New
#1
scheduling Windows Defender full scan: problems and questions
I have a new Windows 10 Pro 64 bit laptop that I am configuring. I am coming from a Windows 7 desktop. Much has changed.
For its malware defense, I am using Windows Defender and Malwarebytes Premium.
Scheduling Malwarebytes to scan at a certain time of day is trivial, but I have found it difficult to schedule Windows Defender to do a full scan.
~~~~~~~~~~
I first tried to schedule Windows Defender using Schedule tasks as described here.
That worked, except that I see no option to specify a full scan, so surely it is doing the default of a quick scan.
Story to be continued below...
~~~~~~~~~~
I next stumbled across other links that said that you can control many (all?) aspects of Windows Defender scans via Group Policy.
The 3 best links being this, and this, and this.
So, I opened Group Policy Management Editor and made these changes from the defaults:
Problem: when I try to make the "Specify the day of the week to run a scheduled scan" change above, after I click the OK button, the value changes from my Enabled setting to Disabled!Code:Group Policy Management Editor > Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus Randomize scheduled task times: Disabled Scan Allow users to pause scan: Enabled (could have left unconfigured, but wanted to be explicit) Check for the latest virus and spyware definitions before running a scheduled scan: Enabled Scan archive files: Enabled (could have left unconfigured, but wanted to be explicit) Scan packed executables: Enabled (could have left unconfigured, but wanted to be explicit) Scan removable drives: Enabled Specify the day of the week to run a scheduled scan: Enabled with Options: Every Day Specify the maximum percentage of CPU utilization during a scan: Enabled with Options: 90 Specify the scan type to use for a scheduled scan: Enabled with Options: Full system scan Specify the time of day to run a scheduled scan: Enabled with Options: 330 (330 minutes = 5.5 hours = 05:30) Start the scheduled scan only when computer is on but not in use: Disabled Turn on e-mail scanning: Enabled Turn on heuristics: Enabled (could have left unconfigured, but wanted to be explicit)
What the heck is going on?
My guess was that maybe I had some other setting that conflicted with this one, which was causing the auto reset to Disabled. I scoured thru all the settings, but found nothing.
Please advise!
Another problem: to see if a scheduled scan would take place, I tried temporarily changing the "Specify the time of day to run a scheduled scan" value to 2 minutes past my current time. When the current time reached that, no scan took place.
Is the Group Policy alone insufficient to trigger a scan?
~~~~~~~~~~
Doing more web searching, I eventually found out how to make Schedule tasks have Windows Defender do a full scan. As described in this link, you must supply these args to the MpCmdRun.exe program
Question: what is considered the best way to configure Windows? Using tools like Schedule tasks? Or should I always try to get stuff to work via Group Policy of possible?Code:Scan -ScheduleJob -ScanType 2
I am new to Group Policy, but it seems like the more official and thorough way. Please confirm or deny, and further enlighten me.
~~~~~~~~~~
If Group Policy is the way to go, there is one more setting that concerns me.
Under Scan is a "Specify the maximum depth to scan archive files" setting.
The default is 0, which, if I understand the help text (and all links I found when searched), means that it scans to 0 depth. In other words, it does not drill down inside any directories at all!
That sounds awful, and stupid. It also contradicts how a setting of 0 in other contexts means there is no limit.
I want a setting that drills down as deep as necessary into the archive, I want everything scanned!
Any way to achieve that?
I suppose that I could specify a really large value, but that it is an inelegant hack that should not have to do.