Utility Spotlight: Scan for Malware Outside of Windows
The Microsoft Windows Defender Offline tool scans a PC before Windows loads via a bootable CD or USB drive.
You’re undoubtedly running antivirus software on your Windows client computers. Sometimes, however, your PCs can be infected by rootkit viruses and other malware that surfaces during the initial boot sequence. In these cases, you might need to scan a PC before Windows even loads, especially if Windows is unable to load at all. That’s where you’ll need a tool like Microsoft Windows Defender Offline (WDO).
WDO lets you scan for and remove malware outside of Windows. The tool creates a bootable CD or USB drive with the necessary files to scan a PC and remove any viruses it uncovers. WDO also offers a variety of options that let you customize the scan routines.
Download WDO from its dedicated product page. Choose either the 32-bit or 64-bit version, depending on the edition of Windows you need to scan. Then run the downloaded executable file mssstool32.exe or mssstool64.exe.
The WDO welcome screen explains the purpose of the tool and what you’ll need to use it (see Figure 1). Click Next. Then click Accept at the Software License Terms screen.
Figure 1 The Microsoft Windows Defender Offline Tool welcome screen lets you know what you’ll need to successfully run the tool.
At the startup media screen (see Figure 2), insert the media you wish to use. You can choose a blank CD or a USB drive with at least 256MB of space. Make sure the USB drive doesn’t have any critical files and isn’t password-protected. WDO will need to format your USB drive during the process of creating the boot media. A third option lets you create an ISO file you can burn onto a CD at a later time. Finally, you also need to be online, as the tool will download the latest file updates from Microsoft.
Figure 2 The Microsoft Windows Defender Offline Tool provides three options for media installation.
For this example, we’ll choose the USB drive option. Insert the USB media in your PC and click Next. If you have more than one USB device connected to your PC, you’ll need to confirm which one to use for installing the tool. The tool downloads and processes the necessary files, formats the USB drive and then loads the files to the drive (see Figure 3). When the process is completed, click Finish.
Figure 3 The Microsoft Windows Defender Offline tool status bar and installation steps let you follow the process.
Insert the USB drive into the computer you wish to scan and choose the option to boot off the USB media. Your PC loads the Windows Preinstallation Environment and then launches WDO.
WDO starts by running a quick scan on your PC, which checks your Windows system folder, startup folders and Registry. The scan takes several minutes, depending on the number of files it needs to analyze. The tool alerts you if it discovers any malware. At that point, you have several options.
You can clean the file. This process will attempt to remove the virus, but keep the infected file intact. You can also let the file remain as is if you believe the malware detection to be a false positive.
You can remove the infected file completely, though that could be problematic if it’s a critical system file. You can quarantine the file if you wish to save it for further analysis. You can also choose to clean the computer. This will clean all infected files on the PC. The tool reports back on the success of the action you chose.
If the quick scan doesn’t reveal any malware, you can run a full scan from the tool’s Home tab. This will analyze all the files and locations on your hard drive. Another option is a custom scan, which lets you choose which folders and files to analyze.
The Update tab is supposed to let you update the virus definition files stored on the bootable media. However, during my testing, this process failed to work consistently. A more reliable way to update your boot media is to simply rerun the initial process from the mssstool32.exe or mssstool64.exe files. You’ll want to update the media from time to time as Microsoft releases new definition files on a regular basis.
The History tab displays a list of all files you have quarantined, allowed or detected. The Settings tab lets you exclude specific files, file types and locations from the scan. Finally, you can opt to join the Microsoft Active Protection Service, which sends the company key information about any malware and infected files discovered on your PCs.
You can create your boot media on any Windows computer. WDO itself is compatible with Windows XP SP3, Windows Vista, Windows 7 and Windows 8 RTM.
WDO works only outside of Windows. As such, it doesn’t provide any type of active scanning. Therefore, it’s not a substitute for standard antivirus software. You’ll find it can be useful if one of your client PCs is infected by a rootkit virus or similar malware that you need to remove before you load Windows on that system.