News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Windows Defender Scans

    Posted on bsfinkel Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 10 Windows Defender Scans

    Viewing 30 reply threads
    • Author
      Posts
      • #2281710 Reply
        bsfinkel
        AskWoody Lounger

        In Windows 7, I had set up Microsoft Security Essentials (MSE) to run a full scan at 7PM each Friday. I have a number of hard drives in my machine, and I told MSE what disks and directories not to scan. (It sometimes did not honor my request.) When a scan was running, the MSE icon was sitting in the system tray, with a spinning circle. I could open the MSE window and see what was happening. Everything with MSE was controlled from this window.

        In Windows 10, it appears that Defender is either one multi-headed application or a number of separate applications. I have been using Windows 10 in production for about three weeks. I told Defender to run a scan every Friday at 7PM, but I had no idea if it ever ran.  Somewhere in Settings I found a switch that had “Periodic scans” set to OFF. It seems to me that if I set an MSE full scan, then the “Periodic scans” switch should be changed automatically to ON. I set that switch to ON, but it appears that when 2004 was “auto-installed” a week ago, it changed my settings back to “factory” – disabled Periodic scans, and lost my Friday full-scan setting.  I re-scheduled my weekly scan, but I cannot find in that window where to tell Defender what directories and files NOT to scan. And a Google search to locate scan results showed me three or four different ways to get the results, and I am not sure that each method will give me the same results.  Is there a rationale for changing the “one-stop shop” MSE Windows 7 user interface into the Windows 10 Defender multiple interfaces? (Other than the fact that someone thought that a new operating system needed changed interfaces.)

      • #2281900 Reply
        bsfinkel
        AskWoody Lounger

        I had scheduled a full scan for 9 PM Sunday (yesterday), and there is NO EVIDENCE that the scan ran.  I did check, and the file/directory exclusion list I had set in 1909 was still intact in 2004.

      • #2282317 Reply
        bsfinkel
        AskWoody Lounger

        I scheduled a full scan for 9 PM Mondays; it should have run last night (07/20). There was no record that the full scan I had scheduled for 9PM Sundays ran on 07/19.

        The Windows Defender event log says:

        Windows Defender Event Log ID 1151
        02/21/2020 02:41:58 PM says last full scan 07/12/2020 03:58:11 – 07:14:53

        EventID 1000 Scan Started 07/11/2020 10:38:39 PM
        EventID 1001 Scan Ended 07/12/2020 02:14:54 AM

        EventID 1000 Scan Started 07/18/2020 11:52:57 PM
        EventID 1001 Scan Ended 07/18/2020 11:59:38 AM

        EventID 1000 Scan Started 07/20/2020 05:36:02 AM
        EventID 1001 Scan Ended [no 1001 record]

        There was a quick scan on 7/18; I may have run that manually.
        There was a full scan started Monday morning 7/20. There is no evidence that it completed, and no evidence that it is still running.

        There was a full scan on Sunday, 7/12. I have no idea what Defender is doing with respect to my scheduled full scans.

      • #2283196 Reply
        bsfinkel
        AskWoody Lounger

        I reset Defender scans to occur every Friday at 9PM.  Here is what is in the Defender Operational Log:

        What I see in the Defender Operation log:

        Fr 07/24 12:41 AM 1151 status: last full scan 07/12 03:58 AM – 7/12 07:14 AM
        01:41 AM 1151 status (every hour)

        06:41 AM 1151 status
        06:52 AM 2000 pattern update
        06:52 AM 2000 pattern update
        07:41 AM 1151 status

        Sa 07/25 06:41 AM 1151 status
        06:52 AM 2000 pattern update
        06:52 AM 2000 pattern update
        07:41 AM 1151 status

        03:41 PM 1151 status
        04:30 PM 2000 pattern update
        04:30 PM 2000 pattern update
        04:41 PM 1151 status
        05:10 PM 1000 scan started
        05:10 PM 1013 Removed history 0710 05:10 PM
        05:42 PM 1151 status

        Su 07/26 06:41 AM 1151 status
        06:53 AM 2000 pattern update
        06:53 AM 2000 pattern update
        07:42 AM 1151 status: last full scan 07/12 03:58 AM – 7/12 07:14 AM

        There is NO evidence that Defender (MsMpEng.exe) is currently running a scan.  And, if I set the scan to run Friday at 9 PM, why did the scan start Saturday at 5:10 PM?

        Does anyone else who runs a weekly scan see what I am seeing?

      • #2283204 Reply
        Microfix
        AskWoody MVP

        Haven’t used MS scheduled scans in Defender, I do it manually every 2nd day on Win8.1.
        That way, I KNOW it has been done whilst enjoying a liquid refreshment break.
        Perhaps W10 v2004 itself is responsible..along with the vast amount of ‘other’ mysteries concerning this release.

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
      • #2283208 Reply
        bsfinkel
        AskWoody Lounger

        When I was running an MSE weekly scan in Windows 7 Professional, the scan would start at 7 PM Friday and sometimes run until Sunday evening.  It was mostly scanning my C-drive, but I also scan a small FAT32 data disk.  There were some huge files on my C-drive that I did not want to be scanned, but there were times that I would be at my computer when MSE was scanning those files, even though I had them in the exclude list.  Since a full scan wood take a while, I scheduled the scan to run at a time when I would not be at the computer.  Obviously, my C-drive in Windows 10 is not as full as the C-drive on my Windows 7 system.  I have no idea if my current Defender scan problems are due to 2004, which was auto-installe3d 07/08.

      • #2283212 Reply
        bbearren
        AskWoody MVP

        I do believe that Windows Defender scans are handled by Task Scheduler.

        (Run as administrator) Task Scheduler > Task Scheduler Library > Microsoft > Windows > click Windows Defender in the left pane, and see what you have for “Last Run Time” and “Next Run Time” for the various scans.

        Mine are working properly.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2283218 Reply
        bsfinkel
        AskWoody Lounger

        Last scan 07/20; next run time  07/24 (in the past).   See the screenshot taken a few minutes ago at 10:30 AM 07/26.

        defender.200726

        Attachments:
      • #2288435 Reply
        bsfinkel
        AskWoody Lounger

        It appears to me that the Windows 10 “Feedback Hub” is (maybe intentionally) a black hole.  I have posted about my lack of a full scan, and two weeks later I have not gotten any responses.  I would consider the lack of a full scan to be a security problem that would need fixing.

      • #2288995 Reply
        bsfinkel
        AskWoody Lounger

        Here is an update.  Last night (08/15) I looked at the Defender Event Log, and the last full scan was 07/12.  So I decided to start a full scan.  In doing research on how to run a full scan manually, I saw that in Windows Security –> Virus and Threat Protection, the setting for “periodic scans” was set to No.  I set it to Yes.  I have no idea how that setting got changed ; I had set it on 07/11 at 22:38.  Maybe the change was made when my machine was auto-updated to 2004; I do not know.  When I made the change, there was a gray “window” that appeared from the right side that I was not expecting.  I was unable to read the contents before that “window” vanished back into the right margin.

        I then decided to start a full scan manually at 23:14.  When I did, I looked at the Task Manager, and I saw that a scan was running.  Then I went to bed.  I checked this morning, and the full scan was no longer running.  The Defender Event Log hourly summary says that the last full scan was  on 07/12.  There was no Log entry about a scan started and abnormally terminating.

         

        I had noticed that my Defender patterns had not been updating; the last update was 08/04 at 06:54 (pattern 557).  The Event Log this morning shows that pattern 1508 was installed at 23:19 AND at 23:30 last night.  Was Defender not being updated because I had the “periodic updates” setting to NO?  It seems to me that if I have Defender installed, then I would want the patterns to be updated automatically.  I never had this problem with Windows 7.

        In Windows 7 Defender (MSE)  was a “stand-alone” product.  I could see from the icon in the System Tray what the MSE status was.  And everything I needed to do with MSE (pattern update, schedule a scan, run a scan) was done through that application.   Now, in Windows 19, I schedule a scan via the Task Scheduler, and run a scan from another application.  If I schedule a full Defender scan via the Task Scheduler, I would hope that the Task Scheduler would alert me if a Defender setting does not match, and a scan will not be run.

        In summary, I have NO IDEA what is happening with Defender – pattern updates and full scans.  And, after three weeks, I still have NO responses to my Feedback.

      • #2289000 Reply
        Microfix
        AskWoody MVP

        Bit of a shot in the dark, as I don’t use W10..
        Have you made any modifications to your host file?
        or made any exclusions within defender itself pointing to the edited host file if edited?
        reason I ask is this post by @Speccy #2288749

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
      • #2289013 Reply
        bsfinkel
        AskWoody Lounger

        That post does not apply.  It talks about excluding \etc\hosts from a scan, which is a bad thing to do.  I have not manually edited that file.  I have multiple disks in my machine, and I have told Defender to omit scans on disks that I do not modify and rarely access.

      • #2289020 Reply
        Microfix
        AskWoody MVP

        I have multiple disks in my machine, and I have told Defender to omit scans on disks that I do not modify and rarely access.

        I would not class this as a ‘full system scan’ then if you are excluding drives, that’s probably where the issue arises from.
        You only referred to Win7 and MSE having multiple drives, nowhere else in your posts was this mentioned until now. Disclosed information is only as good as the help provided 🙂

        Win8.1 Pro x64 + Linux Hybrids x86/x64 + Win7 Pro x86/64 O/L
        • #2289042 Reply
          bsfinkel
          AskWoody Lounger

          I want Defender to scan everything on my C-drive and my smaller FAT32 D-drive, where I have mostly data and scripts that I have written.  I see no need for Defender to scan the other disk, as for many years I had MSE on Windows 7 scan those disk every week.  My Windows 7 MSE scans were starting at 7 PM Friday and sometimes did not complete until Monday morning.  That is why I eventually told MSE to omit those disks during its Win 7 scans.  And I told Defender in Win 10 to do the same.

          I cannot believe that putting anything in an exclusion list would tell Defender that this is no longer a “full” scan, so my scheduling of a weekly full scan should be bypassed.  That does not seem logical to me, but some of the things that MS does in Windows also do not seem logical to me.  If that were the case, then what is the purpose of the exclusion list?  I have no idea what is scanned during a quick scan; that does not run long enough to warrant an exclusion list.  So, the exclusion list must pertain to a full scan.

           

      • #2289022 Reply
        RetiredGeek
        AskWoody MVP

        Here’s a little PowerShell script to retrieve Today’s log entries for Defender.

        2289023: Get-WindowsDefender-EventLog
        .zip MD5 Hash: 0CE2B69C27D1888BBB1DB29022BE0FFC
        .ps1 MD5 Hash: FB1D4BFB2F299BA9A6A08EE2B1DFBB55

        I’ll probably work on this some more to interpret the ID codes using the information in the link in the script.

        You can get more information on Defender using the Get-MpPreference & Get-MpComputerStatus PS commands.

        HTH 😎

         

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        Attachments:
      • #2289081 Reply
        bsfinkel
        AskWoody Lounger

        Thanks for the Power Shell code.  I am new to Power Shell, so I do not know where to store the file to make it accessible to Power Shell.

        • #2289125 Reply
          Paul T
          AskWoody MVP

          Put the script (ps1 file) anywhere that suits.
          Right click on the file, select Properties, Unblock, OK.
          Open PowerShell.
          Change to the directory you used above.
          Type: .\Get-WindowsDefender-EventLog.ps1

          You can also drag n drop the PS1 file to the PowerShell window.

          You probably need to allow scripting first. (Set-ExecutionPolicy RemoteSigned)

          cheers, Paul

          • This reply was modified 1 month ago by Paul T.
      • #2289388 Reply
        bsfinkel
        AskWoody Lounger

        I manually ran a full scan.  It took about 4 hours to complete.  I wanted to see how many files/objects had been scanned, but I was not at the computer when the scan ended, and the scan window vanished.  The EventLog did show the scan’s completion.  I did see a gray window from the right margin that said something about items being skipped, but that informational window disappeared before I could read or capture its content.  If there is information that MS deems important to tell me, then that informational window should remain on the screen until I have read the contents and closed the window.  I was dismayed that during the scan, the increasing count of objects/files scanned was displayed, but the names of the files being scanned was missing.  I would have liked to have seen what was being scanned as the scan was progressing.

      • #2289465 Reply
        geekdom
        AskWoody Plus

        Microsoft Security Essentials was a stand-alone program that operated under a Windows 7 operating environment. Windows Defender is integrated into the Windows 10 operating system. Although both programs use the same virus definitions, they operate differently.

        Windows 10 Windows Defender does not show the list of files as they are scanned.

        The two operating systems are different; the two anti-virus packages have different user interfaces.

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #2290842 Reply
        bsfinkel
        AskWoody Lounger

        I checked the Defender EventLog yesterday (Sunday), and my Friday evening full Defender scan did NOT run.  There was  nothing in the EventLog that had any information about the scan starting or not running.

      • #2292182 Reply
        bsfinkel
        AskWoody Lounger

        I just checked the EventLog, and my last Defender pattern update was 1.321.1718.0 installed 08/18/2020 at 23:37.  When I was running Windows 7 I got a pattern update auto-installed about once or twice a day.  I would hope that my pausing Windows 10 updates until the end of August did not stop Defender pattern updates from being installed.

         

        In the hidden icons, I see “Windows Security – Actions  recommended.”  But when I click on that icon, I see nothing abnormal (per the screenshot attached).

        Attachments:
      • #2292201 Reply
        geekdom
        AskWoody Plus

        Information on my machine:

        Antimalware Client Version: 4.18.2007.8
        Engine Version: 1.1.17400.5
        Antivirus Version: 1.323.46.0
        Antispyware Version: 1.323.46.0

        Try manually updating your virus definition.

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #2292331 Reply
        Alex5723
        AskWoody Plus

        Just install a normal good A/V like Kaspersky, BitDefender… and dump that Defender.
        You won’t have any problems with deferred blocked updates, scanning….

        • #2292335 Reply
          Paul T
          AskWoody MVP

          Not all of us have spare cash – which of those products is free?

          cheers, Paul

      • #2292336 Reply
        geekdom
        AskWoody Plus

        Windows Defender is a competent anti-virus mechanism with a small footprint and it is baked into the Windows 10 operating system

        G{ot backup} TestBeta
        offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
        online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
        TargetReleaseVersion=1909
        WUMgr
      • #2292387 Reply
        Alex5723
        AskWoody Plus

        Not all of us have spare cash – which of those products is free?

        cheers, Paul

        That like saying “I bought a new car but don’t have the cash for petrol”.
        I you want or need to guard your investment in your pc (software and data) you need the best A/V software can buy and not a mediocre at best, Defender (good enough isn’t enough).
        Kaspersky, BitDefender,, are at the top of bests A/Vs for years.
        Both have free versions which have naturally less features then the paid versions.

      • #2292455 Reply
        bsfinkel
        AskWoody Lounger

        I looked closely at the Defender EventLog, and I saw some EventID 5007 entries.  One told me that Defender had been disabled; the reason is not given in that EventLog entry.  And when I went to check on my scheduled Defender scan, it was not there, and there was no option to enable one.  I re-enabled periodic scanning.  I had to exit the Task Scheduler and re-enter it to see the scan option.  I set a full scan for Sundays at 00:01, and I will check in the morning if it ran.  I did notice that when I re-enabled Defender, it automatically updated the pattern definition.  And I will monit0r the Defender EventLog daily for further 5007 entries.

      • #2292832 Reply
        bsfinkel
        AskWoody Lounger

        Mu full scan did not run Sunday morning, so I changed it to Monday morning.  Steill no full scan.  I just checked, and “Periodic scans” is still set to “On”.

        • #2292878 Reply
          geekdom
          AskWoody Plus

          Are you able to run a manual full scan?

          From your reply above, I see you have run a manual full scan.

          G{ot backup} TestBeta
          offline▸ Win10Pro 1909.18363.959 x64 i3-3220 RAM8GB HDD Firefox79.0 WindowsDefender
          online▸ Win10Pro 1909.18363.1082 x64 i5-9400 RAM16GB HDD Firefox81.0 WindowsDefender
          TargetReleaseVersion=1909
          WUMgr
          • This reply was modified 2 weeks, 4 days ago by geekdom.
      • #2292934 Reply
        anonymous
        Guest

        Periodic scanning is only an available option if Microsoft Defender has automatically disabled all other functions because a third-party antivirus program is installed as the primary defense:

        If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself. The Windows Security app will change the Virus & threat protection section to show status about the AV product, and provide a link to the product’s configuration options.

        Underneath any third party AV products, a new link will appear as Microsoft Defender Antivirus options. Clicking this link will expand to show the toggle that enables limited periodic scanning. Note that the limited periodic option is a toggle to enable or disable periodic scanning.

        Sliding the switch to On will show the standard Microsoft Defender AV options underneath the third party AV product. The limited periodic scanning option will appear at the bottom of the page.

        Use limited periodic scanning in Microsoft Defender Antivirus

        When Microsoft Defender Antivirus is automatic disabled, it can automatically re-enable if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats. This is to ensure antivirus protection is maintained on the endpoint. It also allows you to enable limited periodic scanning, which uses the Microsoft Defender Antivirus engine to periodically check for threats in addition to your main antivirus app.

        Microsoft Defender Antivirus compatibility

        If you want to rely on Microsoft Defender for real-time protection and all types of scan (which I strongly recommend), then I think you may have something else which needs to be uninstalled.

      • #2293390 Reply
        bsfinkel
        AskWoody Lounger

        I ran a manual scan yesterday, and after around 3 hours there were two gray windows that appeared from the right side of the screen.  The windows vanished before I had a chance to read them (what is the purpose of that – a windows I am not expecting that I cannot read quickly).  Then I looked at the Defender EventLog, and EventID 1002 said that the scan had “been stopped before completion”.  I did not stop the scan., and I have no idea what cancelled the scan.  I tried another scan this afternoon, and my machine hung; all processes were “not responding” (whatever that term means).  I had to hit the “reset” button to reboot.

        Per the posting above – if Defender will not honor a scheduled periodic full scan because I have another program that “MAY” compete, then I would expect Defender to tell me that my scheduled scan will not run.  Maybe MS never thought of this “user-friendly” warning, or maybe the Task Scheduler is a completely separate application that has no idea that the task it is scheduling will not run.

        • #2293434 Reply
          anonymous
          Guest

          I ran a manual scan yesterday, and after around 3 hours there were two gray windows that appeared from the right side of the screen. The windows vanished before I had a chance to read them (what is the purpose of that – a windows I am not expecting that I cannot read quickly).

          Those sound like standard notifications which you should be able to review in the Action Center.
          (Win+A if you’ve hidden the icon to the right of the date/time.) Or you can get them to linger longer at Start, Settings, Ease of Access, Simplify and personalize Windows, Show notifications for 5/7/15/30 seconds or 1/5 minute(s).

          Per the posting above – if Defender will not honor a scheduled periodic full scan because I have another program that “MAY” compete, then I would expect Defender to tell me that my scheduled scan will not run. Maybe MS never thought of this “user-friendly” warning, or maybe the Task Scheduler is a completely separate application that has no idea that the task it is scheduling will not run.

          Do you have another antivirus program installed? You shouldn’t see Periodic Scans otherwise.

          But I don’t think Microsoft expects you to be scheduling specific Defender scans in that case.

      • #2293399 Reply
        PFC
        AskWoody Plus

        If another antivirus product is installed and working correctly, Microsoft Defender Antivirus will disable itself

        Does this include stopping updates?

        and

        If I have periodic scan ON should it be smart enough to allow updates? (it doesn’t).

        We have more questions than answers, but we all have different stuff ON or OFF

      • #2293480 Reply
        Alex5723
        AskWoody Plus

        Does this include stopping updates?

        With Defender disabled there are no updates.

      • #2293529 Reply
        bsfinkel
        AskWoody Lounger

        I ran a full scan last night, and it took about three hours.  There were no problems.  I have reported the executable that was using 81% CPU during my afternoon scan to the vendor or that executable.  Thanks for the WIN+A help.  I will be monitoring my machine to see if Defender updates stop again.

      • #2296268 Reply
        bsfinkel
        AskWoody Lounger

        I noticed last Thursday that Defender was not being updated; I checked and found that periodic updates had been turned off.  I have no idea who did this and why.  Maybe the Defender EventLog will have information as to when, but it probably will not tell me who or why.  I re-enabled periodic scans.  Last night at 20:37.  It terminated at  21:00 – abnormally.  There was no information as to why.  At 21:02 I started another full scan, and it ran to completion, finishing at 00:22.  Even though I have two other products (WRSA and Spybot Search-and-Destroy), both of which have told me that they can co-exist with Defender, this behavior of Defender, which is supposed to be monitoring my machine, is not very useful.

    Viewing 30 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows Defender Scans

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.