Adjusting Windows Security

Unlike many other antivirus products, Windows Security has a blissfully small number of things that you can or should tweak. Here’s how to get to the settings:

1. Click or tap the search icon (magnifying glass) on the taskbar and type sec. At the top, click or tap Windows Security.

   The main Windows Security screen appears (refer to Figure 3-1).

2. Click or tap Virus & Threat Protection and then click or tap the Scan Options link.

   You see the options for manually running a quick scan, full scan, custom scan, or Microsoft Defender Offline scan. (See the “Microsoft Defender Offline” sidebar.) If you go back to Virus & Threat Protection, you can also change Windows Security’s behavior. If you really want to turn off the main antivirus protections, you can do so here.

3. If you have any reason to fear that your machine’s been taken over by a rootkit, select the Microsoft Defender Offline scan, click or tap Scan Now, and confirm your choice.

   You are signed out of Windows 11. Go have a cup of coffee, and by the time you come back, Microsoft Defender Offline will show you a list of any scummy stuff it caught.

Running Windows Security manually

Windows Security works without you doing a thing, but you can tell it to run a scan if something on your computer is giving you the willies. Here’s how:

1. Click or tap the search icon on the taskbar and type sec. Click or tap Windows Security in the list of search results.

   The main Windows Security screen appears (refer to Figure 3-1).

2. Click or tap Virus & Threat Protection.
3. Under Virus & Threat Protection Updates, click or tap Protection Updates.

4. On the resulting Protection Updates pane (see Figure 3-2), click or tap Check for Updates to get the latest antimalware definitions.

   When you tap or click Check for Updates, Windows Security retrieves the latest signature files from Microsoft but doesn’t run a scan. If you want to run a scan, you need to go back to the Virus & Threat Protection screen and run it.

   

5. Click or tap the back arrow in the top-left corner. Then, to perform a manual scan, click or tap Scan Options. Choose one of the following three options (see Figure 3-3):
   • To perform a quick scan, which looks in locations where viruses and other kinds of malware are likely to hide, select the Quick Scan option and then click or tap Scan Now.
   • To run a full scan, which runs a bit-by-bit scan of every file and folder on the PC, select the Full Scan option and then click or tap Scan Now.
   • To run a custom scan, which is like a full scan, but you get to choose which drives and folders get scanned, select the Custom Scan option, and then click or tap Scan Now and select the folder/partition you want scanned.

   

6. To see what Windows Security has caught and zapped historically, click or tap the Protection History link in the Virus & Threat Protection pane.

   The screen shown in Figure 3-4 appears. Once upon a time, Windows Security would flag infected files and offer them up for you to decide what to do with the offensive file. It appears as if that behavior has been scaled back radically. As best I can tell, in almost all circumstances, when Windows Security hits a dicey file, it quarantines the file — sticks it in a place you won’t accidentally find — and just keeps going. You’re rarely notified (although a notification may slide out from the right side of the screen), but the file just disappears from where it should’ve been.

   If you just downloaded a file and it disappeared, there’s a good chance that it’s infected and Windows Security has whisked it away to a well-guarded location, and the only way you’ll ever find it is in the Protection History tab of the Windows Security program.

   Should you decide to bring the file back, for whatever reason, click or tap the name of the threat, Actions, Allow on Device, and then Yes in the UAC (User Account Control) prompt.

A brief history of BIOS

To understand where Windows is headed, it’s best to look at where it’s been. And where it’s been with BIOS inside PCs spans the entire history of the personal computer. That makes PC-resident BIOS more than 40 years old. The first IBM PC had a BIOS, and it didn’t look all that different from the inscrutable one you swear at now.

The Basic Input/Output System, or BIOS, is a program responsible for getting all your PC’s hardware in order and then firing up the operating system (OS) — in this case, Windows — and finally handing control of the computer over to the OS. BIOS runs automatically when the PC is turned on.

Older operating systems, such as DOS, relied on the BIOS to perform input and output functions. More modern operating systems, including Windows, have their own device drivers that make BIOS control obsolete, after the OS is running.

Every BIOS has a user interface, which looks much like the one in Figure 3-9. You press a key while the BIOS is starting and, using different keyboard incantations, take some control over your PC’s hardware, select boot devices (in other words, tell BIOS where the operating system is located), overclock the processor, disable or rearrange hard drives, and the like.

How UEFI is different from and better than BIOS

BIOS has all sorts of problems, not the least of which is its susceptibility to malware. Rootkits like to hook themselves into the earliest part of the booting process — permitting them to run underneath Windows — and BIOS has a big Kick Me sign on its tail.

UEFI and BIOS can coexist: UEFI can run on top of BIOS, hooking itself into the program locations where the operating system may call BIOS, basically usurping all the BIOS functions after UEFI gets going. UEFI can also run without BIOS, taking care of all the runtime functions. The only thing UEFI can’t do is perform the power-on self-test (POST) or run the initial setup. PCs that have UEFI without BIOS need separate programs for POST and setup that run automatically when the PC is started.

Unlike BIOS, which sits inside a chip on your PC’s motherboard, UEFI can exist on a disk, just like any other program, or in non-volatile memory on the motherboard or even on a network share.

UEFI is very much like an operating system that runs before your final operating system kicks in. UEFI has access to all the PC’s hardware, including the mouse and network connections. It can take advantage of your fancy video card and monitor, as shown in Figure 3-10. It can even access the internet. If you’ve ever played with BIOS, you know that this is in a whole new dimension.

Compare Figure 3-9 with Figure 3-10, and you’ll have some idea where technology’s been and where it’s heading.

BIOS — the entire process surrounding BIOS, including POST — takes a long, long time. UEFI, by contrast, can go by quite quickly. The BIOS program itself is easy to reverse-engineer and has no internal security protection. In the malware maelstrom, it’s a sitting duck. UEFI can run in any malware-dodging way its inventors contrive.

Dual boot in the old world involves a handoff to a clunky text program; in the new world, it can be much simpler, more visual, and controlled by mouse or touch.

More to the point, UEFI can police operating systems before loading them. That could make rootkit writers’ lives considerably more difficult by, for example, refusing to run an OS unless it has a proper digital security signature. Windows Security can work with UEFI to validate OSs before they’re loaded. And that’s where the controversy begins.

How Windows 11 uses UEFI

A UEFI Secure Boot option validates programs before allowing them to run. If Secure Boot is turned on, operating system loaders have to be signed using a digital certificate. If you want to dual boot between Windows 11 and Linux, the Linux program must have a digital certificate — something Linux programs have never required before.

After UEFI validates the digital key, UEFI calls on Windows Security to verify the certificate for the operating system loader. Windows Security (or another security program) can go out to the internet and check to see whether UEFI is about to run an OS that has had its certificate yanked.

In essence, in a dual-boot system, Windows Security decides whether an operating system gets loaded on your Secure Boot-enabled machine.

That curls the toes of many Linux fans. Why should their operating systems be subject to Microsoft’s rules, if you want to dual boot between Windows 11 and Linux?

If you have a PC with UEFI and Secure Boot and you want to boot an operating system that doesn’t have a Microsoft-approved digital signature, you have two options:

• You can turn off Secure Boot.
• You can manually add a key to the UEFI validation routine, specifically allowing that unsigned operating system to load.

Some PCs won’t let you turn off Secure Boot. So, if you want to dual boot Windows 11 and some other operating system on a Windows 11-certified computer, you may have lots of hoops to jump through. Check with your hardware manufacturer.

Understanding Defender Firewall basic features

All versions of Windows 11 ship with a decent and capable, but not foolproof, stateful firewall named Windows Defender Firewall (WDF). (See the nearby sidebar, “What’s a stateful firewall?”)

Windows Defender Firewall inbound protection is on by default. Unless you change something, Windows Defender Firewall is turned on for all connections on your PC. For example, if you have a LAN cable, a wireless networking card, and a 4G USB card on a specific PC, WDF is turned on for them all. The only way Windows Defender Firewall gets turned off is if you deliberately turn it off or if the network administrator on your big corporate network decides to disable it by remote control or install Windows with Windows Defender Firewall turned off.

In unusual and rare circumstances, malware (viruses, Trojans, whatever) have been known to turn off Windows Defender Firewall. If your firewall kicks out, Windows lets you know loud and clear with balloon notifications near the system clock on the desktop.

You can change WDF settings for inbound protection relatively easily. When you make changes, they apply to all connections on your PC. On the other hand, WDF settings for outbound protection make the rules of cricket look like child’s play.

WDF kicks in before the computer is connected to the network. Back in the not-so-good old days, many PCs got infected between the time they were connected and when the firewall came up.

Speaking your firewall’s lingo

At this point, I must go through a bunch of jargon so that you can take control of Windows Defender Firewall. Hold your nose and dive in. The concepts aren’t that difficult, although the terminology sounds like a first-year advertising student invented it. Refer to this section if you become bewildered when wading through the WDF dialog boxes.

As you no doubt realize, the amount of data that can be sent from one computer to another over a network can be tiny or huge. Computers talk with each other by breaking the data into packets (or small chunks of data with a wrapper that identifies where the data came from and where it’s going).

On the internet, packets can be sent in two ways:

• User Datagram Protocol (UDP): UDP is fast and sloppy. The computer sending the packets doesn’t keep track of which packets were sent, and the computer receiving the packets doesn’t make any attempt to get the sender to resend packets that vanish mysteriously into the bowels of the internet. UDP is the kind of protocol (transmission method) that can work with live broadcasts, where short gaps wouldn’t be nearly as disruptive as long pauses, while the computers wait to resend a dropped packet.
• Transmission Control Protocol (TCP): TCP is methodical and complete. The sending computer keeps track of which packets it has sent. If the receiving computer doesn’t get a packet, it notifies the sending computer, which resends the packet. These days, almost all communication over the internet goes by way of TCP.

Every computer on a network has an IP address, which is a collection of four sets of numbers, each between 0 and 255. For example, 192.168.0.2 is a common IP address for computers connected to a local network; the web server that handles the Dummies.com website is at 104.18.4.55. You can think of the IP address as analogous to a telephone number.

Peeking into your firewall

When you use a firewall — and you should — you change the way your computer communicates with other computers on the internet. This section explains what Windows Defender Firewall does behind the scenes so that when it gets in the way, you understand how to tweak it. (You find the ins and outs of working around the firewall in the “Making inbound exceptions” section, later in this chapter.)

When two computers communicate, they need not only each other’s IP address but also a specific entry point called a port — think of it as a telephone extension — to talk to each other. For example, most websites respond to requests sent to port 80 when using HTTP and port 443 when using HTTPS. There’s nothing magical about the number 80 or 443; it’s just the port number that people have agreed to use when trying to get to a website’s computer. If your web browser wants to look at the Dummies.com website, it sends a packet to 104.18.4.55, port 80 or 443, depending on whether you’re using HTTP or HTTPS.

Windows Defender Firewall works by handling all these duties simultaneously:

• It keeps track of outgoing packets and allows incoming packets to go through the firewall if they can be matched with an outgoing packet. In other words, WDF works as a stateful inbound firewall.
• If your computer is attached to a private network, Windows Defender Firewall allows packets to come and go on ports 139 and 445, but only if they came from another computer on your local network and only if they’re using TCP. Windows Defender Firewall needs to open those ports for file and printer sharing. It also opens several ports for Windows Media Player if you’ve chosen to share your media files, for example.
• Similarly, if your computer is attached to a private network, Windows Defender Firewall automatically opens ports 137, 138, and 5355 for UDP, but only for packets that originate on your local network.
• If you specifically told Windows Defender Firewall that you want it to allow packets to come in on a specific port and the Block All Incoming Connections check box isn’t selected, WDF follows your orders. You may need to open a port in this way for online gaming, for example.
• Windows Defender Firewall allows packets to come into your computer if they’re sent to the Remote Assistance program, as long as you created a Remote Assistance request on this PC and told Windows to open your firewall (see Book 7, Chapter 3). Remote Assistance allows other users to take control of your PC, but it has its own security settings and strong password protection. Still, it’s a known security hole that’s enabled when you create a request.
• You can tell Windows Defender Firewall to accept packets directed at specific programs. Usually, any company that makes a program designed to listen for incoming internet traffic (Skype is a prime example, as are any instant-messaging apps) adds its program to the list of designated exceptions when the program is installed.
• Unless an inbound packet meets one of the preceding criteria, it’s simply ignored. Windows Defender Firewall swallows it without a peep. Conversely, unless you’ve changed something, any and all outbound traffic goes through unobstructed.

Making inbound exceptions

Firewalls can be infuriating. You may have a program that has worked for a hundred years on all sorts of computers, but the minute you install it on a Windows 11 machine with Windows Defender Firewall in action, it just stops working, for absolutely no apparent reason.

You can get mad at Microsoft and scream at Windows Defender Firewall, but when you do, realize that at least part of the problem lies in the way the firewall has to work. (See the “Peeking into your firewall” section, earlier in this chapter, for an explanation of what your firewall does behind the scenes.) It has to block packets that are trying to get in, unless you explicitly tell the firewall to allow them to get in.

Perhaps most infuriatingly, WDF blocks those packets by simply swallowing them, not by notifying the computer that sent the packet. Windows Defender Firewall has to remain stealthy because if it sends back a packet that says, “Hey, I got your packet, but I can’t let it through,” the bad guys get an acknowledgment that your computer exists, they can probably figure out which firewall you’re using, and they may be able to combine those two pieces of information to give you a headache. It’s far better for Windows Defender Firewall to act like a black hole.

Some programs need to listen to incoming traffic from the internet; they wait until they’re contacted and then respond. Usually, you know whether you have this type of program because the installer tells you that you need to tell your firewall to back off.

If you have a program that doesn’t (or can’t) poke its own hole through Windows Defender Firewall, you can tell WDF to allow packets destined for that specific program — and only that program — in through the firewall. You may want to do that with a game that needs to accept incoming traffic, for example, or for an Outlook extender program that interacts with smartphones.

To poke a hole in the inbound Windows Defender Firewall for a specific program:

1. Make sure that the program you want to allow through Windows Defender Firewall is installed.

2. Click or tap the search icon and type firewall. Choose Allow an App through Windows Firewall.

   Windows Defender Firewall presents you with a lengthy list of apps that you may want to allow (see Figure 3-13). If a box is selected, Windows Defender Firewall allows unsolicited incoming packets of data directed to that program and that program alone, and the column tells you whether the connection is allowed for private or public connections.

   These settings don’t apply to incoming packets of data that are received in response to a request from your computer; they apply only when a packet of data appears on your firewall’s doorstep without an invitation.

   

   In Figure 3-13, the Windows Maps app is allowed to receive inbound packets whether you’re connected to a private or public network. Windows Media Player, on the other hand, may accept unsolicited inbound data from other computers only if you’re connected to a private network: If you’re attached to a public network, inbound packets headed for Windows Media Player are swallowed by the Windows Defender Firewall Black Hole (patent pending).

3. Click or tap Change Settings, and do one of the following:

   • If you can find the program that you want to poke through the firewall listed in the Allow Programs list, select the check boxes that correspond to whether you want to allow the unsolicited incoming data when connected to a home or work network and whether you want to allow the incoming packets when connected to a public network. It’s rare indeed that you’d allow access when connected to a public network but not to a home or work network.
   • If you can’t find the program that you want to poke through the firewall, you need to go out and look for it. Click or tap the Allow Another App button at the bottom and then click or tap Browse.

   Windows Defender Firewall goes out to all common program locations and finally presents you with the Whack a Mol … er, Add an App list like the one shown in Figure 3-14. It can take a while.

   

4. Browse to the program’s location and select it. Then click or tap Open, and then Add.

   You return to the Windows Defender Firewall Allowed Apps list (refer to Figure 3-13), and your newly selected program is now available.

5. Select the check boxes to allow your poked-through program to accept incoming data while you’re connected to a private or a public network. Then click or tap OK.

   Your poked-through program can immediately start handling inbound data.

In many cases, poking through Windows Defender Firewall doesn’t solve the whole problem. You may have to poke through your modem or router as well — unsolicited packets that arrive at the router may get kicked back according to the router’s rules, even if Windows 11 would allow them in. Unfortunately, each router and the method for poking holes in the router’s inbound firewall differ. Check the site https://portforward.com/router.htm for an enormous amount of information about poking through routers.