In our software, we listen to windows defender events and shoot off software specific alerts based on them.
We expected to always see 1000-1001 pairings 1000: scan started 1001: scan completed
What they've done for one test is they have a virus on a cd to trigger the scan to see if we get the detected alert. That all works, but instead of seeing the expected 1000 then 1001, we see 1000 then eventually a 1118, which we know means MALWAREPROTECTION_STATE_MALWARE_ACTION_FAILED
the error code for the 1118 was
<Data Name="Error Code">0x80070005</Data>
basically "access denied". Makes sense to me being a virus on a CD.
My question is, should we still get the 1001 in this case or is the 1118 event an alternative "I'm done" and we should not expect the 1001 at this point?
Have not found any documentation on this.
User contributions licensed under CC BY-SA 3.0