A Windows XP help forum. PCbanter


No full scan by Defender?



 
 
  #1  
Old August 1st 18, 11:07 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)
  #2  
Old August 1st 18, 12:04 PM posted to alt.comp.os.windows-10
Andy Burns[_6_]
external usenet poster
 
Posts: 1,318
Default No full scan by Defender?

Terry Pinnell wrote:

"Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.


Not much help to you (other than to confirm it should work) but it does
allow me to do a full scan.
  #3  
Old August 1st 18, 12:45 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default No full scan by Defender?

Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)


Using this in an Administrator command prompt, will
give an up-to-date list for scantype.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype /?

You might need to modify that path a bit if running 32-bit Windows.

*******

https://technet.microsoft.com/en-us/.../gg131918.aspx

Here, I'm doing a custom scan with scantype 3.
I typed this into an Administrator Command Prompt.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "C:\users\user name\Downloads"

Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

*******

To prove it works, you may need to inject the EICAR test
virus into a folder on your C: drive while the drive is offline.
Then when you boot C: and run a command line like the above,
you would expect EventViewer or even the Command Prompt
window, to show that EICAR was detected and quarantined.
AV applications are supposed to recognize EICAR.

http://www.eicar.org/86-0-Intended-use.html

In theory, clicking the link should be stopped, but
we'll see when you get there :-)

I keep an EICAR here for fun.

*******

I'm not going to try to guess why the menu item is
missing on your machine.

Paul
  #4  
Old August 1st 18, 02:16 PM posted to alt.comp.os.windows-10
Keith Nuttle
external usenet poster
 
Posts: 1,844
Default No full scan by Defender?

On 8/1/2018 6:07 AM, Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)

In the set up on my tablet this is the procedure I use for a full scan:

From the Shield icon on the main Home screen, I select "Advance Scan"

This gives me three options Full Scan, Custom Scan, Windows Defender
Offline Scan.

I select Full Scan.




--
2018: The year we learn to play the great game of Euchre
  #5  
Old August 1st 18, 02:36 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Thanks, very helpful. Reassuring to know I *can* run it, albeit by that
unfriendly route.

My searching revealed that others have the identical problem. I've used
it rarely so cannot be sure when it started.

During the course of that research I saw several threads about the long
duration times of a Defender full scan. So to try your method I chose
type 3, a custom scan, like you. And opted for \Downloads, which is 18
GB, 190 folders, 2600 files. That took 24 mins, so a full scan might
take days.

Looking at Event Viewer, did you get all these 'intermediate'
events, or just a clean start and finish?
https://www.dropbox.com/s/0q2bpdsg2k...nder.jpg?raw=1

At https://kb.eventtracker.com I read stuff that's way over my head:

Event Id 1150
--------------
Source Microsoft-Windows-FailoverClustering
Description The removal of the DNS Pointer (PTR) record '%2' for host
'%3' which is associated with the cluster network name resource '%1'
failed with error '%4'. If necessary, the record can be deleted
manually. Contact your DNS administrator for assistance.
(Wish I had one!)

Event Id 1151
--------------
Source Microsoft-Windows-ActiveDirectory_DomainService
Description "Internal event: A new database column was created for
the following new attribute. Database column:%1 Attribute identifier:%2
Attribute name:%3"
Event Information According to Microsoft :
Cause: This event is logged when a new database column was created for
the new attribute.
Resolution:Look for Event ID 1150 in Event Viewer
This is a general error message that indicates there may be an issue
with a recently requested schema modification. If there is an issue,
Event ID 1150 appears in Event Viewer. Use the additional information in
that event to resolve the issue.

Event Id 2010
-------------
Source Microsoft-Windows-Windows Firewall with Advanced Security
Description Network profile changed on an interface. Adapter
GUID:%t%1 Adapter Name:%t%2 Old Profile:%t%3 New Profile:%t%4
Event Information According to Microsoft :
Cause : This event is logged when Network profile changed on an
interface.
Resolution : This is a normal condition. No further action is required.
(That's a relief!)

Terry, East Grinstead, UK
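
Added example, not part of any post in this thread: a PowerShell sketch of the Event Viewer check Paul describes and of the 'intermediate' events Terry asks about. It reads only the Windows Defender Operational log, lists each Event ID together with its provider and message (an Event ID is unique only within its provider, so the number has to be read alongside the Source), and pairs the 1000/1001 events into scan durations. The 24-hour window, the sequential start/finish pairing and the detection IDs 1116/1117 are assumptions of this example, not values from the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell window.
# Log behind "Applications and Services Logs > Microsoft > Windows >
# Windows Defender > Operational" in Event Viewer.
$log = 'Microsoft-Windows-Windows Defender/Operational'

# Assumption: the last 24 hours is enough to cover the scan being checked.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = $log
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated

# 1) Every Event ID in this log, shown with its provider and the first line
#    of its message. Read the ID and the provider together: the same number
#    under a different provider is a different event.
$events |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Provider = $first.ProviderName
            Id       = $first.Id
            Count    = $_.Count
            Message  = if ($first.Message) { ($first.Message -split "`r?`n")[0] } else { '' }
        }
    } |
    Format-Table -AutoSize -Wrap

# 2) Pair "scan has started" (1000) with the next "scan has finished" (1001).
#    Assumption: scans do not overlap, so pairing in time order is enough.
$start = $null
$scans = foreach ($e in $events) {
    switch ($e.Id) {
        1000 { $start = $e }
        1001 {
            if ($start) {
                [pscustomobject]@{
                    Started  = $start.TimeCreated
                    Finished = $e.TimeCreated
                    Minutes  = [math]::Round(($e.TimeCreated - $start.TimeCreated).TotalMinutes, 1)
                }
                $start = $null
            }
        }
    }
}
$scans | Format-Table -AutoSize
if ($start) { "Scan started at $($start.TimeCreated) has no finish event yet." }

# 3) Detections, e.g. after the EICAR test described above.
#    1116 = malware detected, 1117 = action taken (IDs not quoted in the thread).
$events |
    Where-Object { $_.Id -in 1116, 1117 } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```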
  #6  
Old August 1st 18, 03:04 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default No full scan by Defender?

I looked that up mainly in case an active exploit was
already on your machine, making that GUI entry disappear.

The GUI is likely backed by an HTML/JS package. To make
a line of text disappear from the screen is relatively easy.

You're not likely to be on a Domain, so a change
to a setup there is unexpected (in your EventVwr).
Especially as you're in the Windows Defender : Operational
area, you wouldn't expect random events to be
showing up there like that.

I cannot comment on the contents of my Events (yet),
because my scan isn't finished. The scan is running on
one core, even though C: is an SSD and could easily
feed the scanner. According to Task Manager, MsMpEng
reads data at around 1MB/sec or so, which is... pretty slow.
My first hard drive was faster than that.

I think that process in the past, has used multiple
cores, and I don't understand how an on-demand
scan could be assigned that low of a priority. The implication
is, a user is sitting there, waiting for the results
to come in. Why would you delay that? My guess is,
mine will take ten to fifteen hours.

You know that MsMpEng can easily have multiple threads
of execution, because it has to respond to real-time
events, at the same time it's doing an on-demand
scan. The software is still capable, but isn't tuned
all that well.

I think I've had Kaspersky run at 400% to 500% before,
so that's what the competition can do.

*******

There have been cases before, where the installation of
commercial software which competes with Microsoft software,
causes items in a window to disappear. I doubt that's
the mechanism in this case. And figuring it out would not
be easy. The file the text strings are in, is likely
signed and equipped with some amount of security features,
to prevent things like this from happening.

*******

GPEDIT can be used to modify the behavior.
Nothing here stands out as your problem. WD
apparently has a scheduling capability. As if it's
not doing enough scanning right now...

https://docs.microsoft.com/en-us/win...nder-antivirus

Paul
  #7  
Old August 1st 18, 04:12 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Just discovered that although my custom scan of \Downloads finished at
14:07 (an hour ago), MsMpEng is still running, taking 12% CPU. No idea
what it's doing, unless it's attempting an unsolicited full scan.

I'm going to end the task and restart.

Terry, East Grinstead, UK
  #8  
Old August 1st 18, 04:16 PM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Wouldn't let me do it, "Access Denied".

Darned if I want to be stuck with that CPU burden for a matter of days.
Do you reckon it's safe to restart or reboot?

Terry, East Grinstead, UK
  #9  
Old August 1st 18, 06:27 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default No full scan by Defender?

Terry Pinnell wrote:
Terry Pinnell wrote:

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)
Using this in an Administrator command prompt, will
give an up-to-date list for scantype.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype /?

You might need to modify that path a bit if running 32-bit Windows.

*******

https://technet.microsoft.com/en-us/.../gg131918.aspx

Here, I'm doing a custom scan with scantype 3.
I typed this into an Administrator Command Prompt.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "C:\users\user name\Downloads"

Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

*******

To prove it works, you may need to inject the EICAR test
virus into a folder on your C: drive while the drive is offline.
Then when you boot C: and run a command line like the above,
you would expect EventViewer or even the Command Prompt
window, to show that EICAR was detected and quarantined.
AV applications are supposed to recognize EICAR.

http://www.eicar.org/86-0-Intended-use.html

In theory, clicking the link should be stopped, but
we'll see when you get there :-)

I keep an EICAR here for fun.

*******

I'm not going to try to guess why the menu item is
missing on your machine.

Paul
Thanks, very helpful. Reassuring to know I *can* run it, albeit by that
unfriendly route.

My searching revealed that others have the identical problem. I've used
it rarely so cannot be sure when it started.

During the course of that research I saw several threads about the long
duration times of a Defender full scan. So to try your method I chose
type 3, a custom scan, like you. And opted for \Downloads, which is 18
GB, 190 folders, 2600 files. That took 24 mins, so a full scan might
take days.

Looking at Event Viewer, did you get all these 'intermediate'
events, or just a clean start and finish?
https://www.dropbox.com/s/0q2bpdsg2k...nder.jpg?raw=1

At https://kb.eventtracker.com I read stuff that's way over my head:

Event Id 1150
--------------
Source Microsoft-Windows-FailoverClustering
Description The removal of the DNS Pointer (PTR) record '%2' for host
'%3' which is associated with the cluster network name resource '%1'
failed with error '%4'. If necessary, the record can be deleted
manually. Contact your DNS administrator for assistance.
(Wish I had one!)

Event Id 1151
--------------
Source Microsoft-Windows-ActiveDirectory_DomainService
Description "Internal event: A new database column was created for
the following new attribute. Database column:%1 Attribute identifier:%2
Attribute name:%3"
Event Information According to Microsoft :
Cause: This event is logged when a new database column was created for
the new attribute.
Resolution:Look for Event ID 1150 in Event Viewer
This is a general error message that indicates there may be an issue
with a recently requested schema modification. If there is an issue,
Event ID 1150 appears in Event Viewer. Use the additional information in
that event to resolve the issue.

Event Id 2010
-------------
Source Microsoft-Windows-Windows Firewall with Advanced Security
Description Network profile changed on an interface. Adapter
GUID:%t%1 Adapter Name:%t%2 Old Profile:%t%3 New Profile:%t%4
Event Information According to Microsoft :
Cause : This event is logged when Network profile changed on an
interface.
Resolution : This is a normal condition. No further action is required.
(That's a relief!)

Terry, East Grinstead, UK
I looked that up mainly in case an active exploit was
already on your machine, making that GUI entry disappear.

The GUI is likely backed by an HTML/JS package. To make
a line of text disappear from the screen is relatively easy.

You're not likely to be on a Domain, so a change
to a setup there is unexpected (in your EventVwr).
Especially as you're in the Windows Defender : Operational
area, you wouldn't expect random events to be
showing up there like that.

I cannot comment on the contents of my Events (yet),
because my scan isn't finished. The scan is running on
one core, even though C: is an SSD and could easily
feed the scanner. According to Task Manager, MsMpEng
reads data at around 1MB/sec or so, which is... pretty slow.
My first hard drive was faster than that.

I think that process in the past, has used multiple
cores, and I don't understand how an on-demand
scan could be assigned that low of a priority. The implication
is, a user is sitting there, waiting for the results
to come in. Why would you delay that ? My guess is,
mine will take ten to fifteen hours.

You know that MsMpEng can easily have multiple threads
of execution, because it has to respond to real-time
events, at the same time it's doing an on-demand
scan. The software is still capable, but isn't tuned
all that well.

I think I've had Kaspersky run at 400% to 500% before,
so that's what the competition can do.

*******

There have been cases before, where the installation of
commercial software which competes with Microsoft software,
causes items in a window to disappear. I doubt that's
the mechanism in this case. And figuring it out would not
be easy. The file the text strings are in, is likely
signed and equipped with some amount of security features,
to prevent things like this from happening.

*******

GPEDIT can be used to modify the behavior.
Nothing here stands out as your problem. WD
apparently has a scheduling capability. As if it's
not doing enough scanning right now...

https://docs.microsoft.com/en-us/win...nder-antivirus

Paul

Just discovered that although my custom scan of \Downloads finished at
14:07 (an hour ago), MsMpEng is still running, taking 12% CPU. No idea
what it's doing, unless it's attempting an unsolicited full scan.

I'm going to end the task and restart.

Terry, East Grinstead, UK


Wouldn't let me do it, "Access Denied".

Darned if I want to be stuck with that CPU burden for a matter of days.
Do you reckon it's safe to restart or reboot?

Terry, East Grinstead, UK


I rebooted mine. The discretionary scan
wasn't running on the restart.

Paul
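
An added example (not posted by anyone in the thread): PowerShell that reads the same Windows Defender Operational log, pairs each scan-started event (1000) with its scan-finished event (1001) to show how long each scan took, and lists the remaining event IDs together with the provider that logged them, since an event ID only identifies a message in combination with its provider. The 'Scan ID' and 'Scan Type' field names and the 7-day window are assumptions.

```powershell
# Added example: summarise the Defender Operational log discussed in the thread.
# Run from an elevated PowerShell prompt on the machine that ran the scan.
$log   = 'Microsoft-Windows-Windows Defender/Operational'
$since = (Get-Date).AddDays(-7)          # assumed look-back window

# Read the log once; throws if the log is empty for that window.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction Stop

function Get-EventField {
    param($Record, [string]$Name)
    # Defender events carry named <Data> elements in their XML.
    # 'Scan ID' and 'Scan Type' are assumed names; a missing field returns $null.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- Part 1: scan start (1000) / scan finish (1001), the IDs quoted in the thread ---
$scanEvents = $events | Where-Object { $_.Id -in 1000, 1001 } | ForEach-Object {
    $scanId = Get-EventField $_ 'Scan ID'
    if (-not $scanId) { $scanId = "unknown-$($_.RecordId)" }   # keep unpaired rather than drop
    [pscustomobject]@{
        ScanId   = $scanId
        ScanType = Get-EventField $_ 'Scan Type'
        Id       = $_.Id
        Time     = $_.TimeCreated
    }
}

$scanEvents | Group-Object ScanId | ForEach-Object {
    $start  = $_.Group | Where-Object { $_.Id -eq 1000 } | Select-Object -First 1
    $finish = $_.Group | Where-Object { $_.Id -eq 1001 } | Select-Object -First 1
    [pscustomobject]@{
        ScanId   = $_.Name
        ScanType = $start.ScanType
        Started  = $start.Time
        Finished = $finish.Time
        # A start with no finish is what a reboot or cancelled scan leaves behind.
        Duration = $(if ($start -and $finish) { $finish.Time - $start.Time }
                     else { 'no matching start/finish event' })
    }
} | Sort-Object Started | Format-Table -AutoSize

# --- Part 2: every other event in this log, with the provider that wrote it ---
# The first line of the message comes from the log itself, not from a third-party lookup site.
$events | Where-Object { $_.Id -notin 1000, 1001 } |
    Group-Object Id, ProviderName |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Id       = $first.Id
            Provider = $first.ProviderName
            Count    = $_.Count
            Message  = ("$($first.Message)" -split "`r?`n")[0]
        }
    } | Sort-Object Id | Format-Table -AutoSize -Wrap
```

A scan that shows a start time but no finish time was interrupted, which is the state a reboot in the middle of an on-demand scan leaves in the log.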
  #10  
Old August 2nd 18, 03:13 AM posted to alt.comp.os.windows-10
Zaidy036[_5_]
external usenet poster
 
Posts: 427
Default No full scan by Defender?

On 8/1/2018 9:16 AM, Keith Nuttle wrote:
On 8/1/2018 6:07 AM, Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)

In the set up on my tablet this is the procedure I use for a full scan:

From the Shield icon on the main Home screen, I select "Advance Scan"

This gives me three options Full Scan, Custom Scan, Windows Defender
Offline Scan.

I select Full Scan.


One thing to check when scans using any program run for extended times
is whether or not anything is in their settings under Files or Folder
Exclusions. That is because whenever the scan reads a file or folder it
checks the exclusions list before acting and a lot of exclusions will
greatly extend the scan time.



--
Zaidy036
  #11  
Old August 4th 18, 08:08 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Paul wrote:

Terry Pinnell wrote:
Terry Pinnell wrote:

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)
Using this in an Administrator command prompt, will
give an up-to-date list for scantype.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype /?

You might need to modify that path a bit if running 32-bit Windows.

*******

https://technet.microsoft.com/en-us/.../gg131918.aspx

Here, I'm doing a custom scan with scantype 3.
I typed this into an Administrator Command Prompt.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "C:\users\user name\Downloads"

Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

*******

To prove it works, you may need to inject the EICAR test
virus into a folder on your C: drive while the drive is offline.
Then when you boot C: and run a command line like the above,
you would expect EventViewer or even the Command Prompt
window, to show that EICAR was detected and quarantined.
AV applications are supposed to recognize EICAR.

http://www.eicar.org/86-0-Intended-use.html

In theory, clicking the link should be stopped, but
we'll see when you get there :-)

I keep an EICAR here for fun.

*******

I'm not going to try to guess why the menu item is
missing on your machine.

Paul
Thanks, very helpful. Reassuring to know I *can* run it, albeit by that
unfriendly route.

My searching revealed that others have the identical problem. I've used
it rarely so cannot be sure when it started.

During the course of that research I saw several threads about the long
duration times of a Defender full scan. So to try your method I chose
type 3, a custom scan, like you. And opted for \Downloads, which is 18
GB, 190 folders, 2600 files. That took 24 mins, so a full scan might
take days.

Looking at Event Viewer, did you get all these 'intermediate'
events, or just a clean start and finish?
https://www.dropbox.com/s/0q2bpdsg2k...nder.jpg?raw=1

At https://kb.eventtracker.com I read stuff that's way over my head:

Event Id 1150
--------------
Source Microsoft-Windows-FailoverClustering
Description The removal of the DNS Pointer (PTR) record '%2' for host
'%3' which is associated with the cluster network name resource '%1'
failed with error '%4'. If necessary, the record can be deleted
manually. Contact your DNS administrator for assistance.
(Wish I had one!)

Event Id 1151
--------------
Source Microsoft-Windows-ActiveDirectory_DomainService
Description "Internal event: A new database column was created for
the following new attribute. Database column:%1 Attribute identifier:%2
Attribute name:%3"
Event Information According to Microsoft :
Cause: This event is logged when a new database column was created for
the new attribute.
Resolution:Look for Event ID 1150 in Event Viewer
This is a general error message that indicates there may be an issue
with a recently requested schema modification. If there is an issue,
Event ID 1150 appears in Event Viewer. Use the additional information in
that event to resolve the issue.

Event Id 2010
-------------
Source Microsoft-Windows-Windows Firewall with Advanced Security
Description Network profile changed on an interface. Adapter
GUID:%t%1 Adapter Name:%t%2 Old Profile:%t%3 New Profile:%t%4
Event Information According to Microsoft :
Cause : This event is logged when Network profile changed on an
interface.
Resolution : This is a normal condition. No further action is required.
(That's a relief!)

Terry, East Grinstead, UK
I looked that up mainly in case an active exploit was
already on your machine, making that GUI entry disappear.

The GUI is likely backed by an HTML/JS package. To make
a line of text disappear from the screen is relatively easy.

You're not likely to be on a Domain, so a change
to a setup there is unexpected (in your EventVwr).
Especially as you're in the Windows Defender : Operational
area, you wouldn't expect random events to be
showing up there like that.

I cannot comment on the contents of my Events (yet),
because my scan isn't finished. The scan is running on
one core, even though C: is an SSD and could easily
feed the scanner. According to Task Manager, MsMpEng
reads data at around 1MB/sec or so, which is... pretty slow.
My first hard drive was faster than that.

I think that process in the past, has used multiple
cores, and I don't understand how an on-demand
scan could be assigned that low of a priority. The implication
is, a user is sitting there, waiting for the results
to come in. Why would you delay that ? My guess is,
mine will take ten to fifteen hours.

You know that MsMpEng can easily have multiple threads
of execution, because it has to respond to real-time
events, at the same time it's doing an on-demand
scan. The software is still capable, but isn't tuned
all that well.

I think I've had Kaspersky run at 400% to 500% before,
so that's what the competition can do.

*******

There have been cases before, where the installation of
commercial software which competes with Microsoft software,
causes items in a window to disappear. I doubt that's
the mechanism in this case. And figuring it out would not
be easy. The file the text strings are in, is likely
signed and equipped with some amount of security features,
to prevent things like this from happening.

*******

GPEDIT can be used to modify the behavior.
Nothing here stands out as your problem. WD
apparently has a scheduling capability. As if it's
not doing enough scanning right now...

https://docs.microsoft.com/en-us/win...nder-antivirus

Paul
Just discovered that although my custom scan of \Downloads finished at
14:07 (an hour ago), MsMpEng is still running, taking 12% CPU. No idea
what it's doing, unless it's attempting an unsolicited full scan.

I'm going to end the task and restart.

Terry, East Grinstead, UK


Wouldn't let me do it, "Access Denied".

Darned if I want to be stuck with that CPU burden for a matter of days.
Do you reckon it's safe to restart or reboot?

Terry, East Grinstead, UK


I rebooted mine. The discretionary scan
wasn't running on the restart.

Paul

Turned out that the cause of MsMpEng.exe running continuously was not
truly a Defender issue. Defender gave a 'Health report' which it
described as a driver issue. Its troubleshooter could only narrow it to
'USB Mass Storage Device'. Nothing I could find under Properties
Details appeared to help me identify which one. I thought I had three,
all external USB HDs. But removing all did not fix the problem.
Eventually proved more obscure; isolated finally as some driver problem
with the 3D Connexion Space Navigator I use with Google Earth.

Terry, East Grinstead, UK
  #12  
Old August 4th 18, 01:43 PM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default No full scan by Defender?

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Terry Pinnell wrote:

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)
Using this in an Administrator command prompt, will
give an up-to-date list for scantype.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype /?

You might need to modify that path a bit if running 32-bit Windows.

*******

https://technet.microsoft.com/en-us/.../gg131918.aspx

Here, I'm doing a custom scan with scantype 3.
I typed this into an Administrator Command Prompt.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "C:\users\user name\Downloads"

Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

*******

To prove it works, you may need to inject the EICAR test
virus into a folder on your C: drive while the drive is offline.
Then when you boot C: and run a command line like the above,
you would expect EventViewer or even the Command Prompt
window, to show that EICAR was detected and quarantined.
AV applications are supposed to recognize EICAR.

http://www.eicar.org/86-0-Intended-use.html

In theory, clicking the link should be stopped, but
we'll see when you get there :-)

I keep an EICAR here for fun.

*******

I'm not going to try to guess why the menu item is
missing on your machine.

Paul
Thanks, very helpful. Reassuring to know I *can* run it, albeit by that
unfriendly route.

My searching revealed that others have the identical problem. I've used
it rarely so cannot be sure when it started.

During the course of that research I saw several threads about the long
duration times of a Defender full scan. So to try your method I chose
type 3, a custom scan, like you. And opted for \Downloads, which is 18
GB, 190 folders, 2600 files. That took 24 mins, so a full scan might
take days.

Looking at Event Viewer, did you get all these 'intermediate'
events, or just a clean start and finish?
https://www.dropbox.com/s/0q2bpdsg2k...nder.jpg?raw=1

At https://kb.eventtracker.com I read stuff that's way over my head:

Event Id 1150
--------------
Source Microsoft-Windows-FailoverClustering
Description The removal of the DNS Pointer (PTR) record '%2' for host
'%3' which is associated with the cluster network name resource '%1'
failed with error '%4'. If necessary, the record can be deleted
manually. Contact your DNS administrator for assistance.
(Wish I had one!)

Event Id 1151
--------------
Source Microsoft-Windows-ActiveDirectory_DomainService
Description "Internal event: A new database column was created for
the following new attribute. Database column:%1 Attribute identifier:%2
Attribute name:%3"
Event Information According to Microsoft :
Cause: This event is logged when a new database column was created for
the new attribute.
Resolution:Look for Event ID 1150 in Event Viewer
This is a general error message that indicates there may be an issue
with a recently requested schema modification. If there is an issue,
Event ID 1150 appears in Event Viewer. Use the additional information in
that event to resolve the issue.

Event Id 2010
-------------
Source Microsoft-Windows-Windows Firewall with Advanced Security
Description Network profile changed on an interface. Adapter
GUID:%t%1 Adapter Name:%t%2 Old Profile:%t%3 New Profile:%t%4
Event Information According to Microsoft :
Cause : This event is logged when Network profile changed on an
interface.
Resolution : This is a normal condition. No further action is required.
(That's a relief!)

Terry, East Grinstead, UK
I looked that up mainly in case an active exploit was
already on your machine, making that GUI entry disappear.

The GUI is likely backed by an HTML/JS package. To make
a line of text disappear from the screen is relatively easy.

You're not likely to be on a Domain, so a change
to a setup there is unexpected (in your EventVwr).
Especially as you're in the Windows Defender : Operational
area, you wouldn't expect random events to be
showing up there like that.

I cannot comment on the contents of my Events (yet),
because my scan isn't finished. The scan is running on
one core, even though C: is an SSD and could easily
feed the scanner. According to Task Manager, MsMpEng
reads data at around 1MB/sec or so, which is... pretty slow.
My first hard drive was faster than that.

I think that process in the past, has used multiple
cores, and I don't understand how an on-demand
scan could be assigned that low of a priority. The implication
is, a user is sitting there, waiting for the results
to come in. Why would you delay that ? My guess is,
mine will take ten to fifteen hours.

You know that MsMpEng can easily have multiple threads
of execution, because it has to respond to real-time
events, at the same time it's doing an on-demand
scan. The software is still capable, but isn't tuned
all that well.

I think I've had Kaspersky run at 400% to 500% before,
so that's what the competition can do.

*******

There have been cases before, where the installation of
commercial software which competes with Microsoft software,
causes items in a window to disappear. I doubt that's
the mechanism in this case. And figuring it out would not
be easy. The file the text strings are in, is likely
signed and equipped with some amount of security features,
to prevent things like this from happening.

*******

GPEDIT can be used to modify the behavior.
Nothing here stands out as your problem. WD
apparently has a scheduling capability. As if it's
not doing enough scanning right now...

https://docs.microsoft.com/en-us/win...nder-antivirus

Paul
Just discovered that although my custom scan of \Downloads finished at
14:07 (an hour ago), MsMpEng is still running, taking 12% CPU. No idea
what it's doing, unless it's attempting an unsolicited full scan.

I'm going to end the task and restart.

Terry, East Grinstead, UK
Wouldn't let me do it, "Access Denied".

Darned if I want to be stuck with that CPU burden for a matter of days.
Do you reckon it's safe to restart or reboot?

Terry, East Grinstead, UK

I rebooted mine. The discretionary scan
wasn't running on the restart.

Paul

Turned out that the cause of MsMpEng.exe running continuously was not
truly a Defender issue. Defender gave a 'Health report' which it
described as a driver issue. Its troubleshooter could only narrow it to
'USB Mass Storage Device'. Nothing I could find under Properties
Details appeared to help me identify which one. I thought I had three,
all external USB HDs. But removing all did not fix the problem.
Eventually proved more obscure; isolated finally as some driver problem
with the 3D Connexion Space Navigator I use with Google Earth.

Terry, East Grinstead, UK


While some USB devices are composite devices and
hide a "virtual CD" inside with drivers, that doesn't
appear to be the case for your device.

The manufacturer web site has a 300MB installer file instead.

https://www.3dconnexion.com/service/drivers.html

Usually, a virtual CD hides maybe a couple megabytes
of driver files. One of the first cases I know of,
was the invention of the USB LCD monitor, where
graphics travel over USB. Because the device is
composite, the LCD monitor self-installs when you
plug it into modern versions of Windows. I don't
think Windows Defender would like this all that
much. It would scan the drivers. However, if it
decided a file needed to be quarantined, it
would go into a loop trying to remove the file
(as the virtual CD is read-only).

You could watch your device with USBTreeView, but
I doubt the program can follow any arbitrary
set of USB hardware and enumerate the whole thing.
Only the motherboard side of the connection is
really visible. I don't have enough
USB gear, to do a proper test of USBTreeView.
I don't even own a USB hub.

Paul
  #13  
Old August 5th 18, 10:09 AM posted to alt.comp.os.windows-10
Terry Pinnell[_3_]
external usenet poster
 
Posts: 732
Default No full scan by Defender?

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Terry Pinnell wrote:

Paul wrote:

Terry Pinnell wrote:
Paul wrote:

Terry Pinnell wrote:
Windows Defender tells me no action is needed. But, noting that its last
'Quick Scan' processed only some 64,000 files (a very small proportion of
my total) I used "Run a new advanced scan". Nothing happens. No dialog
to choose option for Full Scan.

Terry, East Grinstead, UK
Version 1803 (OS Build 17134.167)
Using this in an Administrator command prompt, will
give an up-to-date list for scantype.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype /?

You might need to modify that path a bit if running 32-bit Windows.

*******

https://technet.microsoft.com/en-us/.../gg131918.aspx

Here, I'm doing a custom scan with scantype 3.
I typed this into an Administrator Command Prompt.

"C:\Program Files\Windows Defender\MpCmdRun.exe" -scan -scantype 3 -file "C:\users\user name\Downloads"

Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer > Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational

Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)

*******

To prove it works, you may need to inject the EICAR test
virus into a folder on your C: drive while the drive is offline.
Then when you boot C: and run a command line like the above,
you would expect EventViewer or even the Command Prompt
window, to show that EICAR was detected and quarantined.
AV applications are supposed to recognize EICAR.

http://www.eicar.org/86-0-Intended-use.html

In theory, clicking the link should be stopped, but
we'll see when you get there :-)

I keep an EICAR here for fun.

*******

I'm not going to try to guess why the menu item is
missing on your machine.

Paul
Thanks, very helpful. Reassuring to know I *can* run it, albeit by that
unfriendly route.

My searching revealed that others have the identical problem. I've used
it rarely so cannot be sure when it started.

During the course of that research I saw several threads about the long
duration times of a Defender full scan. So to try your method I chose
type 3, a custom scan, like you. And opted for \Downloads, which is 18
GB, 190 folders, 2600 files. That took 24 mins, so a full scan might
take days.

Looking at Event Viewer, did you get all these 'intermediate'
events, or just a clean start and finish?
https://www.dropbox.com/s/0q2bpdsg2k...nder.jpg?raw=1

At https://kb.eventtracker.com I read stuff that's way over my head:

Event Id 1150
--------------
Source Microsoft-Windows-FailoverClustering
Description The removal of the DNS Pointer (PTR) record '%2' for host
'%3' which is associated with the cluster network name resource '%1'
failed with error '%4'. If necessary, the record can be deleted
manually. Contact your DNS administrator for assistance.
(Wish I had one!)

Event Id 1151
--------------
Source Microsoft-Windows-ActiveDirectory_DomainService
Description "Internal event: A new database column was created for
the following new attribute. Database column:%1 Attribute identifier:%2
Attribute name:%3"
Event Information According to Microsoft :
Cause: This event is logged when a new database column was created for
the new attribute.
Resolution:Look for Event ID 1150 in Event Viewer
This is a general error message that indicates there may be an issue
with a recently requested schema modification. If there is an issue,
Event ID 1150 appears in Event Viewer. Use the additional information in
that event to resolve the issue.

Event Id 2010
-------------
Source Microsoft-Windows-Windows Firewall with Advanced Security
Description Network profile changed on an interface. Adapter
GUID:%t%1 Adapter Name:%t%2 Old Profile:%t%3 New Profile:%t%4
Event Information According to Microsoft :
Cause : This event is logged when Network profile changed on an
interface.
Resolution : This is a normal condition. No further action is required.
(That's a relief!)

Terry, East Grinstead, UK
I looked that up mainly in case an active exploit was
already on your machine, making that GUI entry disappear.

The GUI is likely backed by an HTML/JS package. To make
a line of text disappear from the screen is relatively easy.

You're not likely to be on a Domain, so a change
to a setup there is unexpected (in your EventVwr).
Especially as you're in the Windows Defender : Operational
area, you wouldn't expect random events to be
showing up there like that.

I cannot comment on the contents of my Events (yet),
because my scan isn't finished. The scan is running on
one core, even though C: is an SSD and could easily
feed the scanner. According to Task Manager, MsMpEng
reads data at around 1MB/sec or so, which is... pretty slow.
My first hard drive was faster than that.

I think that process in the past, has used multiple
cores, and I don't understand how an on-demand
scan could be assigned that low of a priority. The implication
is, a user is sitting there, waiting for the results
to come in. Why would you delay that ? My guess is,
mine will take ten to fifteen hours.

You know that MsMpEng can easily have multiple threads
of execution, because it has to respond to real-time
events, at the same time it's doing an on-demand
scan. The software is still capable, but isn't tuned
all that well.

I think I've had Kaspersky run at 400% to 500% before,
so that's what the competition can do.

*******

There have been cases before, where the installation of
commercial software which competes with Microsoft software,
causes items in a window to disappear. I doubt that's
the mechanism in this case. And figuring it out would not
be easy. The file the text strings are in, is likely
signed and equipped with some amount of security features,
to prevent things like this from happening.

*******

GPEDIT can be used to modify the behavior.
Nothing here stands out as your problem. WD
apparently has a scheduling capability. As if it's
not doing enough scanning right now...

https://docs.microsoft.com/en-us/win...nder-antivirus

Paul
Just discovered that although my custom scan of \Downloads finished at
14:07 (an hour ago), MsMpEng is still running, taking 12% CPU. No idea
what it's doing, unless it's attempting an unsolicited full scan.

I'm going to end the task and restart.

Terry, East Grinstead, UK
Wouldn't let me do it, "Access Denied".

Darned if I want to be stuck with that CPU burden for a matter of days.
Do you reckon it's safe to restart or reboot?

Terry, East Grinstead, UK
I rebooted mine. The discretionary scan
wasn't running on the restart.

Paul

Turned out that the cause of MsMpEng.exe running continuously was not
truly a Defender issue. Defender gave a 'Health report' which it
described as a driver issue. Its troubleshooter could only narrow it to
'USB Mass Storage Device'. Nothing I could find under Properties
Details appeared to help me identify which one. I thought I had three,
all external USB HDs. But removing all did not fix the problem.
Eventually proved more obscure; isolated finally as some driver problem
with the 3D Connexion Space Navigator I use with Google Earth.

Terry, East Grinstead, UK


While some USB devices are composite devices and
hide a "virtual CD" inside with drivers, that doesn't
appear to be the case for your device.

The manufacturer web site has a 300MB installer file instead.

https://www.3dconnexion.com/service/drivers.html

Usually, a virtual CD hides maybe a couple megabytes
of driver files. One of the first cases I know of,
was the invention of the USB LCD monitor, where
graphics travel over USB. Because the device is
composite, the LCD monitor self-installs when you
plug it into modern versions of Windows. I don't
think Windows Defender would like this all that
much. It would scan the drivers. However, if it
decided a file needed to be quarantined, it
would go into a loop trying to remove the file
(as the virtual CD is read-only).

You could watch your device with USBTreeView, but
I doubt the program can follow any arbitrary
set of USB hardware and enumerate the whole thing.
Only the motherboard side of the connection is
really visible. I don't have enough
USB gear, to do a proper test of USBTreeView.
I don't even own a USB hub.

Paul


Thanks. Happily all seems stable again in that area at present.

Terry, East Grinstead, UK
 



