Επεξεργασία

Κοινή χρήση μέσω


Exclusions overview

Microsoft Defender for Endpoint and Defender for Business includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. Microsoft preconfigures the product to perform well on the operating system that it's installed. No other changes should be needed. Despite preconfigured settings, sometimes unexpected behaviors occur. Here are some examples:

  • False positives: Files, folders, or processes that aren't actually a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though they're not a threat.
  • Performance issues: Systems experience an unexpected performance impact when running with Defender for Endpoint
  • Application compatibility issues: Applications experience unexpected behavior when running with Defender for Endpoint

Creating an exclusion is one possible approach for addressing these types of issues. But often there are other steps you can take. In addition to providing an overview of indicators and exclusions, this article includes Alternatives to creating exclusions and allow indicators.

Note

Creating an indicator or an exclusion should only be considered after thoroughly understanding the root cause of the unexpected behavior.

Examples of issues and steps to consider

Example scenario Steps to consider
False positive: An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. 1. Review and classify alerts that were generated as a result of the detected entity.
2. Suppress an alert for a known entity.
3. Review remediation actions that were taken for the detected entity.
4. Submit the false positive to Microsoft for analysis.
5. Define an indicator or an exclusion for the entity (only if necessary).
Performance issues such as one of the following issues:
- A system is having high CPU usage or other performance issues.
- A system is having memory leak issues.
- An app is slow to load on devices.
- An app is slow to open a file on devices.
1. Collect diagnostic data for Microsoft Defender Antivirus.
2. If you're using a non-Microsoft antivirus solution, Check with the vendor for known issues with antivirus products.
3. Review performance logs (see Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI) to determine the estimated performance impact. For performance-specific issues related to Microsoft Defender Antivirus, use the Performance analyzer for Microsoft Defender Antivirus.
4. Define an exclusion for Microsoft Defender Antivirus (if necessary).
5. Create an indicator for Defender for Endpoint (only if necessary).
Compatibility issues with non-Microsoft antivirus products.
Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution.
1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, set Microsoft Defender Antivirus to passive mode.
2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see Make the switch to Defender for Endpoint. This guidance includes:
- Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution;
- Exclusions you might need to define for Microsoft Defender Antivirus; and
- Troubleshooting information (just in case something goes wrong while migrating).
Compatibility with applications.
Example: Applications are crashing or experiencing unexpected behaviors after a device is onboarded to Microsoft Defender for Endpoint.
See Address unwanted behaviors in Microsoft Defender for Endpoint with exclusions, indicators, and other techniques.

Alternatives to creating exclusions and allow indicators

Creating an exclusion or an allow indicator creates a protection gap. These techniques should only be used after determining the root cause of the issue. Until that determination is made, consider these alternatives:

  • Submit a file to Microsoft for analysis
  • Suppress an alert

Submitting files for analysis

If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasn't detected (a false negative), you can submit the file to Microsoft for analysis. Your submission is scanned immediately, and will then be reviewed by Microsoft security analysts. You're able to check the status of your submission on the submission history page.

Submitting files for analysis helps reduce false positives and false negatives for all customers. To learn more, see the following articles:

Suppressing alerts

If you're getting alerts in the Microsoft Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts. To suppress an alert, you create a suppression rule, and specify what actions to take for that on other, identical alerts. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title across your organization.

To learn more, see the following articles:

Types of exclusions

There are several different types of exclusions to consider. Some types of exclusions affect multiple capabilities in Defender for Endpoint, whereas other types are specific to Microsoft Defender Antivirus.

For information about indicators, see Overview of indicators in Microsoft Defender for Endpoint.

Custom exclusions

Microsoft Defender for Endpoint allows you to configure custom exclusions to optimize performance and avoid false positives. The types of exclusions you can set vary by Defender for Endpoint capabilities and by operating systems.

The following table summarizes types of custom exclusions that you can define. Note the scope for each exclusion type.

Exclusion types Scope Use cases
Custom Defender for Endpoint exclusions Antivirus
Attack surface reduction rules
Defender for Endpoint
Network Protection
A file, folder, or process is identified as malicious, even though it's not a threat.

An application encounters unexpected performance or application compatibility issue when running with Defender for Endpoint
Defender for Endpoint attack surface reduction exclusions Attack surface reduction rules An attack surface reduction rule causes unexpected behavior.
Defender for Endpoint automation folder exclusions Automated investigation and response Automated investigation and remediation take action on a file, extension, or directory that should be done manually.
Defender for Endpoint controlled folder access exclusions Controlled folder access Controlled folder access blocks an application from accessing a protected folder.
Defender for Endpoint File and Certificate Allow Indicators Antivirus
Attack surface reduction rules
Controlled folder access
A file or process signed by a certificate is identified as malicious even through it's not.
Defender for Endpoint Domain/URL and IP address Indicators Network Protection
SmartScreen
Web Content Filtering
SmartScreen reports a false positive.

You want to override a Web Content Filtering block on a specific site.

Note

Network protection is directly impacted by process exclusions on all platforms. A process exclusion on any OS (Windows, MacOS, Linux) results in preventing Network Protection from inspecting traffic or enforcing rules for that specific process.

Exclusions on Mac

For macOS, you can define exclusions that apply to on-demand scans, real-time protection, and monitoring. The supported exclusion types include:

  • File extension: Exclude all files with a specific extension.
  • File: Exclude a specific file identified by its full path.
  • Folder: Exclude all files under a specified folder recursively.
  • Process: Exclude a specific process and all files opened by it.

For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.

Exclusions on Linux

On Linux, you can configure both antivirus and global exclusions.

  • Antivirus exclusions: Apply to on-demand scans, real-time protection (RTP), and behavior monitoring (BM).
  • Global exclusions: Apply to real-time protection (RTP), behavior monitoring (BM), and endpoint detection and response (EDR), stopping all associated antivirus detections and EDR alerts.

For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.

Exclusions on Windows

Microsoft Defender Antivirus can be configured to exclude combinations of processes, files, and extensions from scheduled scans, on-demand scans, and real-time protection. See Configure custom exclusions for Microsoft Defender Antivirus.

For more granular control that helps minimize protection gaps, consider using Contextual file and process exclusions.

Antivirus preconfigured exclusions

These exclusion types are preconfigured in Microsoft Defender for Endpoint for Microsoft Defender Antivirus.

Exclusion types Configuration Description
Automatic Microsoft Defender Antivirus exclusions Automatic Automatic Exclusions for server roles and features in Windows Server. When you install a role on Windows Server 2016 or later, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.
These exclusions are only for active roles on Windows Server 2016 and later.
Built-in Microsoft Defender Antivirus exclusions Automatic Microsoft Defender Antivirus includes built-in exclusions for operating system files on all versions of Windows.

Automatic server role exclusions

Automatic server role exclusions include exclusions for server roles and features in Windows Server 2016 and later. These exclusions aren't scanned by real-time protection but are still subject to quick, full, or on-demand antivirus scans.

Examples include:

  • File Replication Service (FRS)
  • Hyper-V
  • SYSVOL
  • Active Directory
  • DNS Server
  • Print Server
  • Web Server
  • Windows Server Update Services
  • ...and more.

Note

Automatic exclusions for server roles aren't supported on Windows Server 2012 R2. For servers running Windows Server 2012 R2 with the Active Directory Domain Services (AD DS) server role installed, exclusions for domain controllers must be specified manually. See Active Directory exclusions.

For more information, see Automatic server role exclusions.

Built-in antivirus exclusions

Built-in antivirus exclusions include certain operating system files that are excluded by Microsoft Defender Antivirus on all versions of Windows (including Windows 10, Windows 11, and Windows Server).

Examples include:

  • %windir%\SoftwareDistribution\Datastore\*\Datastore.edb
  • %allusersprofile%\NTUser.pol
  • Windows Update files
  • Windows Security files
  • ... and more.

The list of built-in exclusions in Windows is kept up to date as the threat landscape changes. To learn more about these exclusions, see Microsoft Defender Antivirus exclusions on Windows Server: Built-in exclusions.

Attack surface reduction exclusions

Attack surface reduction rules (also known as ASR rules) target certain software behaviors, such as:

  • Launching executable files and scripts that attempt to download or run files
  • Running scripts that seem to be obfuscated or otherwise suspicious
  • Performing behaviors that apps don't usually initiate during normal day-to-day work

Sometimes, legitimate applications exhibit software behaviors that could be blocked by attack surface reduction rules. If that's occurring in your organization, you can define exclusions for certain files and folders. Such exclusions are applied to all attack surface reduction rules. See Enable attack surface reduction rules.

Note

Attack surface reduction rules honor process exclusions, but not all attack surface reduction rules honor Microsoft Defender Antivirus exclusions. See Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules.

Automation folder exclusions

Automation folder exclusions apply to automated investigation and remediation in Defender for Endpoint, which is designed to examine alerts and take immediate action to resolve detected breaches. As alerts are triggered, and an automated investigation runs, a verdict (Malicious, Suspicious, or No threats found) is reached for each piece of evidence investigated. Depending on the automation level and other security settings, remediation actions can occur automatically or only upon approval by your security operations team.

You can specify folders, file extensions in a specific directory, and file names to be excluded from automated investigation and remediation capabilities. Such automation folder exclusions apply to all devices onboarded to Defender for Endpoint. These exclusions are still subject to antivirus scans.

For more information, see Manage automation folder exclusions.

Controlled folder access exclusions

Controlled folder access monitors apps for activities that are detected as malicious and protects the contents of certain (protected) folders on Windows devices. Controlled folder access allows only trusted apps to access protected folders, such as common system folders (including boot sectors) and other folders that you specify. You can allow certain apps or signed executables to access protected folders by defining exclusions.

For more information, See Customize controlled folder access.

Custom remediation actions

When Microsoft Defender Antivirus detects a potential threat while running a scan, it attempts to remediate or remove the detected threat. You can define custom remediation actions to configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.

For more information, see Configure remediation actions for Microsoft Defender Antivirus detections.

How exclusions and indicators are evaluated

Most organizations have several different types of exclusions and indicators to determine whether users should be able to access and use a file or process. Exclusions and indicators are processed in a particular order so that policy conflicts are handled systematically.

Here's how it works:

  1. If a detected file/process isn't allowed by Windows Defender Application Control and AppLocker, it's blocked. Otherwise, it proceeds to Microsoft Defender Antivirus.

  2. If the detected file/process isn't part of an exclusion for Microsoft Defender Antivirus, it's blocked. Otherwise, Defender for Endpoint checks for a custom indicator for the file/process.

  3. If the detected file/process has a Block or Warn indicator, that action is taken. Otherwise, the file/process is allowed, and proceeds to evaluation by attack surface reduction rules, controlled folder access, and SmartScreen protection.

  4. If the detected file/process isn't blocked by attack surface reduction rules, controlled folder access, or SmartScreen protection, it proceeds to Microsoft Defender Antivirus.

  5. If the detected file/process isn't allowed by Microsoft Defender Antivirus, it's checked for an action based on its threat ID.

How policy conflicts are handled

In cases where Defender for Endpoint indicators conflict, here's what to expect:

  • If there are conflicting file indicators, the indicator that uses the most secure hash is applied. For example, SHA256 takes precedence over SHA-1, which takes precedence over MD5.

  • If there are conflicting URL indicators, the more strict indicator is used. For Microsoft Defender SmartScreen, an indicator that uses the longest URL path is applied. For example, www.dom.ain/admin/ takes precedence over www.dom.ain. (Network protection applies to domains, rather than subpages within a domain.)

  • If there are similar indicators for a file or process that have different actions, the indicator that is scoped to a specific device group takes precedence over an indicator that targets all devices.

How automated investigation and remediation works with indicators

Automated investigation and remediation capabilities in Defender for Endpoint first determine a verdict for each piece of evidence, and then take an action depending on Defender for Endpoint indicators. Thus, a file/process could get a verdict of "good" (which means no threats were found) and still be blocked if there's an indicator with that action. Similarly, an entity could get a verdict of "bad" (which means it's determined to be malicious) and still be allowed if there's an indicator with that action.

For more information, see automated investigation and remediation and indicators.

Other server workloads and exclusions

If your organization is using other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, keep in mind that only built-in server roles (that could be prerequisites for software you install later) on Windows Server are excluded by automatic server role exclusions feature (and only when using their default installation location). You'll likely need to define antivirus exclusions for these other workloads, or for all workloads if you disable automatic exclusions.

Here are some examples of technical documentation to identify and implement the exclusions you need:

Depending on what you're using, you might need to refer to the documentation for that server workload.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.