0
(0)

You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See Recommendations for defining exclusions before defining your exclusion lists.

This article describes how to configure exclusion lists.

Examples of exclusions

EXAMPLES OF EXCLUSIONS
Exclusion Example
Any file on the machine that is opened by any process with a specific file name Specifying test.exe would exclude files opened by:c:\sample\test.exe

d:\internal\files\test.exe

Any file on the machine that is opened by any process under a specific folder Specifying c:\test\sample\* would exclude files opened by:c:\test\sample\test.exe

c:\test\sample\test2.exe

c:\test\sample\utility.exe

Any file on the machine that is opened by a specific process in a specific folder Specifying c:\test\process.exe would exclude files only opened by c:\test\process.exe

When you add a process to the process exclusion list, Microsoft Defender Antivirus won’t scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the file exclusion list.

The exclusions only apply to always-on real-time protection and monitoring. They don’t apply to scheduled or on-demand scans.

Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app. However, changes made in the Windows Security app will not show in the Group Policy lists.

You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.

You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.

By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.

You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment settings.

Configure the list of exclusions for files opened by specified processes

Use Microsoft Intune to exclude files that have been opened by specified processes from scans

See Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune for more details.

Use Microsoft Endpoint Manager to exclude files that have been opened by specified processes from scans

See How to create and deploy antimalware policies: Exclusion settings for details on configuring Microsoft Endpoint Manager (current branch).

Use Group Policy to exclude files that have been opened by specified processes from scans

  1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.
  2. In the Group Policy Management Editor go to Computer configuration and click Administrative templates.
  3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions.
  4. Double-click Process Exclusions and add the exclusions:
    1. Set the option to Enabled.
    2. Under the Options section, click Show….
    3. Enter each process on its own line under the Value name column. See the example table for the different types of process exclusions. Enter 0 in the Value column for all processes.
  5. Click OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans

Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.

The format for the cmdlets is:

PowerShell

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

TABLE 2
Configuration action PowerShell cmdlet
Create or overwrite the list Set-MpPreference
Add to the list Add-MpPreference
Remove items from the list Remove-MpPreference

 Important

If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.

For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file that is opened by the specified process:

PowerShell

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and Microsoft Defender Antivirus cmdlets.

Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans

Use the SetAdd, and Remove methods of the MSFT_MpPreference class for the following properties:

WMI

ExclusionProcess

The use of SetAdd, and Remove is analogous to their counterparts in PowerShell: Set-MpPreferenceAdd-MpPreference, and Remove-MpPreference.

For more information and allowed parameters, see Windows Defender WMIv2 APIs.

Use the Windows Security app to exclude files that have been opened by specified processes from scans

See Add exclusions in the Windows Security app for instructions.

Use wildcards in the process exclusion list

The use of wildcards in the process exclusion list is different from their use in other exclusion lists.

In particular, you cannot use the question mark (?) wildcard, and the asterisk (*) wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.

The following table describes how the wildcards can be used in the process exclusion list:

USE WILDCARDS IN THE PROCESS EXCLUSION LIST
Wildcard Example use Example matches
* (asterisk)Replaces any number of characters C:\MyData\* Any file opened by C:\MyData\file.exe
Environment variablesThe defined variable is populated as a path when the exclusion is evaluated %ALLUSERSPROFILE%\CustomLogFiles\file.exe Any file opened by C:\ProgramData\CustomLogFiles\file.exe

Review the list of exclusions

You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, Microsoft Endpoint Configuration ManagerIntune, or the Windows Security app.

If you use PowerShell, you can retrieve the list in two ways:

  • Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
  • Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of Add-MpPreference is written to a new line.

Validate the exclusion list by using MpCmdRun

To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:

DOS

MpCmdRun.exe -CheckExclusion -path <path>

 Note

Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.

Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell

Use the following cmdlet:

PowerShell

Get-MpPreference

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.

Retrieve a specific exclusions list by using PowerShell

Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name the variable:

PowerShell

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess

See Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets for more information on how to use PowerShell with Microsoft Defender Antivirus.

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

(Visited 13 times, 1 visits today)