What is wrong with the Microsoft Safety Scanner status information and logging?

EXAMPLE #1

MSS reported it found 19 infected files during the scan. When the scan was complete, it said no infections were found.

Here's the log:

-----------------------------------------------------------

Microsoft Safety Scanner v1.333, (build 1.333.203.0)
Started On Thu Mar 11 23:15:09 2021
Engine: 1.1.17900.7
Signatures: 1.333.203.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode
Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri Mar 12 10:33:14 2021

Return code: 0 (0x0)

-----------------------------------------------------------

Where are the 19 infections it found when scanning, and what did it do with them?

EXAMPLE #2

MSS reported it found 3 infected files during the scan. When the scan was complete, it only reported 2 infections. One was removed and the other needed a restart to complete removal. Here's the log:

-----------------------------------------------------------

Microsoft Safety Scanner v1.333, (build 1.333.203.0)
Started On Fri Mar 12 00:16:11 2021
Engine: 1.1.17900.7
Signatures: 1.333.203.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode
Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri Mar 12 00:18:56 2021

Return code: 0 (0x0)
-----------------------------------------------------------

Not only did it not report infections in the log after reporting them in the scan results, but it also says the scan took 2 seconds when it took over 10 hours.

At this point, I have zero trust in the Microsoft Safety Scanner.  There is no such thing as security without accountability, which, in this case, would mean having an accurate and complete log file.

Does anyone know why MSS is misreporting infections and not logging them when found?  Maybe there is another log hidden somewhere?

Answer

To truly answer your question, you need to understand how the Microsoft security apps actually operate, since that's part of why this sort of situation can be confusing to those who don't.

The "Files Infected" count displayed on the Microsoft Safety Scanner scan-in-progress screen, or on any of their other security products for that matter, is actually just a preliminary status indication that there are items which may contain malware. In many cases these specific items have been found in the past to be related to malware, but they are all really just small fragments that have matched signatures, but aren't yet truly confirmed as the specific malware that might include them.

Near the end of the scanning process, around 95% complete, the Microsoft scanners all perform a MAPS (Microsoft Active Protection Service) request via the internet to the Microsoft cloud servers in order to upload their initial findings and request confirmation that these findings are either truly malware or instead possible false positive detections or incomplete fragments of inactive malware.

Though the entire process isn't displayed, the clues to this are the following 2 lines in your first log above.

"No infection found.

Successfully Submitted MAPS Report"

So what actually happened is that the scanner found possible malware fragments, communicated with the MAPS servers and confirmed there weren't any active malware that it can identify running and completed its operation by reporting these final results as well as uploading its reporting to MAPS as a record.

This final step is important, since as I stated above "there weren't any active malware that it can identify running" on your device, but that doesn't necessarily mean there might not be something that Microsoft's Security Intelligence has yet to determine is a new form of malware. What this report does is allow Microsoft to collate this information within the automated MAPS cloud system and look for such possible new malware patterns, along with those from the millions of other Windows Defender and other scanners operating in real time on many systems.

So there's nothing truly wrong with what the Safety Scanner found and likely no true malware, since this activity is fairly common, but the operation of all of these Microsoft scanners is really far more complex and deep than most people understand.

Rob

112 people found this reply helpful
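The two logs quoted in the question contain enough structure to check the points raised in both the question and the answer mechanically: the start and finish timestamps give the real scan duration (the log never states a duration, so the "2 seconds" has to come from elsewhere), the "Results Summary" gives the final verdict, and the presence or absence of the "Successfully Submitted MAPS Report" line shows whether the cloud confirmation step described in the answer completed. The following parser is an added example written for this page; it is not Microsoft's code and not part of the original thread. It assumes the line formats stay exactly as shown in the quoted logs (the version and return-code patterns are taken from those lines), and it uses the two quoted logs as sample input.

```python
"""Parse the status lines of a Microsoft Safety Scanner (MSS) log and
report what the log actually records: real elapsed time, final verdict,
and whether a MAPS report was submitted. Added example; assumes the
line formats seen in the two logs quoted in the question above."""
import re
from datetime import datetime

# Sample input: the two logs quoted in the question, reproduced verbatim.
LOG_EXAMPLE_1 = """Microsoft Safety Scanner v1.333, (build 1.333.203.0)
Started On Thu Mar 11 23:15:09 2021
Engine: 1.1.17900.7
Signatures: 1.333.203.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode
Results Summary:
----------------
No infection found.
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri Mar 12 10:33:14 2021

Return code: 0 (0x0)
"""

LOG_EXAMPLE_2 = """Microsoft Safety Scanner v1.333, (build 1.333.203.0)
Started On Fri Mar 12 00:16:11 2021
Engine: 1.1.17900.7
Signatures: 1.333.203.0
MpGear: 1.1.16330.1
Run Mode: Interactive Graphical Mode
Results Summary:
----------------
No infection found.
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Fri Mar 12 00:18:56 2021
Return code: 0 (0x0)
"""

# Timestamp format used by the "Started On" / "Finished On" lines, e.g. "Thu Mar 11 23:15:09 2021".
_TIME_FMT = "%a %b %d %H:%M:%S %Y"
_VERSION_RE = re.compile(r"^Microsoft Safety Scanner v(\S+), \(build ([\d.]+)\)$")
_RETURN_RE = re.compile(r"^Return code: (\d+) \(0x[0-9a-fA-F]+\)$")


def parse_mss_log(text: str) -> dict:
    """Extract the fields that matter for auditing a scan from an MSS log."""
    info = {
        "version": None, "build": None, "engine": None, "signatures": None,
        "started": None, "finished": None, "final_infections": None,
        "maps_submitted": False, "heartbeat_submitted": False, "return_code": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # blank lines appear between fields in some logs (see example 2)
        m = _VERSION_RE.match(line)
        if m:
            info["version"], info["build"] = m.group(1), m.group(2)
        elif line.startswith("Started On "):
            info["started"] = datetime.strptime(line[len("Started On "):], _TIME_FMT)
        elif line.startswith("Microsoft Safety Scanner Finished On "):
            stamp = line[len("Microsoft Safety Scanner Finished On "):]
            info["finished"] = datetime.strptime(stamp, _TIME_FMT)
        elif line.startswith("Engine: "):
            info["engine"] = line[len("Engine: "):]
        elif line.startswith("Signatures: "):
            info["signatures"] = line[len("Signatures: "):]
        elif line == "No infection found.":
            info["final_infections"] = 0  # the only verdict wording shown on this page
        elif line == "Successfully Submitted MAPS Report":
            info["maps_submitted"] = True
        elif line == "Successfully Submitted Heartbeat Report":
            info["heartbeat_submitted"] = True
        else:
            m = _RETURN_RE.match(line)
            if m:
                info["return_code"] = int(m.group(1))
    return info


def scan_duration_seconds(info: dict):
    """Elapsed wall-clock time recorded by the log itself, or None if a stamp is missing."""
    if info["started"] is None or info["finished"] is None:
        return None
    return int((info["finished"] - info["started"]).total_seconds())


def audit_observations(info: dict) -> list:
    """Plain-language observations a reviewer would want from the log."""
    notes = []
    secs = scan_duration_seconds(info)
    if secs is not None:
        notes.append("log-recorded duration: %dh %02dm %02ds" % (secs // 3600, secs % 3600 // 60, secs % 60))
    if info["maps_submitted"]:
        notes.append("MAPS report submitted: in-scan counts were checked against the cloud")
    else:
        notes.append("no MAPS report line: the log does not show a cloud confirmation step")
    if info["final_infections"] == 0:
        notes.append("final verdict: no infection found")
    if info["return_code"] == 0:
        notes.append("return code 0: scanner reports normal completion")
    return notes


if __name__ == "__main__":
    for name, log in (("example 1", LOG_EXAMPLE_1), ("example 2", LOG_EXAMPLE_2)):
        print(name, "->", "; ".join(audit_observations(parse_mss_log(log))))
```

Run against the two quoted logs, the parser shows that example 1 records an elapsed time of 11h 18m 05s and a MAPS submission, while example 2 records 2m 45s and no MAPS line at all; neither log records the in-scan "Files Infected" count, which is the gap the question is about.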

Question Info

Last updated May 17, 2021