Microsoft Windows Defender Anti-Virus and App Volumes Scanning Behavior

by | May 15, 2023 | VMware Horizon View


Have you ever been curious about the process that takes place when you initiate an on-demand launch of an App Volumes application on a Windows desktop? Specifically, let’s consider a scenario where we have a Windows 10 Operating System with its default Windows Defender antivirus program. In the screenshot provided, we can observe the behavior of the real-time scanning feature of Windows Defender Antivirus.

To provide some context, the Windows Defender Antivirus program is designed to protect your system from potential threats by continuously monitoring files, programs, and activities on your computer. When you launch an App Volumes application on demand, Windows Defender Antivirus kicks in to scan the application and associated files in real time. Notice that their is a new drive mounted with that application. It is aware of that as well.

In the case of the screenshot I mentioned, the machine where the application was launched was connected to the internet. Windows Defender Antivirus, as part of its functionality, relies on internet connectivity to enhance its scanning capabilities. It utilizes the internet to download the latest virus definition updates, access cloud-based protection services, and analyze potential threats against known patterns and signatures.



  1. Provision and entitle an application to be delivered to a user or computer on demand from the App Volumes Manager.
  2. Start Process Monitor from Microsoft.
  3. Observe results upon clicking on the shortcut in the Process Monitor software.

You can download the Process Monitor from Microsoft Here