Dave's MCT Stuff - What is Windows Defender Offline Beta?
Stuff from Microsoft Certified Trainers
# Thursday, January 12, 2012


What is Windows Defender Offline Beta?

During the July 2011 meeting of the Montgomery Windows IT Professional Group, member Jamie Gelhaus gave a demonstration of Microsoft's Standalone System Sweeper. For those of you who saw this, Jamie showed how we can boot to a CD or USB with this product installed, and then use it to scan the hard drive for malware. This boot-time scan especially matters for rootkits, which are notoriously hard to get off a machine, because they embed themselves in the MBR, below the level at which the operating system is loaded and before its own defenses are running.

Microsoft has since renamed the product Windows Defender Offline, but it's still the same quality product.


I found one such virus recently. Since the Windows Kernel 6 generation (Vista, Windows Server 2008 and Windows 7) came out, with User Account Control (UAC) very much a part of Kernel 6, it's harder for malware to load itself, because you have to give it permission to do so. Let me say, as an aside, that you should NOT disable UAC for this and other reasons. Anyway, we've all seen the ubiquitous Adobe Flash updates, which will launch a UAC prompt in order to run. Well, there is a new virus, or a new manifestation of an old one, that asks your permission to run the Flash update… This is indeed a rootkit! So, does that mean don't run Flash updates? Well, no… But if Flash wants to update itself, look carefully for the Adobe certificate in the UAC prompt, and don't expect the update to happen midway through a session. The legitimate update always runs early in the logon process.
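The certificate check above can be done from PowerShell before clicking through a UAC prompt: the UAC dialog's "Show details" gives the program path, and `Get-AuthenticodeSignature` reports whether that file carries a valid signature and who signed it. The following is an added example, not code from the original post; the sample path and the expected publisher name are assumptions to be replaced with the file the prompt points at and the publisher you expect.

```powershell
function Test-UpdateSigner {
    # Returns $true only if the file's Authenticode signature is valid AND the
    # signer's subject names the publisher we expect. A valid signature from
    # some other company is still rejected, which is the case a fake updater
    # relies on: "signed" is not the same as "signed by Adobe".
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedPublisher   # e.g. "Adobe" (assumed)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "File not found: $Path"
        return $false
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 'Valid' means the chain builds to a trusted root and the file hash still
    # matches the signed hash. NotSigned, HashMismatch and UnknownError are all
    # reasons to decline the elevation prompt.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status '$($sig.Status)': $($sig.StatusMessage). Do not elevate."
        return $false
    }

    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch [regex]::Escape($ExpectedPublisher)) {
        Write-Warning "Valid signature, but signer is '$subject', not '$ExpectedPublisher'. Do not elevate."
        return $false
    }

    Write-Output "Signer:     $subject"
    Write-Output "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
    Write-Output "Valid from: $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"
    return $true
}

# Assumed sample invocation; the path is a placeholder, not a real update file.
Test-UpdateSigner -Path "$env:TEMP\flashplayer_update.exe" -ExpectedPublisher "Adobe"
```

A file that is unsigned, tampered with, or signed by an unexpected publisher returns `$false` with a warning explaining which check failed, so the decision to decline the prompt is made before anything runs elevated.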

So what happened to me? Well, if you guessed I clicked OK to this, you'd be right. It took a copy of the Windows Defender Offline beta, PLUS Malwarebytes, to kill it.


The moral is: pay attention to UAC cues, and have the right tools on hand for those times you don't!


Thursday, January 12, 2012 8:51:36 AM (Central Standard Time, UTC-06:00)