How Windows Vista Helps Protect Computers From Malware

Introduction & Understanding Malware

A significant portion of enterprise help desk costs is related to malware, and computer manufacturers spend millions each year handling support calls related to malware. Microsoft Windows Vista, Microsoft's next client operating system, includes technologies to reduce these costs.

This paper first explains Microsoft's definition of malware. Then, the paper discusses the most significant malware countermeasures in Windows Vista, including User Account Control (UAC), Internet Explorer Protected Mode, Windows Defender, Windows Service Hardening, and the Windows Security Center. Finally, this paper discusses how these technologies can prevent and mitigate malware in real-world scenarios.

Understanding Malware

Security threats have changed quickly throughout the history of computing to adapt to each generation of operating system. In the past several years, malware (a broad term that encompasses viruses and worms as well as spyware and other potentially unwanted software) has been an area of significant growth.

The malware landscape is complicated. Some software, such as viruses and worms, is simple to classify as malware because it is clearly malicious. Other software is clearly legitimate and is not classified as malware. However, many applications exist in the space between clearly malicious and clearly legitimate software. These applications are more difficult to classify because they exhibit behaviors that may be legitimate or may be unauthorized, depending on the context. Table 1 below lists some of the ambiguous behaviors that malware and legitimate software may share.

Table 1. Ambiguous behaviors shared by malware and legitimate software (in the Example column, + marks a legitimate example and – marks a malicious one)

| Potential for harm | Behavior | Description | Example | Category |
|---|---|---|---|---|
| None | Advertising | Displays ads | + Ad-supported software / – Unauthorized pop-ups | Not malware |
| | Collects data | Collects personal data | + Authorized search toolbar / – Covert data collector | Potential spyware or other unwanted software |
| | Changes settings | Changes configuration | + Settings utilities / – Browser hijacker | Potential spyware or other unwanted software |
| Moderate | Monitoring | Records keystrokes | + Parental controls / – Keystroke loggers | Potential spyware or other unwanted software |
| | Dialing | Auto-dials toll numbers | + ISP software / – 900-number dialers | Potential spyware or other unwanted software |
| | Remote usage | Remotely uses resources | + Cycle sharing programs / – Backdoor software | Potential spyware or other unwanted software |
| Extreme | Known bad | Clearly malicious (e.g., virus) | – Sasser | Viruses |

Because of this ambiguity, the user's intentions are the ultimate determinant of whether an application that exhibits potentially unwanted behavior is malware. For example, most users would consider keystroke monitoring software to be malware. However, to a parent monitoring their child's safety online, it serves a very useful and valid purpose.

Microsoft uses the term "spyware and potentially unwanted software" to refer to software that is unwanted but is not unambiguously harmful. Our definition of malware includes both clearly malicious viruses and worms and the more ambiguous spyware and potentially unwanted software.

Software such as viruses and worms can spread from computer to computer by exploiting software vulnerabilities or by tricking users with social engineering techniques. Spyware and potentially unwanted software spread via these techniques and also by seemingly legitimate installations initiated by users. Users may install an application and, because of inadequate notice and consent, be unaware of the undesired functionality of the program or of the software it came bundled with.

Due to the challenges in identifying malware, it may be impossible to eliminate the threat completely. However, with Windows Vista, Microsoft has attempted to put users in control of malware threats. Windows Vista provides more protection from applications that would run or install without user consent, the ability to detect and remove many types of malware, and other security features that limit the damage caused by malware. The sections that follow describe how Windows Vista provides this control.