Windows 10: Explanation of Microsoft Security Scanner for infected files

I noticed that my PC has been running slower lately and decided to do several security scans with the available Microsoft tools. Through the Virus and Threat Protection on the Windows Security it found this virus Trojan:Script/Wacatac.B!ml.After having the script stated above quarantined and removed, I performed a quick and full scan using the Microsoft Security Scanner, and after it scanned through the various files, I saw that the infected filed number hovered somewhere around 33 out of the ~3.5 mil files it scanned. After the scan was complete, it states that there are no viruses, spyware,

:)

 

Microsoft Safety Scanner > Files Infected count

There's a bit of a UX problem with the scanner. As it is running it may encounter files that are suspected of being infected but indicate a count as: "Files Infected: XX"

This suggests the files are infected and apparently no list of these potentially infected files are provided.

1. Change the label to "Possible Infected Files"
   
2. Write to the msert log the list of possibly infected files for further review/action.
   

I say this as I let the tool run for over 3 hours, racking up over 20 "Files Infected". My computer was disconnected from the Internet during the scan. So I was surprised that the files in question were somehow "cleared" despite a lack of Internet connection.

From the log:

Results Summary:

----------------

No infection found.

Failed to submit MAPS report: 0x80072EE7

Failed to submit clean hearbeat MAPS report: 0x80072EE7

Microsoft Safety Scanner Finished On Sun Apr 30 13:20:56 2023

If the suspected files couldn't be submitted, then how were they cleared? Which files were suspected?

I appreciate the tool just cannot trust the results.

 

Microsoft safety scanner finds no virus?

Hello Anxious,

I am Jaspreet Singh.

Microsoft Scanner works in steps.

So at first stage it will detect what may be an infected file and it will add that to a list. This is the number you see when you see the scanner progressing. These are not actual infections, just suspicious files.

Once the scan is done the safety scanner will match the suspected files with the most recent database of threats and then tell you the actual infections on your system. If the last number is 0 it means no actual infection was found.

 

microsoft safety scanner showing same files infected

If you're seeing these 15 infected files only during the scanning process listed next to the line titled 'Files infected', then that's a well-known situation that confuses many who don't understand how this, or any other Microsoft malware scanner truly operates.

During the scan itself, the Safety Scanner displays this Files infected counter that includes all of the individual fragments of potential malware it has detected using the signatures contained within the downloaded file. However, once the scanning portion has reached roughly 95% completed (per the progress bar), the scanning tool (and most other Microsoft scanners like Defender) perform a 'phone home' request using a cloud service also known as MAPS (Microsoft Active Protection Service).

What this MAPS request does for the Safety Scanner is allows it to not only verify that the items detected aren't actually a false positive detection, but also that the remediation (fix) for these particular items hasn't been updated or changed, as well as that the combination of items are truly 'active' malware and not simply leftover fragments of an already 'dead' or failed malware attack, which commonly occurs for example when a website file download is either aborted or fails to truly operate due to protections like SmartScreen filter or others built into either the Edge browser or Windows itself.

Once the MAPS process is complete, the reporting and any remediation instructions or other items required for the Safety Scanner to finish its process are returned to the client via the cloud and performed locally, at which point the Safety Scanner UI displays a final reporting of whether any truly active malware was detected and/or removed, which in many cases results in 0 (no) active items having been found.

If this no active malware infections result is what you're seeing, that's totally appropriate, since as the above description shows, the initial detections of 15 'Infected files' is only preliminary, so it's this final determination by MAPS that truly matters.

Rob