Looks like a handy tool. I've used various recovery discs including those based on Windows PE.
From Mark Minasi's latest newsletter:
"You know Windows Defender. It's been built into Windows since (if
memory serves) Vista. It fought spyware in Vista and Windows 7, and
then Microsoft expanded its focus to include regular old virus-y malware
in Windows 8/8.1. It's a perfectly nice in-the-box tool, but like all
anti-malware tools, it hasn't a chance to detect the strains of malware
designed to hide themselves in plain sight, malware with a kind of
"cloaking device" wherein the malware modifies the operating system so
that scanning an infected file just turns up a "nope, no malware, nobody
but us chickens in here!" report. And if you're on this mailing list,
the chances are very good that you know that we call such hard-to-detect
malware "rootkits."
Invisible malware like rootkits sounds dire, but given that they can
only remain invisible while the infected OS is running, there's an
obvious way to find them -- run the malware scanner under another,
uninfected OS. One way to do that would be to physically remove the
boot hard disk of the machine in question, plug it into an uninfected
machine and scan the questionable drive, but that's a lot of work.
The better answer arrived a few years ago when Microsoft released a
free, cut-down version of Windows that fits on a CD or a USB stick
called "Windows PE" and I'm hoping that most of you are using it now for
maintenance and deployment tasks. (Look at Newsletter 59 if you've
never created a USB stick. I use it heavily in my free Steadier State
tool as well as when trying to revive dead systems.) Anyway, WinPE's
great, but there wasn't much in the way of anti-malware tools that could
run atop WinPE. Microsoft fixed that by building and giving away a
WinPE image that includes a version of Defender -- they call it "Windows
Defender Offline" -- built right in. Stick it on a USB stick or CD,
cold boot a system with it and rootkits are revealed. Neat. You can
find it here with download links at the bottom of the page:
http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
Permit me to offer a few notes on it:
1) This is NOT new, as Defender Offline's been around since December
2011. I'm telling you about it in February 2014, however, because I
mention it a LOT when I do talks and invariably get totally blank looks
from 98% of the crowd. (That's true even when I'm talking to security
experts. Eek.) If you're on my mailing list, the chances are that
you're Windows tech support for SOMEBODY, whether you're getting paid
for it or not, and starting off with a rootkit check can save you a
whole LOT of time. I recommend that everyone reading this put Offline
Defender on a USB stick and keep it in their bag of tricks. (I've found
that Sony's "Microvault" USB sticks are a nicely matte white, allowing
me to write on them with a Sharpie to keep track of which USB stick is
the Defender, which runs Clonezilla, and so on. If anyone out there
knows a cheaper USB stick that you can write on, please drop me a line.)
2) As I mentioned before, this works perfectly well on Windows Server.
We had a malware scare a few months ago and I tested my Server 2012
systems with it, and it didn't refuse to run on a Server SKU.
Similarly, I've got an ISO of Defender Offline that I boot my Hyper-V
VMs from when I need to test them for rootkits as well.
3) I've just noticed that the Defender Offline page says that you need a
newer version, a Windows Defender Offline beta, to run it on Windows
8.1 systems. I'm fairly certain that I've run Defender Offline on my
8.1 systems, but if Microsoft says you need the beta, I guess you should
get it for 8.1 and presumably 2012R2."
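As an added example (not part of the post or of Mark Minasi's newsletter): on current Windows 10/11 clients Microsoft folded the same cold-boot scan into the in-box Defender PowerShell module, so the offline check described above can be scheduled from the running machine instead of from separately built USB media. The script assumes that module is present and an elevated session; `Get-MpComputerStatus`, `Update-MpSignature`, `Start-MpWDOScan` and `Get-MpThreatDetection` are real cmdlets, while the `Invoke-OfflineRootkitCheck` wrapper and its `-Go` switch are names made up here.

```powershell
# Added example, not from the newsletter. Assumes Windows 10/11 with the in-box
# 'Defender' PowerShell module and an elevated session. Without -Go it only reports
# Defender's state; with -Go it updates signatures and reboots into the offline scan
# (the same outside-the-installed-OS approach the newsletter describes).
function Invoke-OfflineRootkitCheck {
    [CmdletBinding()]
    param(
        # Hypothetical switch: actually trigger the reboot-and-scan.
        [switch]$Go
    )

    # The Defender cmdlets live in the 'Defender' module; stop early if it is missing
    # (older clients, or a host where Defender is not the active engine).
    if (-not (Get-Module -ListAvailable -Name Defender)) {
        throw "Defender PowerShell module not found; boot the Windows Defender Offline media instead."
    }
    Import-Module Defender -ErrorAction Stop

    # Snapshot the engine state so stale signatures or disabled protection are visible
    # before any offline pass is scheduled.
    $status = Get-MpComputerStatus
    $report = [pscustomobject]@{
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        LastFullScan       = $status.FullScanEndTime
    }
    $report | Format-List | Out-String | Write-Host

    if (-not $Go) {
        Write-Host "Dry run: re-run with -Go to update signatures and start the offline scan."
        return $report
    }

    # Pull current definitions first; an offline scan with old signatures misses recent strains.
    Update-MpSignature -ErrorAction Stop

    # Start-MpWDOScan reboots the machine into the Defender Offline environment, scans the
    # disk from outside the installed OS (where a rootkit's hooks are not loaded), then boots
    # back into Windows. Save work before calling it.
    Write-Host "Rebooting into Microsoft Defender Offline..."
    Start-MpWDOScan
    return $report
}

# Usage:
#   Invoke-OfflineRootkitCheck          # report only
#   Invoke-OfflineRootkitCheck -Go      # update signatures, then reboot into the offline scan
#
# After the machine returns, review what the offline pass found:
#   Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Format-Table -AutoSize
```

The dry-run default matters in practice: `Start-MpWDOScan` reboots without further prompting, so a script that calls it unconditionally is easy to trigger by accident on a production server.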