Using Windows Defender as Antispyware on a domain

[Geoff]

Quick and dirty guide on how to use Windows Defender Beta 2 as an Antispyware solution on a domain, and control the (basic) settings.

Requirements:

A Domain enviroment (duh).
A WSUS Server.

Instructions:

1. Download Windows Defender.

http://www.microsoft.com/downloads/d...displaylang=en

2. Create a new GPO, set it up however you want so it only gets sent to the machines you want (I'm presuming you have 100% XP, I haven't tested w2k).

3. Add the Windows Defender MSI as a software distribution in the machine policy.

4. Go to your WSUS Server. Enable Definition updates for Windows Defender. Autoapprove them too if you like.


Optional (Control settings):

The defaults that the MSI uses are fairly sane. Howver if you want to have a bit more control follow these steps.

1. run 'gpupdate /force /boot' on one of your machines you deployed the MSI to.

2. Once its rebooted, login as admin.

3. Setup Windows Defender how you want it.

4. Run regedit, export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender to defender.reg

5. Manually remove the cruft about Definitions, last scans, and empty keys. You should get a defender.reg that similar to this:

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection]
"EnableUnknownPrompts"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000001
"CheckForSignaturesBeforeRunningScan"=dword:00000000
"ScheduleTime"=dword:000002d0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates]
"UpdateOnStartUp"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet]
"SpyNetReporting"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
"AllowNonAdminFunctionality"=dword:00000000

6. Go back to your Windows Defender GPO. Create a new machine startup script that runs 'regedit /s defender.reg'

7. Your done!

[Netman]

Thanks Geoff - very useful... has anyone tried running this alongside existing AV progs yet?

[Geoff]

Working ok here with Sophos...

[ICTNUT]

Running here as above with McAfee Enterprise Virus Scan ver8.0i

Same here with Sophos.

[tarquel]

Small point but say that you have VNC installed.... how can you make it that Windows Defender will automatically allow installation of it on all machines?

If its already installed and you choose the setting of automatically use the default action during a scan, it will remove it otherwise.

Any thoughts?
Nath

[Geoff]

Alter the exceptions on a client machine. Export the extra registry entries and add them to your .reg file.

[tarquel]

hmmm...perhaps I'm missing something here but I dont see it.

I've allowed it each time on this machine - I Take a look at the reg key you put in the first post and i see no mention in the registry where it allows VNC [i.e. doesnt stop it in its tracks]

Nath.

[Geoff]

Because I didn't have any exceptions at that point in time. I removed all the empty subkeys. Including the one that does exceptions.

Here's the extra line I have for UltraVNC.

Code:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction]
"16555"=dword:00000006