Fact-checked by Grok 2 weeks ago

Microsoft Safety Scanner

Safety Scanner is a free, scan tool developed by to detect and remove from Windows computers , without providing ongoing protection or installation requirements. Unlike comprehensive antivirus solutions such as , which offer continuous monitoring and automatic updates, the Safety Scanner is designed for manual, one-time use to address suspected infections or verify system cleanliness. It supports various scan types, with results logged for review. The tool requires no permanent installation; users simply the (msert.exe), run it, select a type, and manually remove the after use. However, it expires 10 days after to ensure the latest threat definitions are used, necessitating a fresh for subsequent s, with aligned to 's definitions . Compatible with Windows 11, 10, 8.1, 8, 7, and various Server editions (subject to Microsoft's Lifecycle Policy), it mandates SHA-2 code signing support and is recommended as a supplementary tool rather than a primary defense mechanism.

History

Development

The discontinuation of Windows Live OneCare in April 2011, including its associated Safety Scanner component, prompted Microsoft to develop a new standalone malware removal tool to fill the gap in on-demand scanning options. Microsoft's primary motivation was to offer a free, portable utility for occasional, thorough scans without the overhead of a full-time antivirus solution like Microsoft Security Essentials, targeting users seeking simple remediation for potential infections. This initial development aligned with early elements of the Microsoft Defender ecosystem, emphasizing accessibility for non-technical users through a lightweight design that required no installation and ran directly from the executable. Key design choices included making the tool a time-limited executable that expires 10 days after download, ensuring users obtain the most current anti-malware definitions for each use rather than relying on outdated versions. The portable nature avoided system modifications or registry entries, enhancing ease of deployment across various Windows environments without administrative hurdles. It serves as a complement to broader security tools like the (MSRT), providing deeper on-demand scanning for persistent threats when real-time protections fall short.

Release timeline

The Microsoft Safety Scanner was first publicly released on April 15, 2011, as a direct replacement for the discontinued OneCare Safety Scanner. Its initial version, 1.0.3001.0, launched in 2011 to provide on-demand scanning for early supported Windows versions including and . By 2014, the tool had progressed to version 1.165.2952.0, reflecting improvements in detection capabilities aligned with evolving threats. Subsequent updates have occurred frequently, with major version refreshes tied to monthly security intelligence updates from , ensuring the scanner incorporates the latest definitions without requiring a persistent . The tool integrates with and ecosystems, maintaining compatibility through ongoing releases that align with OS updates. A key design feature is its expiration mechanism: the executable expires 10 days after download, prompting users to re-download for access to the most current definitions and preventing reliance on outdated scans. As of November 2025, the latest versions incorporate security intelligence update 1.441.243.0 released on November 15, 2025, continue this pattern of timely refreshes.

Functionality

Core scanning capabilities

The Microsoft Safety Scanner employs signature-based detection by leveraging regularly updated Microsoft security intelligence definitions to identify known viruses, , rootkits, and other variants. These definitions, downloadable from Microsoft's Windows Defender Security Intelligence site, enable the tool to match file characteristics against a comprehensive database of threat signatures. Additionally, the incorporates and behavior-based analysis to detect potentially unknown threats through and anomalous activities, such as suspicious file behaviors that may indicate emerging . Upon detection, the tool automatically attempts to remove identified threats and reverse associated malicious changes, including alterations to files, registry entries, and configurations. This remediation process prioritizes restoring affected components to their pre-infection state where possible, minimizing residual impacts on integrity. Scan results are logged in a detailed text file named msert.log, located at %SYSTEMROOT%\debug\msert.log, which records detected threats, removal actions, and any evaluation outcomes for further analysis. For low-fidelity detections—preliminary matches that require validation—the scanner integrates with Microsoft Active Protection Service (MAPS) to perform post-scan cloud-based evaluations if an internet connection is available, helping to confirm threats and reduce false positives. The scanner supports offline operation as a standalone , allowing threat detection and removal without an connection during the itself, though MAPS checks occur afterward if connectivity is established.

Supported scan types

The Microsoft Safety Scanner provides three main types to accommodate varying user needs for detection and removal: quick , full , and custom . These options allow users to balance thoroughness with efficiency, leveraging the tool's engine to identify threats including viruses, , and rootkits. The quick scan focuses on high-risk areas prone to infection, such as running processes, memory, system files, and the Windows registry. It prioritizes speed for initial assessments, often completing in just a few minutes on typical systems, and is ideal for verifying if a computer is clean without extensive resource use. A full scan offers comprehensive coverage by examining every file, folder, drive, and system sector accessible to the tool. This mode detects a broad spectrum of malware, including persistent rootkits that may hide in boot sectors or kernel components, but it requires significantly more time—potentially hours—depending on the volume of data and hardware performance. The custom scan enables targeted inspections by letting users select specific paths, such as individual folders, drives, or files, for analysis. This approach is efficient for isolating potential issues in designated locations, avoiding the need for a complete system sweep while still applying the tool's full detection capabilities. Although the Microsoft Safety Scanner runs within the Windows environment and lacks a native boot-time mode, it integrates with offline-like procedures through manual execution in or from to tackle rootkits that resist active OS scans, requiring user-initiated triggers for such scenarios.

System requirements and compatibility

Hardware and software prerequisites

The Microsoft Safety Scanner has minimal software prerequisites to promote widespread accessibility on Windows systems. The tool requires a compatible Windows operating system and support for , as it is exclusively signed using certificates to align with modern security standards. It supports both 32-bit and 64-bit architectures, with dedicated executable files available for each to match the user's system configuration. Administrative privileges are required to execute the tool effectively, enabling full access to files, registry entries, and system components for comprehensive scanning and remediation. An connection is recommended upon initial run to fetch the most current definitions from Update, though the tool includes embedded definitions that allow offline operation if connectivity is unavailable. Hardware requirements are not explicitly detailed by , reflecting the tool's lightweight design intended for quick deployment without imposing stringent demands. It operates on standard configurations that satisfy the baseline specifications of supported Windows versions. As a Windows-exclusive utility, the Microsoft Safety Scanner does not support mobile devices, such as smartphones or tablets, nor any non-Windows operating systems like macOS, , or . This limitation ensures focused optimization for desktop and server environments where prevalent threats are targeted.

Supported Windows versions

The Microsoft Safety Scanner provides compatibility with various Windows client and server editions, focusing on modern and legacy systems while adhering to Microsoft's lifecycle policies for ongoing support. Full support is available for (version 1507 and later) and all builds of as of 2025, ensuring the tool can effectively scan and remediate threats on these platforms. Legacy support extends to older client versions, including Service Pack 1 (SP1), , and , though users should note end-of-support caveats—particularly for , which reached end of support on January 14, 2020, after which no further security updates are provided outside of optional Extended Security Updates (ESU) programs that concluded in 2023. On the server side, the tool supports , , , , and , with similar lifecycle considerations applying to older editions like 2008 R2, which ended mainstream support in 2015 and extended support in 2020. Discontinued support applies to and earlier versions, which are no longer compatible following the operating system's end of extended support on April 11, 2017, rendering the Safety Scanner incompatible due to unmaintained dependencies and security signing requirements like SHA-2.

Usage

Downloading and setup

The Safety Scanner is available for free download from the official Microsoft Defender for Endpoint documentation page or the Windows Security support resources on Microsoft's website. Users should select the version matching their system's architecture: msert.exe for 32-bit Windows or msert64.exe for 64-bit Windows. As a , the tool requires no formal and does not create persistent entries in the or . To ensure authenticity, users should verify the of the executable file, which is signed by Corporation using certificates; devices must support SHA-2 signing for validation. Due to its time-limited nature, the tool expires 10 days after download, necessitating a re-download for access to current definitions. Setup involves right-clicking the executable file and selecting "Run as " to launch the tool with elevated privileges. On first run, users must accept the End User Agreement (EULA). The tool then prompts to update its definitions automatically before proceeding.

Performing and reviewing scans

To perform a scan with the Microsoft Safety Scanner, users the executable file to launch the (GUI). Upon opening, the tool prompts acceptance of the terms, followed by a selection screen for the scan type, such as Quick scan, Full scan, or Custom scan. After choosing the desired option—for instance, a Custom scan allows specifying folders or drives—the user clicks Next to initiate the process. During the scan, a in the GUI displays the number of files scanned, estimated time remaining, and a running count of potential threats detected. The tool operates without requiring additional user input until completion, though scans can be interrupted by closing the application or system shutdown. There is no built-in pause or reliable resumption feature; if interrupted, Microsoft recommends restarting the tool and running a full scan from the beginning to ensure thorough coverage. Upon finishing, the provides a summary of results, indicating the number of threats found and automatically removed, or stating that no threats were detected. The tool performs direct removal actions, such as deletion of infected files, without an automatic option. For detailed examination, users access the log file at %SYSTEMROOT%\debug\msert.log, which records timestamps, file paths, detection names, and actions taken (e.g., cleaning by deletion). To view the log, press Windows + R, enter the path, and open the file in a . If the scan identifies items believed to be false positives—such as legitimate files flagged erroneously—users can submit them for analysis via the Security Intelligence submission portal. The tool does not include an integrated mechanism for excluding or restoring items post-removal; affected users should contact support for further assistance in verifying and addressing potential misdetections.

Comparison with other tools

Versus Microsoft Defender Antivirus

The Microsoft Safety Scanner serves as a supplementary, on-demand scanning tool designed specifically for deep, manual malware detection and removal on Windows systems, whereas Microsoft Defender Antivirus functions as a comprehensive, always-active security solution that includes continuous real-time monitoring, an integrated firewall, and cloud-delivered protection to safeguard against threats proactively. Safety Scanner operates as a portable executable that users must download and run manually, making it ideal for targeted investigations but without the persistent background operations that Defender maintains to block threats in real time. Both tools leverage the same security intelligence definitions for detection, ensuring consistency in identifying known threats, but Safety Scanner does not incorporate 's advanced real-time behavioral analysis or automatic definition updates, which require manual re-downloads every 10 days to remain current. This overlap in definitions allows Safety Scanner to complement effectively, particularly in scenarios where the primary antivirus may encounter issues or require a secondary verification. In terms of use cases, Safety Scanner is recommended for situations involving suspected infections that Defender might have overlooked or failed to remediate fully, such as during troubleshooting persistent malware issues, while Defender excels in everyday prevention through its ongoing scanning, credential protection, and defense against ransomware and unauthorized access. Users are advised to rely on Defender for routine security and deploy Safety Scanner only as needed for thorough, one-off scans to avoid redundancy. Regarding performance, Safety Scanner can be more resource-intensive during full system scans, potentially taking hours or even days on large drives as it examines millions of files without the optimized, scheduled approach of 's scans, though it remains non-intrusive when not actively running. In contrast, balances real-time protection with configurable CPU limits to minimize impact on daily operations.

Versus Malicious Software Removal Tool

The Microsoft Safety Scanner and the Windows (MSRT) are both portable, non-installing utilities provided by to detect and remove from Windows systems, but they differ significantly in scope, targeting, and operational approach. While MSRT is designed as a lightweight, targeted intervention for high-prevalence threats, the Safety Scanner leverages the comprehensive engine to address a wider array of potential infections. In terms of targeted threats, MSRT concentrates on a limited number of prevalent families per monthly release, prioritizing those causing the most widespread damage based on global , such as 5 families in recent releases like October 2025 (NetFleek, ShadowLink, RogueSpy, ShadowWraith, TofuStation), including of Blaster, Sasser, or more recent ones like LummaStealer. In contrast, the Safety Scanner employs the full signature database and heuristics from the Microsoft Defender engine, enabling it to scan for thousands of known , including viruses, trojans, , and rootkits beyond just the most common ones. This makes the Safety Scanner suitable for broader threat hunting, while MSRT serves as a specialized check for top-priority infections. Deployment methods for both tools emphasize ease of use without permanent installation, but their update mechanisms vary. MSRT integrates directly with , automatically downloading and running silently on the second Tuesday of each month to maintain currency without user intervention. The Safety Scanner, however, requires manual downloading from Microsoft's site, with its definitions expiring after 10 days, necessitating re-download for ongoing protection against evolving threats. Regarding comprehensiveness and integration, the Safety Scanner supports user-selected scan types, including full system scans, quick scans, and custom options, allowing for thorough, on-demand deep cleaning when persistent issues are suspected. MSRT, by design, operates in a default quiet mode for rapid execution, focusing primarily on detection and removal for its targeted families, with an optional full scan triggered only if an infection is found during the initial pass. This positions MSRT as a background, automated supplement to routine maintenance, whereas the Safety Scanner is intended for explicit, user-initiated remediation in response to suspected or confirmed compromise.

Licensing and availability

License terms

The Microsoft Safety Scanner is offered free of charge for both personal and commercial use under the Software License Terms, with no associated costs beyond the requirement to accept the End User Agreement (EULA) displayed upon the tool's first execution. This limited license grants users the right to install and run the tool solely for the purpose of scanning and removing from supported Windows devices. The EULA permits use for both personal and commercial purposes. Key restrictions in the EULA prohibit , decompiling, or disassembling the software; redistributing it without 's explicit permission; or incorporating it into any competing products or services. Additionally, the tool is time-limited, expiring 10 days after to ensure users obtain the latest definitions for ongoing , after which a new version must be downloaded. retains full ownership and all rights to the software, providing only a revocable, non-exclusive without transferring any title or ownership to the user.

Distribution and updates

The Safety Scanner is primarily distributed as a free, standalone downloadable tool from official websites, such as the Microsoft Defender for Endpoint documentation page. Users access it by navigating to the section, selecting the appropriate 32-bit or 64-bit version based on their system architecture, and saving the file (msert.exe), which requires no installation and does not integrate into the Windows or system programs. Unlike continuously updated , the Safety Scanner does not feature automatic updates; instead, it relies on a manual re-download process to obtain the latest version, which incorporates updated definitions released monthly by . Each downloaded version expires 10 days after acquisition to ensure users obtain fresh definitions for optimal detection, tying updates directly to Microsoft's broader cadence without providing archived or older versions for and efficacy reasons. The tool is available globally with multilingual support, as evidenced by localized and pages in multiple languages on Microsoft's site, making it accessible to users worldwide without regional restrictions. While primarily offered as a standalone , users must accept Microsoft's standard license terms during the download process to proceed. It is not bundled in standard Windows installation media or distributed through the , emphasizing its role as an on-demand, supplementary scanning utility.

References

  1. [1]
    Microsoft Safety Scanner Download - Microsoft Defender for Endpoint
    Apr 4, 2025 · Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Download it and run a scan to find malware.Important information · System requirements
  2. [2]
    Latest security intelligence updates for Microsoft Defender Antivirus ...
    Latest security intelligence update ; Version: 1.441.189.0 ; Engine Version: 1.1.25100.9002 ; Platform Version: 4.18.25090.3009 ; Released: 11/13/2025 10:49:46 AM ...Release notes · Real time protection · Turn on cloud protection
  3. [3]
    https://www.microsoft.com/wdsi/definitions
  4. [4]
    Ending Support in 2011 - Microsoft Lifecycle
    The following products, governed by the Modern Policy, will retire in 2011. Expand table. Product, Retirement. Windows Live OneCare, April 12, 2011. Products ...
  5. [5]
    [PDF] Microsoft Security Intelligence Report
    Apr 12, 2011 · The Microsoft Safety Scanner is a free downloadable security tool that provides on-demand scanning and helps remove malware and other malicious ...Missing: announcement | Show results with:announcement
  6. [6]
    Microsoft Safety Scanner, Free On-Demand Virus Scanner - Ghacks
    Apr 14, 2011 · Microsoft has released a program called Microsoft Safety Scanner, a free on-demand virus scanner for the Windows operating system.
  7. [7]
    Download Microsoft Safety Scanner Free
    1.0.3001.0 ... Microsoft released Microsoft Safety Scanner to the public back in 2011. In the first seven days after the security software solution was released ...Missing: initial | Show results with:initial
  8. [8]
    MS Safety Scanner (msert.exe) version display. - Microsoft Q&A
    Jan 29, 2014 · The version of the Microsoft Safety Scanner itself is 1.0.3001.0. The same definition file is also used for Microsoft Security Essentials and ...Missing: initial | Show results with:initial
  9. [9]
    Microsoft Safety Scanner - CISA
    Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. It can run scans to find malware and try to reverse changes.Missing: replacement OneCare
  10. [10]
    Where is the report on MSERT scanned viruses found?
    Apr 24, 2024 · Log file location is C:\Windows\Debug\msert.log. > https://learn ... Microsoft Safety Scanner Download - Microsoft Defender for Endpoint.Missing: name | Show results with:name
  11. [11]
    Safety Scanner finds infected files but then claims nothing was found!
    Apr 17, 2023 · Get the Microsoft Safety Scanner tool to find and remove malware from Windows computers. Prevent malware infection - Microsoft Defender for ...
  12. [12]
    How to troubleshoot an error when you run the Microsoft Safety ...
    Start the Microsoft Safety Scanner, then click Next. In Scan Type, select which type of scan you prefer, and then click Next. Run a full scan.
  13. [13]
    How to remove the PC Repair virus - Microsoft Support
    Click Quick Scan, then click Next. The Microsoft Safety Scanner will scan your computer. This may take a few minutes. Once the scan is complete, click View ...
  14. [14]
    Are there any 64-bit Microsoft rootkit detection tools?
    Apr 16, 2019 · I'm looking for a rootkit detection tool that works with Windows 10. Is there anything available from Microsoft? Something similar to the Sysinternal toolkit?
  15. [15]
    Windows Defender Live - Microsoft Q&A
    Oct 23, 2013 · Are you perhaps referring to the Microsoft Safety Scanner, which can run from a Flash drive, but does not have a boot environment for the ...
  16. [16]
    Microsoft Safety Scanner 32-bit or 64-bit
    Jun 6, 2019 · If it says you have a 64 bit operating system installed, download the 64 bit Safety Scanner. If it says you have a 32 bit operating system ...
  17. [17]
    Windows 7 - Microsoft Lifecycle
    **End of Support Date and Security Updates for Windows 7:**
  18. [18]
    Windows Vista - Microsoft Lifecycle
    ### End of Support Date for Windows Vista
  19. [19]
    Windows Malicious Software Removal Tool 64-bit - Microsoft
    File Size: 79.5 MB. KB Articles: KB890830. Use ... For comprehensive malware detection and removal, consider using Microsoft Safety Scanner.
  20. [20]
    Downloaded Microsoft Safety Scanner and got a warning: msert.exe ...
    Jun 23, 2013 · and, when you right click on msert.exe and click on Properties then on the Digital Signature tab it says it is signed by Microsoft Corporation ...Missing: verification | Show results with:verification
  21. [21]
    Safety Scanner found 12 infected files but scan results said no ...
    Safety Scanner found 12 infected files, but the scan results said no viruses, spyware, or other unwanted software were detected.
  22. [22]
    Microsoft safety scanner stuck
    Aug 25, 2024 · 1.Restart the Scan: Sometimes scans can get stuck due to various reasons. You might want to restart your system and try running the Microsoft Safety Scanner ...Missing: resume | Show results with:resume
  23. [23]
    how i find what microsoft safety scanner what it detected threats it ...
    May 29, 2021 · To view detailed logs, type 'Run' in search, paste %SYSTEMROOT%\debug\msert.log, and press enter. This will show a text file with details.Missing: name | Show results with:name
  24. [24]
    https://learn.microsoft.com/en-us/answers/questions/3795913/how-i-find-what-microsoft-safety-scanner-what-it-d
  25. [25]
    https://www.microsoft.com/en-us/wdsi/filesubmission
  26. [26]
    MS Defender vs. MS Safety Scanner - Microsoft Q&A
    Jul 12, 2020 · Windows Defender and Microsoft Safety Scanner use the same definitions. The Safety Scanner is good to use if something is wrong in Windows Defender.
  27. [27]
    Microsoft Safety Scanner Strange Results
    Jun 3, 2023 · I ran Microsoft Safety Scanner's full scan on my Windows 10 PC. It ran for over seven days. It scanned over 25,000,000 files!
  28. [28]
    Troubleshoot Microsoft Defender Antivirus scan issues
    Apr 29, 2025 · Troubleshoot scan issues by understanding scan launch methods, using Event Viewer, and reviewing scan status via the Microsoft Defender portal ...Missing: resume | Show results with:resume
  29. [29]
    Remove specific prevalent malware with Windows Malicious ...
    Discusses the release of the Malicious Software Removal Tool (MSRT) to help remove specific prevalent malicious software from Windows-based computers.
  30. [30]
    Microsoft Safety Scanner - Microsoft Q&A
    May 17, 2024 · This tool scans for and help remove viruses, spyware, and other potentially unwanted software from your computer.
  31. [31]
    MSRT or MSS - Microsoft Q&A
    Oct 26, 2022 · MSRT (Malicious Software Removal Tool) is less comprehensive compared to the other as this is only designed to scan for common malware attacks.
  32. [32]
    Microsoft Services Agreement
    Jul 30, 2025 · The Microsoft Services Agreement is an agreement between you and Microsoft (or one of its affiliates) that governs your use of Microsoft consumer online ...FAQs · Updates · Microsoft Change Locale · HEVC Virtual Patents MarkingMissing: Scanner | Show results with:Scanner
  33. [33]
    Microsoft Defender Application license terms
    Jan 18, 2023 · These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft ...Missing: Scanner | Show results with:Scanner