Large numbers of scheduled full scans being cancelled - what's the cause?

Question

I am reviewing scan related Adv Hunting data for one of my clients and can see large numbers of events with an ActionType of "AntivirusScanCancelled" in the DeviceEvents table.

These events coincide with their weekly scheduled full scan (Tuesdays at 1pm, and yes they are aware quick scans are recommended over fulls but they insisted on running weekly fulls).

The operational event log for Windows Defender gives no info other than Event ID 1002 - An antimalware scan was stopped before it finished.

I am keen to understand why and how the scans are being cancelled?

Users are not admins on their devices and we have confirmed the scan cancellations are not being caused by users rebooting either.

Anyone else experienced anything similar or had to ascertain reasons/causes for cancelled scans?

rahul_it · Answer

PJR_CDF&nbsp;I am also facing same issue with Defender full scan. I have it scheduled to run once per week. And scheduled task is failing with status 0x1 and Warning message on Event Viewer has the same message -&nbsp;Microsoft Defender antivirus has been stopped before completion.

pjr_cdf · Answer

Rahul_IT&nbsp;&nbsp;We found our issue was mainly caused by the behaviour outlined here:&nbsp;https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?view=o365-worldwide#important-points-to-keep-in-mind&nbsp;If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.

rahul_it · Answer

PJR_CDF&nbsp;That's not the case in my scenario. I am talking about servers, i have checked1. no user intervention2. no reboots3. no battery un-plug case&nbsp;

pjr_cdf · Answer

How long are the scans running for before they get cancelled?Are they full scans or quick scans?Do you have both quick and full scans configured?

rahul_it · Answer

How long are the scans running for before they get cancelled? - depends on the server.. but as per previous successfull completion.. it is finishing just minute before it's normal completion time..Are they full scans or quick scans? - Full scan only.. quick scans are successfullyDo you have both quick and full scans configured? - YesWell, i found one solution to this. If i am running scheduled task with mpcmdrun.exe -Scan -Scantype2 commandlet then full scan finishes successfully. But , if i use powershell commands "Start-mpscan -scantype Fullscan" then i get this error on scheduled task "0x1"..

Forum Discussion

Large numbers of scheduled full scans being cancelled - what's the cause?

6 Replies

Resources