Windows Defender Offline is a free standalone, bootable malware and virus remover from Microsoft that performs an offline scan of an infected PC to remove viruses, rootkits and other advanced malware.
This tutorial will show you how to update and use the Windows Defender Offline Tool to create a 32-bit or 64-bit Windows Defender Offline bootable CD/DVD, USB flash drive, or ISO file on any computer to help you start an infected 32-bit or 64-bit PC and perform an offline scan at boot to help identify and remove rootkits and other malicious malware. In addition, Windows Defender Offline can be used if you cannot install or start an antivirus program on your computer, or if the installed AV program can’t detect or remove malware on your computer.
The log files for Windows Defender Offline are stored in a MPLog-MM/DD/YYYY-HH/MM/SS .txt file in the folder below on the computer that was scanned at boot.
For both the PC infected with a virus or malware, and the PC that you are creating the bootable media on, you'll need PCs with the following minimum requirements.
Operating system:
Windows XP (Service Pack 3)
Windows Vista (RTM, Service Pack 1, or Service Pack 2, or higher)
Windows 7 (RTM, Service Pack 1, or higher)
Windows 8
Processor:
Windows XP: 500 MHz or higher
Windows Vista, Windows 7, and Windows 8: 1.0 GHz or higher
Memory:
Windows XP: 768 MB RAM or higher
Windows Vista, Windows 7, and Windows 8: 1 GB RAM or higher
Video resolution: 800 × 600 or higher
Available hard disk space: 500 MB
For the PC infected by a virus or malware:
The PC must have the same Windows operating system (OS) architecture 32-bit or 64-bit as Windows Defender Offline. Bootable media created on any version of Windows can be run on any other version of Windows. The only thing that needs to match is the architecture of Windows Defender Offline and the OS of the infected machine.
Internet connection: Only required to update the latest malware definitions for a Windows Defender Offline bootable USB flash drive.
In addition, BitLocker must be disabled to use Windows Defender Offline Beta.
For the PC on which you create the bootable media:
Administrator account: A user account with administrator privileges to create the bootable media.
Internet connection: An Internet connection to install and download the latest virus and spyware definitions for Windows Defender Offline.
Internet browser: Windows Internet Explorer 7.0 or higher, or Mozilla Firefox 3.0 or higher.
Media: A CD, DVD, or USB flash drive with at least 250 MB of free space.
Tip
If you get a Error Code 0x8004cc04, Error Code 0x8004cc05, or Error Code 0x8050800c while using Windows Defender Offline, then please see the same suggested solutions here for MSSS.
If you have UEFI, then Windows Defender Offline is now able to boot with Secure Boot ENABLED.
Warning
For obvious reasons, the "Windows Defender Offline" bootable CD/DVD, USB flash drive, or ISO should be created on a different computer other than the one that you suspect may be infected with malware.
STEP ONE
To Create a "Windows Defender Offline" Bootable CD/DVD, USB Flash Drive, or ISO File
1. If you have not already, you will need to download the same 32-bit or 64-bit version of Windows Defender Offline Tool at the download link below for the same 32-bit or 64-bit Windowsthat is installed on the computer that you will be scanning at boot, and save the exe file to your desktop.
2. Run the downloaded mssstool64.exe (64-bit) or mssstool32.exe (32-bit) file, and click on Next. (see screenshot below)
3. Click on the I accept button. (see screenshot below) NOTE:You will only be prompted for this the first time that you run the Windows Defender Offline Tool.
4. Do step 5, 6, or 7 below for what type of bootable "Windows Defender Offline" CD/DVD, USB, or ISO that you would like to create to scan with. (see screenshot below)
5. To Create a"Windows Defender Offline" Bootable CD or DVD
A) Insert a blank unformatted CD or DVD into the CD/DVD drive. NOTE:If a AutoPlay window opens afterwards, close it.
B) Select (dot) Use a blank CD or a DVD, and click on Next. (see screenshot below step 4)
C) If you have more than one DC/DVD drive, then select the CD/DVD drive with the blank CD/DVD in it, and click on Next. (see screenshot below)
D) When it's finished, click on Finish. (see screenshot below) NOTE:Be sure to label the CD/DVD as being able to only be used on a 32-bit or 64-bit Windows computer at boot.
E) Go to step 8.
6. To Create a "Windows Defender Offline" Bootable USB Flash Drive
Note
If you run the Windows Defender Offline Tool again on the same USB flash drive, and if the following conditions below are met, the tool will only download new updated malware definitions (approx. 69.48 MB) and update the USB drive without reformatting it.
The USB flash drive has Windows Defender Offline previously installed on it.
The Windows Defender Offline Tool version that was used to create the bootable USB flash drive the first run is the same as the one being used for the second run.
Files on the USB flash drive are not damaged or missing (the tool will verify that).
A) Connect a USB flash drive that is not password protected to your computer. WARNING:This USB drive will be formated during this process, so be sure to backup anything that you do not want to lose to another location first.
B) Select (dot) On a USB flash drive that is not password protected, and click on Next. (see screenshot below step 4)
C) If you have more than one USB drives connected, then select the one that you want to use, and click on Next. (see screenshot below)
D) When it's finished, click on Finish. (see screenshot below)
E) Go to step 8.
7. To Create a "Windows Defender Offline" Bootable ISO File
A) Select (dot) Create Standalone System Sweeper on an ISO File, and click on Next. (see screenshot below step 4)
B) Select (browse) where you would like to save the ISO file to, and click on Next. (see screenshots below)
C) When it's finished, click on Finish. (see screenshot below)
8. You will now be able to boot from the 32-bit or 64-bit CD/DVD, USB, or ISO that you created to run Windows Defender Offline on the same 32-bit or 64-bit computer as in the STEP TWO section below when you like.
STEP TWO
To Scan a Computer with the Bootable CD/DVD or USB Flash Drive
1. Insert or connect the same 32-bit or 64-bit Windows Defender Offline bootable CD/DVD or USB flash drive to the same type of 32-bit or 64-bit Windows computer that you want to scan at boot. NOTE:For example, you can only use a created 32-bit USB on a 32-bit computer at boot, and you can only use a created 64-bit USB on a 64-bit computer at boot.
2. In the BIOS or Boot Menu of the computer that you want to scan, be sure that you have it set to boot from the CD/DVD or USB flash drive created in the STEP ONE section above, and boot from it. NOTE:Please consult your computer's or motherboard's manual for exact details on how to do this.
3. This is what you will see while it's booting from the CD/DVD or USB flash drive.
4. When Windows Defender Offline has booted, you will be able to update the definitions and select what type of scan you would like to run on the computer. A Full Scan is recommended, and could take several hours to complete. NOTE:You will only be able to update the definitions at boot if you are using a bootable USB flash drive with a internet connection, and not with a bootable CD/DVD.
5. When finished, close Windows Defender Offline to restart the computer back into Windows.
One question....stated at the bottom of the download page is the message that your computer must be able to run Microsoft Security Essentials. Does this mean that MSE will be installed and will this conflict with Norton 360 version 5 which I currently use? I have always thought that one should never have two AV programmes installed since they may interfere with each other, and Windows doesn't like it.
System Manufacturer/Model Number Mesh 955 XGS OS Windows 7 64 bit CPU Athlon X4 955 Black edition Motherboard ASUS M4A78 Pro Memory 8GB DDR2 Graphics Card 1x Radeon 4890 Monitor(s) Displays IIyama ProLite E2208HDS Screen Resolution 1920X1080p
Keyboard MS wireless 6000 Mouse MS wireless laser 7000 PSU 600 watt Cooling Standard Hard Drives 2x 1TB Samsung SATA2
1x 320GB IDE Internet Speed Not as fast as it should be......
System Manufacturer/Model Number Airbot 2.0 OS Windows 7 Ultimate x64 SP1 CPU Core i7 920 (D0) @ 4Ghz, *26c idle *65c full load on air Motherboard Asus P6X58D Premium - Sata 6Gb/s - USB 3.0 Memory 12GB DDR3 Corsair Dominator -CMD12GX3M6A1600C8 at 1600MHz Graphics Card EVGA GeForce GTX 480 -Aftermaket Accelero Xtreme Plus cooler Sound Card ASUS Xonar D2X Monitor(s) Displays 1 LG 24" Flatron W2453V-PF 1 Samsung 24" P2450H both 2ms RT Screen Resolution 1920x1080@60hz
Keyboard Logitech Wireless MK700 Mouse Logitech Wireless MK700 PSU Corsair HX1000W Case Cooler Master HAF 932 Cooling Case Fans *3 230mm, *1 140mm/CPU - *Tuniq Tower 120 Extreme Hard Drives 1 OCZ Vertex2 180GB SSD
1 TB Samsung Spinpoint F1 7200RPM 32MB cache
2 500GB WD Caviar Blacks 7200RPM 32MB cache (WD5001AALS)
Pioneer DVD Burner DVR-S18M Internet Speed DL 15 Mbps UL 0.98 Mbps Antivirus None Browser Firefox Nightly Other Info Processor-7.7 *RAM- 7.9 *Graphics-7.9 *Gaming Graphics- 7.9 *SSD- 7.8 W.E.I final score= 7.7
*Phone- Samsung Galaxy Nexus
One question....stated at the bottom of the download page is the message that your computer must be able to run Microsoft Security Essentials. Does this mean that MSE will be installed and will this conflict with Norton 360 version 5 which I currently use? I have always thought that one should never have two AV programmes installed since they may interfere with each other, and Windows doesn't like it.
Hello Steve,
No, Microsoft Security Essentials (MSE) or anything else will not be installed. It was just a reference as an optional separate program that you could install on the computer and use if you did not already have a antivirus program installed on your computer.
Microsoft Standalone System Sweeper is a standalone program that runs at boot from the created CD/DVD, USB, or ISO instead, and does not install anything on your computer.
System Manufacturer/Model Number Dwarf Dwf/11/2012 OS Windows 7 Ultimate x64 Service Pack 1 CPU Intel Core-i5-3570K 4-core @ 3.4GHz (Ivy Bridge) (OC 4.2GHz) Motherboard ASRock Z77 Extreme4-M Memory 4 x 4GB DDR3-1600 Corsair Vengeance CMZ8GX3M2A1600C9B (16GB) Graphics Card 2 x AMD Radeon HD7770 1GB CrossFired (OC 1100MHz/1250MHz) Sound Card Realtek High Definition on board solution (ALC 898) Monitor(s) Displays ViewSonic VA1912w Widescreen (VGA) Screen Resolution 1440x900
Keyboard Microsoft Comfort Curve Keyboard 3000 (USB) Mouse Microsoft Comfort Mouse 3000 for Business (USB) PSU XFX Pro Series 850W Semi-Modular Case Gigabyte IF233 Cooling 1 x 120mm Front Inlet 1 x 120mm Rear Exhaust Hard Drives OCZ Agility 3 SSD 120GB SATA III x2 (RAID 0)
Samsung HD501LJ 500GB SATA II x2
Hitachi HDS721010CLA332 1TB SATA II
Iomega 1.5TB Ext USB 2.0
WD 2.0TB Ext USB 3.0 Internet Speed NetGear DG834Gv3 ADSL Modem/Router (Ethernet) ~4.0 Mb/s (O2) Antivirus Avast! 7.0.1474 Browser IE 9 Other Info Optical Drive: HL-DT-ST BD-RE BH10LS30 SATA Bluray
Lexmark S305 Printer/Scanner/Copier (USB)
CTF-430 Tablet & Pen
WEI Score: 7.7/7.9/7.4/7.4/7.9
Asus Eee PC 1011PX Netbook (Windows 7 x86 Starter)
Update definition on a USB thumb drive
(instructions below are relevant for version 1.0.856.0)
When running the tool again, if the following conditions are met, it will only download definitions (approx. 60MB) and update the USB drive without reformatting it:
A USB thumb drive media is selected.
The USB drive being has a previously installed Standalone System Sweeper.
The version that was used to create the bootable media is the same as being used at the second run.
Files on the USB drive were not damanged or missing (the tool will verify that).
As soon as I saw this, was hoping it was available in an ISO file.
Will add this to my rescue USB tool.
I'm glad you are happy with the ISO option. We were hoping it would be of use.
However, if you prepare the ISO now and keep it aside, it will not be up-to-date by the time you are using it (hopefully never ).
I have two suggestions for you:
Since the tool will reformat your USB, backup your rescue USB drive and create a bootable USB using the tool (you can then copy your data back onto the USB drive), and add the tool binary as well. By the time you have to use, it run the tool again with the same USB drive. The tool will detect the already installed product and will only update the definitions (without reformatting or altering your data).
The second option is indeed to keep an ISO and when the day comes use Brink's option #1 of manually updating the definitions. Please keep in mind that the latter option is not currently supported or intended by Microsoft. Use it at your own risk.
I found the ISO useful to run at boot on a virtual machine (ex: Windows Virtual PC) to scan it. You can just select the ISO file to act as a "DVD Drive" in the VM's settings to boot from.
Information
Note
Tip
Warning
STEP ONE 
Quote: Originally Posted by beauparc 
Update definition on a USB thumb drive
