deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-30 17:53:53 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into user/tudobril/release-2010-1-mac-patch

Browse Source
This commit is contained in:
Tina Burden
2021-01-12 15:46:42 -08:00
committed by GitHub
parent fffc1c150a ca08333431
commit 99ea00f009
6 changed files with 132 additions and 477 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/threat-protection/TOC.md
View File

@ -195,8 +195,7 @@
##### [Customize, initiate, and review the results of scans and remediation]()
###### [Configuration overview](microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans]()
###### [Exclusions overview](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions in antivirus scans](microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions based on file name, extension, and folder location](microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure and validate exclusions for files opened by processes](microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
###### [Configure antivirus exclusions Windows Server](microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md)

120
windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
View File

@ -26,128 +26,30 @@ This article describes some common mistake that you should avoid when defining e
Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
## Excluding certain trusted items
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
**Do not add exclusions for the following folder locations:**
Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious.
- %systemdrive%
- C:
- C:\
- C:\*
- %ProgramFiles%\Java
- C:\Program Files\Java
- %ProgramFiles%\Contoso\
- C:\Program Files\Contoso\
- %ProgramFiles(x86)%\Contoso\
- C:\Program Files (x86)\Contoso\
- C:\Temp
- C:\Temp\
- C:\Temp\*
- C:\Users\
- C:\Users\*
- C:\Users\<UserProfileName>\AppData\Local\Temp\
- C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
- C:\Users\<UserProfileName>\AppData\Roaming\Temp\
- %Windir%\Prefetch
- C:\Windows\Prefetch
- C:\Windows\Prefetch\
- C:\Windows\Prefetch\*
- %Windir%\System32\Spool
- C:\Windows\System32\Spool
- C:\Windows\System32\CatRoot2
- %Windir%\Temp
- C:\Windows\Temp
- C:\Windows\Temp\
- C:\Windows\Temp\*
Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
**Do not add exclusions for the following file extensions:**
- `.7zip`
- `.bat`
- `.bin`
- `.cab`
- `.cmd`
- `.com`
- `.cpl`
- `.dll`
- `.exe`
- `.fla`
- `.gif`
- `.gz`
- `.hta`
- `.inf`
- `.java`
- `.jar`
- `.job`
- `.jpeg`
- `.jpg`
- `.js`
- `.ko`
- `.ko.gz`
- `.msi`
- `.ocx`
- `.png`
- `.ps1`
- `.py`
- `.rar`
- `.reg`
- `.scr`
- `.sys`
- `.tar`
- `.tmp`
- `.url`
- `.vbe`
- `.vbs`
- `.wsf`
- `.zip`
| Folder locations | File extensions | Processes |
|:--|:--|:--|
| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7zip` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe` <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` <br/> `windbg.exe` |
>[!NOTE]
> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
**Do not add exclusions for the following processes:**
- AcroRd32.exe
- bitsadmin.exe
- excel.exe
- iexplore.exe
- java.exe
- outlook.exe
- psexec.exe
- powerpnt.exe
- powershell.exe
- schtasks.exe
- svchost.exe
- wmic.exe
- winword.exe
- wuauclt.exe
- addinprocess.exe
- addinprocess32.exe
- addinutil.exe
- bash.exe
- bginfo.exe[1]
- cdb.exe
- csi.exe
- dbghost.exe
- dbgsvc.exe
- dnx.exe
- fsi.exe
- fsiAnyCpu.exe
- kd.exe
- ntkd.exe
- lxssmanager.dll
- msbuild.exe[2]
- mshta.exe
- ntsd.exe
- rcsi.exe
- system.management.automation.dll
- windbg.exe
> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
## Using just the file name in the exclusion list
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
## Using a single exclusion list for multiple server workloads
Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
## Related articles

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
View File

@ -10,7 +10,6 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 03/12/2020
ms.reviewer:
manager: dansimp
---
@ -41,8 +40,11 @@ Defining exclusions lowers the protection offered by Microsoft Defender Antiviru
The following is a list of recommendations that you should keep in mind when defining exclusions:
- Exclusions are technically a protection gap—always consider additional mitigations when defining exclusions. Additional mitigations could be as simple as making sure the excluded location has the appropriate access-control lists (ACLs), audit policy, is processed by an up-to-date software, etc.
- Review the exclusions periodically. Re-check and re-enforce the mitigations as part of the review process.
- Ideally, avoid defining proactive exclusions. For instance, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues—mostly around performance, or sometimes around application compatibility that exclusions could mitigate.
- Audit the exclusion list changes. The security admin should preserve enough context around why a certain exclusion was added. You should be able to provide answer with specific reasoning as to why a certain path was excluded.
## Related articles

426
windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
View File

@ -12,7 +12,6 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
ms.date: 10/21/2020
---
# Configure and validate exclusions based on file extension and folder location
@ -29,40 +28,37 @@ ms.date: 10/21/2020
## Exclusion lists
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes a number of automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
You can exclude certain files from Microsoft Defender Antivirus scans by modifying exclusion lists. **Generally, you shouldn't need to apply exclusions**. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
> [!NOTE]
> Automatic exclusions apply only to Windows Server 2016 and above. These exclusions are not visible in the Windows Security app and in PowerShell.
This article describes how to configure exclusion lists for the files and folders. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
Exclusion | Examples | Exclusion list
---|---|---
Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions
Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions
A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions
A specific process | The executable file `c:\test\process.exe` | File and folder exclusions
| Exclusion | Examples | Exclusion list |
|:---|:---|:---|
|Any file with a specific extension | All files with the specified extension, anywhere on the machine.<br/>Valid syntax: `.test` and `test` | Extension exclusions |
|Any file under a specific folder | All files under the `c:\test\sample` folder | File and folder exclusions |
| A specific file in a specific folder | The file `c:\sample\sample.test` only | File and folder exclusions |
| A specific process | The executable file `c:\test\process.exe` | File and folder exclusions |
Exclusion lists have the following characteristics:
- Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point. Reparse point subfolders must be excluded separately.
- File extensions apply to any file name with the defined extension if a path or folder is not defined.
>[!IMPORTANT]
>Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
>
>You cannot exclude mapped network drives. You must specify the actual network path.
>
>Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
> [!IMPORTANT]
> - Using wildcards such as the asterisk (\*) will alter how the exclusion rules are interpreted. See the [Use wildcards in the file name and folder path or extension exclusion lists](#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) section for important information about how wildcards work.
> - You cannot exclude mapped network drives. You must specify the actual network path.
> - Folders that are reparse points that are created after the Microsoft Defender Antivirus service starts and that have been added to the exclusion list will not be included. You must restart the service (by restarting Windows) for new reparse points to be recognized as a valid exclusion target.
To exclude files opened by a specific process, see [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md).
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [real-time protection](configure-real-time-protection-microsoft-defender-antivirus.md).
>[!IMPORTANT]
>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
>
>Changes made in the Windows Security app **will not show** in the Group Policy lists.
> [!IMPORTANT]
> Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> Changes made in the Windows Security app **will not show** in the Group Policy lists.
By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence when there are conflicts.
@ -85,32 +81,30 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
>[!NOTE]
>If you specify a fully qualified path to a file, then only that file is excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder are excluded.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
2. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**.
3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Exclusions**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click the **Path Exclusions** setting and add the exclusions.
4. Open the **Path Exclusions** setting for editing, and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Specify each folder on its own line under the **Value name** column.
- If you are specifying a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column.
5. Click **OK**.
5. Choose **OK**.
![The Group Policy setting for file and folder exclusions](images/defender/wdav-path-exclusions.png)
6. Double-click the **Extension Exclusions** setting and add the exclusions.
6. Open the **Extension Exclusions** setting for editing and add your exclusions.
- Set the option to **Enabled**.
- Under the **Options** section, click **Show...**.
- Under the **Options** section, select **Show...**.
- Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column.
7. Click **OK**.
![The Group Policy setting for extension exclusions](images/defender/wdav-extension-exclusions.png)
7. Choose **OK**.
<a id="ps"></a>
@ -126,21 +120,21 @@ The format for the cmdlets is as follows:
The following are allowed as the `<cmdlet>`:
Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove item from the list | `Remove-MpPreference`
| Configuration action | PowerShell cmdlet |
|:---|:---|
|Create or overwrite the list | `Set-MpPreference` |
|Add to the list | `Add-MpPreference` |
|Remove item from the list | `Remove-MpPreference` |
The following are allowed as the `<exclusion list>`:
Exclusion type | PowerShell parameter
---|---
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
| Exclusion type | PowerShell parameter |
|:---|:---|
| All files with a specified file extension | `-ExclusionExtension` |
| All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` |
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
> [!IMPORTANT]
> If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Microsoft Defender AV scans to exclude any file with the `.test` file extension:
@ -175,29 +169,26 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen
You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way in which these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
>[!IMPORTANT]
>There are key limitations and usage scenarios for these wildcards:
>
>- Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
>- You cannot use a wildcard in place of a drive letter.
>- An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
> [!IMPORTANT]
> There are key limitations and usage scenarios for these wildcards:
> - Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
> - You cannot use a wildcard in place of a drive letter.
> - An asterisk `*` in a folder exclusion stands in place for a single folder. Use multiple instances of `\*\` to indicate multiple nested folders with unspecified names.
The following table describes how the wildcards can be used and provides some examples.
|Wildcard |Examples |
|---------|---------|
|:---------|:---------|
|`*` (asterisk) <br/><br/>In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included. | `C:\MyData\*.txt` would include `C:\MyData\notes.txt`<br/><br/>`C:\somepath\*\Data` would include any file in `C:\somepath\Archives\Data and its subfolders` and `C:\somepath\Authorized\Data and its subfolders` <br/><br/>`C:\Serv\*\*\Backup` would include any file in `C:\Serv\Primary\Denied\Backup and its subfolders` and `C:\Serv\Secondary\Allowed\Backup and its subfolders` |
|`?` (question mark) <br/><br/>In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/>In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included. |`C:\MyData\my?` would include `C:\MyData\my1.zip` <br/><br/>`C:\somepath\?\Data` would include any file in `C:\somepath\P\Data` and its subfolders <br/><br/>`C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders |
|Environment variables <br/><br/>The defined variable is populated as a path when the exclusion is evaluated. |`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt` |
>[!IMPORTANT]
>If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
>
>For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
>
>This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
> [!IMPORTANT]
> If you mix a file exclusion argument with a folder exclusion argument, the rules will stop at the file argument match in the matched folder, and will not look for file matches in any subfolders.
> For example, you can exclude all files that start with "date" in the folders `c:\data\final\marked` and `c:\data\review\marked` by using the rule argument `c:\data\*\marked\date*`.
> This argument, however, will not match any files in subfolders under `c:\data\final\marked` or `c:\data\review\marked`.
<a id="review"></a>
@ -205,273 +196,68 @@ The following table describes how the wildcards can be used and provides some ex
The following table lists and describes the system account environment variables.
<table border="0" cellspacing="0" cellpadding="20">
<thead>
<tr>
<th valign="top">System environment variables</th>
<th valign="top">Will redirect to:</th>
</tr>
</thead><tbody>
<tr>
<td valign="top">%APPDATA%</td>
<td valign="top">C:\Users\UserName.DomainName\AppData\Roaming</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Internet Explorer\Quick Launch</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%APPDATA%\Microsoft\Windows\Start Menu\Programs</td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA% </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%ProgramData%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files </td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Windows Sidebar\Gadgets </td>
<td valign="top">C:\Program Files\Windows Sidebar\Gadgets</td>
</tr>
<tr>
<td valign="top">%ProgramFiles%\Common Files</td>
<td valign="top">C:\Program Files\Common Files</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)% </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%ProgramFiles(x86)%\Common Files </td>
<td valign="top">C:\Program Files (x86)\Common Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%</td>
<td valign="top">C:</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files</td>
<td valign="top">C:\Program Files</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Program Files (x86) </td>
<td valign="top">C:\Program Files (x86)</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users </td>
<td valign="top">C:\Users</td>
</tr>
<tr>
<td valign="top">%SystemDrive%\Users\Public</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%SystemRoot%</td>
<td valign="top"> C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%</td>
<td valign="top">C:\Windows</td>
</tr>
<tr>
<td valign="top">%windir%\Fonts</td>
<td valign="top">C:\Windows\Fonts</td>
</tr>
<tr>
<td valign="top">%windir%\Resources </td>
<td valign="top">C:\Windows\Resources</td>
</tr>
<tr>
<td valign="top">%windir%\resources\0409</td>
<td valign="top">C:\Windows\resources\0409</td>
</tr>
<tr>
<td valign="top">%windir%\system32</td>
<td valign="top">C:\Windows\System32</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%</td>
<td valign="top">C:\ProgramData</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Application Data</td>
<td valign="top">C:\ProgramData\Application Data</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents</td>
<td valign="top">C:\ProgramData\Documents</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music\Sample Music</td>
<td valign="top">
<p>C:\ProgramData\Documents\My Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Music </td>
<td valign="top">C:\ProgramData\Documents\My Music</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures </td>
<td valign="top">
<p>C:\ProgramData\Documents\My Pictures
</p>
</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures </td>
<td valign="top">C:\ProgramData\Documents\My Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Documents\My Videos </td>
<td valign="top">C:\ProgramData\Documents\My Videos</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\DeviceMetadataStore</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\GameExplorer</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Ringtones</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs </td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Microsoft\Windows\Templates </td>
<td valign="top">C:\ProgramData\Microsoft\Windows\Templates</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu </td>
<td valign="top">C:\ProgramData\Start Menu</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs </td>
<td valign="top">C:\ProgramData\Start Menu\Programs</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools </td>
<td valign="top">C:\ProgramData\Start Menu\Programs\Administrative Tools</td>
</tr>
<tr>
<td valign="top">%ALLUSERSPROFILE%\Templates </td>
<td valign="top">C:\ProgramData\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates</td>
</tr>
<tr>
<td valign="top">%LOCALAPPDATA%\Microsoft\Windows\History </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History</td>
</tr>
<tr>
<td valign="top">
<p>
%PUBLIC% </p>
</td>
<td valign="top">C:\Users\Public</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\AccountPictures </td>
<td valign="top">C:\Users\Public\AccountPictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Desktop </td>
<td valign="top">C:\Users\Public\Desktop</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Documents </td>
<td valign="top">C:\Users\Public\Documents</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Downloads </td>
<td valign="top">C:\Users\Public\Downloads</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Music </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Music</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Music\Sample Playlists </td>
<td valign="top">
<p>C:\Users\Public\Music\Sample Playlists</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Pictures\Sample Pictures </td>
<td valign="top">C:\Users\Public\Pictures\Sample Pictures</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\RecordedTV.library-ms</td>
<td valign="top">C:\Users\Public\RecordedTV.library-ms</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos</td>
<td valign="top">C:\Users\Public\Videos</td>
</tr>
<tr>
<td valign="top">%PUBLIC%\Videos\Sample Videos</td>
<td valign="top">
<p>C:\Users\Public\Videos\Sample Videos</p>
<p>.</p>
</td>
</tr>
<tr>
<td valign="top">%USERPROFILE% </td>
<td valign="top">C:\Windows\System32\config\systemprofile</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Local </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Local</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\LocalLow </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\LocalLow</td>
</tr>
<tr>
<td valign="top">%USERPROFILE%\AppData\Roaming </td>
<td valign="top">C:\Windows\System32\config\systemprofile\AppData\Roaming</td>
</tr>
</tbody>
</table>
| This system environment variable... | Redirects to this |
|:--|:--|
| `%APPDATA%`| `C:\Users\UserName.DomainName\AppData\Roaming` |
| `%APPDATA%\Microsoft\Internet Explorer\Quick Launch` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch` |
| `%APPDATA%\Microsoft\Windows\Start Menu` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu` |
| `%APPDATA%\Microsoft\Windows\Start Menu\Programs` | `C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\Programs` |
| `%LOCALAPPDATA%` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%ProgramData%` | `C:\ProgramData` |
| `%ProgramFiles%` | `C:\Program Files` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles%\Windows Sidebar\Gadgets` | `C:\Program Files\Windows Sidebar\Gadgets` |
| `%ProgramFiles%\Common Files` | `C:\Program Files\Common Files` |
| `%ProgramFiles(x86)%` | `C:\Program Files (x86)` |
| `%ProgramFiles(x86)%\Common Files` | `C:\Program Files (x86)\Common Files` |
| `%SystemDrive%` | `C:` |
| `%SystemDrive%\Program Files` | `C:\Program Files` |
| `%SystemDrive%\Program Files (x86)` | `C:\Program Files (x86)` |
| `%SystemDrive%\Users` | `C:\Users` |
| `%SystemDrive%\Users\Public` | `C:\Users\Public` |
| `%SystemRoot%` | `C:\Windows` |
| `%windir%` | `C:\Windows` |
| `%windir%\Fonts` | `C:\Windows\Fonts` |
| `%windir%\Resources` | `C:\Windows\Resources` |
| `%windir%\resources\0409` | `C:\Windows\resources\0409` |
| `%windir%\system32` | `C:\Windows\System32` |
| `%ALLUSERSPROFILE%` | `C:\ProgramData` |
| `%ALLUSERSPROFILE%\Application Data` | `C:\ProgramData\Application Data` |
| `%ALLUSERSPROFILE%\Documents` | `C:\ProgramData\Documents` |
| `%ALLUSERSPROFILE%\Documents\My Music\Sample Music` | `C:\ProgramData\Documents\My Music\Sample Music` |
| `%ALLUSERSPROFILE%\Documents\My Music` | `C:\ProgramData\Documents\My Music` |
| `%ALLUSERSPROFILE%\Documents\My Pictures` | `C:\ProgramData\Documents\My Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Pictures\Sample Pictures` | `C:\ProgramData\Documents\My Pictures\Sample Pictures` |
| `%ALLUSERSPROFILE%\Documents\My Videos` | `C:\ProgramData\Documents\My Videos` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\DeviceMetadataStore` | `C:\ProgramData\Microsoft\Windows\DeviceMetadataStore` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\GameExplorer` | `C:\ProgramData\Microsoft\Windows\GameExplorer` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Ringtones` | `C:\ProgramData\Microsoft\Windows\Ringtones` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu` | `C:\ProgramData\Microsoft\Windows\Start Menu` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\StartUp` | `C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` |
| `%ALLUSERSPROFILE%\Microsoft\Windows\Templates` | `C:\ProgramData\Microsoft\Windows\Templates` |
| `%ALLUSERSPROFILE%\Start Menu` | `C:\ProgramData\Start Menu` |
| `%ALLUSERSPROFILE%\Start Menu\Programs` | C:\ProgramData\Start Menu\Programs |
| `%ALLUSERSPROFILE%\Start Menu\Programs\Administrative Tools` | `C:\ProgramData\Start Menu\Programs\Administrative Tools` |
| `%ALLUSERSPROFILE%\Templates` | `C:\ProgramData\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\ConnectedSearch\Templates` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\ConnectedSearch\Templates` |
| `%LOCALAPPDATA%\Microsoft\Windows\History` | `C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History` |
| `%PUBLIC%` | `C:\Users\Public` |
| `%PUBLIC%\AccountPictures` | `C:\Users\Public\AccountPictures` |
| `%PUBLIC%\Desktop` | `C:\Users\Public\Desktop` |
| `%PUBLIC%\Documents` | `C:\Users\Public\Documents` |
| `%PUBLIC%\Downloads` | `C:\Users\Public\Downloads` |
| `%PUBLIC%\Music\Sample Music` | `C:\Users\Public\Music\Sample Music` |
| `%PUBLIC%\Music\Sample Playlists` | `C:\Users\Public\Music\Sample Playlists` |
| `%PUBLIC%\Pictures\Sample Pictures` | `C:\Users\Public\Pictures\Sample Pictures` |
| `%PUBLIC%\RecordedTV.library-ms` | `C:\Users\Public\RecordedTV.library-ms` |
| `%PUBLIC%\Videos` | `C:\Users\Public\Videos` |
| `%PUBLIC%\Videos\Sample Videos` | `C:\Users\Public\Videos\Sample Videos` |
| `%USERPROFILE%` | `C:\Windows\System32\config\systemprofile` |
| `%USERPROFILE%\AppData\Local` | `C:\Windows\System32\config\systemprofile\AppData\Local` |
| `%USERPROFILE%\AppData\LocalLow` | `C:\Windows\System32\config\systemprofile\AppData\LocalLow` |
| `%USERPROFILE%\AppData\Roaming` | `C:\Windows\System32\config\systemprofile\AppData\Roaming` |
## Review the list of exclusions
@ -490,7 +276,7 @@ You can retrieve the items in the exclusion list using one of the following meth
If you use PowerShell, you can retrieve the list in two ways:
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each of the lists are displayed on separate lines, but the items within each list are combined into the same line.
- Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
### Validate the exclusion list by using MpCmdRun

16
windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
View File

@ -77,8 +77,6 @@ See [How to create and deploy antimalware policies: Exclusion settings](https://
5. Click **OK**.
![The Group Policy setting for specifying process exclusions](images/defender/wdav-process-exclusions.png)
### Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans
Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender).
@ -106,11 +104,11 @@ For example, the following code snippet would cause Microsoft Defender AV scans
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender/?view=win10-ps&preserve=true).
For more information on how to use PowerShell with Microsoft Defender Antivirus, see Manage antivirus with PowerShell cmdlets and [Microsoft Defender Antivirus cmdlets](https://docs.microsoft.com/powershell/module/defender).
### Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties:
Use the [**Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://docs.microsoft.com/previous-versions/windows/desktop/legacy/dn455323(v=vs.85)) class for the following properties:
```WMI
ExclusionProcess
@ -118,7 +116,7 @@ ExclusionProcess
The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx).
For more information and allowed parameters, see [Windows Defender WMIv2 APIs](https://docs.microsoft.com/previous-versions/windows/desktop/defender/windows-defender-wmiv2-apis-portal).
### Use the Windows Security app to exclude files that have been opened by specified processes from scans
@ -154,8 +152,8 @@ To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://
MpCmdRun.exe -CheckExclusion -path <path>
```
>[!NOTE]
>Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
> [!NOTE]
> Checking exclusions with MpCmdRun requires Microsoft Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later.
### Review the list of exclusions alongside all other Microsoft Defender Antivirus preferences by using PowerShell
@ -166,7 +164,7 @@ Use the following cmdlet:
Get-MpPreference
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
### Retrieve a specific exclusions list by using PowerShell
@ -177,7 +175,7 @@ $WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionProcess
```
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://docs.microsoft.com/powershell/module/defender) for more information on how to use PowerShell with Microsoft Defender Antivirus.
## Related articles

40
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -204,43 +204,11 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Hyper-V exclusions
This section lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role
The following table lists the file type exclusions, folder exclusions, and process exclusions that are delivered automatically when you install the Hyper-V role.
- File type exclusions:
- `*.vhd`
- `*.vhdx`
- `*.avhd`
- `*.avhdx`
- `*.vsv`
- `*.iso`
- `*.rct`
- `*.vmcx`
- `*.vmrs`
- Folder exclusions:
- `%ProgramData%\Microsoft\Windows\Hyper-V`
- `%ProgramFiles%\Hyper-V`
- `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots`
- `%Public%\Documents\Hyper-V\Virtual Hard Disks`
- Process exclusions:
- `%systemroot%\System32\Vmms.exe`
- `%systemroot%\System32\Vmwp.exe`
|File type exclusions |Folder exclusions | Process exclusions |
|:--|:--|:--|
| `*.vhd` <br/> `*.vhdx` <br/> `*.avhd` <br/> `*.avhdx` <br/> `*.vsv` <br/> `*.iso` <br/> `*.rct` <br/> `*.vmcx` <br/> `*.vmrs` | `%ProgramData%\Microsoft\Windows\Hyper-V` <br/> `%ProgramFiles%\Hyper-V` <br/> `%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots` <br/> `%Public%\Documents\Hyper-V\Virtual Hard Disks` | `%systemroot%\System32\Vmms.exe` <br/> `%systemroot%\System32\Vmwp.exe` |
#### SYSVOL files