Dec 21 2023
I am reviewing scan-related Adv Hunting data for one of my clients and can see large numbers of events with an ActionType of "AntivirusScanCancelled" in the DeviceEvents table.
These events coincide with their weekly scheduled full scan (Tuesdays at 1pm, and yes, they are aware quick scans are recommended over fulls, but they insisted on running weekly fulls).
The operational event log for Windows Defender gives no info other than Event ID 1002 - An antimalware scan was stopped before it finished.
I am keen to understand why and how the scans are being cancelled.
Users are not admins on their devices and we have confirmed the scan cancellations are not being caused by users rebooting either.
Has anyone else experienced anything similar or had to ascertain reasons/causes for cancelled scans?