Where are Windows 10 Defender offline scan logs/results?
I can't find any events or log files,
are there such records somewhere or WD reports only if it finds something?
Windows 10 Pro,
drive is encrypted with BitLocker (might affect it somehow?)
Windows Defender adds entries to the Event Viewer in the following location:
Event Viewer >> Applications and Services Logs >> Microsoft >> Windows >> Windows Defender >> Operational
Where you'll see:
- Windows Defender scan has started. (Event ID 1000)
- Windows Defender scan has finished. (Event ID 1001)
- Windows Defender signature version has been updated. (2000)
According to Microsoft, any threats detected by the offline scanner will show up in the Threat History (where the online scanner also records any viruses found):
Where can I find scan results?
To see the Windows Defender Offline scan results:
Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection. On the Virus & threat protection screen, do one of the following:
- In current version of Windows 10: Under Current threats, select Scan options, and then select Threat history.
- In previous versions of Windows: Select Threat history.
The log showing the offline scan run seems to be stored in a file below C:\Windows\Microsoft Antimalware\Support, using the naming scheme MPLog-<date>-<time>.log (e.g. MPLog-20181217-055720.log).
You can tell that it is an offline scan log by the following line somewhere at the beginning:
2018-12-17T04:57:20.837Z [PlatUpd] Service launched successfully from: C:\ProgramData\Microsoft\Windows Defender\Offline Scanner
Usually the log contains a lot of lines with the string Internal signature match:subtype=Lowfi, but these don't seem to be real virus detections: They don't show up in Threat History and virustotal.com finds nothing ("No engines detected this file").
According to Moderator/Microsoft Agent Justine Pel in a thread in the Microsoft Community Forums, the log files are intended for submitting Windows Defender errors to Microsoft, therefore I suspect the Internal match entries are included for debugging purposes only:
Those logs are usually used for submission of errors or problems with Windows Defender. Our Windows Defender team are the one who are capable of providing the exact meaning of those lines.
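The checks described in both answers above, as an added PowerShell example that is not part of either post: it lists the scan and signature events from the Operational log, then reports which MPLog files carry the offline scanner launch line and how many Lowfi lines each contains. The channel name `Microsoft-Windows-Windows Defender/Operational` is the one behind the Event Viewer path quoted above; needing an elevated prompt to read the Support folder is an assumption.

```powershell
# Added example; paths, event IDs and marker strings are the ones quoted in the answers.
# Assumption: run from an elevated prompt so the Support folder is readable.

$logName    = 'Microsoft-Windows-Windows Defender/Operational'
$supportDir = 'C:\Windows\Microsoft Antimalware\Support'
$marker     = 'Service launched successfully from: C:\ProgramData\Microsoft\Windows Defender\Offline Scanner'
$lowfi      = 'Internal signature match:subtype=Lowfi'

# 1. Scan started (1000), scan finished (1001) and signature updated (2000) events.
#    Get-WinEvent raises a non-terminating error when nothing matches; it is
#    silenced here so that an empty result is simply an empty table.
Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1000, 1001, 2000 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 2. MPLog files: flag the ones written by the offline scanner and count Lowfi lines.
Get-ChildItem -LiteralPath $supportDir -Filter 'MPLog-*.log' -ErrorAction Stop |
    Sort-Object LastWriteTime |
    ForEach-Object {
        # Get-Content honours a byte-order mark, so the text is decoded before
        # matching; @() keeps an empty file from piping a single $null.
        $lines = @(Get-Content -LiteralPath $_.FullName)

        [pscustomobject]@{
            File        = $_.Name
            LastWrite   = $_.LastWriteTime
            OfflineScan = [bool]($lines | Select-String -SimpleMatch -Pattern $marker -Quiet)
            LowfiLines  = @($lines | Select-String -SimpleMatch -Pattern $lowfi).Count
        }
    } |
    Format-Table -AutoSize
```

A row with `OfflineScan` set to `True` is the log of an offline run; compare its timestamp with the 1000/1001 events and with Threat History before reading anything into the `LowfiLines` count.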