Jump to content











Photo
- - - - -

Run Windows Defender Offline from WinPE


  • Please log in to reply
5 replies to this topic

#1 misty

misty

    Silver Member

  • Developer
  • 702 posts
  •  
    United Kingdom

Posted 18 May 2015 - 08:38 PM

So Windows Defender Offline is essentially a WinPE 3.0 modified to run the Windows Defender GUI. Looking at the \Windows\System32\winpeshl.ini file in boot.wim identifies the relevant program -
[LaunchApp] 
AppPath = "%ProgramFiles%\Microsoft Security Client\OfflineScannerShell.exe" 
In my case that's X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe once WinPE has booted.

Now how about adding Windows Defender Offline to a customised WinPE? Let's say a very small MistyPE build.

So here's what I did - it's a bit rough, and it's not automated, but it seems to be working fine and will point you in the right direction if you are interested.
  • Downloaded Windows Defender Offline - there are various posts containing direct download links - I simply ran mssstool32.exe and selected the "As an ISO file on a disk (Advanced)." option to create an ISO file - in my case D:\WDO_Media32.iso.
  • Mounted D:\WDO_Media32.iso as drive F:\ (using imdisk).
  • Copied F:\FilesList32.dll and F:\mpam-fe.exe (the virus definition file) to the root of my existing MistyPE bootable USB drive (drive E:\)
  • Opened F:\sources\boot.wim in 7-zip and extracted the \Program Files\Microsoft Security Client\ directory to the root of drive E:\ (my USB drive).
Once the preperation was completed -
  • Booted my MistyPE USB drive - the relevant .wim file was mounted as drive X: and the USB drive (containing \FilesList32.dll and \mpam-fe.exe extracted/copied in step 3 above) was mounted as drive D:.
  • Copied the D:\Microsoft Security Client\ directory (extracted in step 4 above) to X:\Program Files\.
  • Ran X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe.
It worked! Some notes -
  • OfflineScannerShell.exe wouldn't work from any path other than X:\Program Files\Microsoft Security Client\OfflineScannerShell.exe - when attempting to run it from another location it failed to start.
  • No packages were required - it worked in a minimal WinPE build.
  • Tested the above in 32-bit versions of WinPE 3.1 and WinPE 5.0 - it appeared to work fine in both.
  • A 32-bit version of Windows Defender Offline is required for scanning a 32-bit version of Windows. A 64-bit version of Windows Defender Offline is required for scanning a 64-bit version of Windows. Why? Well done Microsoft for imposing such a seemingly stupid limitation.
  • Some blogs suggest adding \FilesList32.dll and \mpam-fe.exe to boot.wim. This in my opinion just makes it more difficult to update the definitions file - it's located fine at the root of the USB drive or CD/DVD. Why rebuild boot.wim just to update the virus definitions? Exception might be when PXE booting.
  • The above steps can be adapted/applied to 64-bit versions of WinPE. The only difference is the names of the files extracted in step 3 above - \FilesList64.dll and \mpam-fex64.exe are required in 64-bit builds.
  • \Microsoft Security Client\ can be added to an offline boot.wim so it's available when booted - just remember to add it to \Program Files\Microsoft Security Client\
  • It's possible to automate most (probably all) of the above steps during the build process - this was just a rough test.
Have fun.

Regards,

Misty
  • pscEx likes this

#2 RedRamIH

RedRamIH

    Newbie

  • Members
  • 17 posts
  •  
    United States

Posted 20 May 2015 - 01:57 AM

Misty, I can see Windows Defender needing to be different between the 32 and 64 bit flavors, maybe not as much in the programs as in the definitions - because of the file differences between the two architectures.  If I get a chance, I'll look at both and see if the programs are similar - but of course the definition files will be different.

That's just a random thought....

BTW, thanks for posting this - it lets people know the offline version of Defender exists (which most people probably don't know).



#3 misty

misty

    Silver Member

  • Developer
  • 702 posts
  •  
    United Kingdom

Posted 20 May 2015 - 01:04 PM

@RedRamIH

Misty, I can see Windows Defender needing to be different between the 32 and 64 bit flavors, maybe not as much in the programs as in the definitions - because of the file differences between the two architectures....

This is where I disagree. The programs definitely need to be different as, as far as I'm aware, MS have never released a 64-bit WinPE with SysWOW64 support - a native 64-bit executable is therefore required in 64-bit WinPE builds. There are obviously a number of Winbuilder projects that include SysWOW64 support - just no official MS builds.

The virus definitions on the other hand should logically be able to scan 32-bit and 64-bit OS's - aren't they looking for the same signatures and patterns anyway? Remember, we are talking about scanning an offline system - surely it shouldn't matter whether this is 64-bit or 32-bit. Also, in the case of a 64-bit Windows Defender scanning a 64-bit OS it has to include support for scanning 32-bit programs anyway - just think of all the stuff in the \Program Files (x86)\ and \Windows\SysWOW64 directories that would otherwise be left unscanned!
 

BTW, thanks for posting this - it lets people know the offline version of Defender exists (which most people probably don't know).

My pleasure.

Regards,

Misty

#4 pscEx

pscEx

    Platinum Member

  • Team Reboot
  • 12688 posts
  • Location:Korschenbroich, Germany
  • Interests:What somebody else cannot do.
  •  
    European Union

Posted 20 May 2015 - 05:06 PM

Sounds very interesting! :smiling9:

 

Will try!

 

Peter



#5 spleenharvester

spleenharvester

    Member

  • Members
  • 91 posts
  •  
    United Kingdom

Posted 28 January 2016 - 11:01 PM

Can anyone get the updates to work properly? For me, mpam-fe doesn't seem to work, and inbuilt updates gives error 0x80070490 (still seems to download and install but I'm not sure if it's worked?)

 

Same thing happens on the actual Windows Defender Offline official WinPE too.


Edited by spleenharvester, 28 January 2016 - 11:03 PM.


#6 alacran

alacran

    Frequent Member

  • Advanced user
  • 441 posts
  •  
    Mexico

Posted 2 weeks ago

Download link in Microsoft page for 32 bits version is OK, but for 64 bits version it is in an unknown language, I tried several times from diferent location servers (en-us, es-es, es-mx), and all give me same version, well I will assume this is another way to do not give support for Win7 x64 users, trying to force them to Win10 (I do not belive in mistakes anymore, all they do is deliverate).

 

EDIT:  x64 version language  sr-Latn-CS = Serbian (Latin, Serbia) (sr-Latn-CS), from: http://www.localepla...t/sr-Latn-CS/is

 

alacran






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users