SCAN starting not on settings?

Question

SCAN starting not on settings?

Duchemin, Dominique 2,011

Hello, I have the following settings given by the policy:

2023-04-05_15-18-12 ISS - Servers - SCEP - Parata.png

but why does the scan starts at 11:54:09 AM in the middle of the day!!! Log Name: Microsoft-Windows-Windows Defender/Operational Source: Microsoft-Windows-Windows Defender Date: 4/5/2023 11:54:09 AM Event ID: 1000 Task Category: None Level: Information Keywords: User: SYSTEM Computer: VIPPARATA1.ad Description: Microsoft Defender Antivirus scan has started. Scan ID: {CDB87FA3-D296-4EB8-8F6F-8BBE363463F9} Scan Type: Antimalware Scan Parameters: Full Scan Scan Resources: User: NT AUTHORITY\SYSTEM I noticed this is happening time to time... not sure why?

VIPPARA1 Event Logc.png Thanks, Dom

Duchemin, Dominique 2,011

Hello, I found another machine Windows Server where the SCAN started at 4::05:12 AM with the same settings: What is starting this??? Thanks, Dom

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          4/1/2023 4:05:12 AM
Event ID:      1000
Task Category: None
Level:         Information
Keywords:      
User:          SYSTEM
Computer:      czohvctsiwsp01.ad
Description:
Microsoft Defender Antivirus scan has started.
 	Scan ID: {6798A114-BFD4-47E1-B219-CA07FDA4E2A9}
 	Scan Type: Antimalware
 	Scan Parameters: Full Scan
 	Scan Resources: 
 	User: NT AUTHORITY\SYSTEM

2 answers

Your answer

Duchemin, Dominique 2,011 Reputation points

2023-04-06T15:23:59.0566667+00:00

Hello, I found another machine Windows Server where the SCAN started at 4::05:12 AM with the same settings: What is starting this??? Thanks, Dom

Log Name: Microsoft-Windows-Windows Defender/Operational Source: Microsoft-Windows-Windows Defender Date: 4/1/2023 4:05:12 AM Event ID: 1000 Task Category: None Level: Information Keywords: User: SYSTEM Computer: czohvctsiwsp01.ad Description: Microsoft Defender Antivirus scan has started. Scan ID: {6798A114-BFD4-47E1-B219-CA07FDA4E2A9} Scan Type: Antimalware Scan Parameters: Full Scan Scan Resources: User: NT AUTHORITY\SYSTEM

Answer 1

Hi @Duchemin, Dominique, 1, According to the screenshot your provided, the option Start a scheduled scan only when the computer is idle is set to Yes, this will impact the expected scheduled time by requiring the machine to be idle first.

2, Besides, please help check if the policy is set on your client. for example:

Looking forward to your feedback. Best regards Cherry

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Answer 2

Duchemin, Dominique 2,011

Hello,

Point 1: Does this mean that the machine is waiting an idled time ANYTIME after 2:00 AM before running? so it could start anytime without notice!!! this could be the culprit but how to manage the date & time the Full Scan starts? should I change all policies to No for this particular setting?

Point 2: Two different machines with two different settings: 2023-04-07_9-35-28 SCEP Client Policy.png 2023-04-07_9-42-29 SCEP Client Policy.png 2023-04-07_9-49-50 SCEP Client Policy Parata.png 2023-04-07_9-56-56 Client Policy CZOHVCTSIWSP01.png

If I believe the Operational Logs there is never a Full Scan running on most of the machines... no event 1000 & 1001 for a lot of machines Thank you Dom

CherryZhang-MSFT 6,506 Reputation points

2023-04-10T07:13:27.0933333+00:00

Hi @Duchemin, Dominique,

Yes, this will affect our expected scanning time. We may disable it if you wish.

Best regards,
Cherry
Duchemin, Dominique 2,011 Reputation points

2023-04-12T05:09:28.2833333+00:00

Hello @CherryZhang-MSFT I have mutiple cases opened with Microsoft Premier Support I will inform you of what is found as apparently nobody understand our setup ??? Thanks Dom
CherryZhang-MSFT 6,506 Reputation points

2023-04-12T08:53:30.4466667+00:00

Hi,

Thanks for you inform, i will still follow your threader. I will be sharing for you if i have any update. Looking forward to your feedback too.

Thanks for your time and patience.

Best regards,
Cherry
CherryZhang-MSFT 6,506 Reputation points

2023-04-28T04:11:10.46+00:00

Hi,

Hope everything goes well. Do you need any further assistance about this issue? If yes, please feel free to let us know, we will do our best to help you.

If the response is helpful, it's appreciated that you could click "Accept Answer" and upvote it, this will help other users to search for useful information more quickly.

Thanks for your time.

Best regards,
Cherry
Duchemin, Dominique 2,011 Reputation points

2023-04-28T15:27:38.4733333+00:00

Hi @CherryZhang-MSFT

I have a case opened with Microsoft and after already 3 engineers it seems looping between the Support Engineer | Data and Enterprise Cloud | Azure Site Recovery Services & Support Engineer | Microsoft Endpoint Configuration Manager & WSUS as nobody is finding the root cause of the issue !!! Pending a complete meeting with the two groups and myself!!

Sorry for the delay,

Thanks,

Dom

Share via

SCAN starting not on settings?

2 answers

Your answer