From 76a3984e39040260e6fdc8e3ab9ff0585234cc2b Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Mar 2020 12:43:08 -0700 Subject: [PATCH 1/4] WDAV fixes --- ...e-exclusions-windows-defender-antivirus.md | 2 +- ...e-exclusions-windows-defender-antivirus.md | 75 +++++++------------ 2 files changed, 26 insertions(+), 51 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 03cf88d610..e0805ca3fb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -12,7 +12,7 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 02/05/2020 +ms.date: 03/12/2020 ms.reviewer: manager: dansimp --- diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 7f217bed68..8135fb28a9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/10/2018 ms.reviewer: manager: dansimp --- 
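Review bot: The `ms.date` front-matter field is handled inconsistently across the two files in this patch: configure-exclusions-windows-defender-antivirus.md has it bumped to 03/12/2020, while configure-extension-file-exclusions-windows-defender-antivirus.md has the line deleted outright (`-ms.date: 12/10/2018` with no replacement). If dropping the field is intended, do the same in both files; otherwise add an updated date to the second file so readers can still tell how current the exclusion guidance is.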
@@ -33,7 +32,7 @@ You can exclude certain files from Windows Defender Antivirus scans by modifying > [!NOTE] > Automatic exclusions apply only to Windows Server 2016 and above. The default antimalware policy we deploy at Microsoft doesn't set any exclusions by default. -This topic describes how to configure exclusion lists for the files and folders. +This article describes how to configure exclusion lists for the files and folders. Exclusion | Examples | Exclusion list ---|---|--- 
@@ -90,21 +89,22 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// 3. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**. -4. Double-click the **Path Exclusions** setting and add the exclusions: +4. Double-click the **Path Exclusions** setting and add the exclusions. - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. + - Set the option to **Enabled**. + - Under the **Options** section, click **Show...**. + - Specify each folder on its own line under the **Value name** column. + - If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column. 5. Click **OK**. ![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png) -6. Double-click the **Extension Exclusions** setting and add the exclusions: +6. Double-click the **Extension Exclusions** setting and add the exclusions. - 1. Set the option to **Enabled**. - 2. Under the **Options** section, click **Show...**. - 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. + - Set the option to **Enabled**. + - Under the **Options** section, click **Show...**. + - Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column. 7. Click **OK**. 
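Review bot: In step 4 (Path Exclusions), splitting the old sub-step 3 into two bullets leaves "Enter **0** in the **Value** column." attached only to the bullet about files, so it now reads as if folder entries need no value. Give that sentence its own bullet so it clearly applies to every entry, and use one verb for both steps (step 4 now says "Specify", step 6 still says "Enter"). The sub-items are sequential actions in a dialog, so replacing the numbered list with `-` bullets also drops ordering the reader was relying on.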
@@ -116,13 +116,13 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). -The format for the cmdlets is: +The format for the cmdlets is as follows: ```PowerShell - "" ``` -The following are allowed as the \: +The following are allowed as the ``: Configuration action | PowerShell cmdlet ---|--- @@ -130,7 +130,7 @@ Create or overwrite the list | `Set-MpPreference` Add to the list | `Add-MpPreference` Remove item from the list | `Remove-MpPreference` -The following are allowed as the \: +The following are allowed as the ``: Exclusion type | PowerShell parameter ---|--- @@ -168,6 +168,7 @@ For more information, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.c See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. + ## Use wildcards in the file name and folder path or extension exclusion lists You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations. 
@@ -180,43 +181,17 @@ You can use the asterisk `*`, question mark `?`, or environment variables (such >- An asterisk `*` in a folder exclusion will stand in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names. The following table describes how the wildcards can be used and provides some examples. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
WildcardUse in file name and file extension exclusionsUse in folder exclusionsExample useExample matches
* (asterisk)Replaces any number of characters.
Only applies to files in the last folder defined in the argument.
Replaces a single folder.
Use multiple * with folder slashes \ to indicate multiple, nested folders.
After matching the number of wild carded and named folders, all subfolders will also be included.
-
    -
  1. C:\MyData\*.txt
  2. -
  3. C:\somepath\*\Data
  4. -
  5. C:\Serv\*\*\Backup -
-
-
    -
  1. C:\MyData\notes.txt
  2. -
  3. Any file in: -
      -
    • C:\somepath\Archives\Data and its subfolders
    • -
    • C:\somepath\Authorized\Data and its subfolders
    • -
    -
  4. Any file in: -
      -
    • C:\Serv\Primary\Denied\Backup and its subfolders
    • -
    • C:\Serv\Secondary\Allowed\Backup and its subfolders
    • -
    -
-
+ + +|Wildcard |Examples | +|---------|---------| +|`*` (asterisk)

In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | +|`?` (question mark) | | +|Row3 | | +|Row4 | | +|Row5 | | + + ? (question mark)
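Review bot: The new Markdown table is committed half finished: the `?` (question mark) row has an empty Examples cell, `|Row3 | |`, `|Row4 | |` and `|Row5 | |` are template placeholders, and the hunk ends with a stray `? (question mark)` line. Finish the conversion in this patch or squash it with the follow-up, so that no intermediate revision publishes incomplete wildcard guidance. In the `*` row, "file name and file extension inclusions" and "would include" should read as exclusions and "would exclude", because the reader is deciding what the scanner skips and the inverted wording invites misconfiguration. The code spans should also end at the path, for example `C:\somepath\Archives\Data` and its subfolders, rather than wrapping "and its subfolders" inside the backticks.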
From 15e437bab94c6a3d0b26244eb0d136ad542cc18e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Mar 2020 16:44:06 -0700 Subject: [PATCH 2/4] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...e-exclusions-windows-defender-antivirus.md | 54 ++----------------- 1 file changed, 5 insertions(+), 49 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 8135fb28a9..a0c707ea60 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -186,60 +186,16 @@ The following table describes how the wildcards can be used and provides some ex |Wildcard |Examples | |---------|---------| |`*` (asterisk)

In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple, nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`

`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders`

`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` | -|`?` (question mark) | | -|Row3 | | -|Row4 | | -|Row5 | | - - - ? (question mark) -
- Replaces a single character.
- Only applies to files in the last folder defined in the argument. -
- Replaces a single character in a folder name.
- After matching the number of wild carded and named folders, all subfolders will also be included. -
-
    -
  1. C:\MyData\my?.zip
  2. -
  3. C:\somepath\?\Data
  4. -
  5. C:\somepath\test0?\Data
  6. -
-
-
    -
  1. C:\MyData\my1.zip
  2. -
  3. Any file in C:\somepath\P\Data and its subfolders
  4. -
  5. Any file in C:\somepath\test01\Data and its subfolders
  6. -
-
Environment variablesThe defined variable will be populated as a path when the exclusion is evaluated.Same as file and extension use. -
    -
  1. %ALLUSERSPROFILE%\CustomLogFiles
  2. -
-
-
    -
  1. C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  2. -
-
+|`?` (question mark)

In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument.

In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my` would include `C:\MyData\my1.zip`

`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders

`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders | +|Environment variables

The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` | + >[!IMPORTANT] >If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders. > ->For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument c:\data\\\*\marked\date*.\*. +>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`. > ->This argument, however, will not match any files in **subfolders** under `c:\data\final\marked` or `c:\data\review\marked`. +>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`. From 8b2803b0be07bf471e0693da018c39481cc329eb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Mar 2020 16:44:37 -0700 Subject: [PATCH 3/4] Update configure-extension-file-exclusions-windows-defender-antivirus.md --- ...e-extension-file-exclusions-windows-defender-antivirus.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index a0c707ea60..10c52c2aba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md 
@@ -292,7 +292,4 @@ You can also copy the string into a blank text file and attempt to save it with - [Configure and validate exclusions in Windows Defender Antivirus scans](configure-exclusions-windows-defender-antivirus.md) - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) -- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) -- [Customize, initiate, and review the results of Windows Defender Antivirus scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Handling false positives/negatives](antivirus-false-positives-negatives.md) +- [Configure Windows Defender Antivirus exclusions on Windows Server](configure-server-exclusions-windows-defender-antivirus.md) \ No newline at end of file From 617e8a23830f66efe96ce2a171e605c4babe4fc1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 12 Mar 2020 16:45:43 -0700 Subject: [PATCH 4/4] Update configure-process-opened-file-exclusions-windows-defender-antivirus.md --- ...-process-opened-file-exclusions-windows-defender-antivirus.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 94b115e1e2..1b19f98ccd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
@@ -12,7 +12,6 @@ ms.localizationpriority: medium author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 12/10/2018 ms.reviewer: manager: dansimp ---
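Review bot: In PATCH 2/4, the first example in the new `?` (question mark) row has lost its wildcard: the removed HTML had `C:\MyData\my?.zip`, but the added cell reads `C:\MyData\my` would include `C:\MyData\my1.zip`, which contains no `?` at all. Restore `C:\MyData\my?.zip`. In the same hunk the IMPORTANT note's rule argument changes from `c:\data\\\*\marked\date*.\*` to `c:\data\*\marked\date*`; dropping the `.*` suffix alters the documented pattern rather than just cleaning up the escaping, so confirm both forms match the same files before publishing. The environment-variables row also drops the old "Same as file and extension use." statement for folder exclusions, and the `?` row repeats the "inclusions" / "would include" wording on a page that describes exclusions.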
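Review bot: In PATCH 3/4, the related-topics list now ends with `\ No newline at end of file`; keep a trailing newline after the last link. The same hunk deletes three related links (customizing and reviewing scans, Windows Defender Antivirus in Windows 10, and handling false positives/negatives) under a subject line that only says "Update ..."; if the removal is deliberate, state the reason in the commit message, since the false positives/negatives page is closely related reading for anyone adding exclusions.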