• Windows Defender Offline made easy

    #2672860

    Hey Y’all,

    Ever get frustrated trying to run, or even more trying to see what it did, with Windows Defender Offline Scan?

    I’ve just written a PowerShell script that will automate the process for you.

    The program will report the results of the scan in the form of a return code, you want to see ZERO of course, for all scans, along with the date and time, in the database.

    You can also use it to run a scan (updating the definitions first) and if desired clear the database of past scans. Upon completion of the scan it will automatically report the results when Windows reboots. No more guessing.

    I’ve found that if you have an AV other than Defender as your main AV you need to disable it first and the script will give you a message to that effect.
    [Image: AVWarning]

    The report of the scans looks like this:
    [Image: MultiScanExample]

    You can download the zip file from my OneDrive shared folder.

    I’d love to hear from those of you who have AV other than Malwarebytes, what I use, as your main AV and how the program reacts.

    May the Forces of good computing be with you!

    RG

    PowerShell & VBA Rule!
    Computer Specs

    1 user thanked author for this post.
    • #2672912

      Looks like Malwarebytes is registered in the Security Center. Correct? This effectively disables Defender scans. Just curious, why do you have your machine set up that way?

      • #2672922

        I’ve used MB for years (lifetime licenses) both as main AV and Secondary (not registered) with both Defender and MB ACTIVE (my “Canary” machine is set up this way). I find it works well both ways as I’ve never had any type of infection.

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

    • #2672923

      I run MB as non-registered.  They both “play” together fine and they tend to complement each other.  I have 2 lifetime licenses from about 2009!

    • #2673090

      I’d love to hear from those of you who have AV other than Malwarebytes, what I use, as your main AV and how the program reacts.

      Using AVG free which, like Malwarebytes, is registered in the security center and disables Defender scans.

      The results of your script were.

      [Image: DefenderOLscan]

      1 user thanked author for this post.
      • #2673108

        n0ads,

        Looks like you’ve never run an Offline Defender Scan?

        Did you try running it with the -RunScan option?

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        • #2673121

          My Windows Security settings show this.

            [Image: WindowsSecurity]

          So I’ve never had any reason to run Defender.

          So exactly how would I run the scan you suggested?

          • #2673186

            Virus Threat and protection – defender scan

            [Image: defendr1]

          • #2673201

            Here’s my Virus & threat protection screen.

              [Image: VirusThreatProtecttion]

            And, just like @Alex5723’s, there’s no Defender scan option.

            So my question is still, exactly how do I run Defender with the -RunScan option @RetiredGeek suggested?

    • #2673209

      In PS

      [d:\Path\]Get-Defender_Offline_Results.ps1 -RunScan

      To read the help

      Get-Help [d:\path\]Get-Defender_Offline_Results.ps1

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #2673213

        The Get-Help option works just fine but the -RunScan option generates the following error.

        [Image: ScriptError]

        • #2673237

          noads,

          That’s what happens when you don’t wait long enough after turning off your non-defender AV program. I need to trap that error and provide a better error message.

          Thanks for testing!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

        • #2673245

          n0ads,

          Well this is interesting!

          [Image: LTAVGinControl]

          I went into debug on the program and tested things line by line; the problem is that AVG Free isn’t setting itself as active!

          Here’s what I get when I look at the $AV array:

          PS> $av | Select displayname, productstate
          
          displayname      productstate
          -----------      ------------
          Windows Defender       393472  -Disabled!
          AVG Antivirus          266240  -Disabled!
          

          Note: the Disabled comments are mine as can be found in the program in the Get-AVStatusText function.

          While looking at this it did point to a problem with the code, as I assumed that if Defender was inactive the other product would be Active…bad on me. In either case AVG has a problem as it is not setting the code, in the registry I guess, to tell Windows it is the Active AV.

          I also tried turning AVG off and trying to run the scan but it still doesn’t work.

          I’ve put error traps with appropriate error messages so you won’t see any messages as before. I’ll post an updated version as soon as I fix the Defender first problem, check back at original link.

          FYI: The AVG install changed my Ethernet network to Public, causing me to lose access to my local network on my test laptop! Y’all be aware of this as IMHO this is a security hole.

          Update: I uninstalled AVG, re-booted and ran the program and it worked just fine.

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          • #2673378

            I pointed out in my initial post, AVG disables Defender when it’s installed but, your script didn’t prompt me to disable AVG before running, so it makes sense I’d get that error.

            I did some checking and, in order to run Defender, you can’t just disable AVG, it must be placed in passive mode (which requires a reboot).

            BTW, the Manage Providers option on the right-hand side of the “Virus & threat protection” screen indicates Windows does know whether AVG is active or not.

            [Image: AntivirusStatus]

            And your test mode results do show AVG is being detected as active.

            Here’s what I get when I look at the $AV array:
            [Image: ScriptDebugTest]

            The switch ($AVStatusCd) section indicates productState 266240 = “Up to date” and “Enabled“.

            That means that section isn’t properly assigning the AV status text.
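
The productState discussion above, as an added example that is not part of any post and is not code from RetiredGeek's script: it decodes the two productState values quoted in the thread and reports each product's state separately. The byte layout used here (0x10 bit of the middle byte = enabled, 0x10 bit of the low byte = definitions out of date) is the commonly observed convention, not a documented Microsoft contract, and the function name `ConvertFrom-AVProductState` is hypothetical.

```powershell
# Added example; byte layout below is the community-observed convention
# for SecurityCenter2 productState, not a Microsoft-documented contract.
function ConvertFrom-AVProductState {
    param([Parameter(Mandatory)][int]$ProductState)

    $scanner = ($ProductState -shr 8) -band 0xFF   # middle byte: protection state
    $defs    = $ProductState -band 0xFF            # low byte: signature state

    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState
        Enabled      = [bool]($scanner -band 0x10)
        UpToDate     = -not [bool]($defs -band 0x10)
    }
}

# Values copied from the $AV output quoted in the thread.
$sample = @(
    [pscustomobject]@{ displayName = 'Windows Defender'; productState = 393472 }
    [pscustomobject]@{ displayName = 'AVG Antivirus';    productState = 266240 }
)
# On a live client system the same shape comes from:
#   Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

$report = foreach ($p in $sample) {
    $s = ConvertFrom-AVProductState -ProductState $p.productState
    [pscustomobject]@{
        Name = $p.displayName; Hex = $s.Hex
        Enabled = $s.Enabled; UpToDate = $s.UpToDate
    }
}
$report | Format-Table -AutoSize

# Decide per product; never infer "the other AV is active" from Defender being off.
$active = @($report | Where-Object Enabled)
if ($active.Count -eq 0) {
    Write-Warning 'No registered AV reports itself as enabled.'
} elseif ($active.Name -notcontains 'Windows Defender') {
    Write-Warning ("Active AV: {0}. Defender scans may be blocked until it is disabled or passive." -f ($active.Name -join ', '))
}
```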

    • #2673210

      And, just like @Alex5723’s, there’s no Defender scan option.

      I have defender scan. Look at the second .png

      Scan Options :

      [Image: defendr3]

      • #2673217

        My Windows 10 22H2 has no such options in the Virus & threats protection section.

        Here’s the bottom of that section on my system.

          [Image: VirusThreatProtection2]

        FYI, even though the Periodic scanning option is not “greyed out”, I can’t turn it ON. When I try to slide it to ON, it moves back to OFF as soon as I release it!

        • #2673219

          FYI, even though the Periodic scanning option is not “greyed out”, I can’t turn it ON. When I try to slide it to ON, it moves back to OFF as soon as I release it!

          Perhaps this behavior is part of AVG’s self-defense mechanism? I haven’t used AVG since I dumped them along with Windows 7, (back in 2020), but I seem to recall that there used to be a setting in AVG that had something to do with self-protection. See if that still exists and, if it does, try to disable it and then see what happens with the periodic scan setting in Defender.

          BTW, I always used AVG Free, never paid, and the crap they got caught up in after being acquired by Avast totally soured me from their products.

      • #2673222

        Ref. https://www.askwoody.com/forums/topic/windows-defender-offline-made-easy/#post-2673210


        @Alex5723: Starting from the Home screen in Settings, what is the full path to the screen that you showed there?

    • #2673304

      @Alex5723: Starting from the Home screen in Settings, what is the full path to the screen that you showed there?

      ‘search’ defender – windows security – virus & threat protection – (scroll down) scan options

      [Image: defendr4]

      1 user thanked author for this post.
      • #2673448

        Thanks for that. After posting my question, I did ultimately figure out how to get there, and tried to run a Defender offline scan. But now the information is written down, so that someone else reading this thread can benefit from it.

        Norton 360 objected, recommending that I turn off Defender, but I had the scan proceed anyway and it seemed to start OK. After a couple of hours, though, the scan seemed to get stuck, showing no further progress.

        I let it run overnight, and this morning the progress bar was in the same place where it had been 10 hours earlier! (See screenshot below.)

        Clicking on Cancel took me back to the previous screen, where Windows claimed that an offline scan had never been run.

        [Image: Windows-Defender-Offline]

        • #2673452

          C.T.,

          Thanks for testing!

          It’s beginning to look like these “all inclusive” packages really don’t like you using anything else.

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          1 user thanked author for this post.
    • #2673373

      Hey Y’all,

      Updated code posted to link in OP.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      • #2673391

        @RetiredGeek,

        No change!

        Still no prompt to disable AVG before running and, when I run it, I still get the same results.

        BTW, my post #2673378 above covers what I found in your script that seems to be causing the lack of a prompt to disable AVG prior to running the script.

        • #2673401

          n0ads,

          You’re still running version 1.0.4; the one I posted today is version 1.0.6.

          The message you are getting would indicate that you have never performed an Offline Scan as the directory storing the information from the scan is not present.

          This would be remedied if you could do an Offline Scan but since you can’t at present you’re stuck. I need to rethink the logic a bit to see how I might handle this situation.

          Thanks again for your continued testing!

          May the Forces of good computing be with you!

          RG

          PowerShell & VBA Rule!
          Computer Specs

          • #2673408

            You’re still running version 1.0.4; the one I posted today is version 1.0.6.

            Actually, I did download and run the new 1.0.6 version.

            I simply copied/pasted the previous v1.0.4 image into my reply because the result was still the same.

    • #2673388

      Just FYI…

      I discovered the extra Defender options shown on the Virus & threat protection screen @Alex5723 posted only show up when the “Periodic scanning” option is turned ON.

      After I placed AVG in passive mode, I was able to turn Periodic scanning ON and they appeared on my system too.

      So…

        Periodic scanning ON = Defender options available.

        Periodic scanning OFF = no Defender options.

      1 user thanked author for this post.
    • #2673726

      Hey Y’all,

      I just posted Version 1.0.7. Use the link in the OP.

      This version checks for an Active recovery partition. If not found a message will be displayed and the program will terminate.

      An Active recovery partition is required to perform Defender Offline Scans.

      Thanks again for all who have tested!

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

    • #2681189

      Hey Y’all,

      Program updated to Vers 2.0.0. Use original link to get it.

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs
