Troubleshoot malware detection and removal problems

Read this page if you're experiencing any of the following problems detecting and removing malware with Windows Defender Antivirus:

You can also view virus and malware discussions in Microsoft Community to see if someone else has experienced the same problem or has a solution.

This guide might also apply to Microsoft Security Essentials and other Microsoft antimalware solutions.


Scan could not complete

If scans are taking too long or appear to be progressing very slowly, consider the following solutions:

  • Ensure you have sufficient disk space
  • Run focused scans while your PC is idle

Ensure you have sufficient disk space

Windows Defender Antivirus requires disk space to remove and quarantine malware files. It might be prevented from completely removing a threat if there isn't enough space on your PC, particularly on your system drive (commonly drive C). See the following to help free up space:

After you've freed up some space, update and then run a scan again.

Speed up scans

In general, full scans can take a long time if you have a large disk with lots of files. Large files, especially archives such as ZIP files, take longer to scan.

Quick scans complete much faster than full scans and are designed to check areas that most often harbor threats. To speed up scans, close other applications and run scans while your computer is idle. Advanced users can also try running scans with special switches.

Windows Defender Antivirus encounters errors

If Windows Defender Antivirus continually encounters errors during scans or during malware removal, try the following solutions:

Malware is not detected

To detect the latest threats, use a robust antimalware product, like Windows Defender Antivirus, which is built into Windows 10 and Windows 8.1 (read about Microsoft antimalware solutions). Ensure that critical security features are turned on and that Windows Defender Antivirus is fully updated before scanning.

Use Windows Defender Antivirus with cloud-based protection

By default, the following advanced features are enabled. If you’ve turned them off, you should enable them for the best protection:

  • Cloud-based protection
  • Automatic sample submission

To turn on these features:

  1. Search for Windows Defender Security Center to open the app.
  2. Go to Virus & threat protection, then Virus & threat protection settings.
  3. Make sure the switches for Cloud-delivered protection and Automatic sample submission are set to On.
Windows Defender Security Center Virus and threat protection settings
Cloud-delivered protection and Automatic sample submission turned on

These features significantly increase the chances of detecting never-before-seen malware and enable the automated creation of new protection updates that help immunize all other computers running Windows Defender Antivirus from the newly discovered threats.

More information about configuration and central management options is available in Windows Defender Antivirus documentation.

Update Windows Defender Antivirus before scanning

By default, Windows Defender Antivirus updates definitions automatically at least once every day. You can also manually check for updates:

  1. Search for Windows Defender Security Center to open the app.
  2. Go to Virus & threat protection, then Protection updates.
  3. Click Check for updates.
Windows Defender Security Center Protection updates screen
Windows Defender Security Center Protection updates screen

See more about definition updates for Windows Defender Antivirus and other Microsoft antimalware.

If you continue to encounter suspicious files that are not detected by Windows Defender Antivirus, submit the files to Microsoft for analysis.

Malware keeps coming back

Even after a malware has been removed, it might come back if you visit the website that hosts it or receive it again by email. Avoid websites that might contain malware, such as sites that provide illegal downloads.

To block threats from malicious websites, use a modern browser like Microsoft Edge, which uses Windows Defender SmartScreen to identify sites with poor reputation. Upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.

In some cases, redetection of the same malware is due to an undetected malware component constantly dropping the detected malware. The malware is typically dropped and redected right after you restart your PC. To resolve this:

Scan with Windows Defender Offline

If the same malware keeps infecting your PC, use Windows Defender Offline to look for and remove recurring malware. Windows Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.

NOTE: Before initiating a Windows Defender Offline scan, ensure that you have saved your work. Your PC will restart before starting the scan.

Windows Defender Offline is incorporated in Windows 10. To start an offline scan on Windows 10 version 1703 (Creators Update) or later:

  1. Search for Windows Defender Security Center to open the app.
  2. Go to Virus & threat protection, then Advanced scan.
  3. Select Windows Defender Offline scan and then select Scan now.

On Windows 8.1 or Windows 7, you will need to download Windows Defender Offline as a separate tool. For more information, see Help protect my PC with Windows Defender Offline.

Windows Defender Offline scan on Windows 10
Starting Windows Defender Offline scan on Windows 10

Perform manual cleanup

Some threats can be very persistent, especially if they have elevated privileges. If a Windows Defender Offline scan has been unsuccessful, try a manual cleanup.

NOTE: This process should be performed by experienced users only. You should have backups of critical files before proceeding. If you have limited technical experience, you can choose to reset, restore, or reinstall your PC.

Here are some general steps you can take to manually remove malware:

  1. Close all open applications and stop unnecessary processes. You can use tools like Process Explorer to find and stop running processes.
  2. Remove malware autostart triggers. Autoruns for Windows can list all applications, drivers, and services that autostart, including ones triggered in the registry and by the Task Scheduler.
  3. Check the HOSTS files and ensure that there are no malicious entries that redirect normal network traffic. Reset the HOSTS file if necessary.
  4. Uninstall or delete the malicious application. Most malware do not have uninstallers, so removing them will often involve manually looking for malicious files and deleting these files. Some of these files will be hidden inside unusual locations, like the Recycle Bin.

To understand how to clean specific threats, read about the threat in the threat encyclopedia. Use the name of the threat as detected by Windows Defender Antivirus to search the threat encyclopedia. The threat encyclopedia describes the behavior of major threat families and provides special cleanup instructions for specific situations.

Malware has caused irreversible changes

If malware has caused irreversible changes to your PC, you can try to reset your PC. This might involve restoring data from backup.

Reset, restore, or reinstall your PC

Back up any files and settings you want to keep so that you can restore them later. Windows provides several options on how you can reset or refresh your PC. If you choose to manually reinstall, you will need to prepare installation discs, product keys, and setup files.

NOTE: Whenever possible, restore your files from backups generated before the infection and stored in an external location, such as OneDrive, which provides regular cloud-based backups with version histories. Backups that are on your PC during an infection might have already been modified by the malware.

See the following articles for more information about reinstalling or recovering Windows:

Update software

As soon as you restore your PC, make sure you have the latest software running. The latest versions of software include available fixes of known security issues. This will help ensure your PC is not infected by malware that exploit security vulnerabilities.

See the following articles for more information about updating Microsoft software and third-party applications:

Provide feedback to Microsoft

Microsoft continually works on enhancing the user experience on all current products, including Windows Defender Antivirus. We encourage all customers to make use of the following feedback channels included in Windows 10:

  • Set Windows to automatically prompt for your feedback. Windows is already configured to automatically prompt for feedback by default. To ensure this feature is turned on, go to Start, then select Settings > Privacy > Feedback & diagnostics. Make sure that Windows is set to ask for your feedback automatically.
  • Feedback and diagnostics settings
    Feedback frequency settings
  • Manually send feedback at any time through the Feedback Hub app. To send feedback, type Feedback Hub in the search bar to open the app. In the app, select Feedback > Add new feedback. Select Security, Privacy, and Accounts > Windows Defender Antivirus as the category.

Read Diagnostics, feedback, and privacy in Windows 10 for questions about privacy and feedback settings.

Submit undetected malware

If you believe Windows Defender Antivirus is not detecting a malicious file, obtain a copy of that file and submit it to us for analysis. We will try our best to quickly review that file and update our solutions as appropriate.

Latest news
VIEW ALL