How fast is Microsoft Defender real-time protection at stopping a threat?


The instant only applies to the trigger that a new file has appeared. So in that time the file is still in blocking mode until the scanner gives the heads-up that all is clean, and then it is released to the OS/software or the user. That said, virus-free files are also blocked until they're known good.
The scanning of the file is of course not instant (of course the trigger to scan a new file might appear instant, but only after the trigger has run that a new file has appeared), as it takes some time to check the file, depending on size and internal complexity. The offline scanner is then of course faster in detection, as it does not send info out to the internet and receive data back on whether the file is OK or not. However, the dataset used in the offline scanner is smaller, so it does not detect as much as online scanners, or have the most recent info on new virus cases.

Example: if you look up at the sky and there is a plane, you see that instantly. However, it might take some time for you to determine what kind of plane it is.
Does Defender try the online scanner first, and if there is no internet connection or it can't connect to the cloud server, then try the offline scanner?

Is the offline scanner only a backup scanner, in case the online scanner fails?

But what if the hash of the file is newer than the local Defender signature update?
Will the offline scanner then still try to scan the file?

Thank you
Does Defender try the online scanner first, and if there is no internet connection or it can't connect to the cloud server, then try the offline scanner?
Yes, or the user has turned off the cloud scanner.
Is the offline scanner only a backup scanner, in case the online scanner fails?
They might work hand in hand. (I don't know all the internals.)
But what if the hash of the file is newer than the local Defender signature update?
Will the offline scanner then still try to scan the file?
Yes, it will still scan the file, even if a file looks clean.
Then it uses heuristic analysis, examining the file's behaviour and structure/code patterns to identify suspicious characteristics (like code obfuscation), and flags it.
Also behavioural monitoring when a process is started, looking for malicious activity.
When those things happen, and the user has the option on to send sample files to the cloud, then the file is uploaded and run in a sandbox environment to analyse it in more depth. If it triggers enough parameters, it automatically gets added to the definitions, or an engineer will look at and study the file.

One more thing besides the virus scanner: applications have reputation (SmartScreen). SmartScreen runs on every Windows computer (if users have not turned it off), and for every exe file you execute, SmartScreen sends data to Microsoft that that app was started on that machine. Every app you start, yes!
So when a software engineer publishes his first app on day 1, it has a bad reputation, and you get a warning not to trust those files, but you can run them. The longer the software is around and the more users use it, and the engineer causes no issues with stability and introduces no malware-like things in the app, the higher reputation it gets, and the warning for that app will go away.
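To check on a specific machine whether the cloud scanner, sample submission and behaviour monitoring discussed above are actually on, and how old the local signatures that the offline scanner relies on are, here is an added PowerShell example (not from the thread or from Microsoft); it assumes the Defender module that ships with Windows and an elevated prompt.

```powershell
# Added example (not from the thread): audit the Defender settings the replies above
# depend on - cloud (MAPS) lookup, sample submission, behaviour monitoring and the
# age of the local signatures that the offline scanner falls back on.
# Assumes the built-in Defender PowerShell module; run from an elevated prompt.

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Cloud-delivered protection: 0 = Disabled, 1 = Basic, 2 = Advanced
$mapsNames   = @{ 0 = 'Disabled'; 1 = 'Basic'; 2 = 'Advanced' }
# Sample submission: 0 = Always prompt, 1 = Send safe samples, 2 = Never send, 3 = Send all
$sampleNames = @{ 0 = 'AlwaysPrompt'; 1 = 'SendSafeSamples'; 2 = 'NeverSend'; 3 = 'SendAllSamples' }

$findings = [ordered]@{
    'Real-time protection'        = $status.RealTimeProtectionEnabled
    'Behaviour monitoring'        = $status.BehaviorMonitorEnabled
    'Cloud protection (MAPS)'     = $mapsNames[[int]$pref.MAPSReporting]
    'Cloud block level'           = $pref.CloudBlockLevel
    'Cloud timeout extension (s)' = $pref.CloudExtendedTimeout
    'Sample submission'           = $sampleNames[[int]$pref.SubmitSamplesConsent]
    'Signature version'           = $status.AntivirusSignatureVersion
    'Signature age (days)'        = $status.AntivirusSignatureAge
}

# Print the settings as a simple aligned table
$findings.GetEnumerator() | ForEach-Object {
    '{0,-28} : {1}' -f $_.Key, $_.Value
}

# Flag the conditions the replies describe as weakening detection
if ($pref.MAPSReporting -eq 0) {
    Write-Warning 'Cloud scanner is off: only the smaller offline signature set and heuristics apply.'
}
if ($pref.SubmitSamplesConsent -eq 2) {
    Write-Warning 'Sample submission is off: unknown files will not be sandboxed in the cloud.'
}
if ($status.AntivirusSignatureAge -gt 1) {
    Write-Warning "Local signatures are $($status.AntivirusSignatureAge) day(s) old; run Update-MpSignature."
}
if (-not $status.BehaviorMonitorEnabled) {
    Write-Warning 'Behaviour monitoring is disabled.'
}
```

The numeric meanings of MAPSReporting and SubmitSamplesConsent are the ones documented for Set-MpPreference, so the same script can be adapted to re-enable a setting with that cmdlet.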
