7 or Windows Server 2008 R2
Click Start, then click Control Panel. In the Search text box, type Defender, then click Windows Defender.
Click Tools, and then click Options.
View or change the settings, and then click Cancel or Save.
With the Tools and Settings interface still displayed, click Microsoft SpyNet.
View or change the settings, and then click Cancel or Save.
To disable Windows Defender by using Group Policy
See Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows 7 or Windows Server 2008 R2, open Group Policy Management Console (GPMC) by running gpmc.msc, and then edit an appropriate Group Policy object (GPO).
Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.
In the details pane, double-click Turn off Windows Defender, and then click Enabled.
Note
If this Group Policy setting is enabled, the user can still click the command to open Windows Defender. However, Windows Defender displays a pop-up window that says it is turned off by Group Policy.
To prevent Microsoft SpyNet membership by using Group Policy
See Appendix B: Resources for Learning About Group Policy for Windows 7 and Windows Server 2008 R2 for information about using Group Policy. Using an account with domain administrative credentials, log on to a computer running Windows 7 or Windows Server 2008 R2, open Group Policy Management Console by running gpmc.msc, and then edit an appropriate GPO.
Expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Defender.
In the details pane, double-click Configure Microsoft SpyNet Reporting, click Enabled, and then click No Membership.
Important
To prevent Microsoft SpyNet reporting, do not disable this setting. You can only block SpyNet reporting by enabling this setting and then choosing No Membership.
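As an added example serving the two Group Policy procedures above and the WSUS discussion under Overview (this is not code from the original page or from Microsoft), the following PowerShell script audits the registry values that those settings control and can optionally write them on a standalone computer. On a domain member the values are delivered by the GPO edited in GPMC, and a later Group Policy refresh will overwrite anything set locally, so the switches are meant for standalone or lab machines. The key paths, value names and the 0/1/2 coding of SpyNetReporting are assumptions taken from the Windows Defender ADMX as the author recalls it, not facts stated on this page; the Windows Update policy values (WUServer, UseWUServer) are the standard WSUS client policy values. It is written for PowerShell 2.0 and must run elevated.

```powershell
# Added example (not part of the original page): audit and optionally apply
# the registry-backed policy values behind "Turn off Windows Defender" and
# "Configure Microsoft SpyNet Reporting", and report the update source.
# ASSUMED (not stated on the page): key paths, value names and the meaning of
# SpyNetReporting 0/1/2 come from the Windows Defender ADMX as recalled by the
# author. WSUS client policy values are standard. PowerShell 2.0 compatible.

param(
    [switch]$BlockSpyNet,       # write policy SpyNetReporting = 0 (No Membership)
    [switch]$TurnOffDefender    # write policy DisableAntiSpyware = 1
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'           # Windows 7 ADMX location (assumed)
$policyKey2 = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'    # later ADMX location (assumed)
$localKey   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Spynet'             # user's own choice, Tools > Microsoft SpyNet (assumed)
$wuKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$spyNetNames = @{ 0 = 'No Membership'; 1 = 'Basic'; 2 = 'Advanced' }

if ($TurnOffDefender) { Set-RegDword $policyKey 'DisableAntiSpyware' 1 }
if ($BlockSpyNet)     { Set-RegDword $policyKey 'SpyNetReporting'    0 }

# --- Windows Defender on/off -------------------------------------------------
$disabled = Get-RegValue $policyKey 'DisableAntiSpyware'
if ($disabled -eq 1) { "Windows Defender: turned off by policy (DisableAntiSpyware = 1)" }
else                 { "Windows Defender: not turned off by policy" }

# --- Microsoft SpyNet --------------------------------------------------------
# An absent or Disabled policy does not block reporting; only an Enabled
# policy with No Membership (value 0) does. So "no policy value" means the
# user's local preference decides, which is reported separately.
$policySpyNet = Get-RegValue $policyKey 'SpyNetReporting'
if ($policySpyNet -eq $null) { $policySpyNet = Get-RegValue $policyKey2 'SpyNetReporting' }
$localSpyNet = Get-RegValue $localKey 'SpyNetReporting'

if ($policySpyNet -ne $null) {
    "SpyNet: enforced by policy = $($spyNetNames[[int]$policySpyNet]) ($policySpyNet)"
} else {
    $effective = if ($localSpyNet -ne $null) { $spyNetNames[[int]$localSpyNet] } else { 'not set' }
    "SpyNet: NOT enforced by policy; local preference = $effective"
}

# --- Update source (WSUS or Windows Update) ----------------------------------
$wsusServer = Get-RegValue $wuKey 'WUServer'
$useWsus    = Get-RegValue $auKey 'UseWUServer'
if ($useWsus -eq 1 -and $wsusServer) {
    "Definition updates: WSUS at $wsusServer (Windows Defender falls back to Windows Update if WSUS is unreachable)"
} else {
    "Definition updates: Windows Update over the Internet (no WSUS client policy)"
}
```

Run without switches to audit; add -BlockSpyNet or -TurnOffDefender to apply the corresponding value on a standalone computer. The SpyNet section deliberately distinguishes "enforced by policy" from "local preference", because, as the Important note above says, leaving the policy Disabled or Not Configured does not stop reporting.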
Additional references
For more information, see the following Microsoft Web sites: