NEW BLOG POST: Windows Defender AV’s behavior monitoring coupled with cloud-powered machine learning models uncovered and blocked a massive Dofoil (Smoke Loader) coin mining campaign. Read the post
Troubleshoot malware detection and removal problems
Read this page if you're experiencing any of the following problems detecting and removing malware with Windows Defender Antivirus:
You can also view virus and malware discussions in Microsoft Community to see if someone else has experienced the same problem or has a solution.
This guide might also apply to Microsoft Security Essentials and other Microsoft antimalware solutions.
Scan could not complete
If scans are taking too long or appear to be progressing very slowly, consider the following solutions:
Ensure you have sufficient disk space
Windows Defender Antivirus requires disk space to remove and quarantine malware files. It might be prevented from completely removing a threat if there isn't enough space on your PC, particularly on your system drive (commonly drive C). See the following to help free up space:
After you've freed up some space, update and then run a scan again.
Speed up scans
In general, full scans can take a long time if you have a large disk with lots of files. Large files, especially archives such as ZIP files, take longer to scan.
Quick scans complete much faster than full scans and are designed to check areas that most often harbor threats. To speed up scans, close other applications and run scans while your computer is idle. Advanced users can also try running scans with special switches.
Windows Defender Antivirus encounters errors
If Windows Defender Antivirus continually encounters errors during scans or during malware removal, try the following solutions:
Malware is not detected
To detect the latest threats, use a robust antimalware product, like Windows Defender Antivirus, which is built into Windows 10 and Windows 8.1 (read about Microsoft antimalware solutions). Ensure that critical security features are turned on and that Windows Defender Antivirus is fully updated before scanning.
Use Windows Defender Antivirus with cloud-based protection
By default, the following advanced features are enabled. If you’ve turned them off, you should enable them for the best protection:
To turn on these features:
These features significantly increase the chances of detecting never-before-seen malware and enable the automated creation of new protection updates that help immunize all other computers running Windows Defender Antivirus from the newly discovered threats.
More information about configuration and central management options is available in Windows Defender Antivirus documentation.
Update Windows Defender Antivirus before scanning
By default, Windows Defender Antivirus updates definitions automatically at least once every day. You can also manually check for updates:
If you continue to encounter suspicious files that are not detected by Windows Defender Antivirus, submit the files to Microsoft for analysis.
Malware keeps coming back
Even after a malware has been removed, it might come back if you visit the website that hosts it or receive it again by email. Avoid websites that might contain malware, such as sites that provide illegal downloads.
To block threats from malicious websites, use a modern browser like Microsoft Edge, which uses Windows Defender SmartScreen to identify sites with poor reputation. Upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.
In some cases, redetection of the same malware is due to an undetected malware component constantly dropping the detected malware. The malware is typically dropped and redected right after you restart your PC. To resolve this:
Scan with Windows Defender Offline
If the same malware keeps infecting your PC, use Windows Defender Offline to look for and remove recurring malware. Windows Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.
NOTE: Before initiating a Windows Defender Offline scan, ensure that you have saved your work. Your PC will restart before starting the scan.
Windows Defender Offline is incorporated in Windows 10. To start an offline scan on Windows 10 version 1703 (Creators Update) or later:
On Windows 8.1 or Windows 7, you will need to download Windows Defender Offline as a separate tool. For more information, see Help protect my PC with Windows Defender Offline.
Perform manual cleanup
Some threats can be very persistent, especially if they have elevated privileges. If a Windows Defender Offline scan has been unsuccessful, try a manual cleanup.
NOTE: This process should be performed by experienced users only. You should have backups of critical files before proceeding. If you have limited technical experience, you can choose to reset, restore, or reinstall your PC.
Here are some general steps you can take to manually remove malware:
To understand how to clean specific threats, read about the threat in the threat encyclopedia. Use the name of the threat as detected by Windows Defender Antivirus to search the threat encyclopedia. The threat encyclopedia describes the behavior of major threat families and provides special cleanup instructions for specific situations.
Malware has caused irreversible changes
If malware has caused irreversible changes to your PC, you can try to reset your PC. This might involve restoring data from backup.
Reset, restore, or reinstall your PC
Back up any files and settings you want to keep so that you can restore them later. Windows provides several options on how you can reset or refresh your PC. If you choose to manually reinstall, you will need to prepare installation discs, product keys, and setup files.
NOTE: Whenever possible, restore your files from backups generated before the infection and stored in an external location, such as OneDrive, which provides regular cloud-based backups with version histories. Backups that are on your PC during an infection might have already been modified by the malware.
See the following articles for more information about reinstalling or recovering Windows:
As soon as you restore your PC, make sure you have the latest software running. The latest versions of software include available fixes of known security issues. This will help ensure your PC is not infected by malware that exploit security vulnerabilities.
See the following articles for more information about updating Microsoft software and third-party applications:
Provide feedback to Microsoft
Microsoft continually works on enhancing the user experience on all current products, including Windows Defender Antivirus. We encourage all customers to make use of the following feedback channels included in Windows 10:
Read Diagnostics, feedback, and privacy in Windows 10 for questions about privacy and feedback settings.
Submit undetected malware
If you believe Windows Defender Antivirus is not detecting a malicious file, obtain a copy of that file and submit it to us for analysis. We will try our best to quickly review that file and update our solutions as appropriate.