From b3efd97c7ba111a0243fc8f6589577ed41c61ce3 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Thu, 30 Mar 2017 14:12:15 -0700 Subject: [PATCH] extension updates --- ...e-exclusions-windows-defender-antivirus.md | 21 ++++++----- ...e-exclusions-windows-defender-antivirus.md | 36 +++++++++++-------- 2 files changed, 33 insertions(+), 24 deletions(-) diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md index 3010dbe37d..d4baacf3ec 100644 --- a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -91,7 +91,7 @@ You can [configure how locally and globally defined exclusions lists are merged] 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. + 3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes. 7. Click **OK**. @@ -117,7 +117,7 @@ Using PowerShell to add or remove exclusions for files based on the extension, l The format for the cmdlets is: ```PowerShell - - ", , " + - "" ``` The following are allowed as the \: 
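Review bot: In the @@ -91,7 +91,7 @@ hunk, the reworded step 3 now opens with `Enter each folder on its own line` while the next sentence still begins `If you are entering a file`, so the step contradicts itself; suggest `Enter each folder or file on its own line under the **Value name** column.` The same line keeps `Enter **0** in the **Value** column for all processes.`, which reads as if copied from the process-exclusion topic; this list holds folders and files, so it should say `for all entries`.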
@@ -126,24 +126,24 @@ Configuration action | PowerShell cmdlet ---|--- Create or overwrite the list | `Set-MpPreference` Add to the list | `Add-MpPreference` -Remove items from the list | `Remove-MpPreference` +Remove item from the list | `Remove-MpPreference` The following are allowed as the \: Exclusion type | PowerShell parameter ---|--- All files with a specified file extension | `-ExclusionExtension` -All files under a folder (including files in subdirectories) | `-ExclusionPath` +All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath` >[!IMPORTANT] >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test**, **.sample**, or **.ignore** file extension: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension: ```PowerShell -Add-MpPreference -ExclusionExtension ".test, .sample, .ignore" +Add-MpPreference -ExclusionExtension ".test" ``` See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. 
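Review bot: The example in this hunk sidesteps the earlier problem (a single quoted string `".test, .sample, .ignore"` is passed to PowerShell as one element, so whether three extensions get excluded depends on the engine splitting it) but it also loses the multi-value case readers need; `-ExclusionExtension` accepts an array, so the unambiguous form is `Add-MpPreference -ExclusionExtension ".test", ".sample", ".ignore"` with the commas outside the quotes, and the sentence above it can keep listing all three extensions. Also, `Remove item from the list` is changed here while the same table row in configure-process-opened-file-exclusions (unchanged context in the @@ -104,10 +110,10 @@ hunk below) still reads `Remove items from the list`; keep the two topics consistent.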
@@ -184,7 +184,10 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende ## Use wildcards in the file name and folder path or extension exclusion lists -You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the file name or folder path exclusion list. +You can use the asterisk **\***, question mark **?**, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list. + +>[!IMPORTANT] +>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. You cannot use a wildcard in place of a drive letter. @@ -193,9 +196,9 @@ The following table describes how the wildcards can be used and provides some ex Wildcard | Use | Example use | Example matches ---|---|---|--- -**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
+***** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\my\*.zip
  • C:\somepath\\\*\Data
|
  • C:\MyData\my-archived-files-43.zip
  • Any file in C:\somepath\folder1\folder2\Data
**?** (question mark) | Replaces a single character |
  • C:\MyData\my\?.zip
  • C:\somepath\\\?\Data
|
  • C:\MyData\my1.zip
  • Any file in C:\somepath\P\Data
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
  • %APPDATA%\Data\file.png
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
  • C:\Users\username\AppData\Roaming\Data\file.png
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles
|
  • C:\ProgramData\CustomLogFiles\Folder1\file1.txt
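Review bot: The new IMPORTANT note in the @@ -184,7 +184,10 @@ hunk states the restriction (machine variables and those applicable to processes running as NT AUTHORITY\SYSTEM) but not its consequence, which is evidently why %APPDATA% is being dropped from the examples: as the note implies, a per-user variable such as %APPDATA% does not expand to the logged-on user's profile, so an exclusion written with it will not cover the path the administrator expects. One sentence saying that, for example `Per-user variables such as %APPDATA% are not expanded for the logged-on user; use a full path instead.`, turns the note into actionable guidance. Separately, `chararacters` in the context line should be `characters`.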
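Review bot: In the asterisk row of the table in the @@ -193,9 +196,9 @@ hunk, the escaped `**\***` (bold, literal asterisk) is replaced by `*****`, five unescaped asterisks that Markdown will not render as a bold asterisk; the corresponding row in configure-process-opened-file-exclusions (the @@ -151,15 +157,15 @@ hunk below) keeps `**\*** (asterisk)`, which is the form to use here too. The rest of the row is unchanged, so the replacement looks unintentional.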
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 86d980313c..d9be336928 100644 --- a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md 
@@ -34,11 +34,19 @@ author: iaanw You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV. -For example, you may need to exclude any file that is opened by the process *c:\internal\test.exe*. -You achieve this by adding the location and name of the process to the process exclusion list. When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md). +This topic describes how to configure exclusion lists for the following: -The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). + **Use Group Policy to exclude files that have been used or modified by specified processes from scans:** ->[!NOTE] ->You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files). ->You can only exclude files modified by processes if the process is an executable. - - 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration**. 
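Review bot: This hunk removes the only statements that describe what a process exclusion actually does, and the added lines do not restate them: that files opened by the listed process are skipped no matter where they are located, that the process binary itself is still scanned unless it is also on the file exclusion list, and that only an executable can be listed. Those are the caveats an administrator needs before adding a process, so keep them, either here or at the start of the Group Policy steps. The new sentence `This topic describes how to configure exclusion lists for the following:` ends with a colon, but the next visible line is the Group Policy procedure heading rather than a list; either supply the list or drop the colon. The removed sentence about scheduled, on-demand and real-time scans also disappears; if the exclusions still apply to all three, say so.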
@@ -73,7 +79,7 @@ By default, local changes made to the lists (by users with administrator privile 1. Set the option to **Enabled**. 2. Under the **Options** section, click **Show...** - 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes. + 3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes. 7. Click **OK**. @@ -104,10 +110,10 @@ Remove items from the list | `Remove-MpPreference` >If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list. -For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined processes. This exclusion will apply to any file that is opened by the processes that are in the specified folder: +For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined process: ```PowerShell -Add-MpPreference -ExclusionProcess "c:\internal\test.exe, d:\org\ui\compile43-h.exe" +Add-MpPreference -ExclusionProcess "c:\internal\test.exe" ``` For example, files opened by the process *c:\outside\test.exe* will not be excluded. This is the because the opening process is located in a different folder ("outside" instead of "internal"), even though the process's file name is the same. 
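Review bot: Step 3 in the @@ -73,7 +79,7 @@ hunk drops the requirement that each entry be a fully qualified path to an executable and points to `[example table](#examples)` instead; the table this patch touches sits in the wildcards section, and no heading that would produce an `#examples` anchor appears anywhere in the diff, so check the link target. Even with a working link, the hard requirement belongs in the step itself rather than in a table of wildcard examples; suggest keeping `Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable.` and adding the link after it.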
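Review bot: The multi-process example in the @@ -104,10 +110,10 @@ hunk is reduced to one process rather than corrected; `-ExclusionProcess` takes an array, so the form that demonstrates several entries is `Add-MpPreference -ExclusionProcess "c:\internal\test.exe", "d:\org\ui\compile43-h.exe"` with the commas outside the quotes. The new lead-in sentence is an improvement (the old one wrongly described the exclusion as applying to processes `in the specified folder`), but the unchanged context line that follows still reads `This is the because the opening process`; fix to `This is because`.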
@@ -151,15 +157,15 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende The use of wildcards in the process exclusion list is different from their use in other exclusion lists. -In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %APPDATA%) as wildcards when defining items in the process exclusion list. +In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list. The following table describes how the wildcards can be used in the process exclusion list: Wildcard | Use | Example use | Example matches ---|---|---|--- -**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\*
|
  • Any file opened by C:\MyData\file.exe
+**\*** (asterisk) | Replaces any number of chararacters |
  • C:\MyData\\*
|
  • Any file opened by *C:\MyData\file.exe*
**?** (question mark) | Not available | \- | \- -Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
  • %APPDATA%\Data\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
  • Any file opened by C:\Users\username\AppData\Roaming\Data\file.exe
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated |
  • %ALLUSERSPROFILE%\CustomLogFiles\file.exe
|
  • Any file opened by C:\ProgramData\CustomLogFiles\file.exe
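Review bot: The %APPDATA% example is removed from this hunk just as in the extension/path topic, but the IMPORTANT note explaining why (environment variable usage is limited to machine variables and those applicable to processes running as NT AUTHORITY\SYSTEM) is added only to configure-extension-file-exclusions; the same restriction applies to the process list, so add the same note after `You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.` Two typos survive in the context lines: `wilcard` should be `wildcard` and `chararacters` should be `characters`.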