programming4us

Microsoft Malicious Software Removal Tool

Malicious Software Removal Tool
The Malicious Software Removal Tool (MSRT) was first released in January 2005 to detect and remove the most popular malware families. Although not a default part of Vista, Windows users can expect to see MSRT show up more and do more. Microsoft initially created it to quickly remove common malware threats in response to current attacks and before new Microsoft software was installed. One of the most common reasons a Microsoft software install or upgrade fails is installed malware. The end user doesn't realize they have malicious programs installed, and instead blames Microsoft for the installation error. In at least one case, a spyware program tried to prevent its own removal, thereby destroying the installation of Windows XP Service Pack 2. The result was that the computer would irrevocably crash on the first reboot after installing Service Pack 2. Even a safe-mode boot would not work to restore it. By first checking for and removing common malware, Microsoft has decreased the install failure rates for end users.

MSRT is free and can be downloaded from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=, but it normally downloads, runs, and then uninstalls before significant Microsoft installs and updates. It downloads and runs monthly using Automatic Updates, Windows Update/Microsoft Update, or Windows Server Update Services. Normally, an end user license agreement (EULA) must be agreed to the first time MSRT is run. The automated versions run in the background, and are almost unnoticeable unless an infection is found. The separate stand-alone version may be downloaded and installed to run on-demand scans.


Note 

Users running the manual version must be logged in with Administrator credentials. As the version distributed via Microsoft Update runs as a normal Windows Update, it does not require any special privileges to run.

Currently, each version of MSRT is cumulative, detecting current and past threats. MSRT detects over seventy-five popular malware families (http://www.microsoft.com/security/malwareremove/families.mspx), which is far fewer than the 10,000 different malware programs that the normal antivirus software product can detect. MSRT is not intended to replace a user's other anti-malware programs. It is developed as an adjunct tool.

Microsoft only adds detection and removal capability to MSRT for a very small subset of all threats. In order for Microsoft to add detection and removal for a new malware family, the threat must be very common (or predicted to be very common soon), contain malicious instructions, and be actively running in memory when MSRT executes.

MSRT can be run on computers running Windows 2000 or above. When MSRT (Mrtstub.exe) runs, it creates a randomly named temp directory in the root drive of the computer. Normally, the temp folder is automatically deleted after the tool is finished running; if it is still present afterward, it can be deleted manually.

The Malicious Software Removal Tool supports the following four command-line switches:

  • /Q quiet mode, suppresses end-user dialog boxes

  • /N forces detect-only mode

  • /F forces an extended scan

  • /F:Y forces extended scan and automatic cleaning of found infections

Results of the latest scan are stored in %Windir%\Debug\Mrt.log along with a copy of the previous log (Mrt.old). When downloaded and run automatically, the most common method, MSRT runs in quiet mode by default. The tool notifies the first administrator to log on about the infection, detection, and removal that occurred, using a Windows balloon dialog box message.
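A scripted detect-only run followed by a check of the newest log entry, as an added example that is not part of the original article. Only the /Q and /N switches and the log path come from the text above; the MRT.exe location, the log line layout (Started On, Results Summary, Return code) and the sample text are assumptions.

```powershell
# Added example, not from the article. Assumed: MRT.exe lives in System32 and each
# run in the log has "Started On", "Results Summary:" and "Return code: N" lines.
$MrtExe = Join-Path $env:windir 'System32\MRT.exe'
$MrtLog = Join-Path $env:windir 'Debug\Mrt.log'

function Get-MrtRun {
    # Turn log lines into one object per completed run (a run cut off before
    # its "Return code" line is dropped rather than reported half-parsed).
    param([string[]]$Lines)
    $runs = @(); $run = $null; $inSummary = $false
    foreach ($line in $Lines) {
        if ($line -match '^Started On (.+)$') {
            $run = [pscustomobject]@{ Started = $Matches[1]; Summary = @(); ReturnCode = $null }
            $inSummary = $false
        } elseif ($null -eq $run) {
            continue
        } elseif ($line -match '^Results Summary:') {
            $inSummary = $true
        } elseif ($line -match 'Finished On') {
            $inSummary = $false
        } elseif ($line -match '^Return code:\s*(\d+)') {
            $run.ReturnCode = [int]$Matches[1]
            $runs += $run; $run = $null
        } elseif ($inSummary -and $line.Trim() -and $line -notmatch '^-+$') {
            $run.Summary += $line.Trim()
        }
    }
    $runs
}

function Invoke-MrtDetectOnly {
    # /Q suppresses dialog boxes, /N forces detect-only mode (switches listed above).
    # Run from an elevated session: the manual version needs Administrator credentials.
    $p = Start-Process -FilePath $MrtExe -ArgumentList '/Q', '/N' -Wait -PassThru
    $last = Get-MrtRun (Get-Content -LiteralPath $MrtLog) | Select-Object -Last 1
    [pscustomobject]@{ ExitCode = $p.ExitCode; Started = $last.Started; Summary = $last.Summary -join '; ' }
}

# Constructed sample log text (not captured from a real machine).
$sample = @'
Microsoft Windows Malicious Software Removal Tool v0.0, (build 0.0.0.0)
Started On Mon Jan 01 09:00:00 2007
Results Summary:
----------------
No infection found.
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jan 01 09:02:10 2007
Return code: 0 (0x0)
'@ -split "`r?`n"
Get-MrtRun $sample | Format-List
```

Call Invoke-MrtDetectOnly on a real host to run the scan; any Summary text or ExitCode that differs from the clean sample is the cue to follow up with a full anti-malware scan.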

By default, MSRT only runs a quick scan, checking only the most common autorun areas. In extended mode, MSRT scans the local hard drive(s) and detected removable media as well. An extended scan can take hours to complete. Figure 1 shows a manual MSRT scan in progress.

Figure 1: A manual MSRT scan in progress

With millions of users running the tool, Microsoft also uses MSRT to judge the prevalence of a particular malware program. Microsoft is able to collect near real-time statistics that impact how quickly they respond to new threats.

For instance, during the early days of the WMF exploit (http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx) in January 2006, several security Web sites and media outlets published stories indicating that millions of computers were being infected by the WMF exploit. A high-risk outbreak would force Microsoft to develop and release a patch to the detriment of the patch's quality.

Microsoft included WMF worm detection in MSRT and discovered only 16 infected computers out of millions of computers, an infection rate of 0.000016 in a million. Using facts, and not hyperbolic speculation, Microsoft slowed down the patch response time, and delivered a quality patch. Microsoft continues to use MSRT to assist in setting appropriate patch development response times.

New tool updates are kept as small as possible. When a user with a previous version of the tool installed is detected, only the delta updates are downloaded (when using Windows Update/Microsoft Update and Automatic Updates). Delta updates save approximately 1MB per user or download.

MSRT can be installed using normal software push mechanisms, and is fully scriptable. It can be rolled out using SMS and monitored and executed using WMI and other scripting interfaces.

If MSRT finds an infection, it removes the malware and reports the findings (see Figure 2). Unfortunately, MSRT does not tell you at what location the malware was detected. Hopefully, in future versions Microsoft will add more details.

Figure 2: MSRT informs you when it finds and removes malware.

When malware is found, relevant computer and malware information is sent back to Microsoft (except on WSUS delivered versions). According to Microsoft, the information sent to it is only used to allow the Microsoft Anti-malware team to better serve its customers.

