From 51c4e2756359d920b5e33845138a6e70d7fdac70 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Tue, 14 Jul 2020 17:47:24 -0700 Subject: [PATCH 1/9] Added common mistakes section --- ...exclusions-microsoft-defender-antivirus.md | 118 ++++++++++++++++++ 1 file changed, 118 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 17b4284fa0..21244a7d3c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -564,6 +564,124 @@ If you do not have Internet access, you can create your own EICAR test file by w You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. +## Common mistakes to avoid when configuring exclusion lists +This section describes some common mistakes that you should avoid making when adding exclusions to Microsoft Defender Antivirus scans. + +### Excluding certain trusted items +If you trust a file, file type, folder, or a process, you can add that to the exclusion list for Microsoft Defender Antivirus scans. However, there are certain items that you should not exclude from scanning even though you trust them. + +The following lists provide the , including: +- Paths +- File extension +- Processes + +### Paths not to be excluded +The following table provides the paths that you should not add in the exclusion list: + +| File path | Comments | +|-----------| --------- | +|- %systemdrive%
- C:
- C:\
- C:\* | | +|- %ProgramFiles%\Java
- C:\Program Files\Java | | +|- %ProgramFiles%\Contoso\
- C:\Program Files\Contoso\ | It’s common to see applications and/or services have documentation to open up the whole folder and subfolders. | +|- %ProgramFiles(x86)%\Contoso\
- C:\Program Files (x86)\Contoso\ | It’s common to see applications and/or services have documentation to open up the whole folder and subfolders. | +|- C:\Temp
- C:\Temp\
- C:\Temp\* | | +|- C:\Users\
- C:\Users\* | | +|C:\Users\\AppData\Local\Temp\ | | +|C:\Users\\AppData\LocalLow\Temp\ | | +|C:\Users\\AppData\Roaming\Temp\ | | +|- %Windir%\Prefetch
- C:\Windows\Prefetch
- C:\Windows\Prefetch\
- C:\Windows\Prefetch\* | | +|- %Windir%\System32\Spool
- C:\Windows\System32\Spool | | +|C:\Windows\System32\CatRoot2 | | +|- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\* | | + +### File extensions that should not be excluded +The following is the list of file extensions that you should not add to the exclusion list: + +- .7zip +- .bat +- .bin +- .cab +- .cmd +- .com +- .cpl +- .dll +- .exe +- .fla +- .gif +- .gz +- .hta +- .inf +- .java +- .jar +- .job +- .jpeg +- .jpg +- .js +- .ko +- .ko.gz +- .msi +- .ocx +- .png +- .ps1 +- .py +- .rar +- .reg +- .scr +- .sys +- .tar +- .tmp +- .url +- .vbe +- .vbs +- .wsf +- .zip + +### Processes that should not be excluded +The following is the list of processes that should not be added to the exclusion list: +- AcroRd32.exe +- bitsadmin.exe +- excel.exe +- iexplore.exe +- java.exe +- outlook.exe +- psexec.exe +- powerpnt.exe +- powershell.exe +- schtasks.exe +- svchost.exe +- wmic.exe +- winword.exe +- wuauclt.exe +- addinprocess.exe +- addinprocess32.exe +- addinutil.exe +- bash.exe +- bginfo.exe[1] +- cdb.exe +- csi.exe +- dbghost.exe +- dbgsvc.exe +- dnx.exe +- fsi.exe +- fsiAnyCpu.exe +- kd.exe +- ntkd.exe +- lxssmanager.dll +- msbuild.exe[2] +- mshta.exe +- ntsd.exe +- rcsi.exe +- system.management.automation.dll +- windbg.exe + +### Using only the file name in the exclusion list +It is possible that a malware is named exactly same as the file that you trust and want to exclude from scanning. In such cases, to avoid excluding the malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. + +### On Server workloads, using a single exclusion for multiple exceptions + +Do not include every single application/service into just ‘1’ exclusion. You don’t want to include exceptions for IIS on your SQL server, or File Server, etc. You should split different application/service workloads to multiple exceptions. 
+ + ## Related topics - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) From dc0e82669b0ef1e10a5520081f87ce4de11c0ac0 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 15 Jul 2020 16:51:32 -0700 Subject: [PATCH 2/9] more updates --- ...exclusions-microsoft-defender-antivirus.md | 36 ++++++++----------- ...emediation-microsoft-defender-antivirus.md | 4 +-- 2 files changed, 17 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 21244a7d3c..e203735345 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -199,9 +199,9 @@ The following table describes how the wildcards can be used and provides some ex -### System environmental variables +### System environment variables -The following table lists and describes the system account environmental variables. +The following table lists and describes the system account environment variables. 
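Review bot: In the single hunk of patch 1/9, the sentence "The following lists provide the , including:" has lost its object and should read something like "The following lists provide the items that you should not exclude, including:". Three more fixes in the same hunk: the rows "|C:\Users\\AppData\Local\Temp\ | |" (and the LocalLow and Roaming rows) render as C:\Users\AppData\..., so the user-profile segment has been swallowed, most likely because a `<username>` placeholder was parsed as an HTML tag; wrap the path in backticks or escape the angle brackets. "- bginfo.exe[1]" and "- msbuild.exe[2]" reference footnotes that the hunk never defines. Under "### Processes that should not be excluded", lxssmanager.dll and system.management.automation.dll are DLLs rather than processes, so either qualify the heading or move them to a separate sentence. Minor: ".7zip" is not the extension 7-Zip archives use (it is .7z), and "a malware is named exactly same as the file" reads better as "a malicious file may have exactly the same name as the file".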
@@ -564,21 +564,17 @@ If you do not have Internet access, you can create your own EICAR test file by w You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. -## Common mistakes to avoid when configuring exclusion lists -This section describes some common mistakes that you should avoid making when adding exclusions to Microsoft Defender Antivirus scans. +## Common mistakes to avoid when defining exclusions +This section describes some common mistakes that you should avoid making when defining exclusions for Microsoft Defender Antivirus scans. ### Excluding certain trusted items If you trust a file, file type, folder, or a process, you can add that to the exclusion list for Microsoft Defender Antivirus scans. However, there are certain items that you should not exclude from scanning even though you trust them. -The following lists provide the , including: -- Paths -- File extension -- Processes +The following lists contain the items that you should not add as exclusions. -### Paths not to be excluded -The following table provides the paths that you should not add in the exclusion list: +**Do not add exclusions for the following folder locations:** -| File path | Comments | +| Folder location | Comments | |-----------| --------- | |- %systemdrive%
- C:
- C:\
- C:\* | | |- %ProgramFiles%\Java
- C:\Program Files\Java | | @@ -594,9 +590,7 @@ The following table provides the paths that you should not add in the exclusion |C:\Windows\System32\CatRoot2 | | |- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\* | | -### File extensions that should not be excluded -The following is the list of file extensions that you should not add to the exclusion list: - +**Do not add exclusions for the following file extensions:** - .7zip - .bat - .bin @@ -636,8 +630,7 @@ The following is the list of file extensions that you should not add to the excl - .wsf - .zip -### Processes that should not be excluded -The following is the list of processes that should not be added to the exclusion list: +**Do not add exclusions for the following processes:** - AcroRd32.exe - bitsadmin.exe - excel.exe 
@@ -674,13 +667,14 @@ The following is the list of processes that should not be added to the exclusion - system.management.automation.dll - windbg.exe -### Using only the file name in the exclusion list -It is possible that a malware is named exactly same as the file that you trust and want to exclude from scanning. In such cases, to avoid excluding the malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`. +### Using just the file name in the exclusion list +It is possible that the name of a malware is same as the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. -### On Server workloads, using a single exclusion for multiple exceptions - -Do not include every single application/service into just ‘1’ exclusion. You don’t want to include exceptions for IIS on your SQL server, or File Server, etc. You should split different application/service workloads to multiple exceptions. +### Using a single exclusion for multiple exceptions on Server workloads +Do not include every application or service into a single exclusion. You don’t want to include exceptions for IIS on your SQL server, or File Server, etc. You should split different application and service workloads into multiple exceptions. 
+### Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists +Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the "system" environment variable instead of the "user" environment variable. Therefore, you must use "system" environment variables when defining Microsoft Defender Antivirus folder or process exclusions. See the table under [System environment variables](#system-environment-variables) for a complete list of system account environment variables. ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md index f8ac6071ef..65400ddb8c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md @@ -54,9 +54,9 @@ Threats | Specify threats upon which default action should not be taken when det > [!IMPORTANT] > Microsoft Defender Antivirus detects and remediates files based on many factors. Sometimes, completing a remediation requires a reboot. Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed. ->

+> > If you are certain Microsoft Defender Antivirus quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Microsoft Defender Antivirus](restore-quarantined-files-microsoft-defender-antivirus.md). ->

+> > To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md). Also see [Configure remediation-required scheduled full Microsoft Defender Antivirus scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md#remed) for more remediation-related settings. From ee4cd4131bfe4740f4ba3f7798d1f115adc0c297 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Wed, 15 Jul 2020 17:25:44 -0700 Subject: [PATCH 3/9] updates --- ...ion-file-exclusions-microsoft-defender-antivirus.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index e203735345..714afa6ea3 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -570,8 +570,6 @@ This section describes some common mistakes that you should avoid making when de ### Excluding certain trusted items If you trust a file, file type, folder, or a process, you can add that to the exclusion list for Microsoft Defender Antivirus scans. However, there are certain items that you should not exclude from scanning even though you trust them. -The following lists contain the items that you should not add as exclusions. - **Do not add exclusions for the following folder locations:** | Folder location | Comments | 
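Review bot: Renaming the heading in the first hunk of patch 2/9 from "-### System environmental variables" to "+### System environment variables" also changes its auto-generated anchor from #system-environmental-variables to #system-environment-variables, so any existing inbound link to the old anchor elsewhere in the docset will break; grep for the old anchor before merging. The new "[System environment variables](#system-environment-variables)" link added later in this patch already uses the new form, so only links outside this file are at risk.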
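Review bot: In the "@@ -674,13 +667,14 @@" hunk of patch 2/9, switching the example path from `C:\program files\contoso\Filename.exe` in backticks to "**C:\program files\contoso\Filename.exe**" in bold drops the code formatting this article uses for paths and exposes the backslashes to Markdown escaping; keep the backticks. In the same hunk, "the name of a malware is same as the file" needs an article ("the same as that of the file"), and the new environment-variables paragraph should refer to "system environment variables" in the plural rather than "the "system" environment variable", since the service reads the whole environment block of the LocalSystem account, not a single variable.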
@@ -668,13 +666,13 @@ The following lists contain the items that you should not add as exclusions. - windbg.exe ### Using just the file name in the exclusion list -It is possible that the name of a malware is same as the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. -### Using a single exclusion for multiple exceptions on Server workloads -Do not include every application or service into a single exclusion. You don’t want to include exceptions for IIS on your SQL server, or File Server, etc. You should split different application and service workloads into multiple exceptions. +### Using a single exclusion for multiple server workloads +Do not add every application or service into a single exclusion. For example, do not add exclusions for IIS to your SQL server or File server exclusions. On server workloads, split different application and service workloads into multiple exclusions. ### Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists -Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the "system" environment variable instead of the "user" environment variable. 
Therefore, you must use "system" environment variables when defining Microsoft Defender Antivirus folder or process exclusions. See the table under [System environment variables](#system-environment-variables) for a complete list of system account environment variables. +Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the system environment variable instead of the user environment variable. Environment variable usage as a wildcard is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](#system-environment-variables) for a complete list of system account environment variables. ## Related topics From 7181c128e79a0076192bf1af452d3c1baea06b9d Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 16 Jul 2020 17:48:52 -0700 Subject: [PATCH 4/9] Converted common mistakes topic to a new topic --- ...n-mistakes-microsoft-defender-antivirus.md | 148 ++++++++++++++++++ 1 file changed, 148 insertions(+) create mode 100644 windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md new file mode 100644 index 0000000000..c4e8740b49 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md 
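Review bot: In the "@@ -668,13 +666,13 @@" hunk of patch 3/9, "A malware may have the same name as that of the file" still treats malware as a countable noun; "A malicious file may have the same name as the file" reads correctly. The added sentence "Environment variable usage as a wildcard is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account" is the key security point of the section, and it would help to state the concrete failure mode: a per-user variable such as %USERPROFILE% or %APPDATA% expanded in the LocalSystem context resolves to the system profile rather than the intended user's folder, so the exclusion silently applies to the wrong location while the administrator believes it is in effect.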
@@ -0,0 +1,148 @@ +--- +title: Common mistakes to avoid when defining exclusions +description: Avoid common mistakes when defining exclusions for Microsoft Defender Antivirus scans. +keywords: exclusions, files, extension, file type, folder name, file name, scans +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: denisebmsft +ms.author: deniseb +ms.custom: nextgen +ms.reviewer: +manager: dansimp +--- + +# Common mistakes to avoid when defining exclusions +This article describes some common mistakes that you should avoid when defining exclusions for Microsoft Defender Antivirus scans. + +## Excluding certain trusted items +There are certain file, file type, folder, or a process that you should not exclude from scanning even though you trust them. Refer to the following section for items that you should not exclude from scanning. + +**Do not add exclusions for the following folder locations:** + +- %systemdrive% +- C: +- C:\ +- C:\* +- %ProgramFiles%\Java +- C:\Program Files\Java +- %ProgramFiles%\Contoso\ +- C:\Program Files\Contoso\ +- %ProgramFiles(x86)%\Contoso\ +- C:\Program Files (x86)\Contoso\ +- C:\Temp +- C:\Temp\ +- C:\Temp\* +- C:\Users\ +- C:\Users\* +- C:\Users\\AppData\Local\Temp\ +- C:\Users\\AppData\LocalLow\Temp\ +- C:\Users\\AppData\Roaming\Temp\ +- %Windir%\Prefetch +- C:\Windows\Prefetch +- C:\Windows\Prefetch\ +- C:\Windows\Prefetch\* +- %Windir%\System32\Spool +- C:\Windows\System32\Spool +- C:\Windows\System32\CatRoot2 +- %Windir%\Temp +- C:\Windows\Temp +- C:\Windows\Temp\ +- C:\Windows\Temp\* + +**Do not add exclusions for the following file extensions:** +- .7zip +- .bat +- .bin +- .cab +- .cmd +- .com +- .cpl +- .dll +- .exe +- .fla +- .gif +- .gz +- .hta +- .inf +- .java +- .jar +- .job +- .jpeg +- .jpg +- .js +- .ko +- .ko.gz +- .msi +- .ocx +- .png +- .ps1 +- .py +- .rar +- .reg +- .scr +- .sys +- .tar +- 
.tmp +- .url +- .vbe +- .vbs +- .wsf +- .zip + +**Do not add exclusions for the following processes:** +- AcroRd32.exe +- bitsadmin.exe +- excel.exe +- iexplore.exe +- java.exe +- outlook.exe +- psexec.exe +- powerpnt.exe +- powershell.exe +- schtasks.exe +- svchost.exe +- wmic.exe +- winword.exe +- wuauclt.exe +- addinprocess.exe +- addinprocess32.exe +- addinutil.exe +- bash.exe +- bginfo.exe[1] +- cdb.exe +- csi.exe +- dbghost.exe +- dbgsvc.exe +- dnx.exe +- fsi.exe +- fsiAnyCpu.exe +- kd.exe +- ntkd.exe +- lxssmanager.dll +- msbuild.exe[2] +- mshta.exe +- ntsd.exe +- rcsi.exe +- system.management.automation.dll +- windbg.exe + +## Using just the file name in the exclusion list +A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. + +## Using a single exclusion for multiple server workloads +Do not use a single exclusion list to define exclusions for multiple server workloads. On Server workloads, split the different application or service workloads into multiple exceptions. For example, create separate exclusion lists for workloads on IIS Server and File Server. + +## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists +Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the system environment variable instead of the user environment variable. Environment variable usage as a wildcard is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. 
Therefore, do not use user environment variables when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system account environment variables. + +## Related topics + +- [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions based on file extension and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) +- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) +- [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) From 48fc020bf4460f73cadfc0e48a4d44ce19cddc6b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 Jul 2020 09:49:42 -0700 Subject: [PATCH 5/9] more updates --- windows/security/threat-protection/TOC.md | 2 +- ...lusion-mistakes-microsoft-defender-antivirus.md | 14 +++++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 666cf8cb70..8285168070 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md 
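Review bot: In the new-file hunk of patch 4/9, converting the folder table into a flat list drops the "Comments" column, so the rows "- %ProgramFiles%\Contoso\" and "- C:\Program Files\Contoso\" now appear without the explanation that Contoso is a placeholder vendor name and that the mistake is excluding a vendor's whole folder tree because its documentation asks for it; keep that comment as a sentence under the list. Also in this hunk: the front matter sets "ms.pagetype: security" twice; "There are certain file, file type, folder, or a process that you should not exclude" needs plurals; the "- C:\Users\\AppData\Local\Temp\" entries (and the LocalLow and Roaming ones) have lost the user-name placeholder; "- bginfo.exe[1]" and "- msbuild.exe[2]" reference footnotes that do not exist in the new file; and "split the different application or service workloads into multiple exceptions" uses "exceptions" where the rest of the article says "exclusions".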
@@ -153,7 +153,7 @@ ####### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md) ####### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) ####### [Configure antivirus exclusions Windows Server 2016](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md) - +####### [Common mistakes when defining exclusions](microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md) ###### [Configure scanning antivirus options](microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md) ###### [Configure remediation for scans](microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md) ###### [Configure scheduled scans](microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index c4e8740b49..f0cac112ec 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md 
@@ -17,10 +17,13 @@ manager: dansimp --- # Common mistakes to avoid when defining exclusions -This article describes some common mistakes that you should avoid when defining exclusions for Microsoft Defender Antivirus scans. +You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. +See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) for more information. + +This article describes some common mistakes that you should avoid when defining exclusions from Microsoft Defender Antivirus scans. ## Excluding certain trusted items -There are certain file, file type, folder, or a process that you should not exclude from scanning even though you trust them. Refer to the following section for items that you should not exclude from scanning. +There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. **Do not add exclusions for the following folder locations:** 
@@ -134,11 +137,12 @@ There are certain file, file type, folder, or a process that you should not excl ## Using just the file name in the exclusion list A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. -## Using a single exclusion for multiple server workloads -Do not use a single exclusion list to define exclusions for multiple server workloads. On Server workloads, split the different application or service workloads into multiple exceptions. For example, create separate exclusion lists for workloads on IIS Server and File Server. +## Using a single exclusion list for multiple server workloads +Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload. ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists -Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the system environment variable instead of the user environment variable. Environment variable usage as a wildcard is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables when adding Microsoft Defender Antivirus folder and process exclusions. 
See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system account environment variables. +Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables. +See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists. ## Related topics From 9efb1f53f6fd72723a8bccf107e4cb494cfafeb7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Fri, 17 Jul 2020 09:50:38 -0700 Subject: [PATCH 6/9] Removed common mistake section --- ...exclusions-microsoft-defender-antivirus.md | 110 ------------------ 1 file changed, 110 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 714afa6ea3..30f77a7b34 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md 
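Review bot: In the first hunk of patch 5/9 (TOC.md), the new entry is titled "Common mistakes when defining exclusions" while the article's H1 is "Common mistakes to avoid when defining exclusions"; align the two so the TOC and page title match.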
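Review bot: In the "@@ -17,10 +17,13 @@" hunk of patch 5/9, "trust them to be not malicious" should be "trust them not to be malicious", and "Such excluded items could contain threats that make your device vulnerable" states the risk more precisely as "Excluded items are not scanned, so a threat in an excluded location goes undetected".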
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md @@ -564,116 +564,6 @@ If you do not have Internet access, you can create your own EICAR test file by w You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude. -## Common mistakes to avoid when defining exclusions -This section describes some common mistakes that you should avoid making when defining exclusions for Microsoft Defender Antivirus scans. - -### Excluding certain trusted items -If you trust a file, file type, folder, or a process, you can add that to the exclusion list for Microsoft Defender Antivirus scans. However, there are certain items that you should not exclude from scanning even though you trust them. - -**Do not add exclusions for the following folder locations:** - -| Folder location | Comments | -|-----------| --------- | -|- %systemdrive%
- C:
- C:\
- C:\* | | -|- %ProgramFiles%\Java
- C:\Program Files\Java | | -|- %ProgramFiles%\Contoso\
- C:\Program Files\Contoso\ | It’s common to see applications and/or services have documentation to open up the whole folder and subfolders. | -|- %ProgramFiles(x86)%\Contoso\
- C:\Program Files (x86)\Contoso\ | It’s common to see applications and/or services have documentation to open up the whole folder and subfolders. | -|- C:\Temp
- C:\Temp\
- C:\Temp\* | | -|- C:\Users\
- C:\Users\* | | -|C:\Users\\AppData\Local\Temp\ | | -|C:\Users\\AppData\LocalLow\Temp\ | | -|C:\Users\\AppData\Roaming\Temp\ | | -|- %Windir%\Prefetch
- C:\Windows\Prefetch
- C:\Windows\Prefetch\
- C:\Windows\Prefetch\* | | -|- %Windir%\System32\Spool
- C:\Windows\System32\Spool | | -|C:\Windows\System32\CatRoot2 | | -|- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\* | | - -**Do not add exclusions for the following file extensions:** -- .7zip -- .bat -- .bin -- .cab -- .cmd -- .com -- .cpl -- .dll -- .exe -- .fla -- .gif -- .gz -- .hta -- .inf -- .java -- .jar -- .job -- .jpeg -- .jpg -- .js -- .ko -- .ko.gz -- .msi -- .ocx -- .png -- .ps1 -- .py -- .rar -- .reg -- .scr -- .sys -- .tar -- .tmp -- .url -- .vbe -- .vbs -- .wsf -- .zip - -**Do not add exclusions for the following processes:** -- AcroRd32.exe -- bitsadmin.exe -- excel.exe -- iexplore.exe -- java.exe -- outlook.exe -- psexec.exe -- powerpnt.exe -- powershell.exe -- schtasks.exe -- svchost.exe -- wmic.exe -- winword.exe -- wuauclt.exe -- addinprocess.exe -- addinprocess32.exe -- addinutil.exe -- bash.exe -- bginfo.exe[1] -- cdb.exe -- csi.exe -- dbghost.exe -- dbgsvc.exe -- dnx.exe -- fsi.exe -- fsiAnyCpu.exe -- kd.exe -- ntkd.exe -- lxssmanager.dll -- msbuild.exe[2] -- mshta.exe -- ntsd.exe -- rcsi.exe -- system.management.automation.dll -- windbg.exe - -### Using just the file name in the exclusion list -A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**. - -### Using a single exclusion for multiple server workloads -Do not add every application or service into a single exclusion. For example, do not add exclusions for IIS to your SQL server or File server exclusions. On server workloads, split different application and service workloads into multiple exclusions. 
- -### Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists -Microsoft Defender Antivirus Service runs as a Local System account, which means it gets information from the system environment variable instead of the user environment variable. Environment variable usage as a wildcard is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](#system-environment-variables) for a complete list of system account environment variables. - ## Related topics - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) From f219a4b8706d2b1d8ec9d0932fd231e7d5ee58e3 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 20 Jul 2020 13:07:00 -0700 Subject: [PATCH 7/9] more updates --- ...sion-mistakes-microsoft-defender-antivirus.md | 5 ++++- ...re-exclusions-microsoft-defender-antivirus.md | 16 +++++++++++++--- ...le-exclusions-microsoft-defender-antivirus.md | 1 + ...le-exclusions-microsoft-defender-antivirus.md | 1 + 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md index f0cac112ec..bbdf9fc0e5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md 
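Review bot: the footnote markers on `bginfo.exe[1]` and `msbuild.exe[2]` in the process list point at nothing; no `[1]`/`[2]` definitions exist anywhere in this hunk, so either add the footnotes (presumably stating the condition under which those two binaries warrant an exception) or drop the markers. Two related documentation gaps in the same hunk: the Comments column is empty for every row visible here (`C:\Windows\Prefetch`, `%Windir%\System32\Spool`, `C:\Windows\System32\CatRoot2`, `%Windir%\Temp`), so the reader is told not to exclude these paths without being told why, and `lxssmanager.dll` and `system.management.automation.dll` are listed under "Do not add exclusions for the following processes" although they are DLLs, not processes; consider "processes and modules" or a short clarifying sentence. Please also confirm `.7zip` is the intended extension rather than `.7z`. Minor wording in the "Using just the file name" section: "A malware may have the same name as that of the file that you trust" reads better as "Malware may have the same name as a file that you trust", and "a potential malware" as "potential malware".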
@@ -20,7 +20,7 @@ manager: dansimp You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. Such excluded items could contain threats that make your device vulnerable. See [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) for more information. -This article describes some common mistakes that you should avoid when defining exclusions from Microsoft Defender Antivirus scans. +Also, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. ## Excluding certain trusted items There are certain files, file types, folders, or processes that you should not exclude from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning. @@ -97,6 +97,9 @@ There are certain files, file types, folders, or processes that you should not e - .wsf - .zip +>[!NOTE] +> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities. + **Do not add exclusions for the following processes:** - AcroRd32.exe - bitsadmin.exe diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md index 78dd9f20a7..d0b737f37f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md 
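Review bot: in the `@@ -20,7` hunk, replacing "This article describes some common mistakes that you should avoid when defining exclusions from Microsoft Defender Antivirus scans." with the cross-reference drops the article's only statement of scope; keep the purpose sentence and add the "Also, see [Recommendations for defining exclusions]..." sentence after it rather than in its place. In the `@@ -97,6` hunk the new admonition has a typo ("You can chose" should be "You can choose"), a stray article ("has a modern, up-to-date software" should be "has modern, up-to-date software"), and the callout syntax lacks the space after `>` used elsewhere in these docs (`> [!NOTE]`). Since this note sits directly under a list headed "Do not add exclusions for the following file extensions" and then permits `.gif`, `.jpg`, `.jpeg`, `.png`, it should state the condition more precisely, for example that the exception applies only when the software that opens those files is kept current under a strict update policy, so the two statements do not read as contradictory.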
@@ -25,13 +25,23 @@ manager: dansimp You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection. ->[!WARNING] ->Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +## Recommendations for defining exclusions +Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious. +The following is a list of recommendations that you should keep in mind when defining exclusions: +- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc. +- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process. +- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate. +- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. 
You should be able to provide answer with specific reasoning as to why a certain path was excluded. + +## Configure and validate exclusions + +To configure and validate exclusions, see the following: - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location. - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md). This enables you to exclude files from scans that have been opened by a specific process. ## Related articles -[Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) \ No newline at end of file +- [Microsoft Defender Antivirus exclusions on Windows Server 2016](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index 30f77a7b34..a474f7f68a 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md 
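Review bot: converting the `> [!WARNING]` callout into plain body text under the new "Recommendations for defining exclusions" heading removes the visual emphasis on "Defining exclusions lowers the protection offered by Microsoft Defender Antivirus"; suggest keeping the warning callout as the first element of the new section and placing the bullet list after it. In the first bullet, the phrase "has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc." is not a parallel list; something like "has appropriate access-control lists (ACLs) and audit policy in place, and is handled only by up-to-date software" reads correctly. In the last bullet, "provide answer with specific reasoning" needs an article ("provide an answer"). The new Related articles list still ends with `\ No newline at end of file`; add the trailing newline while touching this section.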
@@ -569,3 +569,4 @@ You can also copy the string into a blank text file and attempt to save it with - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index ffe624dd8e..8ded21f66b 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md 
@@ -194,5 +194,6 @@ See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](u - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md) +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) From 482523084fefada52d322b5f651e94d4c4b00b52 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 20 Jul 2020 13:48:50 -0700 Subject: [PATCH 8/9] Added xrefs --- ...tension-file-exclusions-microsoft-defender-antivirus.md | 2 +- ...-opened-file-exclusions-microsoft-defender-antivirus.md | 2 +- ...igure-server-exclusions-microsoft-defender-antivirus.md | 7 ++----- 3 files changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md index a474f7f68a..5074fb8a80 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md 
@@ -32,7 +32,7 @@ You can exclude certain files from Microsoft Defender Antivirus scans by modifyi > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. -This article describes how to configure exclusion lists for the files and folders. +This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. Exclusion | Examples | Exclusion list ---|---|--- diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md index 8ded21f66b..9fb92406dc 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md @@ -22,7 +22,7 @@ manager: dansimp - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. +You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. This topic describes how to configure exclusion lists for the following: 
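Review bot: in the `@@ -32,7` hunk the sentence being extended still reads "configure exclusion lists for the files and folders"; since the line is already being changed, drop "the" ("for files and folders"). Across the two hunks the intro sentences are inconsistent ("This article describes" in the extension-file page versus "This topic describes" in the process-opened-file page); pick one term, since both pages now carry the same added cross-reference sentence and are clearly meant to read in parallel.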
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 59e059aeb5..3365f5ccee 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md 
@@ -43,7 +43,7 @@ In addition to server role-defined automatic exclusions, you can add or remove c ## Opt out of automatic exclusions -In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. +In Windows Server 2016 and 2019, the predefined exclusions delivered by Security intelligence updates only exclude the default paths for a role or feature. If you installed a role or feature in a custom path, or you want to manually control the set of exclusions, make sure to opt out of the automatic exclusions delivered in Security intelligence updates. But keep in mind that the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists. > [!WARNING] > Opting out of automatic exclusions may adversely impact performance, or result in data corruption. The exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles. 
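Review bot: the paragraph this hunk extends already ends with "the exclusions that are delivered automatically are optimized for Windows Server 2016 and 2019 roles", and the unchanged `> [!WARNING]` immediately below repeats that same sentence verbatim; appending a third sentence makes the paragraph long enough that the duplication stands out. Suggest removing the repeated sentence from the paragraph (the warning callout is the right place for it) and keeping only the new "See [Recommendations for defining exclusions]..." pointer there.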
@@ -401,11 +401,8 @@ This section lists the folder exclusions that are delivered automatically when y ## Related articles - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) - +- - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md) From 7ac6604793a392c9c96f49c5252b1e75d0f8c786 Mon Sep 17 00:00:00 2001 From: Manika Dhiman Date: Wed, 22 Jul 2020 08:19:34 -0700 Subject: [PATCH 9/9] Update configure-server-exclusions-microsoft-defender-antivirus.md Removed an extra bullet --- .../configure-server-exclusions-microsoft-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 3365f5ccee..756e4191f5 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md 
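Review bot: the added line `+- - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)` has a doubled list marker (`- -`), which renders as a nested bullet containing a literal "-"; it should be `- [Common mistakes ...]` to match the other items. Removing the blank lines between list items in the same hunk is fine and matches the Related articles lists in the other pages touched by this series.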
@@ -403,6 +403,6 @@ This section lists the folder exclusions that are delivered automatically when y - [Configure and validate exclusions for Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-microsoft-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md) -- - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) +- [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md) - [Customize, initiate, and review the results of Microsoft Defender Antivirus scans and remediation](customize-run-review-remediate-scans-microsoft-defender-antivirus.md) - [Microsoft Defender Antivirus in Windows 10](microsoft-defender-antivirus-in-windows-10.md)
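Review bot: this corrects the `- -` marker introduced in PATCH 8/9 and the resulting list is consistent with the other Related articles lists in the series; since the patch only repairs the previous one, consider squashing it into PATCH 8/9 so the doubled bullet never appears in history.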