One of the tricks used by malware is to prevent anti-malware tools from working. There are a variety of techniques involved, most of which rely on the fact that Windows is running, that opened files cannot be deleted, and that the malware itself is actually a program running on the machine.
The solution is not to run Windows, not to have any files open, and not to have the malware itself running.
In other words, the solution is to boot from a CD, DVD, or USB disk containing a stand-alone anti-malware tool.
Become a Patron of Ask Leo! and go ad-free!
Booting from “something else”
In years past, booting from a CD was a relatively simple operation: locate the setting in your computer’s BIOS that controlled the boot order, and adjust it to ensure that the optical drive was examined before the computer’s hard disk. If bootable media was found there , then the computer would boot from that instead of the operating system on the hard disk.
With the advent of UEFI – the more secure BIOS replacement – the concept remains similar. The UEFI needs to be instructed to check the optical drive, or USB ports, before checking the hard drive at boot time.
While the steps to changing the BIOS were always unique to each machine or manufacturer, UEFI has made the process even more complex.
How do I boot from CD/DVD/USB in Windows 8? has an overview of the process at a high level (for both Windows 8 and 10 UEFI-based systems), but the bottom line is, you need to determine exactly how to boot from something other than the computer’s hard drive from your computer manufacturer or documentation. (How do I boot from CD/DVD? has the equivalent discussion for BIOS-based systems running Windows prior to Windows 8).
The key aspect of any of these tools is that they will boot from something other than your hard disk in order to bypass the effects of running your infected copy of Windows or the malware itself.
If you have an anti-malware tool already installed, check that product’s documentation and/or website. You may have a stand-alone version available that will probably be more familiar to you, and may be more current or full-featured than some of these free alternatives.
However, if you suspect your existing anti-malware tool didn’t catch something, you may want to try a different tool.
There are several other free stand-alone anti-malware tools:
These are all free downloads you burn to CD or DVD. Then you boot from that to run the anti-malware software.
Which to use? Conventional wisdom is: all of them. It’s to be expected that some tools catch malware other tools miss; it’s the nature of the fight against malware.
More practically, having one or two of your favorites “on call” – meaning you’ll know where to get them and perhaps have some experience running them – is typically enough. You’ll want to download and create the CD when you need it, not before, so it’s as up to date as possible.
Microsoft’s Windows Defender Offline
Missing from the list above is Microsoft’s own offering, Windows Defender Offline. I generally recommend trying it first, but changes in how it’s been distributed has made that a more complex recommendation.
- Windows 7 (and prior): Download Windows Defender Offline from the Microsoft website. Basically you can treat it exactly like any of the other alternatives listed above: burn it to a CD and then boot from that CD. My article Windows Defender Offline – Scan Your Computer for Malware Without Booting Windows has more details.
- Windows 8: Windows Defender Offline is, apparently, not available. Use one of the third-party alternatives listed above.
- Windows 10: Windows Defender Offline is included as part of the operating system. See Windows Defender Offline in Windows 10 for details.
As always, prevention and having backups are alternatives that are, honestly, more effective and easier in the long term than trying to clean up an infection and hoping you got it all. However, sometimes the practical reality is that you need to do your best to clean and scan a possibly infected machine.
Offline tools are another alternative to be aware of and keep in your toolkit.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!
Download (right-click, Save-As) (Duration: 5:46 — 5.4MB)
13 comments on “Offline Anti-Malware Tools”
How to get into Windows Defender Offline:
I pressed the Windows Icon Key and typed “Windows Defender Offline” and got “No results found”. I was able to get into Windows Defender Offline by opening the Control Panel then opening Windows Defender Offline, scrolling down to the Scan Offline button.
Here are three links with more information about, and how to use, Windows Defender Offline.
Just clicking MpCmdRun.exe from within Windows flashes some pop-up, otherwise does nothing. So, the only way to run it is through the roundabout methods in these articles. It sure would be nice if we could pin a working link to the start page for easy access.
It wasn’t killed, it was placed in moderation. We do that because website comment spam often has multiple links. Once a real person (i.e. me) gets a chance we go in and approve the comment. You’ll see it’s there now.
I want to check for understanding. “Each” are an “are”; “each” are not an “is”.
Are that what you intend?
To be technically correct, the sentence should start with: Each of these is a free download ….
However, in common usage, the way Leo put it gets the idea across – and that is really the purpose of any language.
Being too formal ain’t no good.
Being too formal maybe ain’t TOO good – but being formal and using ‘correct’ English minimises the risk of confusion and misunderstanding! ‘Each of these IS a free download’ is indeed correct and it’s maybe not a bad idea to point out the reasoning behind this. There is a word which doesn’t feature in the sentence as written but its presence is implied. Try ‘Each ONE of these are a free download’ – ouch! :)
I changed it to “These are all ” so all you grammar Nazis can sleep easier. :-)
When several links appear in a comment, WordPress puts the comment in moderation until one of us gets to it to approve the post. It’s an anti-spam precaution. It usually only takes a few hours till it’s approved.
That’s my goal anyway, but technically I say “up to 24 hours” because … well … life. :-) And that 24 primarily is for the opposite scenario: where spam makes it past the filter and we need to manually remove it. I don’t want spam lasting more than 24 hours. Few posts actually include multiple links so we don’t moderate legit posts very often.
The only thing that I can think of is that you may have inadvertently entered it in the wrong field. I occasionally do that myself :-)
Quite possible: To error is human, but sometimes I am a little too human. (-;
Thanks for cleaning the extraneous entries.
The free Emsisoft Emergency Kit is also a very powerful anti-Malware app that, while not bootable, can be placed on a USB Flash drive to scan as many computers as one likes. It simply needs to be extracted to a pre-created folder (name it ‘EEK’, easy to remember) and then update the software & first perform a Malware scan, which is fairly fast, especially if ran on a SSD. If anything comes back (or not), then run the Custom scan, which scans all files on all attached drives. May be a good idea to disconnect the computer from the Internet to perform the scan, or once it’s running, and if any infections are found, reboot both the modem and router by removal of the power cords, allow to sit for a minute & plug back in. This purges any infectious data that these may retain.
If there’s any drives that’s externals used for Data only, it’s also good to scan these with EEK, to include any USB Flash drives with content.
Note that EEK uses a dual threat scan engine, their own, as well as that of Bitdefender, both of which I trust more than any Windows Defender offline scan, as I run both Emsisoft Anti Malware & Internet Security on different computers. EEK uses the same latest definitions that these does.
Malwarebytes also has tools on their site to run, one while still officially a Beta, can find rootkits in areas that many installed solutions can’t. They’re now also the distributor of AdwCleaner, which can remove nasty adware & search engines from the bowsers, as well as any associated registry entries. It’s not enough to disable or uninstall the engine or toolbar, the registry keys must be deleted also, these aren’t simply benign objects, like some entries left behind when uninstalling a no longer wanted app via the Control Panel, another reason why I like Revo Uninstaller Free, which now supports total removal of 64 bit software.
However for PUP’s, a term used to describe potentially unwanted programs, it’s best to allow a powerful scanner to handle these. Note that some of the bootable rescue media cannot access the Windows Registry for cleaning, just the software & any folders. So one would still after successful boot, run some deep cleaning anti-Malware & anti-rootkit software. Malwarebytes 3.0.6 (current version as of this date) can deep scan the registry, and one must select the rootkit scan, and I suggest anyone who hasn’t ran it for the first time to accept the 14 day Trial & allow it to clean up the system as good as possible. Be sure to check the option for Context Menu scan, which means one can right click onto a folder (or even an entire partition) & perform a Full scan of every file on the drive.
There’s no shortage of tools we can use to cleanse & keep our computers clean with, it’s a matter of finding these to work with.