deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2945 from MicrosoftDocs/jreeds-antivurus11

Browse Source 
updated files names to microsoft-defender-antivirus
This commit is contained in:
jreeds 2020-05-29 12:29:13 -07:00 committed by GitHub
commit 2f09c9f4aa
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 0 additions and 1955 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
View File

@ -1,45 +0,0 @@
---
title: Manage Windows Defender in your business
description: Learn how to use Group Policy, Configuration Manager, PowerShell, WMI, Intune, and the command line to manage Windows Defender AV
keywords: group policy, gpo, config manager, sccm, scep, powershell, wmi, intune, defender, antivirus, antimalware, security, protection
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Manage Windows Defender Antivirus in your business
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can manage and configure Windows Defender Antivirus with the following tools:
- Microsoft Intune
- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
- The mpcmdrun.exe utility
The articles in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
## In this section
Article | Description
---|---
[Manage Windows Defender Antivirus with Microsoft Intune and Microsoft Endpoint Configuration Manager](use-intune-config-manager-microsoft-defender-antivirus.md)|Information about using Intune and Configuration Manager to deploy, manage, report, and configure Windows Defender Antivirus
[Manage Windows Defender Antivirus with Group Policy settings](use-group-policy-microsoft-defender-antivirus.md)|List of all Group Policy settings located in ADMX templates
[Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md)|Instructions for using PowerShell cmdlets to manage Windows Defender Antivirus, plus links to documentation for all cmdlets and allowed parameters
[Manage Windows Defender Antivirus with Windows Management Instrumentation (WMI)](use-wmi-microsoft-defender-antivirus.md)| Instructions for using WMI to manage Windows Defender Antivirus, plus links to documentation for the WMIv2 APIs (including all classes, methods, and properties)
[Manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool](command-line-arguments-microsoft-defender-antivirus.md)|Instructions on using the dedicated command-line tool to manage and use Windows Defender Antivirus

93
windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
View File

@ -1,93 +0,0 @@
---
title: Configure scanning options for Windows Defender AV
description: You can configure Windows Defender AV to scan email storage files, back-up or reparse points, network files, and archived files (such as .zip files).
keywords: advanced scans, scanning, email, archive, zip, rar, archive, reparse scanning
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
# Configure Windows Defender Antivirus scanning options
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Use Microsoft Intune to configure scanning options**
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
<a id="ref1"></a>
## Use Microsoft Endpoint Configuration Manager to configure scanning options:
See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
## Use Group Policy to configure scanning options
To configure the Group Policy settings described in the following table:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Description | Location and setting | Default setting (if not configured) | PowerShell `Set-MpPreference` parameter or WMI property for `MSFT_MpPreference` class
---|---|---|---
Email scanning See [Email scanning limitations](#ref1)| Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | Not available
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md) will take precedence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
>[!NOTE]
>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives.
## Use PowerShell to configure scanning options
See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
## Use WMI to configure scanning options
For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
## Email scanning limitations
Email scanning enables scanning of email files used by Outlook and other mail clients during on-demand and scheduled scans. Embedded objects within an email file (such as attachments and archived files) are also scanned. The following file format types can be scanned and remediated:
- DBX
- MBX
- MIME
PST files used by Outlook 2003 or older (where the archive type is set to non-unicode) will also be scanned, but Windows Defender cannot remediate threats detected inside PST files.
If Windows Defender Antivirus detects a threat inside an email, it will show you the following information to assist you in identifying the compromised email, so you can remediate the threat manually:
- Email subject
- Attachment name
## Related topics
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

180
windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -1,180 +0,0 @@
---
title: Enable Block at First Sight to detect malware in seconds
description: Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.
keywords: scan, BAFS, malware, first seen, first sight, cloud, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.reviewer:
manager: dansimp
ms.custom: nextgen
---
# Enable block at first sight
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-microsoft-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
>[!TIP]
>Visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work.
## How it works
When Windows Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the files are malicious or clean.
Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).
![List of Windows Defender AV engines](images/microsoft-defender-atp-next-generation-protection-engines.png)
In Windows 10, version 1803, block at first sight can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files.
Block at first sight only uses the cloud protection backend for executable files and non-portable executable files that are downloaded from the Internet, or that originate from the Internet zone. A hash value of the .exe file is checked via the cloud backend to determine if this is a previously undetected file.
If the cloud backend is unable to make a determination, Windows Defender Antivirus locks the file and uploads a copy to the cloud. The cloud performs additional analysis to reach a determination before it either allows the file to run or blocks it in all future encounters, depending on whether it determines the file to be malicious or safe.
In many cases, this process can reduce the response time for new malware from hours to seconds.
## Confirm and validate that block at first sight is enabled
Block at first sight requires a number of settings to be configured correctly or it will not work. These settings are enabled by default in most enterprise Windows Defender Antivirus deployments.
### Confirm block at first sight is enabled with Intune
1. In Intune, navigate to **Device configuration - Profiles** > *Profile name* > **Device restrictions** > **Windows Defender Antivirus**.
> [!NOTE]
> The profile you select must be a Device Restriction profile type, not an Endpoint Protection profile type.
2. Verify these settings are configured as follows:
- **Cloud-delivered protection**: **Enable**
- **File Blocking Level**: **High**
- **Time extension for file scanning by the cloud**: **50**
- **Prompt users before sample submission**: **Send all data without prompting**
![Intune config](images/defender/intune-block-at-first-sight.png)
> [!WARNING]
> Setting the file blocking level to **High** will apply a strong level of detection. In the unlikely event that it causes a false positive detection of legitimate files, use the option to [restore the quarantined files](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus).
For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus).
### Enable block at first sight with Microsoft Endpoint Configuration Manager
1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **AntiMalware Policies**.
2. Click **Home** > **Create Antimalware Policy**.
3. Enter a name and a description, and add these settings:
- **Real time protection**
- **Advanced**
- **Cloud Protection Service**
4. In the left column, click **Real time protection**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable real-time protection](images/defender/sccm-real-time-protection.png)
5. Click **Advanced**, set **Enable real-time protection** to **Yes**, and set **Scan system files** to **Scan incoming and outgoing files**.
![Enable Advanced settings](images/defender/sccm-advanced-settings.png)
6. Click **Cloud Protection Service**, set **Cloud Protection Service membership type** to **Advanced membership**, set **Level for blocking malicious files** to **High**, and set **Allow extended cloud check to block and scan suspicious files for up to (seconds)** to **50** seconds.
![Enable Cloud Protection Service](images/defender/sccm-cloud-protection-service.png)
7. Click **OK** to create the policy.
### Confirm block at first sight is enabled with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **MAPS**, configure the following Group Policies, and then click **OK**:
- Double-click **Join Microsoft MAPS** and ensure the option is set to **Enabled**. Click **OK**.
- Double-click **Send file samples when further analysis is required** and ensure the option is set to **Enabled** and the additional options are either **Send safe samples (1)** or **Send all samples (3)**.
> [!WARNING]
> Setting to **Always prompt (0)** will lower the protection state of the device. Setting to **Never send (2)** means block at first sight will not function.
4. In the **Group Policy Management Editor**, expand the tree to **Windows components** > **Windows Defender Antivirus** > **Real-time Protection**:
1. Double-click **Scan all downloaded files and attachments** and ensure the option is set to **Enabled**, and then click **OK**.
2. Double-click **Turn off real-time protection** and ensure the option is set to **Disabled**, and then click **OK**.
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
### Confirm block at first sight is enabled with Registry editor
1. Start Registry Editor.
2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
1. **SpynetReporting** key is set to **1**
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
1. **DisableIOAVProtection** key is set to **0**
2. **DisableRealtimeMonitoring** key is set to **0**
### Confirm Block at First Sight is enabled on individual clients
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
1. Open the Windows Security app.
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.
![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
3. Confirm that **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
> [!NOTE]
> If the prerequisite settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings.
### Validate block at first sight is working
You can validate that the feature is working by following the steps outlined in [Validate connections between your network and the cloud](configure-network-connections-microsoft-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud).
## Disable block at first sight
> [!WARNING]
> Disabling block at first sight will lower the protection state of the endpoint and your network.
You may choose to disable block at first sight if you want to retain the prerequisite settings without using block at first sight protection. You might wish to do this if you are experiencing latency issues or you want to test the feature's impact on your network.
### Disable block at first sight with Group Policy
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree through **Windows components** > **Windows Defender Antivirus** > **MAPS**.
4. Double-click **Configure the 'Block at First Sight' feature** and set the option to **Disabled**.
> [!NOTE]
> Disabling block at first sight will not disable or alter the prerequisite group policies.
## Related topics
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)

54
windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md
View File

@ -1,54 +0,0 @@
---
title: Configure the Windows Defender AV cloud block timeout period
description: You can configure how long Windows Defender Antivirus will block a file from running while waiting for a cloud determination.
keywords: windows defender antivirus, antimalware, security, defender, cloud, timeout, block, period, seconds
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
ms.custom: nextgen
---
# Configure the cloud block timeout period
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
The default period that the file will be [blocked](configure-block-at-first-sight-microsoft-defender-antivirus.md) is 10 seconds. You can specify an additional period of time to wait before the file is allowed to run. This can help ensure there is enough time to receive a proper determination from the Windows Defender Antivirus cloud service.
## Prerequisites to use the extended cloud block timeout
[Block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md) and its prerequisites must be enabled before you can specify an extended timeout period.
## Specify the extended timeout period
You can use Group Policy to specify an extended timeout for cloud checks.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > MpEngine**
4. Double-click **Configure extended cloud check** and ensure the option is enabled. Specify the additional amount of time to prevent the file from running while waiting for a cloud determination. You can specify the additional time, in seconds, from 1 second to 50 seconds. This time will be added to the default 10 seconds.
5. Click **OK**.
## Related topics
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Use next-generation antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md)
- [Configure block at first sight](configure-block-at-first-sight-microsoft-defender-antivirus.md)
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)

36
windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md
View File

@ -1,36 +0,0 @@
---
title: Configure how users can interact with Windows Defender AV
description: Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings.
keywords: endpoint, user, interaction, notifications, ui lockdown mode, headless mode, hide interface
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Configure end-user interaction with Windows Defender Antivirus
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus.
This includes whether they see the Windows Defender Antivirus interface, what notifications they see, and if they can locally override globally-deployed Group Policy settings.
## In this section
Topic | Description
---|---
[Configure notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md) | Configure and customize additional notifications, customized text for notifications, and notifications about reboots for remediation
[Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) | Hide the user interface from users
[Prevent users from locally modifying policy settings](configure-local-policy-overrides-microsoft-defender-antivirus.md) | Prevent (or allow) users from overriding policy settings on their individual endpoints

37
windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-windows-defender-antivirus.md
View File

@ -1,37 +0,0 @@
---
title: Set up exclusions for Windows Defender AV scans
description: You can exclude files (including files modified by specified processes) and folders from being scanned by Windows Defender AV. Validate your exclusions with PowerShell.
keywords:
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
# Configure and validate exclusions for Windows Defender Antivirus scans
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
>[!WARNING]
>Defining exclusions lowers the protection offered by Windows Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process.
## Related articles
[Windows Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md)

295
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -1,295 +0,0 @@
---
title: Configure and validate exclusions based on extension, name, or location
description: Exclude files from Windows Defender Antivirus scans based on their file extension, file name, or location.
keywords: exclusions, files, extension, file type, folder name, file name, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
# Configure and validate exclusions based on file extension and folder location
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
> [!IMPORTANT]
> Windows Defender Antivirus exclusions don't apply to other Microsoft Defender ATP capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender ATP [custom indicators](../microsoft-defender-atp/manage-indicators.md).
## Exclusion lists
You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Windows Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default.
This article describes how to configure exclusion lists for the files and folders.
Exclusion | Examples | Exclusion list
---|---|---
Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
Exclusion lists have the following characteristics:
- Folder exclusions will apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions will apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>The use of wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Windows Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence when there are conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions based on folder name or file extension
### Use Intune to configure file name, folder, or file extension exclusions
See the following articles:
- [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure)
- [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus)
### Use Configuration Manager to configure file name, folder, or file extension exclusions
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
### Use Group Policy to configure folder or file extension exclusions
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
6. Double-click the **Extension Exclusions** setting and add the exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
<a id="ps"></a>
### Use PowerShell cmdlets to configure file name, folder, or file extension exclusions
Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
The format for the cmdlets is as follows:
```PowerShell
<cmdlet> -<exclusion list> "<item>"
```
The following are allowed as the `<cmdlet>`:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
The following are allowed as the `<exclusion list>`:
Exclusion type | PowerShell parameter
---|---
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the `.test` file extension:
```PowerShell
Add-MpPreference -ExclusionExtension ".test"
```
For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionExtension
ExclusionPath
```
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
<a id="man-tools"></a>
### Use the Windows Security app to configure file name, folder, or file extension exclusions
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
>[!IMPORTANT]
>There are key limitations and usage scenarios for these wildcards:
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
<a id="review"></a>
## Review the list of exclusions
You can retrieve the items in the exclusion list using one of the following methods:
- [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)
- [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings)
- MpCmdRun
- PowerShell
- [Windows Security app](windows-defender-security-center-antivirus.md#exclusions)
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
```PowerShell
Get-MpPreference
```
In the following example, the items contained in the `ExclusionExtension` list are highlighted:
![PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences](images/defender/wdav-powershell-get-exclusions-all.png)
For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
```PowerShell
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
```
In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
![PowerShell output showing only the entries in the exclusion list](images/defender/wdav-powershell-get-exclusions-variable.png)
For more information, see [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
<a id="validate"></a>
## Validate exclusions lists with the EICAR test file
You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you are testing a path, ensure you run the cmdlet within that path.
```PowerShell
Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
```
If Windows Defender Antivirus reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](http://www.eicar.org/86-0-Intended-use.html).
You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
```PowerShell
$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
```
If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
```PowerShell
[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
```
You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
## Related topics
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)

92
windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
View File

@ -1,92 +0,0 @@
---
title: Configure local overrides for Windows Defender AV settings
description: Enable or disable users from locally changing settings in Windows Defender AV.
keywords: local override, local policy, group policy, gpo, lockdown,merge, lists
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 02/13/2020
ms.reviewer:
manager: dansimp
---
# Prevent or allow users to locally modify Windows Defender Antivirus policy settings
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
For example, it may be necessary to allow certain user groups (such as security researchers and threat investigators) further control over individual settings on the endpoints they use.
## Configure local overrides for Windows Defender Antivirus settings
The default setting for these policies is **Disabled**.
If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
To configure these settings:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
5. Deploy the Group Policy Object as usual.
Location | Setting | Article
---|---|---|---
MAPS | Configure local setting override for reporting to Microsoft MAPS | [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
Quarantine | Configure local setting override for the removal of items from Quarantine folder | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring file and program activity on your computer | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
Real-time protection | Configure local setting override for monitoring for incoming and outgoing file activity | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
Real-time protection | Configure local setting override for scanning all downloaded files and attachments | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
Real-time protection | Configure local setting override for turn on behavior monitoring | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
Real-time protection | Configure local setting override to turn on real-time protection | [Enable and configure Windows Defender Antivirus always-on protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md)
Remediation | Configure local setting override for the time of day to run a scheduled full scan to complete remediation | [Configure remediation for scans](configure-remediation-microsoft-defender-antivirus.md)
Scan | Configure local setting override for maximum percentage of CPU utilization | [Configure and run scans](run-scan-microsoft-defender-antivirus.md)
Scan | Configure local setting override for schedule scan day | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Scan | Configure local setting override for scheduled quick scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Scan | Configure local setting override for scheduled scan time | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
Scan | Configure local setting override for the scan type to use for a scheduled scan | [Configure scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
<a id="merge-lists"></a>
## Configure how locally and globally defined threat remediation and exclusions lists are merged
You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-microsoft-defender-antivirus.md), [specified remediation lists](configure-remediation-microsoft-defender-antivirus.md), and [attack surface reduction](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction).
By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
### Use Group Policy to disable local list merging
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus**.
4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Disabled**. Click **OK**.
> [!NOTE]
> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Allow a blocked app in Windows Security](https://support.microsoft.com/help/4046851/windows-10-allow-blocked-app-windows-security).
## Related topics
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)

130
windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
View File

@ -1,130 +0,0 @@
---
title: Configure and validate Windows Defender Antivirus network connections
description: Configure and test your connection to the Windows Defender Antivirus cloud protection service.
keywords: antivirus, windows defender antivirus, antimalware, security, defender, cloud, aggressiveness, protection level
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 10/08/2018
ms.reviewer:
manager: dansimp
---
# Configure and validate Windows Defender Antivirus network connections
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
This article lists the connections that must be allowed, such as by using firewall rules, and provides instructions for validating your connection. Configuring your protection properly helps ensure that you receive the best value from your cloud-delivered protection services.
See the blog post [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006) for some details about network connectivity.
>[!TIP]
>You can also visit the Microsoft Defender ATP demo website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the following features are working:
>
>- Cloud-delivered protection
>- Fast learning (including block at first sight)
>- Potentially unwanted application blocking
## Allow connections to the Windows Defender Antivirus cloud service
The Windows Defender Antivirus cloud service provides fast, strong protection for your endpoints. Enabling the cloud-delivered protection service is optional, however it is highly recommended because it provides important protection against malware on your endpoints and across your network.
>[!NOTE]
>The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
See [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md) for details on enabling the service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
Because your protection is a cloud service, computers must have access to the internet and reach the ATP machine learning services. Do not exclude the URL `*.blob.core.windows.net` from any kind of network inspection. The table below lists the services and their associated URLs. Make sure that there are no firewall or network filtering rules denying access to these URLs, or you may need to create an allow rule specifically for them (excluding the URL `*.blob.core.windows.net`). Below mention URLs are using port 443 for communication.
| **Service**| **Description** |**URL** |
| :--: | :-- | :-- |
| Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)|Used by Windows Defender Antivirus to provide cloud-delivered protection|`*.wdcp.microsoft.com` <br/> `*.wdcpalt.microsoft.com` <br/> `*.wd.microsoft.com`|
| Microsoft Update Service (MU)| Security intelligence and product updates |`*.update.microsoft.com`|
|Security intelligence updates Alternate Download Location (ADL)| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| `*.download.microsoft.com`|
| Malware submission storage|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | `ussus1eastprod.blob.core.windows.net` <br/> `ussus1westprod.blob.core.windows.net` <br/> `usseu1northprod.blob.core.windows.net` <br/> `usseu1westprod.blob.core.windows.net` <br/> `ussuk1southprod.blob.core.windows.net` <br/> `ussuk1westprod.blob.core.windows.net` <br/> `ussas1eastprod.blob.core.windows.net` <br/> `ussas1southeastprod.blob.core.windows.net` <br/> `ussau1eastprod.blob.core.windows.net` <br/> `ussau1southeastprod.blob.core.windows.net` |
| Certificate Revocation List (CRL)|Used by Windows when creating the SSL connection to MAPS for updating the CRL | `https://www.microsoft.com/pkiops/crl/` <br/> `https://www.microsoft.com/pkiops/certs` <br/> `https://crl.microsoft.com/pki/crl/products` <br/> `https://www.microsoft.com/pki/certs` |
| Symbol Store|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | `https://msdl.microsoft.com/download/symbols` |
| Universal Telemetry Client| Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: `vortex-win.data.microsoft.com` <br/> `settings-win.data.microsoft.com`|
## Validate connections between your network and the cloud
After whitelisting the URLs listed above, you can test if you are connected to the Windows Defender Antivirus cloud service and are correctly reporting and receiving information to ensure you are fully protected.
**Use the cmdline tool to validate cloud-delivered protection:**
Use the following argument with the Windows Defender Antivirus command-line utility (`mpcmdrun.exe`) to verify that your network can communicate with the Windows Defender Antivirus cloud service:
```DOS
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
```
> [!NOTE]
> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher.
For more information, see [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-microsoft-defender-antivirus.md).
**Attempt to download a fake malware file from Microsoft:**
You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud.
Download the file by visiting the following link:
- https://aka.ms/ioavtest
>[!NOTE]
>This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud.
If you are properly connected, you will see a warning Windows Defender Antivirus notification:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-malware-detected.png)
If you are using Microsoft Edge, you'll also see a notification message:
![Microsoft Edge informing the user that malware was found](images/defender/wdav-bafs-edge.png)
A similar message occurs if you are using Internet Explorer:
![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png)
>[!NOTE]
>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md).
The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>You will not be able to use a proxy auto-config (.pac) file to test network connections to these URLs. You will need to verify your proxy servers and any network filtering tools manually to ensure connectivity.
## Related articles
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Enable cloud-delivered protection](enable-cloud-protection-microsoft-defender-antivirus.md)
- [Run an Windows Defender Antivirus scan from the command line](command-line-arguments-microsoft-defender-antivirus.md) and [Command line arguments](command-line-arguments-microsoft-defender-antivirus.md)
- [Important changes to Microsoft Active Protection Services endpoint](https://techcommunity.microsoft.com/t5/Configuration-Manager-Archive/Important-changes-to-Microsoft-Active-Protection-Service-MAPS/ba-p/274006)

106
windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-windows-defender-antivirus.md
View File

@ -1,106 +0,0 @@
---
title: Configure Windows Defender Antivirus notifications
description: Configure and customize Windows Defender Antivirus notifications.
keywords: notifications, defender, antivirus, endpoint, management, admin
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Configure the notifications that appear on endpoints
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
Notifications appear on endpoints when manually triggered and scheduled scans are completed and threats are detected. These notifications also appear in the **Notification Center**, and a summary of scans and threat detections appear at regular time intervals.
You can also configure how standard notifications appear on endpoints, such as notifications for reboot or when a threat has been detected and remediated.
## Configure the additional notifications that appear on endpoints
You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy.
> [!NOTE]
> In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
> [!IMPORTANT]
> Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
**Use the Windows Security app to disable additional notifications:**
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
3. Scroll to the **Notifications** section and click **Change notification settings**.
4. Slide the switch to **Off** or **On** to disable or enable additional notifications.
**Use Group Policy to disable additional notifications:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Reporting**.
5. Double-click **Turn off enhanced notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Configure standard notifications on endpoints
You can use Group Policy to:
- Display additional, customized text on endpoints when the user needs to perform an action
- Hide all notifications on endpoints
- Hide reboot notifications on endpoints
Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-microsoft-defender-antivirus.md) for more information.
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [Microsoft Endpoint Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/configmgr/protect/deploy-use/monitor-endpoint-protection).
See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure, and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
4. Double-click **Suppress all notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
**Use Group Policy to hide reboot notifications:**
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**.
3. Click **Administrative templates**.
4. Expand the tree to **Windows components > Windows Defender Antivirus > Client interface**.
5. Double-click **Suppresses reboot notifications** and set the option to **Enabled**. Click **OK**. This will prevent additional notifications from appearing.
## Related topics
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
- [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)

198
windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
View File

@ -1,198 +0,0 @@
---
title: Configure exclusions for files opened by specific processes
description: You can exclude files from scans if they have been opened by a specific process.
keywords: Windows Defender Antivirus, process, exclusion, files, scans
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
---
# Configure exclusions for files opened by processes
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans.
This topic describes how to configure exclusion lists for the following:
<a id="examples"></a>
Exclusion | Example
---|---
Any file on the machine that is opened by any process with a specific file name | Specifying "test.exe" would exclude files opened by: <ul><li>c:\sample\test.exe</li><li>d:\internal\files\test.exe</li></ul>
Any file on the machine that is opened by any process under a specific folder | Specifying "c:\test\sample\\*" would exclude files opened by:<ul><li>c:\test\sample\test.exe</li><li>c:\test\sample\test2.exe</li><li>c:\test\sample\utility.exe</li></ul>
Any file on the machine that is opened by a specific process in a specific folder | Specifying "c:\test\process.exe" would exclude files only opened by c:\test\process.exe
When you add a process to the process exclusion list, Windows Defender Antivirus won't scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-microsoft-defender-antivirus.md).
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [Microsoft Endpoint Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-microsoft-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
<a id="gp"></a>
### Use Microsoft Intune to exclude files that have been opened by specified processes from scans
See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#microsoft-defender-antivirus) for more details.
### Use Microsoft Endpoint Configuration Manager to exclude files that have been opened by specified processes from scans
See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring Microsoft Endpoint Configuration Manager (current branch).
### Use Group Policy to exclude files that have been opened by specified processes from scans
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
4. Double-click **Process Exclusions** and add the exclusions:
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**.
3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
<a id="ps"></a>
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
The format for the cmdlets is:
```PowerShell
<cmdlet> -ExclusionProcess "<item>"
```
The following are allowed as the \<cmdlet>:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the specified process:
```PowerShell
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-defender-Windows Defender Antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
ExclusionProcess
```
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
<a id="man-tools"></a>
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
<a id="wildcards"></a>
## Use wildcards in the process exclusion list
The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
In particular, you cannot use the question mark ? wildcard, and the asterisk \* wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
The following table describes how the wildcards can be used in the process exclusion list:
Wildcard | Use | Example use | Example matches
---|---|---|---
\* (asterisk) | Replaces any number of characters | <ul><li>C:\MyData\\*</li></ul> | <ul><li>Any file opened by C:\MyData\file.exe</li></ul>
? (question mark) | Not available | \- | \-
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>
<a id="review"></a>
## Review the list of exclusions
You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun
To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command:
```DOS
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
### Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell
Use the following cmdlet:
```PowerShell
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
```PowerShell
$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
## Related articles
- [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

43
windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-windows-defender-antivirus.md
View File

@ -1,43 +0,0 @@
---
title: Enable and configure Windows Defender Antivirus protection features
description: Enable behavior-based, heuristic, and real-time protection in Windows Defender AV.
keywords: heuristic, machine-learning, behavior monitor, real-time protection, always-on, windows defender antivirus, antimalware, security, defender
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Configure behavioral, heuristic, and real-time protection
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Windows Defender Antivirus uses several methods to provide threat protection:
- Cloud-delivered protection for near-instant detection and blocking of new and emerging threats
- Always-on scanning, using file and process behavior monitoring and other heuristics (also known as "real-time protection")
- Dedicated protection updates based on machine-learning, human and automated big-data analysis, and in-depth threat resistance research
You can configure how Windows Defender Antivirus uses these methods with Group Policy, System Center Configuration Manage, PowerShell cmdlets, and Windows Management Instrumentation (WMI).
This section covers configuration for always-on scanning, including how to detect and block apps that are deemed unsafe, but may not be detected as malware.
See [Use next-gen Windows Defender Antivirus technologies through cloud-delivered protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) for how to enable and configure Windows Defender Antivirus cloud-delivered protection.
## In this section
Topic | Description
---|---
[Detect and block potentially unwanted applications](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) | Detect and block apps that may be unwanted in your network, such as adware, browser modifiers and toolbars, and rogue or fake antivirus apps
[Enable and configure Windows Defender Antivirus protection capabilities](configure-real-time-protection-microsoft-defender-antivirus.md) | Enable and configure real-time protection, heuristics, and other always-on Windows Defender Antivirus monitoring features

114
windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md
View File

@ -1,114 +0,0 @@
---
title: Enable and configure Windows Defender Antivirus protection capabilities
description: Enable and configure Windows Defender Antivirus real-time protection features such as behavior monitoring, heuristics, and machine-learning
keywords: antivirus, real-time protection, rtp, machine-learning, behavior monitoring, heuristics
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 12/16/2019
ms.reviewer:
manager: dansimp
ms.custom: nextgen
---
# Enable and configure Windows Defender Antivirus always-on protection in Group Policy
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
These activities include events, such as processes making unusual changes to existing files, modifying or creating automatic startup registry keys and startup locations (also known as auto-start extensibility points, or ASEPs), and other changes to the file system or file structure.
## Enable and configure always-on protection in Group Policy
You can use **Local Group Policy Editor** to enable and configure Windows Defender Antivirus always-on protection settings.
To enable and configure always-on protection:
1. Open **Local Group Policy Editor**. To do this:
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
![GPEdit taskbar search result](images/gpedit-search.png)
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus**.
![Windows Defender Antivirus](images/gpedit-microsoft-defender-antivirus.png)
3. Configure the Windows Defender Antivirus antimalware service policy settings. To do this:
1. In the **Windows Defender Antivirus** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Allow antimalware service to startup with normal priority | You can lower the priority of the Windows Defender Antivirus engine, which may be useful in lightweight deployments where you want to have as lean a startup process as possible. This may impact protection on the endpoint. | Enabled
| Allow antimalware service to remain running always | If protection updates have been disabled, you can set Windows Defender Antivirus to still run. This lowers the protection on the endpoint. | Disabled |
2. Configure the setting as appropriate, and click **OK**.
3. Repeat the previous steps for each setting in the table.
4. Configure the Windows Defender Antivirus real-time protection policy settings. To do this:
1. In the **Windows Defender Antivirus** details pane, double-click **Real-time Protection**. Or, from the **Windows Defender Antivirus** tree on left pane, click **Real-time Protection**.
![Windows Defender Antivirus Real-time Protection options](images/gpedit-real-time-protection.png)
2. In the **Real-time Protection** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity. | Enabled |
| Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the Windows Defender SmartScreen filter, which scans files before and during downloading. | Enabled |
| Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run). | Enabled |
| Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring. | Enabled |
| Turn on process scanning whenever real-time protection is enabled | You can independently enable the Microsoft Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled. | Enabled |
| Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes. | Enabled |
| Configure local setting override for turn on behavior monitoring | Configure a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for scanning all downloaded files and attachments | Configure a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring file and program activity on your computer | Configure a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override to turn on real-time protection | Configure a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting.| Enabled |
| Configure local setting override for monitoring for incoming and outgoing file activity | Configure a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If you disable or do not configure this setting, Group Policy will take priority over the local preference setting. | Enabled |
| Configure monitoring for incoming and outgoing file and program activity | Specify whether monitoring should occur on incoming, outgoing, both, or neither direction. This is relevant for Windows Server installations where you have defined specific servers or Server Roles that see large amounts of file changes in only one direction and you want to improve network performance. Fully updated endpoints (and servers) on a network will see little performance impact irrespective of the number or direction of file changes. | Enabled (both directions) |
3. Configure the setting as appropriate, and click **OK**.
4. Repeat the previous steps for each setting in the table.
5. Configure the Windows Defender Antivirus scanning policy setting. To do this:
1. From the **Windows Defender Antivirus** tree on left pane, click **Scan**.
![Windows Defender Antivirus Scan options](images/gpedit-microsoft-defender-antivirus-scan.png)
2. In the **Scan** details pane on right, double-click the policy setting as specified in the following table:
| Setting | Description | Default setting |
|-----------------------------|------------------------|-------------------------------|
| Turn on heuristics | Heuristic protection will disable or block suspicious activity immediately before the Windows Defender Antivirus engine is asked to detect the activity. | Enabled |
3. Configure the setting as appropriate, and click **OK**.
6. Close **Local Group Policy Editor**.
## Disable real-time protection in Group Policy
> [!WARNING]
> Disabling real-time protection drastically reduces the protection on your endpoints and is not recommended.
The main real-time protection capability is enabled by default, but you can disable it by using **Local Group Policy Editor**.
To disable real-time protection in Group policy:
1. Open **Local Group Policy Editor**.
1. In your Windows 10 taskbar search box, type **gpedit**.
2. Under **Best match**, click **Edit group policy** to launch **Local Group Policy Editor**.
2. In the left pane of **Local Group Policy Editor**, expand the tree to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Real-time Protection**.
3. In the **Real-time Protection** details pane on right, double-click **Turn off real-time protection**.
![Turn off real-time protection](images/gpedit-turn-off-real-time-protection.png)
4. In the **Turn off real-time protection** setting window, set the option to **Enabled**.
![Turn off real-time protection enabled](images/gpedit-turn-off-real-time-protection-enabled.png)
5. Click **OK**.
6. Close **Local Group Policy Editor**.
## Related articles
- [Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

72
windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-windows-defender-antivirus.md
View File

@ -1,72 +0,0 @@
---
title: Remediate and resolve infections detected by Windows Defender Antivirus
description: Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder
keywords: remediation, fix, remove, threats, quarantine, scan, restore
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Configure remediation for Windows Defender Antivirus scans
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
This topic describes how to configure these settings with Group Policy, but you can also use [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure).
You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings.
## Configure remediation options
You can configure how remediation works with the Group Policy settings described in this section.
To configure these settings:
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
3. Expand the tree to **Windows components > Windows Defender Antivirus** and then the **Location** specified in the table below.
4. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings.
Location | Setting | Description | Default setting (if not configured)
---|---|---|---
Scan | Create a system restore point | A system restore point will be created each day before cleaning or scanning is attempted | Disabled
Scan | Turn on removal of items from scan history folder | Specify how many days items should be kept in the scan history | 30 days
Root | Turn off routine remediation | You can specify whether Windows Defender Antivirus automatically remediates threats, or if it should ask the endpoint user what to do. | Disabled (threats are remediated automatically)
Quarantine | Configure removal of items from Quarantine folder | Specify how many days items should be kept in quarantine before being removed | Never removed
Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender Antivirus is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
> [!IMPORTANT]
> Windows Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
> </p>
> If you are certain Windows Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md).
> </p>
> To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md).
Also see [Configure remediation-required scheduled full Windows Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings.
## Related topics
- [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-microsoft-defender-antivirus.md)
- [Configure scheduled Windows Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md)
- [Configure and run on-demand Windows Defender Antivirus scans](run-scan-microsoft-defender-antivirus.md)
- [Configure the notifications that appear on endpoints](configure-notifications-microsoft-defender-antivirus.md)
- [Configure end-user Windows Defender Antivirus interaction](configure-end-user-interaction-microsoft-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

411
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
View File

@ -1,411 +0,0 @@
---
title: Configure Windows Defender Antivirus exclusions on Windows Server 2016 or 2019
ms.reviewer:
manager: dansimp
description: Windows Servers 2016 and 2019 include automatic exclusions, based on server role. You can also add custom exclusions.
keywords: exclusions, server, auto-exclusions, automatic, custom, scans, Windows Defender Antivirus
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
---
# Configure Windows Defender Antivirus exclusions on Windows Server
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Windows Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
> [!NOTE]
> Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
In addition to server role-defined automatic exclusions, you can add or remove custom exclusions. To do that, refer to these articles:
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
## A few points to keep in mind
- Custom exclusions take precedence over automatic exclusions.
- Automatic exclusions only apply to Real-time protection (RTP) scanning. Automatic exclusions are not honored during a Full/Quick or On-demand scan.
- Custom and duplicate exclusions do not conflict with automatic exclusions.
- Windows Defender Antivirus uses the Deployment Image Servicing and Management (DISM) tools to determine which roles are installed on your computer.
## Opt out of automatic exclusions
In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
> [!WARNING]
> Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles.
Because predefined exclusions only exclude **default paths**, if you move NTDS and SYSVOL to another drive or path that is *different from the original path*, you must add exclusions manually using the information [here](configure-extension-file-exclusions-microsoft-defender-antivirus.md#configure-the-list-of-exclusions-based-on-folder-name-or-file-extension) .
You can disable the automatic exclusion lists with Group Policy, PowerShell cmdlets, and WMI.
### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx). Right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Exclusions**.
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the following cmdlets:
```PowerShell
Set-MpPreference -DisableAutoExclusions $true
```
[Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
[Use PowerShell with Windows Defender Antivirus](https://technet.microsoft.com/itpro/powershell/windows/defender/index).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and 2019
Use the **Set** method of the [MSFT_MpPreference](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
```WMI
DisableAutoExclusions
```
See the following for more information and allowed parameters:
- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx)
## List of automatic exclusions
The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types.
### Default exclusions for all roles
This section lists the default exclusions for all Windows Server 2016 and 2019 roles.
#### Windows "temp.edb" files
- *%windir%*\SoftwareDistribution\Datastore\\*\tmp.edb
- *%ProgramData%*\Microsoft\Search\Data\Applications\Windows\\*\\\*.log
#### Windows Update files or Automatic Update files
- *%windir%*\SoftwareDistribution\Datastore\\*\Datastore.edb
- *%windir%*\SoftwareDistribution\Datastore\\*\edb.chk
- *%windir%*\SoftwareDistribution\Datastore\\*\edb\*.log
- *%windir%*\SoftwareDistribution\Datastore\\*\Edb\*.jrs
- *%windir%*\SoftwareDistribution\Datastore\\*\Res\*.log
#### Windows Security files
- *%windir%*\Security\database\\*.chk
- *%windir%*\Security\database\\*.edb
- *%windir%*\Security\database\\*.jrs
- *%windir%*\Security\database\\*.log
- *%windir%*\Security\database\\*.sdb
#### Group Policy files
- *%allusersprofile%*\NTUser.pol
- *%SystemRoot%*\System32\GroupPolicy\Machine\registry.pol
- *%SystemRoot%*\System32\GroupPolicy\User\registry.pol
#### WINS files
- *%systemroot%*\System32\Wins\\*\\\*.chk
- *%systemroot%*\System32\Wins\\*\\\*.log
- *%systemroot%*\System32\Wins\\*\\\*.mdb
- *%systemroot%*\System32\LogFiles\
- *%systemroot%*\SysWow64\LogFiles\
#### File Replication Service (FRS) exclusions
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- *%windir%*\Ntfrs\jet\sys\\*\edb.chk
- *%windir%*\Ntfrs\jet\\*\Ntfrs.jdb
- *%windir%*\Ntfrs\jet\log\\*\\\*.log
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\Ntfrs\Parameters\DB Log File Directory`
- *%windir%*\Ntfrs\\*\Edb\*.log
- The FRS staging folder. The staging folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\NtFrs\Parameters\Replica Sets\GUID\Replica Set Stage`
- *%systemroot%*\Sysvol\\*\Nntfrs_cmp\*\
- The FRS preinstall folder. This folder is specified by the folder `Replica_root\DO_NOT_REMOVE_NtFrs_PreInstall_Directory`
- *%systemroot%*\SYSVOL\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory\\*\Ntfrs\*\
- The Distributed File System Replication (DFSR) database and working folders. These folders are specified by the registry key `HKEY_LOCAL_MACHINE\System\Currentcontrolset\Services\DFSR\Parameters\Replication Groups\GUID\Replica Set Configuration File`
> [!NOTE]
> For custom locations, see [Opt out of automatic exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus#opt-out-of-automatic-exclusions).
- *%systemdrive%*\System Volume Information\DFSR\\$db_normal$
- *%systemdrive%*\System Volume Information\DFSR\FileIDTable_*
- *%systemdrive%*\System Volume Information\DFSR\SimilarityTable_*
- *%systemdrive%*\System Volume Information\DFSR\\*.XML
- *%systemdrive%*\System Volume Information\DFSR\\$db_dirty$
- *%systemdrive%*\System Volume Information\DFSR\\$db_clean$
- *%systemdrive%*\System Volume Information\DFSR\\$db_lostl$
- *%systemdrive%*\System Volume Information\DFSR\Dfsr.db
- *%systemdrive%*\System Volume Information\DFSR\\*.frx
- *%systemdrive%*\System Volume Information\DFSR\\*.log
- *%systemdrive%*\System Volume Information\DFSR\Fsr*.jrs
- *%systemdrive%*\System Volume Information\DFSR\Tmp.edb
#### Process exclusions
- *%systemroot%*\System32\dfsr.exe
- *%systemroot%*\System32\dfsrs.exe
#### Hyper-V exclusions
This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
- File type exclusions:
- *.vhd
- *.vhdx
- *.avhd
- *.avhdx
- *.vsv
- *.iso
- *.rct
- *.vmcx
- *.vmrs
- Folder exclusions:
- *%ProgramData%*\Microsoft\Windows\Hyper-V
- *%ProgramFiles%*\Hyper-V
- *%SystemDrive%*\ProgramData\Microsoft\Windows\Hyper-V\Snapshots
- *%Public%*\Documents\Hyper-V\Virtual Hard Disks
- Process exclusions:
- *%systemroot%*\System32\Vmms.exe
- *%systemroot%*\System32\Vmwp.exe
#### SYSVOL files
- *%systemroot%*\Sysvol\Domain\\*.adm
- *%systemroot%*\Sysvol\Domain\\*.admx
- *%systemroot%*\Sysvol\Domain\\*.adml
- *%systemroot%*\Sysvol\Domain\Registry.pol
- *%systemroot%*\Sysvol\Domain\\*.aas
- *%systemroot%*\Sysvol\Domain\\*.inf
- *%systemroot%*\Sysvol\Domain\\*.Scripts.ini
- *%systemroot%*\Sysvol\Domain\\*.ins
- *%systemroot%*\Sysvol\Domain\Oscfilter.ini
### Active Directory exclusions
This section lists the exclusions that are delivered automatically when you install Active Directory Domain Services.
#### NTDS database files
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- %windir%\Ntds\ntds.dit
- %windir%\Ntds\ntds.pat
#### The AD DS transaction log files
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\Res*.log
- %windir%\Ntds\Edb*.jrs
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\TEMP.edb
#### The NTDS working folder
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- %windir%\Ntds\Temp.edb
- %windir%\Ntds\Edb.chk
#### Process exclusions for AD DS and AD DS-related support files
- %systemroot%\System32\ntfrs.exe
- %systemroot%\System32\lsass.exe
### DHCP Server exclusions
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- *%systemroot%*\System32\DHCP\\*\\\*.mdb
- *%systemroot%*\System32\DHCP\\*\\\*.pat
- *%systemroot%*\System32\DHCP\\*\\\*.log
- *%systemroot%*\System32\DHCP\\*\\\*.chk
- *%systemroot%*\System32\DHCP\\*\\\*.edb
### DNS Server exclusions
This section lists the file and folder exclusions and the process exclusions that are delivered automatically when you install the DNS Server role.
#### File and folder exclusions for the DNS Server role
- *%systemroot%*\System32\Dns\\*\\\*.log
- *%systemroot%*\System32\Dns\\*\\\*.dns
- *%systemroot%*\System32\Dns\\*\\\*.scc
- *%systemroot%*\System32\Dns\\*\BOOT
#### Process exclusions for the DNS Server role
- *%systemroot%*\System32\dns.exe
### File and Storage Services exclusions
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- *%SystemDrive%*\ClusterStorage
- *%clusterserviceaccount%*\Local Settings\Temp
- *%SystemDrive%*\mscs
### Print Server exclusions
This section lists the file type exclusions, folder exclusions, and the process exclusions that are delivered automatically when you install the Print Server role.
#### File type exclusions
- *.shd
- *.spl
#### Folder exclusions
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory`
- *%system32%*\spool\printers\\*
#### Process exclusions
- spoolsv.exe
### Web Server exclusions
This section lists the folder exclusions and the process exclusions that are delivered automatically when you install the Web Server role.
#### Folder exclusions
- *%SystemRoot%*\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\IIS Temporary Compressed Files
- *%SystemDrive%*\inetpub\temp\ASP Compiled Templates
- *%systemDrive%*\inetpub\logs
- *%systemDrive%*\inetpub\wwwroot
#### Process exclusions
- *%SystemRoot%*\system32\inetsrv\w3wp.exe
- *%SystemRoot%*\SysWOW64\inetsrv\w3wp.exe
- *%SystemDrive%*\PHP5433\php-cgi.exe
### Windows Server Update Services exclusions
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- *%systemroot%*\WSUS\WSUSContent
- *%systemroot%*\WSUS\UpdateServicesDBFiles
- *%systemroot%*\SoftwareDistribution\Datastore
- *%systemroot%*\SoftwareDistribution\Download
## Related articles
- [Configure and validate exclusions for Windows Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md)
- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
- [Windows Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)

49
windows/security/threat-protection/microsoft-defender-antivirus/configure-windows-defender-antivirus-features.md
View File

@ -1,49 +0,0 @@
---
title: Configure Windows Defender Antivirus features
description: You can configure Windows Defender Antivirus features with Intune, Microsoft Endpoint Configuration Manager, Group Policy, and PowerShell.
keywords: Windows Defender Antivirus, antimalware, security, defender, configure, configuration, Config Manager, Microsoft Endpoint Configuration Manager, SCCM, Intune, MDM, mobile device management, GP, group policy, PowerShell
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.reviewer:
manager: dansimp
---
# Configure Windows Defender Antivirus features
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
You can configure Windows Defender Antivirus with a number of tools, including:
- Microsoft Intune
- Microsoft Endpoint Configuration Manager
- Group Policy
- PowerShell cmdlets
- Windows Management Instrumentation (WMI)
The following broad categories of features can be configured:
- Cloud-delivered protection
- Always-on real-time protection, including behavioral, heuristic, and machine-learning-based protection
- How end-users interact with the client on individual endpoints
The topics in this section describe how to perform key tasks when configuring Windows Defender Antivirus. Each topic includes instructions for the applicable configuration tool (or tools).
You can also review the [Reference topics for management and configuration tools](configuration-management-reference-microsoft-defender-antivirus.md) topic for an overview of each tool and links to further help.
## In this section
Topic | Description
:---|:---
[Utilize Microsoft cloud-provided Windows Defender Antivirus protection](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
[Configure behavioral, heuristic, and real-time protection](configure-protection-features-microsoft-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time antivirus protection
[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md)|Configure how end-users interact with Windows Defender Antivirus, what notifications they see, and whether they can override settings

0
windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/deploy-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/evaluate-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/windows-defender-antivirus-in-windows-10.md → windows/security/threat-protection/microsoft-defender-antivirus/microsft-defender-antivirus-in-windows-10.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/windows-defender-antivirus-compatibility.md → windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md → windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/windows-defender-offline.md → windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/windows-defender-security-center-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/office-365-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/run-scan-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
View File

0
windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus.md → windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-defender-antivirus.md
View File