Consider the following scenario. You log on to your system and notice a spinning icon for Microsoft Forefront Endpoint Protection 2010 or Microsoft System Center Endpoint Protection 2012. (This indicates that the application is performing an action.) You open the application UI and notice that a scan is running.
In this scenario, the value that is displayed for Start time in the application UI may not reflect the actual start time of the scan in progress if the scan was started before you logged on.
Note: If the scan was started before you logged on, the Start time value will be the time when the UI was started (that is, when the Msseces.exe process was started).
When a scan starts, EventID 1000 is logged. The time stamp of EventID 1000 can be considered the start time of the scan (although there can be an insignificant logging delay). You can correlate the start and stop events in the event log by using the ScanID value that is part of the event data. If a scan start event (EventID 1000) does not have a correlating scan stop event, the scan is still in progress.
To determine when a scan in progress was started, review the System log. To do this, follow these steps:
Open the System log.
Filter the System log as follows:
    EventID: 1000-1002
    Source: Microsoft Antimalware
Look for the last EventID 1000, and then record its ScanID value.
If there is no EventID 1001 or 1002 after the last EventID 1000 that has the same ScanID that you recorded in step 1, you can use the last EventID 1000 to determine the start time of the scan in progress.
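The correlation in the steps above, written as a PowerShell function. This is an added example, not code from the original article; the function names and the sample events are constructed for illustration, and it assumes that the ScanID appears in the event message as "Scan ID: {GUID}".

```powershell
# Added example, not from the original article. Assumption: the event message
# carries the scan identifier as "Scan ID: {GUID}".
function Get-ScanId {
    param([string]$Message)
    if ($Message -match 'Scan ID:\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] }
}

function Get-ScanInProgress {
    param([Parameter(Mandatory)][object[]]$Events)

    $ordered   = $Events | Sort-Object TimeCreated          # oldest first
    $lastStart = $ordered | Where-Object { $_.Id -eq 1000 } | Select-Object -Last 1
    if (-not $lastStart) { return }                          # no scan start logged

    $scanId = Get-ScanId $lastStart.Message
    if (-not $scanId) { throw 'Last EventID 1000 has no parsable ScanID.' }

    # A 1001 or 1002 with the same ScanID after the start means the scan ended.
    $stop = $ordered | Where-Object {
        ($_.Id -in 1001, 1002) -and
        ($_.TimeCreated -ge $lastStart.TimeCreated) -and
        ((Get-ScanId $_.Message) -eq $scanId)
    } | Select-Object -First 1
    if ($stop) { return }

    [pscustomobject]@{ ScanId = $scanId; StartTime = $lastStart.TimeCreated }
}

# Constructed sample events (not real log data): scan A has a stop event, scan B does not.
$a = '{11111111-1111-1111-1111-111111111111}'
$b = '{22222222-2222-2222-2222-222222222222}'
$sample = @(
    [pscustomobject]@{ Id = 1000; TimeCreated = [datetime]'2024-01-10T02:00:00'; Message = "Scan ID: $a" }
    [pscustomobject]@{ Id = 1001; TimeCreated = [datetime]'2024-01-10T02:40:00'; Message = "Scan ID: $a" }
    [pscustomobject]@{ Id = 1000; TimeCreated = [datetime]'2024-01-11T07:55:00'; Message = "Scan ID: $b" }
)
Get-ScanInProgress -Events $sample

# On a live system, feed it the filtered System log instead:
# $events = Get-WinEvent -FilterHashtable @{
#     LogName = 'System'; ProviderName = 'Microsoft Antimalware'; Id = 1000, 1001, 1002 }
# Get-ScanInProgress -Events $events
```

The function returns nothing when the last scan start already has a matching stop event, which means that no scan is in progress.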