Update common-exclusion-mistakes-microsoft-defender-antivirus.md

2025-05-15 23:07:23 +00:00 · 2021-01-12 12:23:39 -08:00 · 2021-01-12 12:23:39 -08:00 · c27c8d6750
commit c27c8d6750
parent 754169d423
1 changed files with 11 additions and 109 deletions
--- a/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/common-exclusion-mistakes-microsoft-defender-antivirus.md
@ -26,128 +26,30 @@ This article describes some common mistake that you should avoid when defining e
 Before defining your exclusion lists, see [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions).
 ## Excluding certain trusted items
 Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. Refer to the following section for items that you should not exclude from scanning.
-**Do not add exclusions for the following folder locations:**
+Certain files, file types, folders, or processes should not be excluded from scanning even though you trust them to be not malicious. 
- %systemdrive%
+Do not define exclusions for the folder locations, file extensions, and processes that are listed in the following table:
 - C:
 - C:\
 - C:\*
 - %ProgramFiles%\Java
 - C:\Program Files\Java
 - %ProgramFiles%\Contoso\
 - C:\Program Files\Contoso\
 - %ProgramFiles(x86)%\Contoso\
 - C:\Program Files (x86)\Contoso\
 - C:\Temp
 - C:\Temp\
 - C:\Temp\*
 - C:\Users\
 - C:\Users\*
 - C:\Users\<UserProfileName>\AppData\Local\Temp\
 - C:\Users\<UserProfileName>\AppData\LocalLow\Temp\
 - C:\Users\<UserProfileName>\AppData\Roaming\Temp\
 - %Windir%\Prefetch
 - C:\Windows\Prefetch
 - C:\Windows\Prefetch\
 - C:\Windows\Prefetch\*
 - %Windir%\System32\Spool
 - C:\Windows\System32\Spool
 - C:\Windows\System32\CatRoot2
 - %Windir%\Temp
 - C:\Windows\Temp
 - C:\Windows\Temp\
 - C:\Windows\Temp\*
-**Do not add exclusions for the following file extensions:**  
+| Folder locations | File extensions | Processes |
- `.7zip`
+|:--|:--|:--|
- `.bat`
+| `%systemdrive%` <br/> `C:`<br/> `C:\` <br/> `C:\*` <br/> `%ProgramFiles%\Java` <br/> `C:\Program Files\Java` <br/> `%ProgramFiles%\Contoso\` <br/> `C:\Program Files\Contoso\` <br/> `%ProgramFiles(x86)%\Contoso\` <br/> `C:\Program Files (x86)\Contoso\` <br/> `C:\Temp` <br/> `C:\Temp\` <br/> `C:\Temp\*` <br/> `C:\Users\` <br/> `C:\Users\*` <br/> `C:\Users\<UserProfileName>\AppData\Local\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\LocalLow\Temp\` <br/> `C:\Users\<UserProfileName>\AppData\Roaming\Temp\` <br/> `%Windir%\Prefetch` <br/> `C:\Windows\Prefetch` <br/> `C:\Windows\Prefetch\` <br/> `C:\Windows\Prefetch\*` <br/> `%Windir%\System32\Spool` <br/> `C:\Windows\System32\Spool` <br/> `C:\Windows\System32\CatRoot2` <br/> `%Windir%\Temp` <br/> `C:\Windows\Temp` <br/> `C:\Windows\Temp\` <br/> `C:\Windows\Temp\*` | `.7zip` <br/> `.bat` <br/> `.bin` <br/> `.cab` <br/> `.cmd` <br/> `.com` <br/> `.cpl` <br/> `.dll` <br/> `.exe` <br/> `.fla` <br/> `.gif` <br/> `.gz` <br/> `.hta` <br/> `.inf` <br/> `.java` <br/> `.jar` <br/> `.job` <br/> `.jpeg` <br/> `.jpg` <br/> `.js` <br/> `.ko` <br/> `.ko.gz` <br/> `.msi` <br/> `.ocx` <br/> `.png` <br/> `.ps1` <br/> `.py` <br/> `.rar` <br/> `.reg` <br/> `.scr` <br/> `.sys` <br/> `.tar` <br/> `.tmp` <br/> `.url` <br/> `.vbe` <br/> `.vbs` <br/> `.wsf` <br/> `.zip` | `AcroRd32.exe` <br/> `bitsadmin.exe` <br/> `excel.exe` <br/> `iexplore.exe` <br/> `java.exe` <br/> `outlook.exe` <br/> `psexec.exe` <br/> `powerpnt.exe` <br/> `powershell.exe` <br/> `schtasks.exe`  <br/> `svchost.exe` <br/>`wmic.exe` <br/> `winword.exe` <br/> `wuauclt.exe` <br/> `addinprocess.exe` <br/> `addinprocess32.exe` <br/> `addinutil.exe` <br/> `bash.exe` <br/> `bginfo.exe`[1] <br/>`cdb.exe` <br/> `csi.exe` <br/> `dbghost.exe` <br/> `dbgsvc.exe` <br/> `dnx.exe` <br/> `fsi.exe` <br/> `fsiAnyCpu.exe` <br/> `kd.exe` <br/> `ntkd.exe` <br/> `lxssmanager.dll` <br/> `msbuild.exe`[2] <br/> `mshta.exe` <br/> `ntsd.exe` <br/> `rcsi.exe` <br/> `system.management.automation.dll` <br/> `windbg.exe` |
 - `.bin`
 - `.cab`
 - `.cmd`
 - `.com`
 - `.cpl`
 - `.dll`
 - `.exe`
 - `.fla`
 - `.gif`
 - `.gz`
 - `.hta`
 - `.inf`
 - `.java`
 - `.jar`
 - `.job`
 - `.jpeg`
 - `.jpg`
 - `.js`
 - `.ko`
 - `.ko.gz`
 - `.msi`
 - `.ocx`
 - `.png`
 - `.ps1`
 - `.py`
 - `.rar`
 - `.reg`
 - `.scr`
 - `.sys`
 - `.tar`
 - `.tmp`
 - `.url`
 - `.vbe`
 - `.vbs`
 - `.wsf`
 - `.zip`
 >[!NOTE]
-> You can chose to exclude file types, such as .gif, .jpg, .jpeg, .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
+> You can chose to exclude file types, such as `.gif`, `.jpg`, `.jpeg`, or `.png` if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
 **Do not add exclusions for the following processes:**  
 - AcroRd32.exe
 - bitsadmin.exe
 - excel.exe
 - iexplore.exe
 - java.exe
 - outlook.exe
 - psexec.exe
 - powerpnt.exe
 - powershell.exe
 - schtasks.exe
 - svchost.exe
 - wmic.exe
 - winword.exe
 - wuauclt.exe
 - addinprocess.exe
 - addinprocess32.exe
 - addinutil.exe
 - bash.exe
 - bginfo.exe[1]
 - cdb.exe
 - csi.exe
 - dbghost.exe
 - dbgsvc.exe
 - dnx.exe
 - fsi.exe
 - fsiAnyCpu.exe
 - kd.exe
 - ntkd.exe
 - lxssmanager.dll
 - msbuild.exe[2]
 - mshta.exe
 - ntsd.exe
 - rcsi.exe
 - system.management.automation.dll
 - windbg.exe
 ## Using just the file name in the exclusion list
-A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude **Filename.exe** from scanning, use the complete path to the file, such as **C:\program files\contoso\Filename.exe**.
+
 A malware may have the same name as that of the file that you trust and want to exclude from scanning. Therefore, to avoid excluding a potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude `Filename.exe` from scanning, use the complete path to the file, such as `C:\program files\contoso\Filename.exe`.
 ## Using a single exclusion list for multiple server workloads
 Do not use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
 ## Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
 Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, do not use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under [System environment variables](configure-extension-file-exclusions-microsoft-defender-antivirus.md#system-environment-variables) for a complete list of system environment variables.
 See [Use wildcards in the file name and folder path or extension exclusion lists](configure-extension-file-exclusions-microsoft-defender-antivirus.md#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists) for information on how to use wildcards in exclusion lists.
 ## Related articles