
I have not been able to view scan reports after running offline scans since I started actively running them (about 6 months ago). I always assumed no news was good news and left it at that. Today I was interested in seeing the logs and checked Event Viewer. It shows that offline scans are never completed, and routine quick scans are often stopped before completion.

Some routine quick scans are performed by NT AUTHORITY/SYSTEM, and then stopped before completion (Event ID 1002) by NT AUTHORITY/SYSTEM:

    Microsoft Defender Antivirus scan has been stopped before completion.
        Scan ID: {some stuff}
        Scan Type: Antimalware
        Scan Parameters: Quick Scan
        User: NT AUTHORITY\SYSTEM

Other routine quick scans performed by NT AUTHORITY\SYSTEM complete (event ID 1002). They occur successfully about once a week, but are aborted about once a day.

When I run an offline scan, I see only Event 2030, "Microsoft Defender Antivirus downloaded and configured Microsoft Defender Antivirus (offline scan) to run on the next reboot." And then a series of Event IDs 5007 saying a config change has occurred, that as far as I can tell is just Defender keeping track of the restart. One such log is shown.

    Microsoft Defender Antivirus Configuration has changed. If this is an unexpected event you should review the settings as this may be the result of malware.
        Old value: Default\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender
        New value: HKLM\SOFTWARE\Microsoft\Windows Defender\ProductAppDataPath = C:\ProgramData\Microsoft\Windows Defender

The scan itself is never run as far as I can tell.

Questions:

  1. Is this malware and something to be concerned about, or is Defender malfunctioning?
  2. How do I restore normal function?

Thank you for your help.

Peregrino69
user3709

1 Answer

I suggest doing the following:

  • Take backups of all your data, since eradicating a virus can harm Windows

  • Download, install and run Malwarebytes to full-scan the computer. If viruses are found, let it fix them.

  • Test Windows integrity by running the commands:

  • Run the Command Prompt (CMD) as Administrator and enter the following commands to run Defender:

    "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate
    "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
    
  • If the problem is not fixed, do a Repair Install of Windows 10 with an In-place Upgrade

  • If nothing works, format the disk and reinstall Windows and apps and restore your data. In the general case, this is the most recommended action to eradicate bad viruses.

harrymc
  • Thanks! I ran Malwarebytes, DISM, sfc, and ran Defender again. No threats found, no integrity issues found. Issue seemingly not resolved .. until! I found out that Event Viewer cannot show 1000 and 1001 logs for an offline scan, only for scans when the computer is active. Log files for offline scans are found at C:/Windows/Microsoft Antimalware/Support. So it turns out the scans have, I think, been running, and the quirk is indeed in the “last scan performed yesterday” display section of Defender. I am not certain of this yet because of a few quirks in the log files, but will update! – user3709 Mar 30 '23 at 22:03
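
The checks discussed in this thread can be run in one pass from an elevated PowerShell prompt. This is an added example, not part of the original posts: it summarises the Defender event IDs mentioned above, prints the old/new values from each 5007 event, and lists the offline-scan log directory named in the comment. The 30-day window, the channel name `Microsoft-Windows-Windows Defender/Operational`, and the labels for events 1000 and 1001 are assumptions supplied here.

```powershell
# Added example: summarise Defender scan events and locate offline-scan logs.
$logName = 'Microsoft-Windows-Windows Defender/Operational'  # assumed default channel
$days    = 30                                                # assumed look-back window

# Event IDs mentioned on this page (labels for 1000/1001 are supplied here).
$labels = @{
    1000 = 'Scan started'
    1001 = 'Scan finished'
    1002 = 'Scan stopped before completion'
    2030 = 'Offline scan configured for next reboot'
    5007 = 'Configuration changed'
}

$filter = @{
    LogName   = $logName
    Id        = [int[]]@($labels.Keys)
    StartTime = (Get-Date).AddDays(-$days)
}
# Get-WinEvent reports an error when nothing matches; treat that as an empty result.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Count per event ID and show the most recent occurrence of each.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    [pscustomobject]@{
        Id      = [int]$_.Name
        Meaning = $labels[[int]$_.Name]
        Count   = $_.Count
        Latest  = ($_.Group | Sort-Object TimeCreated -Descending |
                   Select-Object -First 1).TimeCreated
    }
} | Format-Table -AutoSize

# 5007 events: print only the Old/New value lines so unexpected changes stand out.
$events | Where-Object Id -eq 5007 | ForEach-Object {
    $vals = ($_.Message -split "`r?`n") -match '^\s*(Old|New) value:'
    '{0:u}  {1}' -f $_.TimeCreated, (($vals | ForEach-Object Trim) -join ' | ')
}

# Scan timestamps as Defender itself records them.
Get-MpComputerStatus |
    Select-Object QuickScanStartTime, QuickScanEndTime, FullScanStartTime, FullScanEndTime

# Offline-scan logs: directory as given in the comment above.
$offlineLogs = Join-Path $env:windir 'Microsoft Antimalware\Support'
if (Test-Path $offlineLogs) {
    Get-ChildItem $offlineLogs -File | Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime
} else {
    "No offline-scan log directory at $offlineLogs"
}
```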