Scan Schedule

[Anwar mAHMOOD]

Hi All,

I have Windows Defender installed on a large fleet of Windows XP SP2 PCs.
Windows Defender is using default settings for scanning, so it is performing
a quick scan at 2:00am every day. These computers are switched off at night,
so the scan actually takes place in the morning when PCs are switched on.

This can make computers appear to be very slow starting up, when in fact all
that's happening is that
- group policy settings are being fetched and applied
- anti virus definition updates are being fetched
- WSUS checks are taking place.
We don't really have a problem with spyware (a heavily locked down
environment). I'd like to reschedule the scan to around 1pm. This will make
it lunchtime, when many users will be away from their desks so it is less
intrusive. It also makes computer startup "faster".

I've had a look, and can't find any registry settings or configuration files
that hold the details of the scan (ie what type of scan, when to perform it,
etc). It would appear that the Windows Defender interface creates a
scheduled task, with the scheduled task actually doing the scan.

I've tried modifying the scheduled task but it seemed to mess up. Also, my
changes WERE NOT reflected in the Windows Defender interface. Hence I'm
guessing that Windows Defender records somewhere when it should do the scan,
then creates a scheduled task to actually run it; merely modifying the
scheduled task itself isn't enough. Looking at the group policy .ADM file
for Windows Defender, there are no settings to configure the scan details
there either - only an enable/disable setting.

Anyone have any ideas how I might reconfigure Window Defender to perform at
quick scan at 1pm? My best approach so far is to
- use group policy to configure Windows Defender to disable the scan
- create my *own* scheduled task to perform the scan.
Clumsy, but it should work.

Anyone have any better approaches?

Thanks in advance.

Kind regards,

Anwar

 

[Tom Emmelot]

Hi Anwar,

It is a hidden task in the Task Scheduler
c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges
Is the command line
So, yes you have to change that in all the Task schedulers.

Regards >*< TOM >*<

Anwar mAHMOOD schreef:

 

[Bill Sanderson]

I had thought that the scan time was in the registry somewhere, encoded.
And that I'd experimented, and that you could change/set the time there, and
it would be reflected in the UI and in subsequently scheduled scan jobs.

However, your approach may be easier, and should work.

If you have machines which are designed to allow for a timed power-up, maybe
just turn them on at 7 AM?

 

[Anwar mAHMOOD]

A further Google search yielded these possible registry settings;

HKLM\vSOFTWARE\Microsoft\Windows Defender\Scan
ScanParameters=Full or quick scan. 2 is Full. Assume 1 is quick [Unverified].
ScheduleDay=what day to run. 5 is Thursday. Monday is 2. Sunday 1.
ScheduleTime=540 (decimal) equals "approx 09.00" hours. 0400hrs equals
decimal setting 240, so my guess is that it's 1 per minute. 0401hrs would be
"241".
AllowNonAdminFunctionality= Allow non-admins to screw around with the
settings. 0 equals don't allow, 1 allow them.

I'll give them a try later. Unfortunately we can't go with your suggestion
of switching them on earlier. Environmental impact is becoming an
increasingly important issue for us :-( Last year I had to implement a
NightWatchMan-type process to switch off idle PCs.

Kind regards,

Anwar

 

[Bill Sanderson]

I'm glad to hear about the power use/environmental impact sensitivity. This
is good news to me--I'm glad to hear about customers moving in that
direction, although my advice may not reflect it! (and it is hard work,
with a collection of older hardware to manage)

Yes - those settings sound familiar--I think you are on the right track.

I wonder whether it would be possible to create a job which runs "on
shutdown" which did a definition update and scan?

This would probably irritate laptop owners no end, however--you'd have to be
careful what set of machines it was applied to.

And, even normal desktop users are probably used to staying around for a
moment or two to see things go black and quiet, and would not easily trust
walking away with things still humming...

A further Google search yielded these possible registry settings;

HKLM\vSOFTWARE\Microsoft\Windows Defender\Scan
ScanParameters=Full or quick scan. 2 is Full. Assume 1 is quick
[Unverified].
ScheduleDay=what day to run. 5 is Thursday. Monday is 2. Sunday 1.
ScheduleTime=540 (decimal) equals "approx 09.00" hours. 0400hrs equals
decimal setting 240, so my guess is that it's 1 per minute. 0401hrs would
be
"241".
AllowNonAdminFunctionality= Allow non-admins to screw around with the
settings. 0 equals don't allow, 1 allow them.

I'll give them a try later. Unfortunately we can't go with your
suggestion
of switching them on earlier. Environmental impact is becoming an
increasingly important issue for us :-( Last year I had to implement a
NightWatchMan-type process to switch off idle PCs.

Kind regards,

Anwar

I had thought that the scan time was in the registry somewhere, encoded.
And that I'd experimented, and that you could change/set the time there,
and
it would be reflected in the UI and in subsequently scheduled scan jobs.

However, your approach may be easier, and should work.

If you have machines which are designed to allow for a timed power-up,
maybe
just turn them on at 7 AM?

 

[mae]

I have mine set for quick scan at around 1400 daily.
If any help, this is what my registry (XPsp2) shows for that:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Scan]
"AutomaticallyCleanAfterScan"=dword:00000001
"CheckForSignaturesBeforeRunningScan"=dword:00000001
"LastScanType"=dword:00000001
"LastScanRun"=hex:3a,e5,bb,e8,e1,a3,c8,01
"ScheduleTime"=dword:00000348

mae

|A further Google search yielded these possible registry settings;
|
| HKLM\vSOFTWARE\Microsoft\Windows Defender\Scan
| ScanParameters=Full or quick scan. 2 is Full. Assume 1 is quick [Unverified].
| ScheduleDay=what day to run. 5 is Thursday. Monday is 2. Sunday 1.
| ScheduleTime=540 (decimal) equals "approx 09.00" hours. 0400hrs equals
| decimal setting 240, so my guess is that it's 1 per minute. 0401hrs would be
| "241".
| AllowNonAdminFunctionality= Allow non-admins to screw around with the
| settings. 0 equals don't allow, 1 allow them.
|
| I'll give them a try later. Unfortunately we can't go with your suggestion
| of switching them on earlier. Environmental impact is becoming an
| increasingly important issue for us :-( Last year I had to implement a
| NightWatchMan-type process to switch off idle PCs.
|
| Kind regards,
|
| Anwar
|
| "Bill Sanderson" wrote:
|
| > I had thought that the scan time was in the registry somewhere, encoded.
| > And that I'd experimented, and that you could change/set the time there, and
| > it would be reflected in the UI and in subsequently scheduled scan jobs.
| >
| > However, your approach may be easier, and should work.
| >
| > If you have machines which are designed to allow for a timed power-up, maybe
| > just turn them on at 7 AM?
| >
| > | > > Hi All,
| > >
| > > I have Windows Defender installed on a large fleet of Windows XP SP2 PCs.
| > > Windows Defender is using default settings for scanning, so it is
| > > performing
| > > a quick scan at 2:00am every day. These computers are switched off at
| > > night,
| > > so the scan actually takes place in the morning when PCs are switched on.
| > >
| > > This can make computers appear to be very slow starting up, when in fact
| > > all
| > > that's happening is that
| > > - group policy settings are being fetched and applied
| > > - anti virus definition updates are being fetched
| > > - WSUS checks are taking place.
| > > We don't really have a problem with spyware (a heavily locked down
| > > environment). I'd like to reschedule the scan to around 1pm. This will
| > > make
| > > it lunchtime, when many users will be away from their desks so it is less
| > > intrusive. It also makes computer startup "faster".
| > >
| > > I've had a look, and can't find any registry settings or configuration
| > > files
| > > that hold the details of the scan (ie what type of scan, when to perform
| > > it,
| > > etc). It would appear that the Windows Defender interface creates a
| > > scheduled task, with the scheduled task actually doing the scan.
| > >
| > > I've tried modifying the scheduled task but it seemed to mess up. Also,
| > > my
| > > changes WERE NOT reflected in the Windows Defender interface. Hence I'm
| > > guessing that Windows Defender records somewhere when it should do the
| > > scan,
| > > then creates a scheduled task to actually run it; merely modifying the
| > > scheduled task itself isn't enough. Looking at the group policy .ADM file
| > > for Windows Defender, there are no settings to configure the scan details
| > > there either - only an enable/disable setting.
| > >
| > > Anyone have any ideas how I might reconfigure Window Defender to perform
| > > at
| > > quick scan at 1pm? My best approach so far is to
| > > - use group policy to configure Windows Defender to disable the scan
| > > - create my *own* scheduled task to perform the scan.
| > > Clumsy, but it should work.
| > >
| > > Anyone have any better approaches?
| > >
| > > Thanks in advance.
| > >
| > > Kind regards,
| > >
| > > Anwar
| >
| >