“Windows Defender Offline” in Windows 10 Eliminates Complex Malware

Windows Defender Offline scanning is one of the new settings added by the Windows 10 Anniversary Update. Although Defender Offline has already been a built-in feature in Windows 10 since the early builds, the GUI option is added in the Windows Defender Settings page only after you install the Anniversary Update (v1607).

Malware today is more complex than it was years ago. It operates at the filter driver, service or rootkit level, which makes it very hard to remove while Windows is running. In some cases you need to boot into the Windows RE environment (or a Linux boot medium) and then delete the core malware files and services that were added to your Windows installation.

Windows Defender Offline handles this situation by running a quick scan before the Operating System loads. When Windows Defender detects a rootkit or other hard-to-remove malware while Windows is running, it suggests an offline scan, showing a message like the following.

Additional cleaning required.
To complete the cleaning process your PC needs to be rebooted and cleaned with Windows Defender Offline. This will take approximately 15 minutes. Please save all your files before clicking on the button.

Start “Windows Defender Offline” Scan Using Windows Defender Settings

Open Settings (WinKey + i), click Update & Security and select Windows Defender.


Click Scan Offline. It silently downloads a light-weight offline scanner, restarts the system and runs a scan before loading Windows.

The light-weight offline scan image is about 2 MB and comprises the following files:

EppManifest.dll
mpasdesc.dll
MpClient.dll
MpCmdRun.exe
MpCommu.dll
MpSvc.dll
MpTpmAtt.dll
MsMpCom.dll
MsMpEng.exe
MsMpLics.dll
MsMpRes.dll
msseces.exe
OfflineScannerShell.exe
EN-US\MpSwpHelp.RTF
EN-US\MsMpRes.dll.mui
EN-US\offlinescannershell.exe.mui
EN-US\EppManifest.dll.mui
EN-US\EULA.RTF
EN-US\mpasdesc.dll.mui

Presumably OfflineScannerShell.exe is the component that powers the scan in Windows RE, including the task of locating the correct Operating System against which the scan has to be run. It is completely automated and preconfigured to run a Quick scan using the definitions that are already on the system.


Start “Windows Defender Offline” scan Using PowerShell

Before the Anniversary Update, a Windows Defender Offline scan could only be initiated with the PowerShell cmdlet below, or when Windows Defender itself suggested an offline scan while dealing with complex malware or a rootkit infection.

To start Windows Defender Offline scan using PowerShell, launch PowerShell as Administrator, and then run the following command:

Start-MpWDOScan


Press ENTER. The system will restart automatically within a minute and complete a quick scan in offline mode. There is no setting available to change it to a full scan.
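Because the offline scan runs with whatever definitions are already on the system and reboots the machine on its own, it is worth doing a few checks from the same elevated PowerShell session before calling Start-MpWDOScan. The script below is an added example, not part of the original article: it confirms the session is elevated, refreshes definitions if they are older than a day, lists recent detections so you know what the offline scan is expected to clean, and only then starts the scan after a confirmation prompt. It uses only the built-in Defender cmdlets (Get-MpComputerStatus, Update-MpSignature, Get-MpThreat, Get-MpThreatDetection, Start-MpWDOScan); the helper function name and the one-day freshness threshold are this example's own choices.

```powershell
# Added example (not from the original article): pre-flight checks before
# triggering a Windows Defender Offline scan from an elevated PowerShell session.

function Test-IsAdministrator {
    # Helper name chosen for this example; checks the current token for the
    # built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell session.'
}

# 1. Record the current Defender state. The offline scan uses the definitions
#    already on the system, so check how recent they are.
$status = Get-MpComputerStatus
Write-Host ("Antivirus enabled     : {0}" -f $status.AntivirusEnabled)
Write-Host ("Real-time protection  : {0}" -f $status.RealTimeProtectionEnabled)
Write-Host ("Signature version     : {0}" -f $status.AntivirusSignatureVersion)
Write-Host ("Signature last updated: {0}" -f $status.AntivirusSignatureLastUpdated)

# One day is an assumed threshold for this example, not a Microsoft setting.
if ($status.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-1)) {
    Write-Host 'Definitions are older than a day; refreshing before the offline scan.'
    Update-MpSignature
}

# 2. Review what Defender has already detected, resolving threat IDs to names,
#    so the result of the offline scan can be compared against this list later.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$detections = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10

if ($detections) {
    $detections |
        Select-Object InitialDetectionTime,
                      @{ Name = 'ThreatName'; Expression = { $threatNames[$_.ThreatID] } },
                      ProcessName,
                      Resources |
        Format-Table -AutoSize
} else {
    Write-Host 'No recorded detections.'
}

# 3. Save open work first: the machine restarts on its own within about a minute.
$answer = Read-Host 'Start the offline scan now? The PC will reboot. (y/N)'
if ($answer -eq 'y') {
    Start-MpWDOScan
} else {
    Write-Host 'Offline scan not started.'
}
```

After the machine comes back up, running Get-MpThreatDetection again and comparing it with the list printed in step 2 shows what the offline pass actually remediated.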

Windows Defender Offline in Windows 7 and Windows 8

Windows Defender Offline is now an integrated feature in Windows 10. If you are using Windows 7 or 8, you can create Windows Defender Offline boot media (a USB drive or CD/DVD) using the scan image that you can download from Microsoft's site. Check out Help protect my PC with Windows Defender Offline – Windows Help to download the bootable Windows Defender Offline scan image for Windows 7 or Windows 8. Make sure you download the correct version (x86 vs x64) for your system.

See also How to Create a Windows Defender Offline Bootable Media and Run a Scan.

About the author

Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and has a vast experience in the ITeS industry — delivering support for Microsoft's consumer products. He has been a Microsoft MVP [2003 to 2012] who contributes to various Windows support forums.
