Windows Defender scheduled scan

[v_v]

Panos,

I am going to throw a wild guess out there about the "1549950 files scanned!" and the long time that it took to do those scans and why "after 3 hours the computer was working so hard" that you ended up turning the computer off.

I noticed that in the graphic that you posted on "July 10, 2021, 11:24:52 AM", the date in that graphic said "30/11/1999" for the "Last Run Time".  I thought that it looked weird at that time but since nobody else said anything about it I thought that it may not be relevant.  But now after all of the subsequent events it seems that it probably was really relevant.

Because neither Windows Defender nor Windows 10 were in existence in 1999 I am guessing that that date caused Windows Defender to do some sort of extraordinary scanning that it would not have otherwise done.  By that I mean that it probably searched every little item in the computer (or perhaps everything dated since 30/11/1999!).  That is probably how it came up with that huge number of "1549950 files scanned" in your post of "July 10, 2021, 12:33:46 PM".

Once Windows Defender had done this major scan my guess is that it did not need to scan every little thing anymore because it brought itself up to date so to speak.  Now, as your last post indicated, it can do the normal usual scan that all of us have usually experienced --- as your post said, "14670 files scanned" taking only "1 minute 58 seconds".  Based on most of the feedback in this thread this number of files and the time it took seem far more normal, and hopefully it will turn out to be that way for you going forward.

As to how that "Last Run Time" got to be "30/11/1999" I have no idea, although it might have had something to do with you deleting your previously scheduled scan.  Possibly the deletion did some sort of date re-setting back to that old date.  (Maybe some of the data in your Task Scheduler "History" tab might offer a clue.)

At any rate my conclusion is that Windows Defender should work much more normally for you now and everything should happen relatively automatically without your intervention, just like it does for the rest of us.

v_v

[DR M]

It is important to remember that these scan really are not necessary, except for peace of mind. This because Defender is constantly monitoring our systems 24/7/365, not just looking for malicious code being saved on our drives, but everything coming in and going out of our systems (emails, webpages, etc., and malicious behavior that might be going on in the computer's memory.

I really hope this is true. It is what we know, what we say, what we believe.

My Task Scheduler today is different. It shows the code 0x2, meaning that the scan log is not found. Although in the History below there is an indication that the task was completed, the Virus & Threat Protection board shows as last scan the one completed yesterday (https://www.landzdown.com/anti-spyware-software/windows-defender-scheduled-scan/msg204653/#msg204653).

Those screenshots in the link above are the ideal ones. They show that the scan is done/completed indeed. The point is that we don't get them, or at least we don't know when they appear. There are many people in the web asking about that 0x2 and it seems there is no clear answer on that.

I notice that v_v's screenshot has also the 0x2 code, so there is also a problem, in my opinion.

I am still watching the task. At least, it would be good to learn something more about it.

[Digerati]

I am guessing that that date caused Windows Defender to do some sort of extraordinary scanning that it would not have otherwise done.  By that I mean that it probably searched every little item in the computer

I think that is a decent guess, but I don't think that is it - but admittedly, I am working on a couple "guesses" too. I note 1999 is commonly used by BIOS makers as the default date (until the correct date and time is set in the BIOS Setup Menu). Note a totally inaccurate date and time is a common symptom of a weak/failing CMOS battery. The two primary functions of the CMOS battery is to (1) keep the "user changes" to the BIOS firmware default settings "alive" in the CMOS memory and (2) keep the motherboard's RTC (real time clock) "ticking" ("counting" to be more accurate) when the computer is turned off.

If the motherboard's CMOS battery has never been replaced on this older system, I would probably replace it. Typically they are CR2032 wafer or "coin" batteries, found at nearly every battery counter.

While I agree it "appears" Microsoft Defender (Windows Defender is its old name) did a deep scan, the screen shot says "Quick".

Also I just counted every file on my computer by opening an elevated cmd prompt, moving back to the root on the disk (cd .. until I got C:\> on the command line) on this system, and entering dir *.* /s. That lists every file and folder in that root directory and then the /s forces it to list every file in every subfolder on that drive too. In other words, every file on the disk. Even with a fast SSD, it took several minutes to list all the files on my boot drive.

And still I only(?) had 589,368 files on C drive. I did the same on my secondary drive and it only showed 13,485 files. That's 1/3 of the 1.5 million files you first displayed. Checking the other computers here, and all had fewer files than this, my primary computer.

Now why do I show ~600,000 on the disks but Defender only scanned 46,000? That's easy. Security programs, including Microsoft Defender know that only certain type of files are used by the bad guys. These typically are files that can be "run", otherwise known as "executables". This list is not all inclusive but gives you a pretty good idea of the most common file types used by bad guys to insert their malicious code.

By not scanning every single file on your disk, scans not only take up much less time, they also bog down our systems much less, and (especially for mechanical drives) result in much less wear and tear on the drives. Note since scans are "read" actions (not "write") the wear on SSDs is negligible.

I really hope this is true.

It is. EACH and EVERY file downloaded and saved on our systems ARE scanned on the way in by the real-time scanner. Every time a file is modified and saved to disk, it is scanned. Plus, when you call up any file, including one of those obscure file types, the real-time scanner looks for "suspicious" activity and will halt that activity if something fishy is detected.

Last but not least, regardless your primary scanner of choice, everyone should have a secondary scanner on hand for "on-demand" or supplemental scanning just to make sure we (users and ALWAYS weakest link in security) or our primary scanner didn't let something slip by. In other words, "for peace of mind" and I use and recommend Malwarebytes for that.

FTR, Malwarebytes has never, not once found anything malicious on any of my systems here going back to Windows 7 in 2009 with Microsoft Security Essentials (the W7 version of Windows Defender), through W8 and now with W10 and Microsoft Defender. That's a pretty good track record, if you ask me considering 2 of my computers are regularly used by guests, including several ("it can never happen to me") teenaged grandkids.

The only thing Malwarebytes has ever found on any of my systems are a couple "wanted" PUPs (potentially unwanted programs).

So keep your OS and your security programs current and don't be "click-happy" on unsolicited links, then chill. Odds of getting infected are very very slim.

Is it possible you can still be infected? Of course! It is possible Fort Knox might be robbed too. How? One of the guards opens the front door and invites the bad guys in. Or, a super-duper professional targets it specifically and manages to exploit some "unknown to everyone else" vulnerability.

The difference here is Fort Knox doesn't have backup copies of all the gold. But you, of course, have multiple current backup copies of all your data, including at least one copy maintained "off-site"! Right?

[v_v]

Panos,

Here is another wild guess:  personally I would not get too concerned about a momentary instance of finding a "code 0x2" error in the task scheduler.  When I say momentary I mean that I can imagine that you might find a different value there at different times of the day.  When I saw that error in my own image that I posted previously I tried to do some research on it and found confusing and unclear results just like you did.  However my overall view and conclusion on the situation was simply that Windows Defender is doing its job, I occasionally get notifications from Windows Defender indicating that 'the scan were completed successfully and no problems were found', and thus I had nothing to be concerned about regardless of the "code 0x2" error.  To me it just seems to be one of the ways that Windows Defender goes about doing its tasks and recording the results, especially since it is constantly doing these tasks in the background.  Because Windows Defender will delay or postpone its tasks due to the lack of resources or intense user activity at any given moment it is possible that it will post such error codes or other messages.  Yet I do not think that these are indicative of problems.  They just seem to be indicative of temporary situations that occurred due to complications at that particular moment.

For example my task scheduler screen right this moment has the messages "The process terminated unexpectedly. (0x8007042B)" and also the code "(0x2)" error.  I will attribute these to the fact that I started using the computer in an intensive fashion around about that time and therefore interfered with Windows Defender's background operation.  To me this does not mean that there is a problem; it simply means that the background task is being delayed or postponed and that Windows Defender will come back to it later, when resources are available.

I am not a programmer and do not know how Windows Defender is designed to work in every instance, but in these cases I am willing to just "let go" and allow Windows Defender to do its work.  I guess as long as I see the "Status" as "Ready" and as long as I occasionally get the task completed successfully notifications with no problems found, then for me all is well.


[I just noted that Digerati/Bill posted an extensive comment while I was preparing mine.  What I have written above he reduced down to two words and a short sentence:  ". . . then chill. Odds of getting infected are very very slim."  Essentially that is the point of my post!]


v_v

[DR M]

Let me add my thoughts on the above.

1. The Virus & Threat Protection board shows two things:

• When the last WD scan took place.
• When the last WD updates took place

2. From what I saw until now, the updates are daily, but the scan is probably set by default once a week.

3. The Task Scheduler may show the mentioned errors every day. When those errors are present in the Task Scheduler, there is no change in the Virus & Threat Protection board for the latest WD scan. So the errors regarding the scan are real errors.

4. When a week passes from the last WD update, it's time for the new scan to take place. So, no errors in the Task Scheduler anymore and the latest scan in the Virus & Protection board changes and gets updated.

I will watch WD's behaviour for a week more to see if the above apply to it. I don't doubt that everything is OK, but I want to know how my antivirus behaves. Not just say that it works. How it works? When the scan is taking place? Why those errors are present and when?

That's all for now.  :)

[Digerati]

From what I saw until now, the updates are daily, but the scan is probably set by default once a week.

The default scan is weekly but updates will occur at just about any time. I have seen multiple in a single day, and I have seen where nothing comes in a day. It just depends on what is happening out there in the wild. If a new vulnerability or exploit is discovered, MS will push out the update as soon as it is ready, even if another update came out just hours earlier. This is all good, IMO.

[DR M]

It seems that the default scan is not weekly!

This is my today's screenshots where everything continues to be fine:

[Digerati]

There are other things that can trigger a scan (line some Defender engine updates) that may reset the schedule. In any case, I still would not worry about it - especially when no threats are found.

[v_v]

Panos,

In my last post I wrote

However my overall view and conclusion on the situation was simply that Windows Defender is doing its job, I occasionally get notifications from Windows Defender indicating that 'the scan were completed successfully and no problems were found', and thus I had nothing to be concerned about regardless of the "code 0x2" error.  To me it just seems to be one of the ways that Windows Defender goes about doing its tasks and recording the results, especially since it is constantly doing these tasks in the background.

If as you wrote,

I don't doubt that everything is OK, but I want to know how my antivirus behaves. Not just say that it works. How it works? When the scan is taking place? Why those errors are present and when?

perhaps you might want to write to Microsoft for more details!  (Smile)

Digerati/Bill indicated that "The default scan is weekly" and despite what you experienced that may still be the case.  My understanding is that Windows Defender (WD) is constantly 'watching' things but 'watching' is not the same thing as 'scanning'.  It is quite possible that any behavior or experience that any of us may have could trigger off a 'scan' because WD was watching and decided that the circumstances presented a situation where a scan would be advisable.  There are probably a bunch of rules that would say something like "if this, then do that."  So again the best source for that would be the Microsoft programmers---and good luck with that!


[I see that Digerati/Bill has beat me to the punch again.  So I will repeat the two words and short sentence from his earlier post:  ". . . then chill. Odds of getting infected are very very slim."  To repeat from his most recent post this time, "In any case, I still would not worry about it - especially when no threats are found."]

So to me the point would be that the pursuit of knowledge about how WD works is laudable, but perhaps it is not worth the effort because only the programmers at Microsoft will know all the rules that they have set up.  Such a pursuit would then be more of a distraction from other more significant matters in life!

v_v

[DR M]

The next successful scan was done yesterday, 18th July, 4 days after the previous one.

So it seems that everything is fine now, after a long time.

Regular scans, no yellow triangles/warnings, less files to scan, scan duration less than a minute up to 3 minutes.

So, no worries.  :)