Windows Defender APIs


Windows Vista includes Windows Defender to help detect and remove certain kinds of potentially unwanted software, such as spyware. It is not a replacement for a full-featured antivirus package, however. If you are an ISV that builds an antimalware tool, you may want to disable Windows Defender programmatically. To protect users, you should only disable Windows Defender after:

  1. You have successfully turned on your antispyware solution with the recommended settings and

  2. You have notified the user that Windows Defender is going to be disabled.

Windows Vista exposes two functions to enable and disable Windows Defender and another to determine the current status of Windows Defender. Only administrators can enable or disable Windows Defender.

The following code detects whether Windows Defender is disabled and, if it is, turns it on.

 #include <windows.h>
 #include <shlobj.h>
 #include <stdio.h>

 // Signatures of the two exports in MpClient.dll
 typedef HRESULT (WINAPI *WDSTATUS)(BOOL*);
 typedef HRESULT (WINAPI *WDENABLE)(BOOL);

 HRESULT EnsureWindowsDefenderEnabled(void)
 {
    // Get the path to Program Files, it might be localized
    wchar_t wszPath[MAX_PATH];
    HRESULT hr = SHGetFolderPathAndSubDir(
                     NULL,
                     CSIDL_PROGRAM_FILES,
                     NULL,
                     SHGFP_TYPE_CURRENT,
                     L"Windows Defender",
                     wszPath);
    if (FAILED(hr))
       return hr;

    wcscat_s(wszPath, MAX_PATH, L"\\MpClient.dll");

    // Load by full path so that a DLL of the same name earlier in the
    // search order cannot be picked up instead of the real MpClient.dll
    HMODULE h = LoadLibrary(wszPath);
    if (!h) {
       DWORD dwErr = GetLastError();
       return HRESULT_FROM_WIN32(dwErr);   // keep the HRESULT return convention
    }

    WDSTATUS pfnWDStatus = (WDSTATUS)GetProcAddress(h, "WDStatus");
    WDENABLE pfnWDEnable = (WDENABLE)GetProcAddress(h, "WDEnable");
    if (pfnWDStatus && pfnWDEnable) {
       BOOL fEnabled = FALSE;
       hr = pfnWDStatus(&fEnabled);
       if (SUCCEEDED(hr)) {
          if (fEnabled) {
             wprintf(L"Windows Defender is already enabled.\n");
          } else {
             // Enabling requires the caller to be an administrator
             hr = pfnWDEnable(TRUE);
             if (SUCCEEDED(hr)) {
                wprintf(L"Windows Defender is now enabled.\n");
             } else {
                wprintf(L"Could not enable Windows Defender, err = %X.\n", hr);
             }
          }
       }
    } else {
       // One or both exports are missing; do not report success
       hr = HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND);
    }
    FreeLibrary(h);
    return hr;
 }

Read the Windows Defender Policy Documentation!

As soon as possible, you should read two very important Windows Defender policy documents, “Windows Defender Antispyware Cycle” (Microsoft 2006c) and “How Windows Defender Identifies Spyware” (Microsoft 2006d).

Sign Your Code

We have already discussed how important signing your code is to provide users a smoother UAC experience, but signing software also has a less obvious benefit in that it allows an analyst at Microsoft to speed the analysis process, resulting in a shorter time period where new software is listed as “Not Yet Classified” in Windows Defender's Software Explorer. Windows Defender is designed to provide visibility and control to the individual as to what is allowed to run on his or her computer. To do this, the Microsoft Security Research & Response team must analyze and rate software based on the specific behaviors of the software. In cases where the behaviors go against the objective criteria described at the Windows Defender Web site (Microsoft 2006d) that software will generate an alert. In the case where the analysis shows the software is free of potentially unwanted behaviors, it can be marked as known, thereby suppressing alerts. In cases where the software has not yet been analyzed, it will appear in Windows Defender’s Software Explorer (and potentially in events in the event log) as “Not Yet Classified,” which is discussed next.

Request to Be Added to the Windows Defender “Known or Not Yet Classified” Lists

Microsoft does not accept submissions from vendors or individuals for inclusion of a specific piece of software in the “Known” list. Programs are considered for addition to the “Known” list based on input from users through SpyNet, the opt-in telemetry system used by Windows Defender. A high threshold of Windows Defender users must have reported the program to SpyNet, and a significant majority of those users must have elected to “Allow” the program to run on their computer. After these criteria have been met, Microsoft’s research team then reviews this list of candidates to confirm that these programs are not known to have issues with potentially unwanted behavior and are not currently under investigation.

Programs listed as “Known” are commonly used and allowed by SpyNet participants and do not appear to have issues with potentially unwanted behavior. Programs raised as “Unknown” to the user are less commonly used and/or allowed among SpyNet participants. It is important to note that programs marked “Unknown” are not necessarily spyware or other forms of potentially unwanted software. These programs are raised to the user's attention so that they can make an informed decision about what runs on their computer. To help minimize the possibility of confusion, alerts relating to software that is “Not Yet Classified” are suppressed by default but will appear in the Event Log and in Windows Defender Software Explorer.



Writing Secure Code for Windows Vista
ISBN: 0735623937
Year: 2004
Pages: 122
