deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

extension updates

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire
2017-03-30 14:12:15 -07:00
parent a45661ff00
commit b3efd97c7b
2 changed files with 33 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
View File

@ -91,7 +91,7 @@ You can [configure how locally and globally defined exclusions lists are merged]
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
3. Enter each folder on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
@ -117,7 +117,7 @@ Using PowerShell to add or remove exclusions for files based on the extension, l
The format for the cmdlets is:
```PowerShell
<cmdlet> -<exclusion list> "<item1>, <item2>, <item3>"
<cmdlet> -<exclusion list> "<item>"
```
The following are allowed as the \<cmdlet>:
@ -126,24 +126,24 @@ Configuration action | PowerShell cmdlet
---|---
Create or overwrite the list | `Set-MpPreference`
Add to the list | `Add-MpPreference`
Remove items from the list | `Remove-MpPreference`
Remove item from the list | `Remove-MpPreference`
The following are allowed as the \<exclusion list>:
Exclusion type | PowerShell parameter
---|---
All files with a specified file extension | `-ExclusionExtension`
All files under a folder (including files in subdirectories) | `-ExclusionPath`
All files under a folder (including files in subdirectories), or a specific file | `-ExclusionPath`
>[!IMPORTANT]
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test**, **.sample**, or **.ignore** file extension:
For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test** file extension:
```PowerShell
Add-MpPreference -ExclusionExtension ".test, .sample, .ignore"
Add-MpPreference -ExclusionExtension ".test"
```
See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
@ -184,7 +184,10 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende
<a id="wildcards"></a>
## Use wildcards in the file name and folder path or extension exclusion lists
You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the file name or folder path exclusion list.
You can use the asterisk **\***, question mark **?**, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list.
>[!IMPORTANT]
>Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.
You cannot use a wildcard in place of a drive letter.
@ -193,9 +196,9 @@ The following table describes how the wildcards can be used and provides some ex
Wildcard | Use | Example use | Example matches
---|---|---|---
**\*** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>Any file in C:\somepath\folder1\folder2\Data</li></ul>
***** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\my\*.zip</li><li>C:\somepath\\\*\Data</li></ul> | <ul><li>C:\MyData\my-archived-files-43.zip</li><li>Any file in C:\somepath\folder1\folder2\Data</li></ul>
**?** (question mark) | Replaces a single character | <ul><li>C:\MyData\my\?.zip</li><li>C:\somepath\\\?\Data</li></ul> | <ul><li>C:\MyData\my1.zip</li><li>Any file in C:\somepath\P\Data</li></ul>
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li><li>%APPDATA%\Data\file.png</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li><li>C:\Users\username\AppData\Roaming\Data\file.png</li></ul>
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles</li></ul> | <ul><li>C:\ProgramData\CustomLogFiles\Folder1\file1.txt</li></ul>

36
windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
View File

@ -34,11 +34,19 @@ author: iaanw
You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV.
For example, you may need to exclude any file that is opened by the process *c:\internal\test.exe*.
You achieve this by adding the location and name of the process to the process exclusion list. When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
This topic describes how to configure exclusion lists for the following:
The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
<a id="examples></a>
Exclusion | Examples | Format
---|---|---
All processes with a specific file name | All processes with the file name *test.exe*, anywhere on the machine | \<process name including .exe extenstion>
All processes under a specific folder | All processes under the *c:\test\sample* folder | \<path including drive letter>\\*
A specific process in a specific folder | The process *c:\test\process.exe* | \<fully qualified path and process name including .exe extension>
When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They do not apply to scheduled or on-demand scans.
Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
@ -47,7 +55,10 @@ You can add, remove, and review the lists for exclusions in [Group Policy](#gp),
You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.
You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to allow local changes to override managed deployment settings.
## Configure the list of exclusions for files opened by specified processes
@ -55,11 +66,6 @@ By default, local changes made to the lists (by users with administrator privile
<a id="gp"></a>
**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
>[!NOTE]
>You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
>You can only exclude files modified by processes if the process is an executable.
1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
3. In the **Group Policy Management Editor** go to **Computer configuration**.
@ -73,7 +79,7 @@ By default, local changes made to the lists (by users with administrator privile
1. Set the option to **Enabled**.
2. Under the **Options** section, click **Show...**
3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
3. Enter each process on its own line under the **Value name** column. See the [example table](#examples) for the different types of process exclusions. Enter **0** in the **Value** column for all processes.
7. Click **OK**.
@ -104,10 +110,10 @@ Remove items from the list | `Remove-MpPreference`
>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined processes. This exclusion will apply to any file that is opened by the processes that are in the specified folder:
For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined process:
```PowerShell
Add-MpPreference -ExclusionProcess "c:\internal\test.exe, d:\org\ui\compile43-h.exe"
Add-MpPreference -ExclusionProcess "c:\internal\test.exe"
```
For example, files opened by the process *c:\outside\test.exe* will not be excluded. This is the because the opening process is located in a different folder ("outside" instead of "internal"), even though the process's file name is the same.
@ -151,15 +157,15 @@ See [Add exclusions in the Windows Defender Security Center app](windows-defende
The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %APPDATA%) as wildcards when defining items in the process exclusion list.
In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list.
The following table describes how the wildcards can be used in the process exclusion list:
Wildcard | Use | Example use | Example matches
---|---|---|---
**\*** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\*</li></ul> | <ul><li>Any file opened by C:\MyData\file.exe</li></ul>
**\*** (asterisk) | Replaces any number of chararacters | <ul><li>C:\MyData\\*</li></ul> | <ul><li>Any file opened by *C:\MyData\file.exe*</li></ul>
**?** (question mark) | Not available | \- | \-
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li><li>%APPDATA%\Data\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li><li>Any file opened by C:\Users\username\AppData\Roaming\Data\file.exe</li></ul>
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | <ul><li>%ALLUSERSPROFILE%\CustomLogFiles\file.exe</li></ul> | <ul><li>Any file opened by C:\ProgramData\CustomLogFiles\file.exe</li></ul>