From 0a94ed372ed5b86195cd792208d0b38a524013b4 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 19:17:02 +0000 Subject: [PATCH 1/7] Added procedure for MpCmdRun --- ...file-exclusions-windows-defender-antivirus.md | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 8292217735..02edd111a4 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and validate exclusions based on file extension and folder location @@ -264,7 +264,7 @@ The following table describes how the wildcards can be used and provides some ex ## Review the list of exclusions -You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] >Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). @@ -276,7 +276,17 @@ If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) and later. + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: From 73ff21141139bcd9eaf01592c4d8e06e980d27fe Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 19:18:45 +0000 Subject: [PATCH 2/7] Added MpCmdRun procedure. --- ...e-exclusions-windows-defender-antivirus.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 320078778c..dcdd00f2e7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure exclusions for files opened by processes @@ -147,14 +147,25 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) and later. + + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -164,7 +175,7 @@ Get-MpPreference See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: From fac4e03c8419dd202e9400ced606c10900855a42 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 19:19:37 +0000 Subject: [PATCH 3/7] Differentiated procedure. --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 02edd111a4..cd2fd7160e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -300,7 +300,7 @@ In the following example, the items contained in the `ExclusionExtension` list a See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: From b2963d3401f7997823faf1d5714730f660535e60 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 20:20:24 +0000 Subject: [PATCH 4/7] Fix formatting --- ...igure-extension-file-exclusions-windows-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index cd2fd7160e..4ac4014cfb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -277,6 +277,7 @@ If you use PowerShell, you can retrieve the list in two ways: - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. **Validate the exclusion list by using MpCmdRun:** + To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS From e41f6c83f5f3ad64291d0603631c5fd5dbde5efa Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 20:20:58 +0000 Subject: [PATCH 5/7] Fixed formatting --- ...-process-opened-file-exclusions-windows-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index dcdd00f2e7..3b65a70016 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -155,6 +155,7 @@ If you use PowerShell, you can retrieve the list in two ways: - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. **Validate the exclusion list by using MpCmdRun:** + To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: ```DOS From e5dc75c1fafb9abc0ae541bd40c449d18e868701 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 22:34:24 +0000 Subject: [PATCH 6/7] Minor fix --- ...process-opened-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 3b65a70016..40785cfdec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -163,7 +163,7 @@ MpCmdRun.exe -CheckExclusion -path ``` >[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) and later. +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. **Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** From 07e8f6818ae7fbc78bcb727da87cac8117b2a8a6 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Mon, 10 Dec 2018 22:34:59 +0000 Subject: [PATCH 7/7] Minor fix --- ...gure-extension-file-exclusions-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 4ac4014cfb..a9db1100c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -285,7 +285,7 @@ MpCmdRun.exe -CheckExclusion -path ``` >[!NOTE] ->Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) and later. +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. **Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:**