The Windows Malicious Software Removal Tool has been updated for WannaCry

Microsoft offers a number of free anti-malware tools. Windows 10 and 8.1 users have Windows Defender. Windows 7 users can choose between the full-featured Microsoft Security Essentials (MSE) or the limited Windows Defender. But all Windows users have access to the Malicious Software Removal Tool (MSRT) even though they may not be aware of it.

MSRT is part of the monthly Patch Tuesday bug fixes. Windows Update downloads a new version of MSRT and runs a scan with it as part of its normal processing. The last Patch Tuesday was May 9th and Microsoft dutifully issued a new version of MSRT.

I mention this because on May 23rd someone contacted me to ask why MSRT had just been updated. He had seen a new version appear in Windows Update on a 32-bit Windows 7 machine that had been dutifully updated on the 9th.

Screenshot: Windows Update running on Windows 7 (Michael Horowitz/IDG)

Windows Update installed MSRT on May 21st and then again on May 25th

I checked a 64-bit Windows 7 machine that had been updated on the 21st. Sure enough, running Windows Update on the 25th installed a new version of the software (shown above).

The May 9th release was version 5.48.13801; the May 22nd edition is version 5.48.13803. The May 9th edition is 149MB (156,335,152 bytes); the May 22nd version is 126MB (132,223,576 bytes).

What changed? Initially, Microsoft didn't say; the home page for MSRT had not been updated as of the 25th.

However, when asked, a company representative said that the May 22nd update was "to detect and remove WannaCrypt malware." WannaCrypt is another name for WannaCry.

You can run MSRT manually by simply typing "MRT" into the Run box. Or, you can find it at
C:\Windows\system32\MRT.exe

When you run it manually, the initial window has a link to "View a list of malicious software that this tool detects and removes." The May 22nd version includes Win32/WannaCrypt in this list; the May 9th version does not.
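To confirm a machine really has the May 22nd edition, compare the file version of MRT.exe, and the builds recorded in MSRT's log, against 5.48.13803. The PowerShell below is an added example, not code from Microsoft or from the original article: the function names are hypothetical, the log location (%windir%\debug\mrt.log) and its header layout are assumptions, and the sample log lines are constructed.

```powershell
# Added example. Build numbers come from the article; the log path and header
# layout are assumptions about MSRT's log file, %windir%\debug\mrt.log.
$WannaCryptBuild = [version]'5.48.13803'   # May 22nd edition, per the article

function Test-MrtBinary {
    param([string]$Path = "$env:windir\System32\MRT.exe")
    if (-not (Test-Path $Path)) { return $null }
    $vi = (Get-Item $Path).VersionInfo
    # Build the version from numeric parts; the FileVersion string can carry extra text.
    $installed = New-Object System.Version -ArgumentList `
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    New-Object PSObject -Property @{
        Installed        = $installed
        CoversWannaCrypt = ($installed -ge $WannaCryptBuild)
    }
}

function Get-MrtRuns {
    param([string[]]$LogLines)
    $run = $null
    foreach ($line in $LogLines) {
        if ($line -match 'Removal Tool v[\d.]+.*\(build ([\d.]+)\)') {
            # Header line: a new scan starts here.
            $run = @{ Build = [version]$Matches[1]; ReturnCode = $null }
        } elseif ($run -and $line -match '^Return code:\s*(\d+)') {
            # Footer line: emit one object per completed scan.
            $run.ReturnCode = [int]$Matches[1]
            $run.CoversWannaCrypt = ($run.Build -ge $WannaCryptBuild)
            New-Object PSObject -Property $run
            $run = $null
        }
    }
}

# Constructed sample log (not from a real machine), used when no log is present.
$sample = @(
    'Microsoft Windows Malicious Software Removal Tool v5.48, May 2017 (build 5.48.13801.0)'
    'Return code: 0 (0x0)'
    'Microsoft Windows Malicious Software Removal Tool v5.48, May 2017 (build 5.48.13803.0)'
    'Return code: 0 (0x0)'
)
$log   = "$env:windir\debug\mrt.log"
$lines = if (Test-Path $log) { Get-Content $log } else { $sample }

Test-MrtBinary | Format-List Installed, CoversWannaCrypt
Get-MrtRuns -LogLines $lines | Format-Table Build, ReturnCode, CoversWannaCrypt -AutoSize
```

A machine whose most recent logged run shows a build below 5.48.13803 has not yet been scanned with the edition that lists Win32/WannaCrypt.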

Running it manually offers the option of a Full scan. When it's run as part of Windows Update, it only does a Quick scan.

MSRT can be downloaded at any time from here. The 32-bit edition is currently Windows-KB890830-V5.48.exe; the 64-bit edition is Windows-KB890830-x64-V5.48.exe.

A nice thing about MSRT is that it's portable. You make a copy of MRT.exe on a non-infected PC, rename it to SomethingElse.exe for good luck, and run a full scan with it on an infected machine. Can't hurt.

Screenshot: Microsoft Malicious Software Removal Tool (Michael Horowitz/IDG)

2017 additions to MSRT

On the other hand, MSRT is very limited in scope. The page documenting the malware it targets (see above) shows only two strains were added in all of 2017.

FEEDBACK

Get in touch with me privately by email at my full name at Gmail or publicly on Twitter at @defensivecomput.
