![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hello, this is Emily.
This behavior is actually completely normal as long a internet remained connected the whole time.
All of the findings during the scan are potential/suspicious ones. Think of it as the scanner are marking those so that at the final phase (which requires internet), it can check them against virus definition. This is where the scanner will perform a MAPS (Microsoft Active Protection Service" request to connect to the cloud server, and to upload these initial findings for confirmation. This is why you received a different total number at the end. If it came back with nothing, it means the scan went through finding no threats.