Does a windows defender message 1118 imply the end of the scan?

In our software, we listen to windows defender events and shoot off software specific alerts based on them.
We expected to always see 1000-1001 pairings 1000: scan started 1001: scan completed
What they've done for one test is they have a virus on a cd to trigger the scan to see if we get the detected alert. That all works, but instead of seeing the expected 1000 then 1001, we see 1000 then eventually a 1118, which we know means MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
the error code for the 1118 was
<Data Name="Error Code">0x80070005</Data>
https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-error-code-0x80070005/dded975a-4903-43ff-a426-2e8991abd71e https://social.technet.microsoft.com/Forums/en-US/ef3b11f2-6f6c-4903-8986-4f3688c8d32d/windows-update-and-windows-defender-error-0x80070005?forum=smallbusinessserver
basically "access denied". Makes sense to me being a virus on a CD.
My question is, should we still get the 1001 in this case or is the 1118 event an alternative "I'm done" and we should not expect the 1001 at this point?
Have not found any documentation on this.
Also, if not just 1001 and 1118 what other Window Defender codes mean the scan has finished?