Microsoft KB Archive/944019

= Description of how Windows Defender detects software that is not categorized by risk level =

Article ID: 944019

Article Last Modified on 1/3/2008


APPLIES TO


 * Windows Defender




INTRODUCTION
Windows Defender can be configured to monitor changes that cause unclassified software to automatically run on your computer. This article describes how Windows Defender detects software that is not classified by risk category.



MORE INFORMATION
If a user selects the option to be notified when unclassified software is detected, Windows Defender displays prompts to the user that contain details of the changes.

Note: This option is selected automatically for users who join the SpyNet community as advanced users. (This setting can be disabled or re-enabled after a user joins SpyNet.)

Unclassified software still starts and runs correctly unless the user takes explicit action to block the software by using Windows Defender or other methods. Windows Defender does not prompt users about unclassified software that does not automatically start or that does not modify the configuration of the computer.

The Microsoft Malware Protection Center research team analyzes unclassified software for violations by using objective criteria. For more information, visit the following Microsoft Web site:

http://www.microsoft.com/athome/security/spyware/software/msft/analysis.mspx

Software is added to a list of known malware based on the prevalence of recent reports. This prevalence is measured by reports from valid Authenticode code signing certificates and then by recent reports from individuals. For more information, visit the following Microsoft Web site:

http://msdn2.microsoft.com/en-us/library/ms537359.aspx

Many files can be signed by using the same Authenticode certificate, and Windows Defender can recognize that these certificates are legitimate. This behavior guarantees that new, correctly Authenticode-signed files that have that certificate will automatically be on a known software list without additional action by the ISV or by the research team. If any harmful or potentially unwanted software is Authenticode-signed by a certificate, that signing certificate will not be added to the known software list, or the certificate will be removed from the known software list.

Vendors should not contact Microsoft directly if their software is on the known malware list. However, vendors can help protect their customers who have Windows Defender by using the following methods:

 * Follow the guidelines that are described in the "Microsoft Privacy Guidelines for Developing Software Products and Services" document. To download these guidelines, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en
 * Use Authenticode code signing.
 * Encourage users to join the SpyNet community.
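
For the "Use Authenticode code signing" recommendation, a vendor can check before release that every binary in a build carries a valid signature from the one expected certificate, since recognition is tied to the signing certificate rather than to individual files. The following PowerShell is an added example, not part of the original article; the function names, the folder path and the thumbprint placeholder are assumptions.

```powershell
# Added example (not from the KB article). Function names, the folder path and
# the thumbprint placeholder are assumptions; substitute your own values.

function Get-SigningReport {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Include = @('*.exe', '*.dll', '*.sys', '*.msi')
    )
    Get-ChildItem -Path $Path -Recurse -File -Include $Include | ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File        = $_.FullName
            Status      = $sig.Status    # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Thumbprint  = if ($cert) { $cert.Thumbprint } else { '(none)' }
            Subject     = if ($cert) { $cert.Subject }    else { '(unsigned)' }
            Timestamped = [bool]$sig.TimeStamperCertificate
        }
    }
}

function Test-ReleaseSigning {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint
    )
    $report = @(Get-SigningReport -Path $Path)

    # One row per signing certificate: many files should map to a single cert.
    $report | Group-Object Thumbprint | ForEach-Object {
        '{0,5} file(s)  {1}  {2}' -f $_.Count, $_.Name, $_.Group[0].Subject
    } | Write-Host

    # Anything unsigned, tampered, untrusted, or signed by another cert fails the gate.
    $bad = @($report | Where-Object {
        $_.Status -ne 'Valid' -or $_.Thumbprint -ne $ExpectedThumbprint
    })
    $bad | Format-Table Status, Thumbprint, File -AutoSize | Out-String | Write-Host
    return ($bad.Count -eq 0)
}

# Usage (constructed values):
#   Test-ReleaseSigning -Path 'C:\build\release' -ExpectedThumbprint '<YOUR-CERT-THUMBPRINT>'
```

A `$false` result means at least one file is unsigned, fails verification, or was signed with a certificate other than the expected one.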

Keywords: kbexpertiseinter kbinfo KB944019


© Microsoft Corporation. All rights reserved.