deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into scorecard

Browse Source
This commit is contained in:
jcaparas 2021-01-13 14:00:21 -08:00 committed by GitHub
commit 48d55b4114
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
13 changed files with 165 additions and 506 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
.openpublishing.publish.config.json
View File

@ -390,7 +390,7 @@
"elizapo@microsoft.com"
],
"sync_notification_subscribers": [
"daniha@microsoft.com"
"dstrome@microsoft.com"
],
"branches_to_filter": [
""
@ -431,9 +431,9 @@
"template_folder": "_themes.pdf"
}
},
"need_generate_pdf": false,
"need_generate_intellisense": false,
"docs_build_engine": {
"name": "docfx_v3"
}
}
},
"need_generate_pdf": false,
"need_generate_intellisense": false
}

16
windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
View File

@ -107,9 +107,10 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
|||HTTPS/HTTP|*smartscreen-prod.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
|||TLSv1.2|definitionupdates.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*smartscreen.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
@ -180,8 +181,9 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
|||HTTPS/HTTP|*smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*smartscreen.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
@ -245,8 +247,9 @@ The following methodology was used to derive the network endpoints:
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled|TLSv1.2/HTTPS|wdcp.microsoft.com|
|||HTTPS/HTTP|*smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*smartscreen.microsoft.com|
||||wdcpalt.microsoft.com|
|||HTTPS/HTTP|*.smartscreen-prod.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications.|TLSv1.2|*.smartscreen.microsoft.com|
|||TLSv1.2/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.|TLSv1.2/HTTPS/HTTP|arc.msn.com*|
|||TLSv1.2/HTTPS/HTTP|ris.api.iris.microsoft.com|
@ -261,4 +264,3 @@ The following methodology was used to derive the network endpoints:
|Xbox Live|The following endpoints are used for Xbox Live.|
|||TLSv1.2/HTTPS/HTTP|dlassets-ssl.xboxlive.com|
|||TLSv1.2/HTTPS|da.xboxservices.com|
|

4
windows/security/threat-protection/TOC.md
View File

@ -195,8 +195,7 @@
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)
@ -1334,7 +1333,6 @@
#### [Windows security baselines](windows-security-configuration-framework/windows-security-baselines.md)
##### [Security Compliance Toolkit](windows-security-configuration-framework/security-compliance-toolkit-10.md)
##### [Get support](windows-security-configuration-framework/get-support-for-security-baselines.md)
### [MBSA removal and alternatives](mbsa-removal-and-guidance.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)

3
windows/security/threat-protection/mbsa-removal-and-guidance.md
View File

@ -6,8 +6,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: dansimp
author: dulcemontemayor
ms.date: 10/05/2018
author: dansimp
ms.reviewer:
manager: dansimp
---

120
windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
View File

@ -26,128 +26,30 @@ This article describes some common mistake that you should avoid when defining e
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
**Do not add exclusions for the following folder locations:**
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
- %systemdrive%
- C:
- C:\
- C:\*
- %ProgramFiles%\Java
- C:\Program Files\Java
- %ProgramFiles%\Contoso\
- C:\Program Files\Contoso\
- %ProgramFiles(x86)%\Contoso\
- C:\Program Files (x86)\Contoso\
- C:\Temp
- C:\Temp\
- C:\Temp\*
- C:\Users\
- C:\Users\*
- C:\Users\<UserProfileName>\AppData\Local\Temp\
- C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
- C:\Users\<UserProfileName>\AppData\Roaming\Temp\
- %Windir%\Prefetch
- C:\Windows\Prefetch
- C:\Windows\Prefetch\
- C:\Windows\Prefetch\*
- %Windir%\System32\Spool
- C:\Windows\System32\Spool
- C:\Windows\System32\CatRoot2
- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\*
Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
**Do not add exclusions for the following file extensions:**
- `.7zip`
- `.bat`
- `.bin`
- `.cab`
- `.cmd`
- `.com`
- `.cpl`
- `.dll`
- `.exe`
- `.fla`
- `.gif`
- `.gz`
- `.hta`
- `.inf`
- `.java`
- `.jar`
- `.job`
- `.jpeg`
- `.jpg`
- `.js`
- `.ko`
- `.ko.gz`
- `.msi`
- `.ocx`
- `.png`
- `.ps1`
- `.py`
- `.rar`
- `.reg`
- `.scr`
- `.sys`
- `.tar`
- `.tmp`
- `.url`
- `.vbe`
- `.vbs`
- `.wsf`
- `.zip`
| Folder locations | File extensions | Processes |
|:--|:--|:--|
| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7zip` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe` <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` <br/> `windbg.exe` |
>[!NOTE]
> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
**Do not add exclusions for the following processes:**
- AcroRd32.exe
- bitsadmin.exe
- excel.exe
- iexplore.exe
- java.exe
- outlook.exe
- psexec.exe
- powerpnt.exe
- powershell.exe
- schtasks.exe
- svchost.exe
- wmic.exe
- winword.exe
- wuauclt.exe
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- bash.exe
- bginfo.exe[1]
- cdb.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsiAnyCpu.exe
- kd.exe
- ntkd.exe
- lxssmanager.dll
- msbuild.exe[2]
- mshta.exe
- ntsd.exe
- rcsi.exe
- system.management.automation.dll
- windbg.exe
> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
## Using just the file name in the exclusion list
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
## Using a single exclusion list for multiple server workloads
Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
## Related articles

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
View File

@ -10,7 +10,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
@ -41,8 +40,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru
The following is a list of recommendations that you should keep in mind when defining exclusions:
- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
## Related articles

426
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
View File

@ -12,7 +12,6 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 10/21/2020
---
# Configure and validate exclusions based on file extension and folder location
@ -29,40 +28,37 @@ ms.date: 10/21/2020
## Exclusion lists
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
Exclusion | Examples | Exclusion list
---|---|---
Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
| Exclusion | Examples | Exclusion list |
|:---|:---|:---|
|Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions |
|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
Exclusion lists have the following characteristics:
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
> [!IMPORTANT]
> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
> - You cannot exclude mapped network drives. You must specify the actual network path.
> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
> [!IMPORTANT]
> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
@ -85,32 +81,30 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
4. Open the **Path Exclusions** setting for editing, and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
5. Choose **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
6. Double-click the **Extension Exclusions** setting and add the exclusions.
6. Open the **Extension Exclusions** setting for editing and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Under the **Options** section, select **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
7. Choose **OK**.
<a id="ps"></a>
@ -126,21 +120,21 @@ The format for the cmdlets is as follows:
The following are allowed as the `<cmdlet>`:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
| Configuration action | PowerShell cmdlet |
|:---|:---|
|Create or overwrite the list | `Set-MpPreference` |
|Add to the list | `Add-MpPreference` |
|Remove item from the list | `Remove-MpPreference` |
The following are allowed as the `<exclusion list>`:
Exclusion type | PowerShell parameter
---|---
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
| Exclusion type | PowerShell parameter |
|:---|:---|
| All files with a specified file extension | `-ExclusionExtension` |
| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
> [!IMPORTANT]
> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension:
@ -175,29 +169,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
>[!IMPORTANT]
>There are key limitations and usage scenarios for these wildcards:
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
> [!IMPORTANT]
> There are key limitations and usage scenarios for these wildcards:
> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
> - You cannot use a wildcard in place of a drive letter.
> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
|:---------|:---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
> [!IMPORTANT]
> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
<a id="review"></a>
@ -205,273 +196,68 @@ The following table describes how the wildcards can be used and provides some ex
The following table lists and describes the system account environment variables.
<table border="0" cellspacing="0" cellpadding="20">
<thead>
<tr>
<th valign="top">System environment variables</th>
<th valign="top">Will redirect to:</th>
</tr>
</thead><tbody>
<tr>
<td valign="top">%APPDATA%</td>
<td valign="top">C:\Users\UserName.DomainName\AppData\Roaming</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Internet Explorer\Quick Launch</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu\Programs</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA% </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%ProgramData%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files </td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Windows Sidebar\Gadgets </td>
<td valign="top">C:\Program Files\Windows Sidebar\Gadgets</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files</td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)% </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)%\Common Files </td>
<td valign="top">C:\Program Files (x86)\Common Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%</td>
<td valign="top">C:</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files (x86) </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users </td>
<td valign="top">C:\Users</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users\Public</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%SystemRoot%</td>
<td valign="top"> C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%</td>
<td valign="top">C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%\Fonts</td>
<td valign="top">C:\Windows\Fonts</td>
</tr>
<tr>
<td valign="top">%windir%\Resources </td>
<td valign="top">C:\Windows\Resources</td>
</tr>
<tr>
<td valign="top">%windir%\resources\0409</td>
<td valign="top">C:\Windows\resources\0409</td>
</tr>
<tr>
<td valign="top">%windir%\system32</td>
<td valign="top">C:\Windows\System32</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Application Data</td>
<td valign="top">C:\ProgramData\Application Data</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents</td>
<td valign="top">C:\ProgramData\Documents</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music\Sample Music</td>
<td valign="top">
<p>C:\ProgramData\Documents\My Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music </td>
<td valign="top">C:\ProgramData\Documents\My Music</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures </td>
<td valign="top">
<p>C:\ProgramData\Documents\My Pictures
</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures </td>
<td valign="top">C:\ProgramData\Documents\My Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Videos </td>
<td valign="top">C:\ProgramData\Documents\My Videos</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\DeviceMetadataStore</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\GameExplorer</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Ringtones</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs </td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Templates </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Templates</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu </td>
<td valign="top">C:\ProgramData\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools </td>
<td valign="top">C:\ProgramData\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Templates </td>
<td valign="top">C:\ProgramData\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\History </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History</td>
</tr>
<tr>
<td valign="top">
<p>
%PUBLIC% </p>
</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\AccountPictures </td>
<td valign="top">C:\Users\Public\AccountPictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Desktop </td>
<td valign="top">C:\Users\Public\Desktop</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Documents </td>
<td valign="top">C:\Users\Public\Documents</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Downloads </td>
<td valign="top">C:\Users\Public\Downloads</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Music </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Playlists </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Playlists</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Pictures\Sample Pictures </td>
<td valign="top">C:\Users\Public\Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\RecordedTV.library-ms</td>
<td valign="top">C:\Users\Public\RecordedTV.library-ms</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos</td>
<td valign="top">C:\Users\Public\Videos</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos\Sample Videos</td>
<td valign="top">
<p>C:\Users\Public\Videos\Sample Videos</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%USERPROFILE% </td>
<td valign="top">C:\Windows\System32\config\systemprofile</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Local </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\LocalLow </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\LocalLow</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Roaming </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming</td>
</tr>
</tbody>
</table>
| This system environment variable... | Redirects to this |
|:--|:--|
| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%ProgramData%` | `C:\ProgramData` |
| `%ProgramFiles%` | `C:\Program Files` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
| `%SystemDrive%` | `C:` |
| `%SystemDrive%\Program Files` | `C:\Program Files` |
| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
| `%SystemDrive%\Users` | `C:\Users` |
| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
| `%SystemRoot%` | `C:\Windows` |
| `%windir%` | `C:\Windows` |
| `%windir%\Fonts` | `C:\Windows\Fonts` |
| `%windir%\Resources` | `C:\Windows\Resources` |
| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
| `%windir%\system32` | `C:\Windows\System32` |
| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
| `%PUBLIC%` | `C:\Users\Public` |
| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
## Review the list of exclusions
@ -490,7 +276,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun

16
windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
View File

@ -77,8 +77,6 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@ -106,11 +104,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true).
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender).
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI
ExclusionProcess
@ -118,7 +116,7 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
@ -154,8 +152,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
> [!NOTE]
> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
@ -166,7 +164,7 @@ Use the following cmdlet:
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
@ -177,7 +175,7 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Related articles

40
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -204,43 +204,11 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Hyper-V exclusions
This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
- File type exclusions:
- `*.vhd`
- `*.vhdx`
- `*.avhd`
- `*.avhdx`
- `*.vsv`
- `*.iso`
- `*.rct`
- `*.vmcx`
- `*.vmrs`
- Folder exclusions:
- `%ProgramData%\Microsoft\Windows\Hyper-V`
- `%ProgramFiles%\Hyper-V`
- `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
- `%Public%\Documents\Hyper-V\Virtual Hard Disks`
- Process exclusions:
- `%systemroot%\System32\Vmms.exe`
- `%systemroot%\System32\Vmwp.exe`
|File type exclusions |Folder exclusions | Process exclusions |
|:--|:--|:--|
| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
#### SYSVOL files

12
windows/security/threat-protection/microsoft-defender-atp/gov.md
View File

@ -40,14 +40,14 @@ The following OS versions are supported:
OS version | GCC | GCC High
:---|:---|:---
Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4490481)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4490481)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1909 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1903 (with [KB4586819](https://support.microsoft.com/help/4586819)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1809 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1803 | ![No](../images/svg/check-no.svg) Rolling out | ![Yes](../images/svg/check-yes.svg) With [KB4499183](https://support.microsoft.com/help/4499183)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported | ![No](../images/svg/check-no.svg)<br>Note: Will not be supported
Windows 10, version 1803 (with [KB4598245](https://support.microsoft.com/help/4598245)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows 10, version 1709 | ![No](../images/svg/check-no.svg)<br>Note: Won't be supported | ![Yes](../images/svg/check-yes.svg) With [KB4499147](https://support.microsoft.com/help/4499147)<br>Note: [Deprecated](https://docs.microsoft.com/lifecycle/announcements/revised-end-of-service-windows-10-1709), please upgrade
Windows 10, version 1703 and earlier | ![No](../images/svg/check-no.svg)<br>Note: Won't be supported | ![No](../images/svg/check-no.svg)<br>Note: Won't be supported
Windows Server 2019 (with [KB4586839](https://support.microsoft.com/help/4586839)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg)
Windows Server 2016 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
Windows Server 2012 R2 | ![No](../images/svg/check-no.svg) Rolling out | ![No](../images/svg/check-no.svg) In development
@ -100,7 +100,7 @@ GCC High | `https://login.microsoftonline.us` | `https://api-gov.securitycenter.
## Feature parity with commercial
Defender for Endpoint do not have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
Defender for Endpoint doesn't have complete parity with the commercial offering. While our goal is to deliver all commercial features and functionality to our US Government customers, there are some capabilities not yet available that we'd like to highlight.
These are the known gaps as of January 2021:

14
windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain.md
View File

@ -51,14 +51,14 @@ It's important to understand the following prerequisites prior to creating indic
> Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs.
> For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](network-protection.md) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement: <br>
> NOTE:
>- IP is supported for all three protocols
>- Only single IP addresses are supported (no CIDR blocks or IP ranges)
>- Encrypted URLs (full path) can only be blocked on first party browsers
>- Encrypted URLS (FQDN only) can be blocked outside of first party browsers
>- Full URL path blocks can be applied on the domain level and all unencrypted URLs
> - IP is supported for all three protocols
> - Only single IP addresses are supported (no CIDR blocks or IP ranges)
> - Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
> - Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
> - Full URL path blocks can be applied on the domain level and all unencrypted URLs
>[!NOTE]
>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
> [!NOTE]
> There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
### Create an indicator for IPs, URLs, or domains from the settings page

4
windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md
View File

@ -29,6 +29,10 @@ ms.topic: conceptual
> [!IMPORTANT]
> Support for macOS 10.13 (High Sierra) will be discontinued on February 15th, 2021.
## 101.19.21
- Bug fixes
## 101.15.26
- Improved the reliability of the agent when running on macOS 11 Big Sur

2
windows/whats-new/whats-new-windows-10-version-2004.md
View File

@ -212,7 +212,7 @@ You can now [rename your virtual desktops](https://docs.microsoft.com/windows-in
### Bluetooth pairing
Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/at-home/Whats-new-wip-at-home-20h1#improving-your-bluetooth-pairing-experience-build-18985).
Pairing Bluetooth devices with your computer will occur through notifications, so you won't need to go to the Settings app to finish pairing. Other improvements include faster pairing and device name display. For more information, see [Improving your Bluetooth pairing experience](https://docs.microsoft.com/windows-insider/archive/new-in-20h1#improving-your-bluetooth-pairing-experience-build-18985).
### Reset this PC