Microsoft’s Free Security Tools – Windows Defender Offline

This article in our series focused on Microsoft’s free security tools is on a tool called Windows Defender Offline.  Windows Defender Offline is a standalone software application that is designed to help detect malicious and other potentially unwanted software, including rootkits that try to install themselves on a PC.  Once on a PC, this software might run immediately, or it might run at unexpected times. Windows Defender Offline works by scanning an operating system to check the authenticity of any communication the operating system has with the Internet. If there is an application deemed unsafe, it will alert the user and block the contents of the application until the user either accepts or denies the risk.

Many of the enterprise customers I talk to about malware have told me that when they find a system in their environment that is infected, they simply reformat the system and install a clean copy of their standard desktop or server image.  They do this because for them it’s the fastest, most efficient way to recover the system.  In these types of situations, running Windows Defender Offline might help to resolve the issue and eliminate the need to reformat the system.  It might also provide valuable information on the malware infection that could help to protect other systems in the environment. 

The primary benefit of using this tool is that it runs before malware, such as rootkits, can hide. When you perform a post-event malware scan and remediation by running the scan on a system infected with advanced low-level malware, the malware has a chance to run first. The malware itself may be intercepting the antimalware software’s attempts to inspect, take actions, or communicate to the user. When you run an “offline” tool like Windows Defender Offline, you’re bringing your own known-good, clean operating environment with you along with the scanner. You are booting the computer from that clean operating environment, and then running the scanner and inspecting the potentially compromised hard disk’s operating system, programs and data. As such, there’s integrity in the system during the “offline” scan. Malware that’s deeply rooted in the operating system won’t have the opportunity to run and hide before the scanner starts. The malware exists on the disk where it can be found and mitigated but is not actually running, so it’s inhibited from being able to intercept and interfere with the scanner’s activities.

Microsoft provides both a 32-bit and 64 -it version of the software for download:

Because Windows Defender Offline works from a clean environment, it’s a good idea if you can get access to another computer running Windows that you know is free from infection. You can use this “known-good” computer to download and install Windows Defender Offline onto removable media, such as a CD, DVD or USB flash drive, as described in Step #1 below. Using a second, known-good computer will ensure that any malware you may have on your infected PC doesn’t interfere with the download of Windows Defender Offline.  If you can’t use a separate, known-good computer, then by all means it’s worth trying to download and install the tool with the infected PC, however Windows Defender Offline may not operate correctly.

To use Windows Defender Offline, you need to follow four basic steps:

Step #1 Find a blank CD, DVD, or USB flash drive with at least 250 MB of free space. On a known-good (or “uninfected”) machine, download and run Windows Defender Offline – the tool will help you install it on your blank CD, DVD or USB flash drive:

Step #2 Insert the Windows Defender Offline media you created in Step #1 into the potentially infected PC and restart the PC.  You will be prompted to run a scan:

 Step #3 Scan your PC for malicious and other potentially unwanted software.

Step #4 If Windows Defender Offline finds any malware on the infected PC, it will allow you to ‘Clean PC’, which will remove or quarantine the affected files:

Windows Defender Offline will walk you through the details of these four steps when you’re using the tool. If you’ve been prompted in Microsoft Security Essentials or Windows Defender to download and run Windows Defender Offline, it’s important that you do so to make sure that your data and your PC isn’t compromised.

Because new threats appear daily, it’s important to always have the most up-to-date version of Windows Defender Offline. Armed with up-to-date definition files, Windows Defender Offline can detect malicious and potentially unwanted software, and then notify you of the risks.

Tim Rains
Trustworthy Computing







About the Author
Tim Rains

Chief Security Advisor, Microsoft Worldwide Cybersecurity & Data Protection

Tim Rains is Chief Security Advisor of Microsoft’s Worldwide Cybersecurity & Data Protection group where he helps Microsoft’s enterprise customers with cybersecurity strategy and planning. Formerly, Tim was Director Cybersecurity & Cloud Strategy in Trustworthy Computing at Microsoft, where he Read more »