Scheduled Scan

[Guest]

I have set up Defender to scan my computer on Sunday mornings at 10:30 am.
Last Sunday evening I noticed my CPU was churning away and my computer was
slow. I found that Defender had started a full system scan at 8 pm. I
re-checked my scheduled scans, and it was definitely set for 10:30 am, and it
said it had run at that time. Why did Defender decide to scan my computer at
an arbitrary time of its own? Is this a glitch?

 

[Bill Sanderson MVP]

The scans should be recorded in the system event log. The most recent scan
time should also show in the program UI on the home page. Is the
information there correct? i.e. does the UI there show the most recent
scan? Some users have reported that this information isn't being recorded
correctly. I'm not sure whether this is a flawed install (repair install
recommended--but since Defender is now released--download the final code and
upgrade.)--or whether this might be an interaction with some other
product--registry cleaner, for example..

 

[Guest]

I'm assuming by "UI" you mean where it says "Last scan." When it was doing
the surprise scan I looked at that and it said the last scan was at 10 am
that day - that was correct. Right now it says the last scan was at 6:12 pm
on Oct 22, and that's correct though I didn't let it complete (that's the one
I said ran at 8 pm, but I was out by a couple of hours). It is misleading,
though, because it says "(full system scan)" next to 6:12 pm when in fact the
scan was aborted by me.

Where is the "system event log?" I can't find anything called that in
Windows Defender.

 

[Guest]

Hello Benzmum,

Where is the "system event log?" I can't find anything called that in
Windows Defender.

Windows Defender records, in the System event log, at the time of the scan,
the precise path and filename of each detectiºn.

So--right click My Computer, choose Manage.
Click on the plus sign in front of Event Viewer.
Click on the System events log, in the left column.
Click on View (top menu), filter.
Click the down-arrow at the right of Event Source, and choose "WinDefend."
Click apply, click OK.

Now--in the right window, scroll back to the time of the original detection,
and look for yellow-triangle marked records for those original detectiºns.
Double-click a record in the right window to open it and see the full
detail. You can cut and paste, via a button--back to this threªd.

For the benefit of the community reading this post, please rate the pºst.

I hope this post is helpful.

Let us know how it works ºut.

Еиçеl
--

 

[Bill Sanderson MVP]

I'm not clear what is happening-one possibility was that Defender is not
seeing the scheduled scan as having occurred, and is triggering one after
user login to make up for it. However, if you are seeing the scan times
properly recorded on the home page, that would seem to argue against that
scenario.

Is it clear that what was happening was a scan, and not, perhaps--a
definition update?

--

 

[robin]

see? normal user has no idea where event log is
that is why there should be an additional feature in WD that shows what
exactly it is doing- not just in its History tab.
robin

 

[Guest]

Got it, Engel! Thanks for that detailed explanation. Here are the results:

"Windows Defender scan has been stopped before completion.
Scan ID: {FED92FB9-8501-4140-83DE-F39A67379E69}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: NT AUTHORITY\NETWORK SERVICE"
Date was Oct 22, time: 8:16; Type: Warning; Event ID: 1002

(so I was right in the first place; it did occur at 8 pm - and it was
definitely a scan, Bill. )

Thank you, Robin, for considering me to be "normal!"