This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 11%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHJ%3C/text%3E%3C/svg%3E)
We were running the March 17/21 MSERT 1.333.999.0 on a few servers and could see the detection count climbing and got as high as 25-30 items in some cases. However, when it completed the full scan, the gui and the logs show nothing found. This occurred on all 8 servers at one site we tried it on last night ![80290-2021-03-22-03-10-39.png][1] [1]: /api/attachments/80290-2021-03-22-03-10-39.png?platform=QnA Wondering what cause of this behaviour is. Sentinel One didn't detect anything and we are also running an Acronis CyberProtect on-demand A/V which is so far nothing finding anything either. This is the log from same machine in the photo --------------------------------------------------------------------------------------- Microsoft Safety Scanner v1.333, (build 1.333.999.0) Started On Mon Mar 22 00:56:11 2021 Engine: 1.1.17900.7 Signatures: 1.333.999.0 MpGear: 1.1.16330.1 Run Mode: Interactive Graphical Mode Results Summary: ---------------- No infection found. Successfully Submitted MAPS Report Successfully Submitted Heartbeat Report Microsoft Safety Scanner Finished On Mon Mar 22 07:23:17 2021 Return code: 0 (0x0)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 48%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
This is a very major and very serious problem. MSERT is unreliable. It has false positives and false negatives. Microsoft must fix this. It occurs with a special kind of nasty malware. MSERT deletes system files and they must be restored with sfc/ scannow and DISM and the malware comes back. This means that the entire system must be reset. Microsoft must pay very close attention to this.
Thats actually ok:
To truly answer your question, you need to understand how the Microsoft security apps actually operate, since that's part of why this sort of situation can be confusing to those who don't.
The "Files Infected" count displayed on the Microsoft Safety Scanner, scan in progress screen or any of their other security products for that matter, is actually just a preliminary status indication that there are items which may contain malware. In many cases these specific items have been found in the past to be related to malware, but they are all really just small fragments that have matched signatures, but aren't yet truly confirmed as the specific malware that might include them.
Near the end of the scanning process around 95% complete, the Microsoft scanners all perform a MAPS (Microsoft Active Protection Service) request via internet to the the Microsoft cloud servers in order to upload their initial findings and request confirmation that these findings are either truly malware or instead possible false positive detections or incomplete fragments of inactive malware.
Though the entire process isn't displayed, the clues to this are the following 2 lines in your first log above.
"No infection found.
Successfully Submitted MAPS Report"
So what actually happened is that the scanner found possible malware fragments, communicated with the MAPS servers and confirmed there weren't any active malware that it can identify running and completed its operation by reporting these final results as well as uploading its reporting to MAPS as a record.
This final step is important, since as I stated above "there weren't any active malware that it can identify running" on your device, but that doesn't necessarily mean there might not be something that Microsoft's Security Intelligence has yet to determine is a new form of malware. What this report does is allows Microsoft to collate this information within the automated MAPS cloud system and look for such possible new malware patterns, along with those from the millions of other Windows Defender and other scanners operating in real time on many systems.
So there's nothing truly wrong with what the Safety Scanner found and likely no true malware, since this activity is fairly common, but the operation of all of these Microsoft scanners is really far more complex and deep than most people understand.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 1%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
What if, just wondering, instead of "infected files" you guys change the message to "possible infected files", or maybe "files to be checked with MS servers" ... or maybe an explanation link next to it explaining how the tool works ..
I too got the same confusion
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
yeah a change in language would be best...
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 12%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Is it possible that someone intercepts the communication between the computer and the cloud servers?
Also IOBIT software often seems to be flagged by Defender as infected, why?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 61%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EW%3C/text%3E%3C/svg%3E)
I'm running MSERT offline but have the same behavior. If those 30+ files listed as infected during runtime need to be checked with an internet source, then how can the program declare the computer clean without getting an answer? (I bought a used computer and want to ensure that it is clean before connecting it to my WiFi. I plan to wipe it but it came with Win11 and so I want to test/play with that a little first. So far, Win11 buries my commonly used commands deep in menus. Bring back the ribbon! No more button to toggle the preview pane in explorer. Crazy. )
People have been confused by MSERT's behavior since at least 2014 (there's the same Q on TechNet.) Why maintain and publish a tool if you're not going to make such a simple change to make it understandable?!
As the original questioner did, I ran several other anti-virus and anti-malware programs to try to sort it out.
Instead of "infected items", it should be "Suspicious fragments".
At the end of the scan, it should state that in order to verify those found fragments, the user should connect the machine to the internet to submit the findings and verify whether those files/fragments are malicious and should be removed, or just false positives (ie. nothing to worry about).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 40%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECG%3C/text%3E%3C/svg%3E)
Exactly. Perfect response.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
As Andy says, if nothing reported in %SYSTEMROOT%\debug\msert.log, that means no infections.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 16%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
j'ai 19 fichiers malveillants annoncés lors de l'analyse en cours du disque système C: et aucun dans le log comme vous l'expliquer dans cette page, d'ailleurs merci pour votre explication.
Le problème c'est qu'ils sont sur mon disque système, le C: et que je n'y ai AUCUN programmes, ou code d'exemple malveillants, car tout est sur d'autres disques.
Auriez-vous une explication pour cela ?
Cordialement, Sylvain A
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 28.000000000000004%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Is there a log file somewhere that explains what file fragments or infections were found on the machine such that we can investigate on our own? Honestly, if all this tool represents is a way to let Microsoft map our malware, that's okay but it doesn't do anything on this side. More to the point, what is the file that is marks as "infected"?