

How does Windows Defender Offline protect endpoints?

Windows Defender Offline can help tackle malware infections that the basic version of Windows Defender can't remove. Expert Michael Cobb explains how.

How does Windows Defender Offline work; is it different from Windows Defender? Should it be used in addition to other malware defense?

Windows Defender was first released by Microsoft as a free download for Windows XP to scan for malicious spyware. Later releases of Windows included it by default, and since Windows 8, it has included antivirus capabilities as well as anti-spyware features. It starts running as soon as the Windows operating system starts, but it will turn itself off if an alternative antivirus application is installed on the machine. Most enterprises deploy antimalware software from vendors such as ESET, McAfee and Kaspersky Lab, so Windows Defender, although present, is typically not providing malware protection on employees' client devices. However, for individuals, it is an important security tool that provides ongoing protection with regularly scheduled malware scans.

If Windows Defender finds a malware program it can't remove, it will prompt the user to download and run Windows Defender Offline. This is a standalone antimalware program that runs from a bootable disk and can run a more complete scan of an infected system while the operating system is offline. If possible, it's best to download Windows Defender Offline and create a CD, DVD or USB flash drive using a PC that isn't infected with malware, as any malware that is present may be able to block the download and media-creation process. Note that both PCs must have the same Windows operating system architecture (either 32-bit or 64-bit) as the downloaded version of Windows Defender Offline.

For users who don't have access to more than one computer, it would clearly be best to download Windows Defender Offline before they receive a prompt from Microsoft Security Essentials or Windows Defender. However, Windows Defender Offline relies on up-to-date malware definitions to recognize and remove threats, so it would need to be downloaded again periodically to stay current. A USB flash drive is the best option, as it can be reused and Windows Defender Offline will update the definitions whenever the wizard is run.

To run Windows Defender Offline, the up-to-date CD, DVD or USB flash drive should be inserted into the PC, all open work saved and closed, and the PC restarted. Some PCs will detect removable media and offer the option of starting up from the CD, DVD or USB flash drive. Others require the user to press the F12, F10, ESC or DEL key during the startup process to select the boot order or the drive on which Windows Defender Offline is installed. For those users downloading Windows Defender Offline directly to the infected PC, it will automatically restart into the recovery environment and run Defender as soon as the download is complete. In all cases, BitLocker must be disabled to use Windows Defender Offline.
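The preparation steps above come down to three checks an administrator can script before creating or booting the media: the architecture of the downloaded image must match the target PC, BitLocker must not be protecting the system drive, and the definitions should be fresh. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes a Windows 10 machine with the built-in Defender and BitLocker modules, and the function name, parameters and output shape are this example's own choices. The cmdlets it calls (Get-BitLockerVolume, Get-MpComputerStatus, Suspend-BitLocker, Start-MpWDOScan) are standard Windows cmdlets.

```powershell
# Added example (not from the original article): pre-flight checks before
# creating or booting Windows Defender Offline (WDO) media, covering the
# requirements the article lists. Run in an elevated PowerShell session.
# Test-WdoReadiness and its parameter names are assumptions of this example.

function Test-WdoReadiness {
    [CmdletBinding()]
    param(
        # Architecture of the WDO image that was downloaded (assumption:
        # the operator knows which build they fetched).
        [ValidateSet('x86', 'x64')]
        [string]$MediaArchitecture = 'x64',

        # Flag definitions older than this many days as stale.
        [int]$MaxSignatureAgeDays = 1
    )

    $findings = @()

    # 1. Architecture: the media must match the target OS (32-bit vs 64-bit),
    #    otherwise the offline scan will not boot on that PC.
    $osArch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
    if ($osArch -ne $MediaArchitecture) {
        $findings += "Architecture mismatch: OS is $osArch, media is $MediaArchitecture."
    }

    # 2. BitLocker: the article requires it to be disabled; check the system
    #    drive so the offline environment can read the volume.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol -and "$($vol.ProtectionStatus)" -eq 'On') {
            $findings += "BitLocker protection is On for $($env:SystemDrive); disable it (or suspend with Suspend-BitLocker) before booting WDO."
        }
    } else {
        $findings += "BitLocker module not available; verify drive encryption status manually."
    }

    # 3. Definitions: WDO only detects what its signatures describe, so warn
    #    when the local signature set is older than the allowed age.
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status) {
        $age = (Get-Date) - $status.AntivirusSignatureLastUpdated
        if ($age.TotalDays -gt $MaxSignatureAgeDays) {
            $findings += ("Antivirus signatures are {0:N1} days old (version {1}); update before creating media." -f $age.TotalDays, $status.AntivirusSignatureVersion)
        }
    } else {
        $findings += "Could not query Windows Defender status (Get-MpComputerStatus)."
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage: run the checks and report anything that would block the offline scan.
$result = Test-WdoReadiness -MediaArchitecture 'x64'
$result.Findings | ForEach-Object { Write-Warning $_ }
if ($result.Ready) {
    # Start-MpWDOScan triggers the same offline scan from the running OS;
    # it reboots the PC into the recovery environment, so save work first.
    # Uncomment to actually start it:
    # Start-MpWDOScan
    Write-Host "Pre-flight checks passed; ready to boot Windows Defender Offline."
}
```

The architecture check uses the running OS rather than the processor, which matters on 64-bit hardware running a 32-bit Windows install; the BitLocker check deliberately only inspects the system drive, because that is the volume the offline environment must mount to scan the boot files.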

The AV-TEST Institute tests 22 antivirus software programs for Windows home users and ranks them on protection, performance and usability. Although Windows Defender doesn't place that highly on this list, it is free, and is certainly better than having no antimalware protection.



This was last published in February 2016
