You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: defender-endpoint/troubleshoot-mdav-scan-issues.md
+10-12Lines changed: 10 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.collection:
13
13
ms.topic: troubleshooting
14
14
ms.subservice: ngp
15
15
search.appverid: met150
16
-
ms.date: 03/06/2025
16
+
ms.date: 03/11/2025
17
17
---
18
18
19
19
# Troubleshoot Microsoft Defender Antivirus scan issues
@@ -55,9 +55,9 @@ The following table summarizes antivirus settings in Microsoft Intune for Window
55
55
| General | Excluded Extensions ||
56
56
| General | Excluded Paths ||
57
57
| General | Excluded Processes ||
58
-
| Scan Schedule | Scan Parameter | This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: <br/>- `1` = Quick Scan (default) <br/>- `2` = Full Scan <br/><br/>If you enable this setting, the scan type is set to the specified value. <br/><br/>If you disable or don't configure this setting, the default scan type is used. |
59
-
| Scan Schedule | Schedule Quick Scan Time | This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (`00:00`). For example, `120 (0x78)` is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. <br/><br/>If you enable this setting, a daily quick scan runs at the time of day specified. <br/><br/>If you disable or don't configure this setting, daily quick scan controlled by this configuration doesn't run. |
60
-
| Scan Schedule | Schedule Scan Day | This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. <br/><br/>This setting can be configured with the following ordinal number values: <br/>- (`0x0`) Every Day <br/>- (`0x1`) Sunday <br/>- (`0x2`) Monday <br/>- (`0x3`) Tuesday <br/>- (`0x4`) Wednesday <br/>- (`0x5`) Thursday <br/>- (`0x6`) Friday <br/>- (`0x7`) Saturday <br/>- (`0x8`) <br/>- Never (*default*) <br/><br/>If you enable this setting, a scheduled scan runs at the frequency specified. <br/><br/>If you disable or don't configure this setting, a scheduled scan runs at a default frequency. |
58
+
| Scan Schedule | Scan Parameter | This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: <br/>- 1 = Quick Scan (default) <br/>- 2 = Full Scan <br/><br/>If you enable this setting, the scan type is set to the specified value. <br/><br/>If you disable or don't configure this setting, the default scan type is used. |
59
+
| Scan Schedule | Schedule Quick Scan Time | This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to disabled. The schedule is based on local time on the computer where the scan is executing. <br/><br/>If you enable this setting, a daily quick scan runs at the time of day specified. <br/><br/>If you disable or don't configure this setting, daily quick scan controlled by this configuration doesn't run. |
60
+
| Scan Schedule | Schedule Scan Day | This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. <br/><br/>This setting can be configured with the following ordinal number values: <br/>- (0x0) Every Day <br/>- (0x1) Sunday <br/>- (0x2) Monday <br/>- (0x3) Tuesday <br/>- (0x4) Wednesday <br/>- (0x5) Thursday <br/>- (0x6) Friday <br/>- (0x7) Saturday <br/>- (0x8) Never (*default*) <br/><br/>If you enable this setting, a scheduled scan runs at the frequency specified. <br/><br/>If you disable or don't configure this setting, a scheduled scan runs at a default frequency. |
61
61
| Scan Schedule | Schedule Scan Time | This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is executing. <br/><br/>If you enable this setting, a scheduled scan runs at the time of day specified. <br/><br/>If you disable or don't configure this setting, a scheduled scan runs at a default time. |
62
62
| Scan Schedule | Randomize Schedule Task Times | Widen or narrow the randomization period for scheduled scans. Specify a randomization window of between 1 and 23 hours by using the setting `SchedulerRandomizationTime`. |
63
63
| Scan Schedule | Scheduler Randomization Time ||
@@ -105,9 +105,9 @@ Confirming if a scan has been canceled or finished successfully allows you to ta
105
105
106
106
The following Event IDs are related to scan operations on a device.
107
107
108
-
- Event ID `1000` - An anti-malware scan started.
109
-
- Event ID `1001` - An anti-malware scan finished.
110
-
- Event ID `1002` - An anti-malware scan was stopped before it finished.
108
+
- Event ID 1000 - An anti-malware scan started.
109
+
- Event ID 1001 - An anti-malware scan finished.
110
+
- Event ID 1002 - An anti-malware scan was stopped before it finished.
111
111
112
112
For more information, see [Microsoft Defender Antivirus event IDs and error codes](/defender-endpoint/troubleshoot-microsoft-defender-antivirus).
113
113
@@ -155,10 +155,10 @@ Identifying why a scan was canceled enables you to identify what needs to be rev
155
155
156
156
| Reason | Details |
157
157
|--|--|
158
-
| The device restarts | Details of device restarts can be reviewed using Event Viewer on the device. <br/>- Event Log: System <br/>- Event IDs: `6005`, `6006`, `6007`, and `6008`|
158
+
| The device restarts | Details of device restarts can be reviewed using Event Viewer on the device. <br/>- Event Log: System <br/>- Event IDs: 6005, 6006, 6007, and 6008 |
159
159
| The scan times out | Scheduled scans use `mpcmdrun`, but if someone uses `mpcmdrun` to run an on-demand scan, the timer still applies. Antivirus scans launched by the Windows Security app (Local) and the Microsoft Defender portal don't use `mpcmdrun`, and each method starts a scan directly by using `mpclient`. <br/>- Scans initiated in the Microsoft Defender portal or the Windows Security app (Quick or Full): No time limit<br/>- Scheduled Full Scans or `MpCmdRun -scan`: Seven day limit<br/>- Scheduled Quick Scans or `MpCmdRun -scan`: One day limit |
160
-
| The device is running on battery | If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event `1002`, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time. For more information, see [Schedule antivirus scans: Important points to keep in mind](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?#important-points-to-keep-in-mind).
161
-
| Other power-related events | The following event IDs (from Kernel-Power) indicate changing of the power state of the device which could impact the scanning finishing in a timely manner: <br/>- `107`: The system has resumed from sleep.<br/>- `42`: The system is entering sleep. Sleep Reason: Hibernate from Sleep - Standby Battery Budget Exceeded<br/>- `507`: The system is exiting Modern Standby. Reason: Sleep, Hibernate, or Shutdown.<br/>- `506`: The system is entering Modern Standby. Reason: Lid.<br/>- `105`: Power source change. |
160
+
| The device is running on battery | If a device is unplugged and running on battery during a scheduled full scan, the scheduled scan stops with event 1002, which states that the scan stopped before completion. Microsoft Defender Antivirus runs a full scan at the next scheduled time. For more information, see [Schedule antivirus scans: Important points to keep in mind](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans?#important-points-to-keep-in-mind).
161
+
| Other power-related events | The following event IDs (from Kernel-Power) indicate changing of the power state of the device which could impact the scanning finishing in a timely manner: <br/>- 107: The system has resumed from sleep.<br/>- 42: The system is entering sleep. Sleep Reason: Hibernate from Sleep - Standby Battery Budget Exceeded<br/>- 507: The system is exiting Modern Standby. Reason: Sleep, Hibernate, or Shutdown.<br/>- 506: The system is entering Modern Standby. Reason: Lid.<br/>- 105: Power source change. |
162
162
163
163
## Use performance analyzer on the device
164
164
@@ -218,5 +218,3 @@ Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' | where i
218
218
219
219
-[Configure scheduled quick or full Microsoft Defender Antivirus scans](schedule-antivirus-scans.md)
- ✅ <a href="https://learn.microsoft.com/defender-office-365/mdo-about#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 Plan 1 and Plan 2</a>
@@ -71,7 +71,7 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
71
71
72
72
When you're finished on the **Name your policy page**, select **Next**.
73
73
74
-
4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (recipient conditions):
74
+
4. On the **Users, groups, and domains** page, identify the internal senders that the policy applies to (sender conditions):
75
75
-**Users**: The specified mailboxes, mail users, or mail contacts.
76
76
-**Groups**:
77
77
- Members of the specified distribution groups or mail-enabled security groups (dynamic distribution groups aren't supported).
@@ -94,7 +94,7 @@ You can configure outbound spam policies in the Microsoft Defender portal or in
94
94
95
95
The policy is applied to `[email protected]`_only_ if he's also a member of the Executives group. Otherwise, the policy isn't applied to him.
96
96
97
-
-**Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions.
97
+
-**Exclude these users, groups, and domains**: To add exceptions for the internal senders that the policy applies to, select this option and configure the exceptions (sender exceptions).
98
98
99
99
You can use an exception only once, but the exception can contain multiple values:
0 commit comments