
Endpoint Protection client UI displays an incorrect "Start time" value for a scan in progress



Summary

Consider the following scenario. You log on to your system and notice a spinning icon for Microsoft Forefront Endpoint Protection 2010 or Microsoft System Center Endpoint Protection 2012. (This indicates that the application is performing an action.) You open the application UI and notice that a scan is running.

In this scenario, the value that is displayed for Start time in the application UI may not reflect the actual start time of the scan in progress if the scan was started before you logged on.

Note: If the scan was started before you logged on, the Start time value will be the time when the UI was started (that is, when the Msseces.exe process was started).



More Information

When a scan starts, EventID 1000 is logged. The time stamp of EventID 1000 can be considered the start time of the scan (although there can be an insignificant logging delay). You can correlate the start and stop events in the event log by using the ScanID value that is part of the event data. If a scan start event (EventID 1000) does not have a correlating scan stop event, the scan is still in progress.

To determine when a scan in progress was started, review the System log. To do this, follow these steps:
  1. Open the System log. 
  2. Filter the System log as follows:

    EventID: 1000-1002
    Source: Microsoft Antimalware
  3. Look for the last EventID 1000, and then record its ScanID value.
  4. If there is no EventID 1001 or 1002 after the last EventID 1000 that has the same ScanID that you recorded in step 1, you can use the last EventID 1000 to determine the start time of the scan in progress.  
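The same correlation can be scripted. The following PowerShell is an added example, not part of the original Microsoft article: the function name `Get-ScanInProgressStart` is hypothetical, the sample records and their message text are constructed, and it assumes the ScanID appears in the rendered event message as a braced GUID.

```powershell
function Get-ScanInProgressStart {
    param([Parameter(Mandatory)][object[]]$Events)

    # Assumption: the ScanID is rendered in the event message as a braced GUID.
    $guid = [regex]'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
    $sorted = @($Events | Sort-Object TimeCreated)

    # Step 3: find the last EventID 1000 and record its ScanID.
    $start = $sorted | Where-Object { $_.Id -eq 1000 } | Select-Object -Last 1
    if (-not $start) { return $null }
    $m = $guid.Match([string]$start.Message)
    if (-not $m.Success) { return $null }
    $scanId = $m.Value

    # Step 4: a later 1001 or 1002 with the same ScanID means the scan has stopped.
    $stop = $sorted | Where-Object {
        ($_.Id -in 1001, 1002) -and
        ($_.TimeCreated -ge $start.TimeCreated) -and
        (([string]$_.Message).IndexOf($scanId, [StringComparison]::OrdinalIgnoreCase) -ge 0)
    } | Select-Object -First 1
    if ($stop) { return $null }

    # No stop event: the time stamp of EventID 1000 is the scan start time.
    [pscustomobject]@{ ScanId = $scanId; StartTime = $start.TimeCreated }
}

# Constructed sample records standing in for Get-WinEvent output
# (the message wording is illustrative, not copied from a real log).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2013-11-05T02:00:03'; Id = 1000
        Message = 'Scan started. Scan ID: {A1B2C3D4-0000-4000-8000-000000000001}' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-11-05T02:41:17'; Id = 1001
        Message = 'Scan finished. Scan ID: {A1B2C3D4-0000-4000-8000-000000000001}' }
    [pscustomobject]@{ TimeCreated = [datetime]'2013-11-06T07:55:40'; Id = 1000
        Message = 'Scan started. Scan ID: {A1B2C3D4-0000-4000-8000-000000000002}' }
)

# The second scan has no stop event, so its 1000 event is reported.
Get-ScanInProgressStart -Events $sample

# On a live system, feed the function from the filtered System log instead:
# $live = Get-WinEvent -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1000, 1001, 1002 }
# Get-ScanInProgressStart -Events $live
```

The function returns nothing when the most recent scan already has a matching stop event, which means no scan is in progress.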



Keywords: fep2010swept, kb


Article Info
Article ID : 2896610
Revision : 1
Created on : 1/7/2017
Published on : 11/6/2013
Exists online : False