Dec 21 2023 06:48 AM
I am reviewing scan-related Adv Hunting data for one of my clients and can see large numbers of events with an ActionType of "AntivirusScanCancelled" in the DeviceEvents table.
These events coincide with their weekly scheduled full scan (Tuesdays at 1pm, and yes they are aware quick scans are recommended over fulls but they insisted on running weekly fulls).
The operational event log for Windows Defender gives no info other than Event ID 1002 - An antimalware scan was stopped before it finished.
I am keen to understand why and how the scans are being cancelled.
Users are not admins on their devices and we have confirmed the scan cancellations are not being caused by users rebooting either.
Anyone else experienced anything similar or had to ascertain reasons/causes for cancelled scans?
Mar 04 2024 03:07 AM
@PJR_CDF I am also facing the same issue with Defender full scan. I have it scheduled to run once per week. The scheduled task is failing with status 0x1, and the warning message in Event Viewer has the same message - Microsoft Defender antivirus has been stopped before completion.
Mar 04 2024 04:22 AM
We found our issue was mainly caused by the behaviour outlined here:
If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time.
Mar 04 2024 05:40 AM
@PJR_CDF That's not the case in my scenario. I am talking about servers; I have checked:
1. no user intervention
2. no reboots
3. no battery un-plug case
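
Added example, not written by any poster in this thread: an Advanced Hunting query that counts cancelled and completed scans per device and joins the device type, so cancellations on battery-capable endpoints can be separated from those on servers. The 30-day lookback, the six-hour window length, and treating the Tuesday 1pm schedule as UTC are assumptions to adjust.

```kql
// Added example (not from the thread). Assumptions: 30-day lookback,
// scheduled full scan starts Tuesday 13:00 expressed in UTC, and any
// cancellation within 6 hours of the start belongs to that scan.
let lookback = 30d;
let windowStartHour = 13;
let windowHours = 6;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled", "AntivirusScanFailed")
// dayofweek() returns a timespan counted from Sunday, so Tuesday is 2d
| extend InWindow = dayofweek(Timestamp) == 2d
    and hourofday(Timestamp) between (windowStartHour .. (windowStartHour + windowHours))
| summarize
    Cancelled = countif(ActionType == "AntivirusScanCancelled"),
    CancelledInWindow = countif(ActionType == "AntivirusScanCancelled" and InWindow),
    Completed = countif(ActionType == "AntivirusScanCompleted"),
    LastCancel = maxif(Timestamp, ActionType == "AntivirusScanCancelled")
    by DeviceId, DeviceName
| where Cancelled > 0
// Latest inventory record per device, to tell servers from workstations
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, DeviceType, OSPlatform) by DeviceId
  ) on DeviceId
| project DeviceName, DeviceType, OSPlatform, Cancelled, CancelledInWindow, Completed, LastCancel
| order by Cancelled desc
```

Devices that cancel every week and never complete point to a systematic cause, while cancellations scattered across portable devices fit the on-battery behaviour quoted earlier in the thread.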