Where are windows 10 defender offline scan logs/results?

windows anti-virus eventviewer log-files

I can't find any events or log files,
are there such records somewhere or WD reports only if it finds something?

Windows 10 pro,
drive is encrypted with bitlocker (might affects somehow?)


Windows Defender adds entries to the Event Viewer in the following location:

Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> Windows Defender >> Operational


Where you'll see:
Windows Defender scan has started. (Event ID 1000)
Windows Defender scan has finished. (Event ID 1001)
Windows Defender signature version has been updated. (2000)


According to Microsoft, any threats detected by the offline scanner will show up in the Threat History (where the online scanner also records any viruses found):

Where can I find scan results?

To see the Windows Defender Offline scan results:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen, do one of the following:

  • In current version of Windows 10: Under Current threats, select Scan options, and then select Threat history.
  • In previous versions of Windows: Select Threat history.

The log showing the offline scan run seems to be stored in a file below C:\Windows\Microsoft Antimalware\Support, using the naming scheme MPLog-<date>-<time>.log (e.g. MPLog-20181217-055720.log). You can tell that it is an offline scan log by the following line somewhere at the beginning: 2018-12-17T04:57:20.837Z [PlatUpd] Service launched successfully from: C:\ProgramData\Microsoft\Windows Defender\Offline Scanner

Usually the log contains a lot of lines with the string Internal signature match:subtype=Lowfi, but these don't seem to be real virus detections: They don't show up in Threat History and virustotal.com finds nothing ("No engines detected this file").

According to Moderator/Microsoft Agent Justine Pel in a thread in the Microsoft Community Forums, the log files are intended for submitting Windows Defender errors to Microsoft, therefore I suspect the Internal match entries are included for debugging purposes only:

Those logs are usually use for submission of errors or problems with Windows Defender. Our Windows Defender team are the one who are capable of providing the exact meaning of those lines.

Related

Create non-root user and disable root SSH in Ansible
Save output to a text file from Mac terminal
How to see if USB stick has MBR?
Is there any benefit of using HDMI over DVI?
How to change password in SSH
Sublime Text, move tabs with keyboard
Can sublime text be used as hex editor?
Is it safe to change the harddrive power feature so that it never turns off?
How do I install Wget for Windows?
Bash Man Page: kill <pid> vs kill -9 <pid>
How do I copy hyperlinks in non-encoded format in Firefox? [duplicate]
Mac OS X Yosemite - How to Disable Automatic Logout when idle?