Microsoft has recently released the new Windows Defender Offline (WDO) Beta. It doubles up as a self-booting rootkit/bootkit analyzer while also providing some useful Windows recovery features. Let’s now take a closer look at the rootkit/bootkit analyzer component.
Windows Defender Offline (WDO) is similar to the upcoming Windows 8 Secure Boot feature (more on this later). Both allow you to scan your system before Windows boots, performing a detailed malware scan of the entire system, including nasty bootkits and rootkits in the Kernel and system firmware. It’s a useful tool to have in your anti-virus armoury.
Here are some simple steps to follow on downloading, installing and running WDO:
- Download WDO from this link: http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline You can download either a 32-bit or 64-bit version. Both versions are a little over 200MB in size, so you should be able to get away with only 1GB of storage space.
- Run the downloaded file to launch the WDO installer. It will offer you three options for saving the file: CD/DVD, USB flash drive, or an ISO file. I actually used a 32GB USB flash drive. Note: it will delete/format everything on the USB flash drive prior to installation though – beware!
- The next step is to restart your system with the CD/DVD or USB flash drive inserted (or the ISO file attached). Your BIOS settings may need some tweaking here, but in most instances you shouldn’t have to make any changes.
- If you have successfully rebooted as above you should now see the WDO command screen console window. You can choose to run a Quick, Full or Custom scan. If you decide to run a Full scan, be prepared for a long wait. Some Full scans have been known to last hours!*
*A Full scan will scan every file on your system, hence the long wait.
WDO doesn’t depend on the Windows OS; it looks at the Kernel and system firmware, including the Master Boot Record (MBR), which has been (and will continue to be) a target for malware writers. As for WDO, it appears (although I cannot confirm it) that it uses signatures from Microsoft Security Essentials (MSE) (hopefully one day we will see the everyday use of behavioural anti-malware).
So what is Windows 8 Secure Boot?
- Defines a set of rules that the operating system must use before it’s accepted into the boot sequence.
- Is designed to stop malware from loading code into memory before the Windows OS starts to load.
Secure Boot therefore actually goes some way to stopping malware from circumventing the operating system and anti-malware protection software. However…
When you use a Windows 8 system that supports UEFI-based Secure Boot, Windows Secure Boot will help ensure that all firmware and firmware updates are secure, and that the Windows boot path up to the anti-malware driver has not been tampered with. This means it will only allow properly signed and validated code into the boot path. The techie readers will know this helps to ensure malicious code will not be able to boot, which therefore helps protect your system (Kernel/system firmware) from boot-sector and boot-loader viruses as well as rootkit and bootkit malware drivers.
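As an added example (not code from the original post or from Microsoft), the following PowerShell script checks the two things the paragraph above describes from the defender's side: whether UEFI Secure Boot is actually enforcing, and whether the boot-path binaries up to the anti-malware driver still carry valid Microsoft signatures. It assumes Windows 8 or later, an elevated session, the built-in SecureBoot module, and the file paths listed in the script (the ELAM driver path in particular is an assumption).

```powershell
# Added example, not part of the original post. Assumes Windows 8+, an
# elevated PowerShell session, and the SecureBoot module. Binary paths below
# are assumptions about a default install, not values from the post.
function Get-BootPathTrustReport {
    [CmdletBinding()]
    param()

    $report = [ordered]@{}

    # 1. Is UEFI Secure Boot enforcing? Confirm-SecureBootUEFI throws on
    #    legacy BIOS / CSM systems, so treat an exception as "not UEFI".
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $false
        $report.SecureBootNote    = "Not a UEFI system or query not permitted: $($_.Exception.Message)"
    }

    # 2. Verify Authenticode signatures on the boot-path pieces the post
    #    describes: OS loader, kernel, and the Defender ELAM driver.
    $bootBinaries = @(
        "$env:SystemRoot\System32\winload.efi",
        "$env:SystemRoot\System32\winload.exe",
        "$env:SystemRoot\System32\ntoskrnl.exe",
        "$env:SystemRoot\System32\drivers\WdBoot.sys"   # ELAM driver (assumed path)
    )

    $report.Binaries = foreach ($path in $bootBinaries) {
        if (-not (Test-Path $path)) { continue }      # absent on some builds
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Path    = $path
            Status  = $sig.Status                     # Valid / NotSigned / HashMismatch ...
            Signer  = $sig.SignerCertificate.Subject
            Trusted = ($sig.Status -eq 'Valid' -and
                       $sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }

    # 3. Anything untrusted here is what Secure Boot would refuse to load;
    #    flag it for investigation rather than assuming compromise.
    $report.Untrusted = @($report.Binaries | Where-Object { -not $_.Trusted })
    [pscustomobject]$report
}

Get-BootPathTrustReport | Format-List
```

A `HashMismatch` or `NotSigned` status on any of these files, or `SecureBootEnabled` reporting `False` on UEFI hardware, is the cue to run an offline scan such as WDO rather than trusting the running OS to report on itself.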
UPDATE: You can turn off Secure Boot, but one of the key elements of Secure Boot is that it will block any OS from booting that is not signed by a trusted Certificate Authority. Therefore if you decide to turn off Secure Boot — and Microsoft does mandate that PCs have the option to disable Secure Boot — Windows 8 won’t run. 🙁
With ultrabooks on the horizon and users wanting faster loading times, Windows Defender with full protection enabled adds 4% to boot time, but it does reduce CPU time during boot by 75%. Would this be an issue? I actually believe you might have an option to switch this feature off – but it will be activated by default. Switching off might not be an option for me though! I’m not entirely sure what code base WDO is using (as stated previously), but one guess might be it is closely related to MSE. If anyone has any ideas, please let me know.
Safe surfing folks!