Microsoft Windows Defender helps provide real-time protection

INTRODUCTION

Microsoft Windows Defender helps provide real-time protection by implementing the following interfaces:
  • IShellExecuteHook
  • IAttachmentExecute
  • IOfficeAntiVirus
Windows Defender registers itself as a shell execute hook. Windows Defender can block known bad commands from passing through the shell execute chain before they are executed.

Windows Defender implements the IOfficeAntiVirus interface to scan Microsoft ActiveX controls that Internet Explorer installs. Additionally, the IAttachmentExecute interface calls the IOfficeAntiVirus interface after Windows Defender enables the Attachment Manager Group Policy object. The IAttachmentExecute interface calls the IOfficeAntiVirus interface at that time to request that antivirus providers scan attachments.

You can configure the IAttachmentExecute Group Policy setting in the following ways.
Group PolicyRegistry entry
User Configuration\Administrative Templates\Windows Components\Attachment ManagerHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
By default, the IAttachmentExecute Group Policy setting is set to Off. The corresponding registry value of the ScanWithAntiVirus registry entry is 1. When the value is set to 2, the policy is set to On.

When you install Windows Defender, it enables the Attachment Manager policy. It enables this policy so that Windows Defender will scan files that you download by using Microsoft Internet Explorer or by using Microsoft Outlook Express before you open the files.

More Information

For more information about the IOfficeAntiVirus interface, visit the following Microsoft Web site:
For more information about the IAttachmentExecute interface, visit the following Microsoft Web site:
Properties

Article ID: 914922 - Last Review: Jul 1, 2010 - Revision: 1

Feedback