Configure and validate exclusions based on file extension and folder location
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
Platforms
- Windows
You can define exclusions for Microsoft Defender Antivirus that apply to scheduled scans, on-demand scans, and always-on, real-time protection and monitoring. Generally, you don't need to apply exclusions. If you do need to apply exclusions, then you can choose from the following types:
- Exclusions based on file extensions and folder locations (described in this article)
- Exclusions for files that are opened by processes
Important
Microsoft Defender Antivirus exclusions do apply to some Microsoft Defender for Endpoint capabilities, such as attack surface reduction rules. Some Microsoft Defender Antivirus exclusions are applicable to some ASR rule exclusions. See Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules. Files that you exclude using the methods described in this article can still trigger Endpoint Detection and Response (EDR) alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint custom indicators.
Before you begin
See Recommendations for defining exclusions before defining your exclusion lists.
Exclusion lists
To exclude certain files from Microsoft Defender Antivirus scans, modify your exclusion lists. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.
Note
Exclusions apply to potentially unwanted apps (PUA) detections as well. Automatic exclusions apply only to Windows Server 2016 and later. These exclusions are not visible in the Windows Security app and in PowerShell.
The following table lists some examples of exclusions based on file extension and folder location.
Exclusion | Examples | Exclusion list |
---|---|---|
Any file with a specific extension | All files with the specified extension, anywhere on the machine. Valid syntax: .test and test |
Extension exclusions |
Any file or folder under a specific folder | All files and folders under the c:\test\sample folder |
File and folder exclusions |
A specific file in a specific folder | The file c:\sample\sample.test only |
File and folder exclusions |
A specific process | The executable file c:\test\process.exe |
File and folder exclusions |
Characteristics of exclusion lists
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder isn't defined.
Important notes about exclusions based on file extensions and folder locations
Using wildcards such as the asterisk (*) alters how exclusion rules are interpreted. See the section, Use wildcards in the file name and folder path or extension exclusion lists for important information about how wildcards work.
Don't exclude mapped network drives. Specify the actual network path.
Folders that are reparse points are created after the Microsoft Defender Antivirus service starts, and those that were added to the exclusion list aren't included. Restart the service by restarting Windows for new reparse points to be recognized as a valid exclusion target.
Exclusions apply to scheduled scans, on-demand scans, and real-time protection, but not across all Defender for Endpoint capabilities. To define exclusions across Defender for Endpoint, use custom indicators.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) are merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts. In addition, exclusion list changes made with Group Policy are visible in the Windows Security app.
To allow local changes to override managed deployment settings, configure how locally and globally defined exclusions lists are merged.
Configure the list of exclusions based on folder name or file extension
You can choose from several methods to define exclusions for Microsoft Defender Antivirus.
Use Intune to configure file name, folder, or file extension exclusions
See the following articles:
- Configure device restriction settings in Microsoft Intune
- Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune
Use Configuration Manager to configure file name, folder, or file extension exclusions
See How to create and deploy antimalware policies: Exclusion settings for details on configuring Microsoft Configuration Manager (current branch).
Use Group Policy to configure folder or file extension exclusions
Note
If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and sub-directories under that folder are excluded.
On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select Edit.
In the Group Policy Management Editor go to Computer configuration, and select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions.
Open the Path Exclusions setting for editing, and add your exclusions.
Set the option to Enabled.
Under the Options section, select Show.
Specify each folder on its own line under the Value name column.
If you're specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension.
Enter 0 in the Value column.
Choose OK.
Open the Extension Exclusions setting for editing and add your exclusions.
Set the option to Enabled.
Under the Options section, select Show.
Enter each file extension on its own line under the Value name column.
Enter 0 in the Value column.
Choose OK.
Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and appropriate exclusion list parameter. The cmdlets are all in the Defender module.
The format for the cmdlets is as follows:
<cmdlet> -<exclusion list> "<item>"
The following table lists cmdlets that you can use in the <cmdlet>
portion of the PowerShell cmdlet:
Configuration action | PowerShell cmdlet |
---|---|
Create or overwrite the list | Set-MpPreference |
Add to the list | Add-MpPreference |
Remove item from the list | Remove-MpPreference |
The following table lists values that you can use in the <exclusion list>
portion of the PowerShell cmdlet:
Exclusion type | PowerShell parameter |
---|---|
All files with a specified file extension | -ExclusionExtension |
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath |
Important
If you have created a list, either with Set-MpPreference
or Add-MpPreference
, using the Set-MpPreference
cmdlet again overwrites the existing list.
For example, the following code snippet would cause Microsoft Defender Antivirus scans to exclude any file with the .test
file extension:
Add-MpPreference -ExclusionExtension ".test"
Tip
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions
Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:
ExclusionExtension
ExclusionPath
Using Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference
, Add-MpPreference
, and Remove-MpPreference
.
Tip
For more information, see Windows Defender WMIv2 APIs.
Use the Windows Security app to configure file name, folder, or file extension exclusions
See Add exclusions in the Windows Security app for instructions.
Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk *
, question mark ?
, or environment variables (such as %ALLUSERSPROFILE%
) as wildcards when defining items in the file name or folder path exclusion list. You can mix and match *
and ?
and environment variables into a single exclusion. The way these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
Important
There are key limitations and usage scenarios for these wildcards:
- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
- You can only use a maximum of six wildcards per entry.
- You cannot use a wildcard in place of a drive letter.
- An asterisk
*
in a folder exclusion stands in place for a single folder. Use multiple instances of\*\
to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
Wildcard | Examples |
---|---|
* (asterisk) In file name and file extension inclusions, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. In folder exclusions, the asterisk replaces a single folder. Use multiple * with folder slashes \ to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. |
C:\MyData\*.txt includes C:\MyData\notes.txt C:\somepath\*\Data includes any file in C:\somepath\Archives\Data and its subfolders, and C:\somepath\Authorized\Data and its subfolders C:\Serv\*\*\Backup includes any file in C:\Serv\Primary\Denied\Backup and its subfolders, and C:\Serv\Secondary\Allowed\Backup and its subfolders |
? (question mark) In file name and file extension inclusions, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. In folder exclusions, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |
C:\MyData\my?.zip includes C:\MyData\my1.zip C:\somepath\?\Data includes any file in C:\somepath\P\Data and its subfolders C:\somepath\test0?\Data would include any file in C:\somepath\test01\Data and its subfolders |
Environment variables The defined variable is populated as a path when the exclusion is evaluated. |
%ALLUSERSPROFILE%\CustomLogFiles would include C:\ProgramData\CustomLogFiles\Folder1\file1.txt |
Mix and Match Environment variables * and ? can be combined into a single exclusion |
%PROGRAMFILES%\Contoso*\v?\bin\contoso.exe would include c:\Program Files\Contoso Labs\v1\bin\contoso.exe |
Important
If you mix a file exclusion argument with a folder exclusion argument, the rules stop at the file argument match in the matched folder, and don't look for file matches in any subfolders.
For example, you can exclude all files that start with "date" in the folders c:\data\final\marked
and c:\data\review\marked
by using the rule argument c:\data\*\marked\date*
.
This argument doesn't match any files in subfolders under c:\data\final\marked
or c:\data\review\marked
.
System environment variables
The following table lists and describes the system account environment variables.
This system environment variable... | Redirects to this |
---|---|
%APPDATA% |
C:\Windows\system32\config\systemprofile\Appdata\Roaming |
%APPDATA%\Microsoft\Internet Explorer\Quick Launch |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch |
%APPDATA%\Microsoft\Windows\Start Menu |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu |
%APPDATA%\Microsoft\Windows\Start Menu\Programs |
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs |
%LOCALAPPDATA% |
C:\WINDOWS\system32\config\systemprofile\AppData\Local |
%ProgramData% |
C:\ProgramData |
%ProgramFiles% |
C:\Program Files |
%ProgramFiles%\Common Files |
C:\Program Files\Common Files |
%ProgramFiles%\Windows Sidebar\Gadgets |
C:\Program Files\Windows Sidebar\Gadgets |
%ProgramFiles%\Common Files |
C:\Program Files\Common Files |
%ProgramFiles(x86)% |
C:\Program Files (x86) |
%ProgramFiles(x86)%\Common Files |
C:\Program Files (x86)\Common Files |
%SystemDrive% |
C: |
%SystemDrive%\Program Files |
C:\Program Files |
%SystemDrive%\Program Files (x86) |
C:\Program Files (x86) |
%SystemDrive%\Users |
C:\Users |
%SystemDrive%\Users\Public |
C:\Users\Public |
%SystemRoot% |
C:\Windows |
%windir% |
C:\Windows |
%windir%\Fonts |
C:\Windows\Fonts |
%windir%\Resources |
C:\Windows\Resources |
%windir%\resources\0409 |
C:\Windows\resources\0409 |
%windir%\system32 |
C:\Windows\System32 |
%ALLUSERSPROFILE% |
C:\ProgramData |
%ALLUSERSPROFILE%\Application Data |
C:\ProgramData\Application Data |
%ALLUSERSPROFILE%\Documents |
C:\ProgramData\Documents |
%ALLUSERSPROFILE%\Documents\My Music\Sample Music |
C:\ProgramData\Documents\My Music\Sample Music |
%ALLUSERSPROFILE%\Documents\My Music |
C:\ProgramData\Documents\My Music |
%ALLUSERSPROFILE%\Documents\My Pictures |
C:\ProgramData\Documents\My Pictures |
%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures |
C:\ProgramData\Documents\My Pictures\Sample Pictures |
%ALLUSERSPROFILE%\Documents\My Videos |
C:\ProgramData\Documents\My Videos |
%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore |
C:\ProgramData\Microsoft\Windows\DeviceMetadataStore |
%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer |
C:\ProgramData\Microsoft\Windows\GameExplorer |
%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones |
C:\ProgramData\Microsoft\Windows\Ringtones |
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu |
C:\ProgramData\Microsoft\Windows\Start Menu |
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs |
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools |
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp |
%ALLUSERSPROFILE%\Microsoft\Windows\Templates |
C:\ProgramData\Microsoft\Windows\Templates |
%ALLUSERSPROFILE%\Start Menu |
C:\ProgramData\Start Menu |
%ALLUSERSPROFILE%\Start Menu\Programs |
C:\ProgramData\Start Menu\Programs |
%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools |
C:\ProgramData\Start Menu\Programs\Administrative Tools |
%ALLUSERSPROFILE%\Templates |
C:\ProgramData\Templates |
%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates |
%LOCALAPPDATA%\Microsoft\Windows\History |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History |
%PUBLIC% |
C:\Users\Public |
%PUBLIC%\AccountPictures |
C:\Users\Public\AccountPictures |
%PUBLIC%\Desktop |
C:\Users\Public\Desktop |
%PUBLIC%\Documents |
C:\Users\Public\Documents |
%PUBLIC%\Downloads |
C:\Users\Public\Downloads |
%PUBLIC%\Music\Sample Music |
C:\Users\Public\Music\Sample Music |
%PUBLIC%\Music\Sample Playlists |
C:\Users\Public\Music\Sample Playlists |
%PUBLIC%\Pictures\Sample Pictures |
C:\Users\Public\Pictures\Sample Pictures |
%PUBLIC%\RecordedTV.library-ms |
C:\Users\Public\RecordedTV.library-ms |
%PUBLIC%\Videos |
C:\Users\Public\Videos |
%PUBLIC%\Videos\Sample Videos |
C:\Users\Public\Videos\Sample Videos |
%USERPROFILE% |
C:\Windows\system32\config\systemprofile |
%USERPROFILE%\AppData\Local |
C:\Windows\system32\config\systemprofile\AppData\Local |
%USERPROFILE%\AppData\LocalLow |
C:\Windows\system32\config\systemprofile\AppData\LocalLow |
%USERPROFILE%\AppData\Roaming |
C:\Windows\system32\config\systemprofile\AppData\Roaming |
Review the list of exclusions
You can retrieve the items in the exclusion list by using one of the following methods:
Important
Exclusion list changes made with Group Policy will show in the lists of Windows Security app. Changes made in the Windows Security app will not show in the Group Policy lists.
If you use PowerShell, you can retrieve the list in the following two ways:
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you're interested in. Each use of
Add-MpPreference
is written to a new line.
Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated command-line tool mpcmdrun.exe, use the following command:
Start, CMD (Run as admin)
cd "%programdata%\microsoft\windows defender\platform"
cd 4.18.2111-5.0 (Where 4.18.2111-5.0 is this month's Microsoft Defender Antivirus "Platform Update".)
MpCmdRun.exe -CheckExclusion -path <path>
Note
Checking exclusions with MpCmdRun
requires Microsoft Defender Antivirus version 4.18.2111-5.0 (released in December 2021) or later.
Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
Get-MpPreference
In the following example, the items contained in the ExclusionExtension
list are highlighted:
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name the variable:
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
In the following example, the list is split into new lines for each use of the Add-MpPreference
cmdlet:
For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.
Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using PowerShell with either the Invoke-WebRequest
cmdlet or the .NET WebClient class to download a test file.
In the following PowerShell snippet, replace test.txt
with a file that conforms to your exclusion rules. For example, if you're excluding the .testing
extension, replace test.txt
with test.testing
. If you're testing a path, make sure that you run the cmdlet within that path.
Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt"
If Microsoft Defender Antivirus reports malware, then the rule isn't working. If there's no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR test file website.
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the Invoke-WebRequest
cmdlet; replace c:\test.txt
with a file that conforms to the rule you're validating:
$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
If you don't have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you're attempting to exclude.
See also
- Configure and validate exclusions in Microsoft Defender Antivirus scans
- Configure and validate exclusions for files opened by processes
- Configure Microsoft Defender Antivirus exclusions on Windows Server
- Common mistakes to avoid when defining exclusions
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.