Windows Defender Offline for win7

greyrat

Hi,

I've used Windows Defender Offline for scanning Win7 PCs for some time and found it to be a very useful tool. I recently formatted the USB stick that had WDO on it to use for a different purpose. So today I went to put WDO back on the USB stick and ran into some problems. I was able to create the bootable WDO USB stick, but when I tried to boot a PC and run the tool, I was met with a "virus definitions are out of date" message and was unsuccessful at updating the definitions. Each failed with a "connection error" and would not allow a scan to be run. This error happened on 5 different Win7 x64 PCs, so I don't think it's a problem with a specific piece of hardware but with some possible updates MS has made to the tool.
So, my question is: Is WDO still working for anybody at this point? If you have a bootable USB WDO stick that is working, could you share some information about it (like the version of the mpam-fex64.exe file)?
My current non-working USB WDO stick has this information:
mpam-fex64.exe
file version: 1.315.917.0


FilesList64.dll
file version 4.9.221.0


thx
 

Might be connected to sha2 signing support. Did you try integrating the sha2 update into your WDO boot.wim?

Note: Starting on Monday October 21, 2019, the Security intelligence update packages will be SHA2 signed.
Please make sure you have the necessary update installed to support SHA2 signing, see 2019 SHA-2 Code Signing Support requirement for Windows and WSUS.

https://download.microsoft.com/down...F02-B2A9A1238099/Windows6.1-KB3033929-x64.msu


Did you try manually downloading from here:
https://www.microsoft.com/en-us/wdsi/defenderupdates
 
Just checked. The sha2 update is not applicable to the winpe version mssstool64.exe made - at least not the version I had.

It integrates into winpe3.1, but not into the winpe3.0 that mssstool64.exe made a while ago.

edit: just made a new iso - it is a lot bigger than the older one. will do a test


wdo-new.jpg

edit - new one also not working :(
 
Do you have an older version of WDO that is working? I'm a little mad at myself for wiping my USB drive on a working version.

I'm going to load win7 onto a virtual in Hyper-V and monitor its traffic when I boot with a WDO iso and try to update the definitions. I want to monitor the handshake going on and see if any of the ciphers are not negotiating or if there are errors in the handshake.
 

None of the ones I have work now. It might be able to download the definitions. I don't think it will be able to use them because they are sha 2 signed.
 

I see what you mean now. If the virus signature is SHA2 signed - and win7 sp1 doesn't have SHA2 code signed support without KB updates - how do we get SHA2 support into the WDO boot environment? Hmm.


BTW trying to monitor a virtual guest (my Win7 guest) in Hyper-V using Netmon was a dud - Netmon on the host can't hook into the virtual guest NIC traffic.
 

greyrat

I seem to have got it working

Captured4.jpg

Captured5.jpg
 

Your ISO works for me too. Very impressive boot PE environment. Thx for sharing! Did you end up adding the SHA2 update to your source?
 

Your ISO works for me too. Very impressive boot PE environment. Thx for sharing! Did you end up adding the SHA2 update to your source?

:-)

I made that one specially for WDO. It includes support for sha2, nvme, most usb3 and some extra wired net drivers.

MS say they will keep supplying definition updates for windows 7 MSE till 2023 - presumably WDO will be the same.
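
One way the SHA2 update and extra drivers discussed in this thread could be serviced offline into a WinPE 3.1 boot.wim with DISM, as an added example that is not part of the original posts and not the poster's own build procedure. All `C:\wdo\...` paths are assumptions, and the .msu is assumed to have been downloaded beforehand.

```powershell
# Added example. Run from an elevated PowerShell prompt; every path is an assumption.
$Wim     = 'C:\wdo\sources\boot.wim'               # boot.wim copied off the WDO media
$Mount   = 'C:\wdo\mount'                          # empty scratch directory
$Sha2Msu = 'C:\wdo\Windows6.1-KB3033929-x64.msu'   # SHA2 code signing support update
$Drivers = 'C:\wdo\drivers'                        # optional folder of extracted .inf drivers

function Invoke-Dism {
    # Run dism.exe and stop on the first failure so a half-serviced image is never committed.
    & dism.exe @args
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($args -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# The thread reports that the update integrates into WinPE 3.1 but not WinPE 3.0.
# WinPE 3.1 images report version 6.1.7601; WinPE 3.0 images report 6.1.7600.
$info = & dism.exe /Get-WimInfo "/WimFile:$Wim" /Index:1
$line = $info | Select-String -Pattern '^Version\s*:\s*(\S+)' | Select-Object -First 1
if (-not $line -or $line.Matches[0].Groups[1].Value -notlike '6.1.7601*') {
    throw "boot.wim is not a WinPE 3.1 (6.1.7601) image; the SHA2 update will not apply."
}

Invoke-Dism /Mount-Wim "/WimFile:$Wim" /Index:1 "/MountDir:$Mount"
try {
    # Add SHA2 signature validation support to the offline image.
    Invoke-Dism "/Image:$Mount" /Add-Package "/PackagePath:$Sha2Msu"

    # Optionally inject storage and network drivers from a folder tree.
    if (Test-Path $Drivers) {
        Invoke-Dism "/Image:$Mount" /Add-Driver "/Driver:$Drivers" /Recurse
    }

    # List installed packages so the KB can be confirmed before committing.
    Invoke-Dism "/Image:$Mount" /Get-Packages
    Invoke-Dism /Unmount-Wim "/MountDir:$Mount" /Commit
}
catch {
    # Throw away partial changes rather than leaving a broken boot image.
    & dism.exe /Unmount-Wim "/MountDir:$Mount" /Discard
    throw
}
```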
 
Fancier version of winpe running WDO:

wdo-full.jpg
 
