Showing posts with label Windows. Show all posts

Thursday, February 20, 2014

Windows Defender Offline

Looks like a handy tool. I've used various recovery discs including those based on Windows PE.

From Mark Minasi's latest newsletter:

"You know Windows Defender.  It's been built into Windows since (if memory serves) Vista.  It fought spyware in Vista and Windows 7, and then Microsoft expanded its focus to include regular old virus-y malware in Windows 8/8.1.  It's a perfectly nice in-the-box tool, but like all anti-malware tools, it hasn't a chance to detect the strains of malware designed to hide themselves in plain sight, malware with a kind of "cloaking device" wherein the malware modifies the operating system so that scanning an infected file just turns up a "nope, no malware, nobody but us chickens in here!" report.  And if you're on this mailing list, the chances are very good that you know that we call such hard-to-detect malware "rootkits."

Invisible malware like rootkits sounds dire, but given that they can only remain invisible while the infected OS is running, there's an obvious way to find them -- run the malware scanner under another, uninfected OS.  One way to do that would be to physically remove the boot hard disk of the machine in question, plug it into an uninfected machine and scan the questionable drive, but that's a lot of work.

The better answer arrived a few years ago when Microsoft released a free, cut-down version of Windows that fits on a CD or a USB stick called "Windows PE" and I'm hoping that most of you are using it now for maintenance and deployment tasks.  (Look at Newsletter 59 if you've never created a USB stick.  I use it heavily in my free Steadier State tool as well as when trying to revive dead systems.)  Anyway, WinPE's great, but there wasn't much in the way of anti-malware tools that could run atop WinPE.  Microsoft fixed that by building and giving away a WinPE image that includes a version of Defender -- they call it "Windows Defender Offline" -- built right in.  Stick it on a USB stick or CD, cold boot a system with it and rootkits are revealed.  Neat.  You can find it here with download links at the bottom of the page:

http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline

Permit me to offer a few notes on it:

1) This is NOT new, as Defender Offline's been around since December 2011.  I'm telling you about it in February 2014, however, because I mention it a LOT when I do talks and invariably get totally blank looks from 98% of the crowd.  (That's true even when I'm talking to security experts.  Eek.)  If you're on my mailing list, the chances are that you're Windows tech support for SOMEBODY, whether you're getting paid for it or not, and starting off with a rootkit check can save you a whole LOT of time.  I recommend that everyone reading this put Offline Defender on a USB stick and keep it in their bag of tricks.  (I've found that Sony's "Microvault" USB sticks are a nicely matte white, allowing me to write on them with a Sharpie to keep track of which USB stick is the Defender, which runs Clonezilla, and so on.  If anyone out there knows a cheaper USB stick that you can write on, please drop me a line.)

2) As I mentioned before, this works perfectly well on Windows Server.  We had a malware scare a few months ago and I tested my Server 2012 systems with it, and it didn't refuse to run on a Server SKU.  Similarly, I've got an ISO of Defender Offline that I boot my Hyper-V VMs from when I need to test them for rootkits as well.

3) I've just noticed that the Defender Offline page says that you need a newer version, a Windows Defender Offline beta, to run it on Windows 8.1 systems.  I'm fairly certain that I've run Defender Offline on my 8.1 systems, but if Microsoft says you need the beta, I guess you should get it for 8.1 and presumably 2012R2."
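The newsletter's point is that a rootkit can only hide while the infected OS is running, so the scan has to happen from a clean boot environment. On current Windows 10/11 hosts the same pre-boot scan can be kicked off from the running system without building USB media; the Defender PowerShell module reboots the machine into the offline scanner. The script below is an added example, not part of the newsletter or of Microsoft's tooling: it assumes the built-in Defender module (Get-MpComputerStatus, Update-MpSignature, Start-MpWDOScan), which did not exist when the 2014 post was written, and the signature-age threshold is an arbitrary choice for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report Defender state, then optionally reboot into an
# offline scan. Assumes the Windows 10/11 Defender module; the hypothetical
# -MaxSignatureAgeDays threshold is illustrative, not a Microsoft default.
param(
    [switch]$StartOfflineScan,     # actually reboot into the offline scanner
    [int]$MaxSignatureAgeDays = 3  # refuse to scan with stale signatures
)

$status = Get-MpComputerStatus
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

# Summarize the bits a responder cares about before touching the machine.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = [math]::Round($sigAge.TotalDays, 1)
    LastQuickScan      = $status.QuickScanEndTime
    LastFullScan       = $status.FullScanEndTime
} | Format-List

# An offline scan with old signatures gives false confidence; update first.
if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
    Write-Warning "Signatures are $([int]$sigAge.TotalDays) days old; running Update-MpSignature."
    Update-MpSignature
}

if ($StartOfflineScan) {
    # Start-MpWDOScan restarts the host into the offline environment, so the
    # scan runs before the installed OS (and anything hiding inside it) loads.
    Write-Host "Rebooting into Windows Defender Offline; save your work now."
    Start-MpWDOScan
}
```

Run it once without -StartOfflineScan to see the state, then with the switch from an elevated prompt when you are ready for the reboot. The caveat from the newsletter still applies: the offline scan only helps against malware that hides from the running OS, and a host whose firmware or boot chain is compromised can lie to the offline environment too, so a clean-booted USB stick on known-good hardware remains the stronger check.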

Wednesday, May 15, 2013

What's in a name?

harrymccracken I love the fact that Windows Blue’s official name is Windows 8.1. I hope there’s a Windows 8.11, too. But not for workgroups.

Tuesday, June 12, 2012

Retina Windows 7 PC

Well this answers that.
harrymccracken Tragically, the Retina MacBook Pro isn't letting me install Boot Camp. I so wanted to see if it could be a Retina Windows 7 PC.
Tue, Jun 12 02:57:21 from web

Monday, June 11, 2012

MacBook Pro with Retina Display

The new MacBook Pro (full WWDC coverage here including more details) is a powerful and sexy looking machine, but will it run Windows?

Monday, February 27, 2012

Windows 8 Logo

Pogue I love the new logo for Windows 8. Ties in well to the "tiles" concept. ("Your name is Windows. Why are you a flag?") bit.ly/AakTVd
Fri, Feb 17 17:31:22 from TweetDeck

Saturday, February 4, 2012

Windows 8 + Kinect

Some Windows 8 laptops will include the Kinect sensor system (similar to the Xbox, but tweaked to work at shorter distances). I may have to work some magic and get one at the end of this year. I think the Kinect is the "what's next" beyond the now ubiquitous touchscreens.

Friday, January 20, 2012

Win7 on your iPad

Interesting...
"The app—a bare-bones, free version was released last week at CES—lets an iPad run Windows 7 in the cloud. It’s a bizarre, head-turning experience: You touch the app and suddenly Microsoft’s familiar interface is emblazoned on your Apple screen. Then you tap around and everything just works—Word, Excel, PowerPoint, Internet Explorer, and pretty much anything else that runs on Windows, which is everything—can now run on your iPad."
OnLive Desktop

fmanjoo Why OnLive's Windows-on-iPad App is Revolutionary. My first @PandoDaily post. bit.ly/w1hTyY
Fri, Jan 20 13:49:04 from bitly
retweeted by sarahcuda

Thursday, January 5, 2012

Refresh and Reset

The two new big features of Windows 8:

  • Refresh gives users an easy way to reinstall the operating system if they encounter a problem. Data and some settings are kept, while potential trouble spots are wiped clean. Users will also have to reinstall most desktop apps, although apps that use the Metro interface (the bright colored UI that was designed mainly for touchscreens) will stay around.
  • Reset is a little more dramatic: it restores the PC to a clean state, like when you bought it, which will be useful when you want to sell or give away an old PC.

Tuesday, December 20, 2011

Word of the Day: Panoply

I was troubleshooting an Active Directory/DNS problem at work today and was using my google-fu to find a resolution. My search led me to Troubleshooting DNS - which did not help me solve my problem, but did expand my vocabulary:
"Windows supports a whole panoply of naming services: DNS, WINS, HOSTS, LMHOSTS, and more."
And thus, I present "panoply" - a wide-ranging and impressive array or display.

So Microsoft has an impressive array of naming services. Who knew?!?

Tuesday, September 13, 2011

QotD

One of the accountants at work just recently got his new Windows 7 laptop. Upon hearing that Windows 8 is coming out and will have a new interface, he wondered why they couldn't just release a Windows Classic, so we don't have to keep learning new operating systems.