CHAPTER 38
Securing Windows 10 for the Enterprise

The security of client computer resources on a network should be a matter of utmost importance to any system administrator or information technology manager. A single compromised client computer can expose an entire enterprise to outside parties, including criminal hackers, foreign governments, and other actors looking for a way into your network. For that reason, always make sure your Windows 10 client computers are secure.

As you learn in this chapter, several forms of malicious software (also called malware) exist, including viruses, worms, spyware, and adware. As you also discover in this chapter, you can take actions to prevent your computer from getting malware. And when it's too late for that, you can take steps to get rid of the malware.

Understanding Why Windows 10 Security Is Important

Microsoft Windows runs on upwards of 90 percent of the world's desktops and the business applications that depend on them, which makes it a very large security target. Windows products have been subjected to security breaches and attempted breaches for as long as they have existed. These attacks come in the form of viruses, worms, Trojan horses, spyware, and other malware.

To help combat these threats, Windows 10 includes Windows Defender, Microsoft's anti-malware software, at no extra cost. It is installed and active by default from the moment Windows is installed, and it keeps running in the background unless another anti-virus product registers itself with Windows, in which case Defender steps aside for that product.

Malicious software comes in many forms, but all forms share certain traits. First, they are designed to be invisible: you do not know they are there. Second, they all do something you do not want happening on your computer. Third, they are written by human programmers to do those things deliberately. The differences lie in how they spread and what they do once they are on your computer, as the following sections describe.

Viruses and Worms

Viruses and worms are self-replicating programs that spread from one computer to the next, usually via the Internet. A virus needs a host file to spread: it attaches itself to a document or program and runs when that file is opened. The host can be any file, but viruses typically travel in e-mail attachments and in programs you download.

A worm is similar to a virus in that it replicates itself and spreads. Unlike a virus, however, a worm doesn't need a host file. It travels from one computer to the next directly over the network, typically by exploiting a flaw in a service that listens for connections. That's one reason to always keep a firewall up when you're online: it blocks the unsolicited inbound connections that worms use to reach those services.

The harm caused by viruses and worms ranges from minor pranks to serious damage. A minor prank might be something like a small message that appears somewhere on your screen where you don't want it. A more serious virus might erase important system files, rendering your computer useless.

Spyware and Adware

Spyware and adware are malware that isn't designed specifically to damage your computer. Rather, they're designed to help someone sell you things. A common spyware tactic is to report the websites you visit to a server that sends out advertisements. That server analyzes your browsing history to work out which products you are most likely to buy, and then sends ads for those products to your computer.

Adware is the mechanism that makes ads appear on your screen. When advertisements pop up seemingly out of the clear blue sky, there's usually some form of adware behind them. Spyware and adware often work together: the adware provides the means to display ads, and the spyware helps the ad server (the computer sending the ads) choose ads for products you're most likely to buy.

Trojan Horses and Rootkits

You may have heard the term Trojan horse in relation to Greek mythology. The story goes like this. After 10 years of war with the city of Troy, the Greeks decided to call it quits. As a peace offering, they gave the people of Troy a huge wooden horse, the Trojan horse.

While the people of Troy were busy celebrating the end of the war, Greek soldiers hidden inside the horse snuck out and opened the gates to the city from inside. They allowed other Greek soldiers, lying in wait hidden outside the city, to storm into the town and conquer it. (This is a case in which it would have been wise to look a gift horse in the mouth.)

A Trojan horse is a program that works in a similar manner. In contrast to other forms of malware, a Trojan horse is a program you can see on your screen and use. On the surface it does something useful. Hidden inside it, however, is code that does something bad, usually without your knowledge.

A related category is the dual-use tool: a program that hides nothing but can be used for good or ill. Take, for example, a program that recovers lost passwords. It is a good thing when you use it to recover forgotten passwords from files you created yourself, and a bad thing when it is used to break into other people's password-protected files. Windows Defender reports tools of this kind under a separate label (hacking tools or potentially unwanted software) rather than as Trojan horses, so a detection of that kind deserves a look before you remove it.

A rootkit is a program that hides itself, and the activity of other programs, from the user and from the operating system's own tools. Not every rootkit is written with malicious intent, but because concealment is their whole purpose they are almost always used in malicious ways. Windows 10 defends against rootkits on several fronts: Secure Boot and Early Launch Anti-Malware protect the boot path, and Windows Defender scans for known rootkit families.

Some rootkits remain hidden on a computer for long periods of time, even years. Rootkits give a person or organization (such as a hostile government or company) a stealthy foothold on a device: the rootkit can stay dormant until a specific time or event, then activate and carry out its malicious payload. Well-known rootkit families include Alureon, Sirefef, Rustock, Sinowal, and Cutwail.

Securing Windows 10

There are basically two ways to deal with malicious software. The better one is to prevent it from infecting your system in the first place. The other is to detect and remove it after your computer has already been infected.

As you read earlier, viruses can cause a great deal of harm to your computer. Therefore, always run an anti-virus program, such as Windows Defender, which comes standard with Windows 10. Windows Defender is designed to locate and eradicate viruses, spyware, and other malware.

Spyware (and its close cousin adware) isn't specifically designed to cause your computer harm. But even without the direct intent to do harm, spyware can have serious consequences. Too much spyware can bog your system down, causing everything to run more slowly than it should. Spyware can make unwanted changes to your Internet settings, causing your web browser to act in unexpected ways. Spyware can lead to many annoying pop-up ads. In the worst cases, it can send personally identifiable information about you to identity thieves.

Most spyware arrives bundled with software you download for free, such as screen savers, custom toolbars, and file-sharing programs. It can also be installed silently by scripts and programs embedded in web pages (a so-called drive-by download).

Many programs on the market are designed to prevent and eliminate spyware and adware. But you don't have to spend money or download a third-party program to protect your system from these threats. Windows Defender, included free with Windows 10, protects your computer from viruses and from any potentially unwanted programs, including many types of adware, Trojan horses, and rootkits.

With the Windows 10 Anniversary Update, Microsoft added several enhancements to Windows Defender. Two of the new features are Cloud-Based Protection and Automatic Sample Submission. Both are turned on by default, but the first time you open Windows Defender it is worth confirming that they are still on, because another program or an earlier user may have turned them off.

Cloud-Based Protection consults Microsoft's cloud service whenever Defender encounters a file it cannot classify on its own. The service analyzes the file's characteristics using heuristics and machine learning to decide whether it poses a threat and returns its verdict in real time, so a brand-new threat can be blocked within moments of first being seen anywhere, instead of after the hours or days it takes to ship a definition update.

With Automatic Sample Submission, files that Defender flags as suspicious are uploaded to Microsoft for in-depth analysis. Microsoft can then release new definitions and protect other computers more quickly. By default only samples unlikely to contain personal information are sent automatically; Windows prompts you before sending a file that might.

The Microsoft Edge web browser has enhanced security as well. Because it supports neither ActiveX controls nor browser plug-ins such as Java, Edge is not exposed to a whole class of attacks that Internet Explorer was historically susceptible to.

Protecting against Malicious Software

You don't need to open Windows Defender to protect your computer. Defender runs in the background and starts when you log in to Windows. Some tasks, such as running a manual scan or reviewing quarantined items, do require opening the program.

To launch the Windows Defender interface, perform the following steps:

  1. Type Windows Defender in the Cortana Search field.
  2. Click Windows Defender — Desktop App. You might also see Windows Defender — Trusted Windows Store App. Do not click that item. Figure 38.1 shows the Windows Defender window.
image

FIGURE 38.1 The Windows Defender main window.

Removing Malicious Software

Windows Defender offers many tools for fighting malicious software. One of them is the ability to scan your system for malicious programs or files that you might have already acquired. On the Home tab of Windows Defender, you see these three scan options:

  • Quick: As its name implies, the quick scan takes less time because it checks only the areas where malicious software most commonly installs itself, such as running programs and startup locations.
  • Full: A full scan checks every file and running program on your drives. It takes a while, but it gives you far more confidence that your system is free of malicious software.
  • Custom: A custom scan lets you choose which drives or folders to scan.

To perform a scan, select the desired scan option and click the Scan Now button, as shown in Figure 38.2.

image

FIGURE 38.2 Windows Defender performing a manual scan.

A full scan takes anywhere from several minutes to hours, depending on the size of the drives being scanned, so be patient. When the scan completes, you should see a clean bill of health. If not, suspicious items are quarantined (moved to an isolated store where they cannot run). You are taken to the quarantined list automatically, though you can get there any time by choosing History ⇨ Quarantined Items and then clicking View Details. There you can see details on quarantined items, allowed items (items you have chosen to let run on your computer), and all detected items.

Each item in the quarantined list has an alert level associated with it. Here's what each alert level means:

  • Severe or High: This item is known to compromise the security of your computer, or it is too new to be well known but shows every sign of malicious intent. Remove it immediately.
  • Medium: This item appears to collect personal information or change Internet settings. Review the item details. If you do not recognize or trust the publisher, block or remove the item.
  • Low: This is a potentially unwanted item that you should remove if you did not intentionally install it yourself.

To remove an item, click its name and click Remove. You can usually click Remove All, because legitimate programs are rarely detected as viruses, spyware, or other potentially unwanted items. Rarely is not never, though: administrative tools, password-recovery utilities, and unsigned in-house software do get flagged from time to time. If in doubt, leave the item quarantined for a while and use your computer normally to see whether some useful program has stopped working. After you've determined that everything is okay, go back into Quarantined Items and remove anything you left behind.

Doing a Quick Scan

A full scan takes some time because it scans every file on your hard disk. You can save time by doing a quick scan, which checks only recently added files, running programs, and the locations where viruses, spyware, and other malicious software most commonly install themselves. After you've done one full scan, and as long as real-time protection stays on, periodic quick scans are sufficient for most computers.

Doing a Custom Scan

A custom scan lets you scan a specific drive or folder. For example, if someone sends you a flash drive, you might want to check that disk before copying or opening any files from it.

For downloads, you might consider creating a subfolder within your Downloads folder, perhaps named Unscanned or something similar. Whenever you download a file or save an e-mail attachment that you don't trust 100 percent, save it to that Unscanned folder. Then scan just that folder to make sure all is well. (Real-time protection already checks files as they are written to disk, so this manual scan is a second look, not your only one.) If the files check out okay, move them to any folder you like, or, in the case of a downloaded program, double-click its icon to start the installation.

To do a custom scan, choose the Custom option on the Home tab in Windows Defender and click the Scan Now button. Click to select the drive you want to scan, like the example shown in Figure 38.3. Or, expand any drive icon and select the specific folder you want to scan. Then click OK to start the scan.
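The scan, quarantine review, and custom-scan steps above can also be driven from PowerShell with the Defender module that ships with Windows 10. The following is an added example, not code from the chapter; it assumes an elevated prompt, uses the Unscanned folder the text suggests, and the severity and status tables map the numeric IDs the module returns onto the alert levels shown in the user interface.

```powershell
# Added example: scan an "Unscanned" download folder, report what Defender found,
# and remove anything still active at High or Severe. Run elevated on Windows 10.

$unscanned = Join-Path $env:USERPROFILE 'Downloads\Unscanned'
if (-not (Test-Path $unscanned)) { New-Item -ItemType Directory -Path $unscanned | Out-Null }

# Custom scan of just that folder (Custom > Scan Now in the UI).
# -ScanType QuickScan or FullScan gives the other two options.
Start-MpScan -ScanType CustomScan -ScanPath $unscanned

# The module reports alert level and status as numbers; these tables match the UI labels.
$severity = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Medium'; 4 = 'High'; 5 = 'Severe' }
$status   = @{ 0 = 'Unknown'; 1 = 'Detected'; 2 = 'Cleaned'; 3 = 'Quarantined';
               4 = 'Removed'; 5 = 'Allowed'; 6 = 'Blocked' }

function Get-DefenderDetectionReport {
    # One row per detection (History > All Detected Items), joined to the threat
    # record for its name and alert level.
    foreach ($d in (Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending)) {
        $t = Get-MpThreat -ThreatID $d.ThreatID
        [pscustomobject]@{
            When     = $d.InitialDetectionTime
            Threat   = $t.ThreatName
            Severity = $severity[[int]$t.SeverityID]
            Status   = $status[[int]$d.ThreatStatusID]
            Process  = $d.ProcessName
            Files    = ($d.Resources -join '; ')
        }
    }
}

Get-DefenderDetectionReport | Format-Table -AutoSize

# "Remove" for anything still active at High or Severe. Remove-MpThreat acts on every
# active threat at once (there is no per-item switch), so read the report first and use
# History > Quarantined Items in the UI when you want to keep or restore a single item.
$active = Get-MpThreat | Where-Object { $_.IsActive -and $_.SeverityID -ge 4 }
if ($active) { Remove-MpThreat }
```

The report is worth keeping: on a fleet, collecting its output from each machine tells you which families are landing and through which process (Outlook, a browser, a script host), which is the information you need to tighten the front door rather than just clean up behind it.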

image

FIGURE 38.3 Use Custom scan to scan only specific drives or folders.

Preventing Malicious Software by Using Real-Time Scanning

You've probably heard the saying “An ounce of prevention is worth a pound of cure.” That's certainly true of viruses, spyware, and other malicious software. Getting rid of malicious software that has already infected your computer is a good thing. But preventing it from getting there in the first place is even better. That's where real-time protection comes into play. The term “real-time” means “as it's happening.”

Windows Defender's real-time protection scans files as they are downloaded, copied, opened, or run, whether they arrive from the Internet, e-mail, a network share, or a flash drive. Any virus, spyware, or otherwise suspicious file is blocked before it can run. When Defender detects a potential threat, it alerts you to the issue and quarantines the item.

To turn on real-time protection (it is turned on by default), perform the following steps:

  1. Click the Settings button. The Windows Defender settings window appears (see Figure 38.4).
  2. Set the Real-Time Protection switch to On.
  3. Click the close button at the top right of the window to return to the Windows Defender window.
image

FIGURE 38.4 Configure Windows Defender options with this screen.

If you turn off real-time protection, Windows displays a red banner across the top of the Windows Defender window warning that your PC is at risk, and an alert appears in the notification area telling you to protect your computer, which you do by turning real-time protection back on. Windows 10 also turns real-time protection back on by itself after a short time, so switching it off is only ever a temporary measure.
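Confirming that real-time protection is on is not the same as confirming that it works. The added example below (not from the chapter) checks it end to end using the EICAR test string, a harmless text string that every mainstream scanner detects by design, so nothing malicious is involved. It assumes an elevated PowerShell prompt on Windows 10; the file name and the five-second wait are arbitrary choices.

```powershell
# Added example: prove real-time protection acts on a known-bad file.
# EICAR is an industry-standard, harmless test signature, not malware.
# The file must contain the string alone, written as plain ASCII.

$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$path  = Join-Path $env:TEMP 'eicar-test.txt'

"Real-time protection on: $((Get-MpComputerStatus).RealTimeProtectionEnabled)"

try {
    [System.IO.File]::WriteAllText($path, $eicar, [System.Text.Encoding]::ASCII)
    # The write usually succeeds and Defender quarantines the file a moment later,
    # so give it a few seconds before checking.
    Start-Sleep -Seconds 5
} catch {
    # Defender can also refuse the write outright ("file contains a virus").
    "Write blocked: $($_.Exception.Message)"
}

if (Test-Path $path) {
    Write-Warning "EICAR file is still at $path - real-time protection did not act"
    Remove-Item $path -Force
} else {
    'EICAR file was removed: real-time protection is working'
}

# The event should also appear in Defender's history, naming the file and the
# process that wrote it (here, powershell.exe).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'eicar' } |
    Select-Object InitialDetectionTime, ProcessName, ActionSuccess, Resources
```

If the file survives, the usual causes are an exclusion covering the temp folder, a third-party anti-virus product that has taken over from Defender, or real-time protection that was switched off and has not yet switched itself back on.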

Windows Defender Updates

Each threat that Defender identifies has a definition that describes how to recognize it, its severity, and the recommended action. Definitions are created by Microsoft's analysts, with help from automated analysis, once an item has been found and examined. To keep up with new threats appearing on the Internet, Microsoft publishes new Windows Defender definitions several times a day.

To keep your system as safe as possible, definitions are updated automatically to Windows Defender based on your Windows Update schedule. See Chapter 7 for more information about Windows Updates. You can view information about the Windows Defender updates by clicking the Update tab on the Windows Defender window, as seen in Figure 38.5.

image

FIGURE 38.5 Review the Windows Defender update information.

The Update tab shows the date and time the current definitions were created and the last time your copy of Windows Defender checked for updates. You can also see the version numbers of the virus and spyware definitions installed on your computer. This information is useful for troubleshooting later.

If you want to update your definitions manually, click the Update Definitions button. Windows Defender searches for and downloads all new virus and spyware definitions.
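On more than a handful of machines you will want to check the settings this chapter has covered (real-time protection, Cloud-Based Protection, Automatic Sample Submission, and definition freshness) without clicking through each window. The added example below is not code from the chapter; it assumes an elevated prompt on Windows 10, and the three-day signature-age threshold is an arbitrary choice of ours, not a Microsoft recommendation.

```powershell
# Added example: audit the Defender settings discussed in this chapter and
# repair any that have drifted. Run elevated on Windows 10.

$MaxSignatureAgeDays = 3   # our own threshold; definitions ship several times a day

function Get-DefenderPosture {
    $s = Get-MpComputerStatus
    $p = Get-MpPreference
    [pscustomobject]@{
        AntivirusEnabled     = $s.AntivirusEnabled
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        # MAPSReporting: 0 = off, 1 = basic, 2 = advanced. The "Cloud-based Protection"
        # switch in the UI is on when this is anything but 0.
        CloudProtection      = ($p.MAPSReporting -ne 0)
        # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples,
        # 2 = never send, 3 = send all. The UI switch maps to 1; 2 means it is off.
        SampleSubmission     = ($p.SubmitSamplesConsent -in @(0, 1, 3))
        SignatureVersion     = $s.AntivirusSignatureVersion
        SignatureAgeDays     = $s.AntivirusSignatureAge
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        QuickScanAgeDays     = $s.QuickScanAge
        FullScanAgeDays      = $s.FullScanAge
    }
}

function Repair-DefenderPosture {
    # Put each setting back to the chapter's recommended state, then re-audit.
    $before = Get-DefenderPosture
    if (-not $before.RealTimeProtection) { Set-MpPreference -DisableRealtimeMonitoring $false }
    if (-not $before.CloudProtection)    { Set-MpPreference -MAPSReporting Advanced }
    if (-not $before.SampleSubmission)   { Set-MpPreference -SubmitSamplesConsent SendSafeSamples }
    if ($before.SignatureAgeDays -gt $MaxSignatureAgeDays) {
        Update-MpSignature    # same as the Update Definitions button
    }
    Get-DefenderPosture
}

'--- before ---'; Get-DefenderPosture   | Format-List
'--- after  ---'; Repair-DefenderPosture | Format-List
```

A signature age of more than a few days on a machine that is online usually means Windows Update is blocked or misconfigured rather than a Defender problem, so treat it as a prompt to look at update delivery as well.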

Excluding Files and Folders

In some situations, you might want to exclude certain files or folders from Windows Defender scans. For example, if you know certain folders or files are safe but they take a long time to scan or cause problems when scanned (large virtual disk images and database files are the usual cases), you can exclude them. You can also exclude files by file type. Finally, you can exclude processes (programs with an .exe, .com, or .scr extension), in which case files that the excluded process opens are not scanned by real-time protection. Keep exclusions to a minimum: anything inside an excluded location is never scanned, which makes excluded folders an attractive place for malware to land. Never exclude whole drives, user-writable folders such as Downloads or Temp, or executable and script file types.

To set exclusions, perform the following steps:

  1. Click the Settings button on the Windows Defender window. The Windows Defender settings window appears (as shown earlier in Figure 38.4).
  2. Click the Add an Exclusion link under the Exclusions area. The Add an Exclusion window appears (see Figure 38.6).
  3. Click Exclude a File. The Open dialog box appears, as shown in Figure 38.7.
  4. Locate and select the file you want to exclude.
  5. Click the Exclude This File button. The file name is added below the Exclude a File option. As you add files and folders to exclude, this list grows.
  6. Click Exclude a Folder to specify a folder to exclude. The Open dialog box appears.
  7. Locate and select a folder you want to exclude.
  8. Click the Exclude This Folder button. The folder name is added below the Exclude a Folder option.
  9. Click Exclude a File Extension. The Add Exclusion window appears (see Figure 38.8).
  10. Type a file extension, such as .jpg, into the Enter a New Exclusion Name field.
  11. Click OK. The extension is added below the Exclude a File Extension option.
  12. Click Exclude a .exe, .com, or .scr. The Add Exclusion window appears (see Figure 38.9).
  13. Type the name of the process you want to exclude. If, for example, you want files that Microsoft Word opens to be excluded, type WINWORD.EXE, the name of Word's executable.
  14. Click OK. The process you entered is added below the Exclude a .exe, .com, or .scr option.
  15. Repeat the process for any other exclusion.
  16. When finished, click the close button on the top right of the window.
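The exclusion list is one of the first things an attacker (or a piece of malware with administrator rights) reads and edits, because a payload dropped into an excluded folder is never scanned. The added example below, not code from the chapter, performs the same three kinds of exclusion as the steps above from PowerShell and then audits the whole list for entries that undermine protection. It assumes an elevated prompt on Windows 10; the paths are illustrative, and the risky-pattern lists are our own heuristics rather than anything Defender enforces.

```powershell
# Added example: add the same kinds of exclusion the steps above create, then audit
# every exclusion on the machine for entries that defeat scanning. Run elevated.

Add-MpPreference -ExclusionPath      'C:\Build\Cache'   # a folder (a single file works too)
Add-MpPreference -ExclusionExtension 'vhdx'             # a file type
Add-MpPreference -ExclusionProcess   'WINWORD.EXE'      # files opened by this process

function Get-RiskyDefenderExclusions {
    $p = Get-MpPreference
    $risky = @()

    foreach ($path in $p.ExclusionPath) {
        # A whole drive, or any place an ordinary user or a downloaded script can write,
        # leaves an unscanned landing zone for malware. (Heuristic list, not exhaustive.)
        if ($path -match '^[A-Za-z]:\\?$' -or
            $path -match '\\(Users|Temp|Downloads|AppData|ProgramData)(\\|$)') {
            $risky += [pscustomobject]@{ Type = 'Path'; Value = $path
                                         Reason = 'drive root or user-writable location' }
        }
    }
    foreach ($ext in $p.ExclusionExtension) {
        # Excluding an executable or script type means malware simply uses that extension.
        if ($ext -match '^\.?(exe|dll|com|scr|bat|cmd|ps1|vbs|js|jar|msi)$') {
            $risky += [pscustomobject]@{ Type = 'Extension'; Value = $ext
                                         Reason = 'executable or script type' }
        }
    }
    foreach ($proc in $p.ExclusionProcess) {
        # Files opened by an excluded process skip real-time scanning, so a script host
        # or document application here gives a macro or script free rein.
        if ($proc -match '(?i)(powershell|cmd|wscript|cscript|mshta|rundll32|winword|excel)') {
            $risky += [pscustomobject]@{ Type = 'Process'; Value = $proc
                                         Reason = 'script host or document application' }
        }
    }
    $risky
}

Get-RiskyDefenderExclusions | Format-Table -AutoSize

# The Word process exclusion is exactly the kind the audit flags; remove it again.
Remove-MpPreference -ExclusionProcess 'WINWORD.EXE'
```

Note that the audit flags the WINWORD.EXE exclusion the chapter uses as its example. Excluding a program that opens untrusted documents is convenient for performance but means a macro-laden attachment opened in Word is never inspected on access; if a document application really needs an exclusion, exclude the specific slow file or folder instead.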
image

FIGURE 38.6 You can exclude files, folders, file extensions, and processes from being scanned.

image

FIGURE 38.7 Specify the file to exclude during scanning.

image

FIGURE 38.8 Specify a file extension to exclude from scanning.

image

FIGURE 38.9 Specify a process to exclude from scanning.

Wrapping Up

Malicious software (called malware for short) is computer software that's intentionally written to invade your privacy or cause harm. It is not the kind of thing you purchase or download from legitimate software vendors, and it does not announce its presence on the screen. Rather, it sneaks onto your computer through tainted programs, e-mail attachments, and web pages without your knowledge.

This chapter introduced the following points:

  • Understanding why Windows 10 security is important
  • Securing Windows 10
  • Protecting against malicious software