Microsoft Windows Defender helps provide real-time protection by implementing the following interfaces:
- IShellExecuteHook
- IAttachmentExecute
- IOfficeAntiVirus
Windows Defender registers itself as a shell execute hook. Windows Defender can block known bad commands from passing through the shell execute chain before they are executed.
Windows Defender implements the IOfficeAntiVirus interface to scan Microsoft ActiveX controls that Internet Explorer installs. Additionally, the IAttachmentExecute interface calls the IOfficeAntiVirus interface after Windows Defender enables the Attachment Manager Group Policy object. The IAttachmentExecute interface calls the IOfficeAntiVirus interface at that time to request that antivirus providers scan attachments.
You can configure the IAttachmentExecute Group Policy setting in the following ways.
| Group Policy | Registry entry |
| User Configuration\Administrative Templates\Windows Components\Attachment Manager | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus
|
By default, the IAttachmentExecute Group Policy setting is set to Off. The corresponding registry value of the ScanWithAntiVirus registry entry is 1. When the value is set to 2, the policy is set to On.
When you install Windows Defender, it enables the Attachment Manager policy. It enables this policy so that Windows Defender will scan files that you download by using Microsoft Internet Explorer or by using Microsoft Outlook Express before you open the files.