diff --git a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
index 242dec94f1..9217a21aa0 100644
--- a/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -52,7 +52,7 @@ Description | GP location and setting | Default setting (if not configured) | Po
See [Email scanning limitations](#ref1)) below | Scan > Turn on e-mail scanning | Disabled | `-DisableEmailScanning`
Scan [reparse points](https://msdn.microsoft.com/library/windows/desktop/aa365503.aspx) | Scan > Turn on reparse point scanning | Disabled | `-DisableRestorePoint`
Scan mapped network drives | Scan > Run full scan on mapped network drives | Disabled | `-DisableScanningMappedNetworkDrivesForFullScan`
- Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
+ Scan archive files (such as .zip or .rar files). The [extensions exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md) will take precendence over this setting. | Scan > Scan archive files | Enabled | `-DisableArchiveScanning`
Scan files on the network | Scan > Scan network files | Disabled | `-DisableScanningNetworkFiles`
Scan packed executables | Scan > Scan packed executables | Enabled | Not available
Scan removable drives during full scans only | Scan > Scan removable drives | Disabled | `-DisableRemovableDriveScanning`
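Review bot: The replacement "Scan archive files" row fixes the link target but still carries the typo "precendence"; since the line is being rewritten anyway, change it to "precedence". Two things in the unchanged context rows are worth a follow-up while this table is open: the "Scan reparse points" row is paired with `-DisableRestorePoint`, which reads like a reparse point / restore point mix-up and should be confirmed, and the "Email scanning limitations" row has a stray closing parenthesis after the link.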
diff --git a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
index bffc7f3297..bed4fbf9c1 100644
--- a/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
+++ b/windows/keep-secure/configure-exclusions-windows-defender-antivirus.md
@@ -33,342 +33,20 @@ author: iaanw
- Microsoft Intune
- Windows Defender Security Center
-You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender AV. The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+You can exclude certain files, folders, processes, and process-modified files from being scanned by Windows Defender Antivirus.
-Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools).
+Exclusions can be useful to avoid incorrect detections on files or software that are unique or customized to your organization.
-You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), although you will need to use several different cmdlets.
+>[!WARNING]
+>Defining exclusions lowers the protection offered by Windows Defender AV. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.
-By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
+## In this section
-PowerShell can be used to [validate that your exclusion lists are working as expected](#validate).
+Topic | Description
+---|---
+[Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md) | Exclude files from Windows Defender AV scans based on their file extension, file name, or location
+[Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) | You can exclude files from scans that have been opened by a specific process
+[Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md) | Windows Server 2016 includes automatic exclusions, based on the defined Server Role. You can also add custom exclusions
-
-## Types of exclusions
-
-There are three exclusion lists that you can configure:
-- Extension exclusions list
-- File and folder exclusions list
-- Files opened by defined processes list
-
-The following table shows some of the typical scenarios and which list would need to be configured.
-
-Exclusion | Examples | Exclusion list
----|---|---
-Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
-Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
-Any file with a specific file name | The file "sample.test", anywhere on the machine | File and folder exclusions
-A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
-A specific process | The executable file c:\test\process.exe | File and folder exclusions list
-Any file opened by a specific process | Any file opened by the process c:\test\open.exe, even if the file that is opened is located in d:\folder43 | Process-opened exclusions
-
-
-This means the exclusion lists have the following characteristics:
-- If you exclude a file, the exclusion will apply to all versions of that file, regardless of where the file is located.
-- Folder exclusions will apply to all files and folders under that folder.
-- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
-- Any file opened by the defined process will be excluded, regardless of where the file is located. The process itself will **not** be excluded.
-
-
-
-
-## Use Group Policy to configure exclusion lists
-
-**Use Group Policy to configure file extension exclusions:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Extension Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-**Use Group Policy to exclude specified files or folders from scans:**
-
->[!NOTE]
->The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Path Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
-
->[!NOTE]
->You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
->You can only exclude files modified by processes if the process is an executable.
-
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-
-6. Double-click the **Process Exclusions** setting and add the exclusions:
-
- 1. Set the option to **Enabled**.
- 2. Under the **Options** section, click **Show...**
- 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
-
-7. Click **OK**.
-
-
-
-
-## Use PowerShell cmdlets and WMI to configure exclusion lists
-
-Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
-
-There are three exclusion lists:
-- ExclusionExtension
-- ExclusionPath
-- ExclusionProcess
-
-You can modify each of the lists with the following cmdlets:
-- Set-MpPreference to create or overwrite the defined list
-- Add-MpPreference to add new items to the defined list
-- Remove-MpPreference to remove or delete items from the defined list
-- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
-
->[!IMPORTANT]
->If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
-
-The following matrix provides sample commands based on what you want to exclude, and whether you want to create a list, add to the list, or remove items from the list.
-
-
-Configuration action | Type of exclusion | PowerShell command |
-
-
-Create or overwrite a list | File extensions that should be excluded from scans |
-Set-MpPreference -ExclusionExtension ".extension1, .extension2, .extension3" |
-
-Files (including processes) and paths that should be excluded from scans |
-Set-MpPreference -ExclusionPath "c:\example, d:\test\process.exe, c:\test\file.bat" |
-
-Files opened by the specified processes (executables) |
-Set-MpPreference -ExclusionProcess "c:\example\test.exe" |
-
-
-
-Add to a list | File extensions that should be excluded from scans |
-Add-MpPreference -ExclusionExtension ".extension4, .extension5" |
-
-Files (including processes) and paths that should be excluded from scans |
-Add-MpPreference -ExclusionPath "d:\test, d:\example\file.png" |
-
-Files opened by specified processes (executables) |
-Add-MpPreference -ExclusionProcess "f:\test\sample.exe" |
-
-
-
-
-Remove items from a list | File extensions that should be excluded from scans |
-Remove-MpPreference -ExclusionExtension ".extension1, .extension4, .extension5" |
-
-Files (including processes) and paths that should be excluded from scans |
-Remove-MpPreference -ExclusionPath "c:\example, d:\example\file.png" |
-
-Files opened by specified processes (executables) |
-Remove-MpPreference -ExclusionProcess "c:\example\test.exe" |
-
-
-### Review the exclusion lists with PowerShell
-
-You can retrieve the items in any of the lists in two ways:
-- Retrieve the status of all Windows Defender AV preferences. Each of the three lists will be displayed on separate lines, but the items within the list will be combined into the same line.
-- Write the status of all preferences to a variable, and only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
-
-In both instances the items are sorted alphabetically.
-
-The following sequence of code examples helps to show how this works.
-
-1. Create an example list of extensions that should be excluded from scans:
- ```PowerShell
- PS C:\> Set-MpPreference -ExclusionExtension ".test1, .test2"
- ```
-
-2. Add some additional extensions:
-
- ```PowerShell
- PS C:\> Add-MpPreference -ExclusionExtension ".test40, test50"
- ```
-
-3. Add another set of extensions:
-
- ```PowerShell
- PS C:\> Add-MpPreference -ExclusionExtension ".secondadd1, .secondadd2"
- ```
-
-4. Review the list as a combined list:
- ```PowerShell
- PS C:\> Get-MpPreference
- ```
-
- 
-
-
-5. Use a variable to store and retrieve only the exclusions list:
-
- ```PowerShell
- PS C:\> $WDAVprefs = Get-MpPreference
- PS C:\> $WDAVprefs.ExclusionExtension
- ```
-
- 
-
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-### Use Windows Management Instruction (WMI) to configure file extension exclusions
-
-Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-ExclusionExtension
-ExclusionPath
-ExclusionProcess
-```
-
-The use of **Set**, **Add**, and **Remove** are analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
-
-
-## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
-
-
-**Use Configuration Manager to configure file extension exclusions:**
-
-See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
-
-
-**Use Microsoft Intune to configure file extension exclusions:**
-
-
-See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
-
-
-**Use the Windows Defender Security app to add exclusions to Windows Defender AV:**
-
-See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
-
-
-
- ## Configure auto exclusions lists for Windows Server deployments
-
-If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
-
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
-
-You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other sections in this topic.
-
-You can also disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
-
-**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
-
-1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
-
-3. In the **Group Policy Management Editor** go to **Computer configuration**.
-
-4. Click **Policies** then **Administrative templates**.
-
-5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
-
-6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
-
-**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
-
-Use the following cmdlets:
-
-```PowerShell
-Set-MpPreference -DisableAutoExclusions
-```
-
-See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
-
-**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
-
-Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
-
-```WMI
-DisableAutoExclusions
-```
-
-See the following for more information and allowed parameters:
-- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
-
-## Use wildcards in exclusion lists
-
-You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the exclusion lists.
-
-You cannot use a wildcard in place of a drive letter.
-
-
-The following table describes how the wildcards can be used and provides some examples.
-
-Wildcard | Use | Example use | Example matches
----|---|---|---
-**\*** (asterisk) | Replaces any number of chararacters | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my-archived-files-43.zip
- C:\somepath\folder1\folder2\Data
- .test
-**?** (question mark) | Replaces a single character | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my1.zip
- C:\somepath\P\Data
- .txt
-Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles
- %APPDATA%\Data\file.png
| - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
- C:\Users\username\AppData\Roaming\Data\file.png
-
-
-
-## Validate exclusions lists with the EICAR test file
-
-You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
-
-In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
-
-```PowerShell
-Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
-```
-
-If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
-
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet, replace *c:\test.txt* with a file that conforms to the rule you are validating:
-
-```PowerShell
-$client = new-object System.Net.WebClient
-$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
-```
-
-
-## Related topics
-
-- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
-- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
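Review bot: In the new "In this section" table, the third row's link text reads "Windows Servery"; it should be "Windows Server". The shortened intro keeps the scope sentence and adds the warning, but it no longer says how locally defined and centrally deployed lists are merged or that the Group Policy lists win on conflict. That paragraph does reappear in the new extension/file topic, so a one-line pointer from this landing page would help an administrator who is reviewing exclusions and starts here. The row descriptions also switch voice ("Exclude files ..." in the first row, "You can exclude files ..." in the second); pick one.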
diff --git a/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..9a81b2214f
--- /dev/null
+++ b/windows/keep-secure/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,278 @@
+---
+title: Configure and validate exclusions based on extension, name, or location
+description: Exclude files from Windows Defender AV scans based on their file extension, file name, or location.
+keywords: exclusions, files, extension, file type, folder name, file name, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate exclusions based on file name, extension, and folder location
+
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.
+
+This topic describes how to configure exclusion lists for the following:
+
+Exclusion | Examples | Exclusion list
+---|---|---
+Any file with a specific extension | All files with the .test extension, anywhere on the machine | Extension exclusions
+Any file under a specific folder | All files under the c:\test\sample folder | File and folder exclusions
+Any file with a specific file name | The file "sample.test", anywhere on the machine | File and folder exclusions
+A specific file in a specific folder | The file c:\sample\sample.test only | File and folder exclusions
+A specific process | The executable file c:\test\process.exe | File and folder exclusions list
+
+This means the exclusion lists have the following characteristics:
+- If you exclude a file, the exclusion will apply to all versions of that file, regardless of where the file is located.
+- Folder exclusions will apply to all files and folders under that folder.
+- File extensions will apply to any file name with the defined extension, regardless of where the file is located.
+
+
+To exclude files opened by a specific process, see the [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md) topic.
+
+
+The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
+
+
+By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
+
+
+
+
+
+
+## Configure the list of exclusions based on file or folder name or file extension
+
+
+**Use Group Policy to configure file name, folder, or file extension exclusions:**
+
+>[!NOTE]
+>The exclusion will apply to any file with the defined file name - regardless of its location. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+
+6. Double-click the **Path Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each path or file on its own line under the **Value name** column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**.
+
+
+
+8. Double-click the **Extension Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each file extension on its own line under the **Value name** column. Enter **0** in the **Value** column for all processes.
+
+
+9. Click **OK**.
+
+
+
+
+
+**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+ - ", , "
+```
+
+The following are allowed as the \:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove items from the list | `Remove-MpPreference`
+
+The following are allowed as the \:
+
+Exclusion type | PowerShell parameter
+---|---
+All files with a specified file extension | `-ExclusionExtension`
+All files under a folder (including files in subdirectories) | `-ExclusionPath`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the **.test**, **.sample**, or **.ignore** file extension:
+
+```PowerShell
+Add-MpPreference -ExclusionExtension ".test, .sample, .ignore"
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+
+## Use wildcards in the file name and folder path or extension exclusion lists
+
+You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the file name or folder path exclusion list.
+
+You cannot use a wildcard in place of a drive letter.
+
+
+The following table describes how the wildcards can be used and provides some examples.
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+**\*** (asterisk) | Replaces any number of chararacters | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
| - C:\MyData\my-archived-files-43.zip
- Any file in C:\somepath\folder1\folder2\Data
+**?** (question mark) | Replaces a single character | - C:\MyData\my\?.zip
- C:\somepath\\\?\Data
| - C:\MyData\my1.zip
- Any file in C:\somepath\P\Data
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles
- %APPDATA%\Data\file.png
| - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
- C:\Users\username\AppData\Roaming\Data\file.png
+
+
+
+
+
+### Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+In the following example, the items contained in the `ExclusionExtension` list are highlighted:
+
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionExtension
+$WDAVprefs.ExclusionPath
+```
+
+In the following example, the list is split into new lines for each use of the `Add-MpPreference` cmdlet:
+
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
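Review bot: In "Validate exclusions lists with the EICAR test file", the test treats "no report of malware, and the downloaded file exists" as proof the exclusion works, but there is no control step showing that the same download is detected when saved under a name or path that is not excluded. Without that, a machine where real-time protection is off or the download was blocked elsewhere would pass the test for the wrong reason; suggest adding a first step that downloads to a non-excluded location and confirms detection. Smaller points: "chararacters" in the asterisk row of the wildcard table, "Windows Servery" in the Related topics link text, and the two "In the following example, ..." sentences under "Review the list of exclusions" have no example following them in this hunk.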
diff --git a/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..fb9259cd91
--- /dev/null
+++ b/windows/keep-secure/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,459 @@
+---
+title: Configure and valudate exclusions for files opened by specific processes
+description: You can exclude files from scans if they have been opened by a specific process.
+keywords: process, exclusion, files, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure and validate exclusions for files opened by processes
+
+**Applies to:**
+
+- Windows 10
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+- System Center Configuration Manager
+- Microsoft Intune
+- Windows Defender Security Center
+
+You can exclude files that have been opened by specific processes from being scanned by Windows Defender AV.
+
+For example, you may need to exclude any file that is opened by the process *c:\internal\test.exe*.
+
+You achieve this by adding the location and name of the process to the process exclusion list. When you add a process to the process exclusion list, Windows Defender AV will not scan files opened by that process, no matter where the files are located. The process itself, however, will be scanned unless it has also been added to the [file exclusion list](configure-extension-file-exclusions-windows-defender-antivirus.md).
+
+CThe exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md).
+
+Changes made via Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+
+You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) and [validating](#validate) your lists.
+
+
+By default, local changes made to the lists (by users with administrator privileges) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, Intune, PowerShell, or WMI. The Group Policy lists will take precedence in the case of conflicts. You can [configure how locally and globally defined exclusions lists are merged](configure-local-policy-overrides-windows-defender-antivirus.md#merge-lists) to disable this setting.
+
+## Configure the list of exclusions for files opened by specified processes
+
+
+
+**Use Group Policy to exclude files that have been used or modified by specified processes from scans:**
+
+>[!NOTE]
+>You can exclude files that are opened by specified processes from being scanned. The specified process won't be excluded - but any files that are opened by that process (regardless of where they are or what they are named) will be excluded. If you need to exclude the process itself, [exclude it as a file](#exclude-paths-files).
+>You can only exclude files modified by processes if the process is an executable.
+
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+
+6. Double-click the **Process Exclusions** setting and add the exclusions:
+
+ 1. Set the option to **Enabled**.
+ 2. Under the **Options** section, click **Show...**
+ 3. Enter each process on its own line under the **Value name** column. Ensure you enter a fully qualified path to the process, including the drive letter, folder path, filename, and extension. The process must be an executable. Enter **0** in the **Value** column for all processes.
+
+7. Click **OK**.
+
+
+
+
+
+**Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:**
+
+Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets with the `-ExclusionProcess' parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+The format for the cmdlets is:
+
+```PowerShell
+ -ExclusionProcess ", , "
+```
+
+The following are allowed as the \:
+
+Configuration action | PowerShell cmdlet
+---|---
+Create or overwrite the list | `Set-MpPreference`
+Add to the list | `Add-MpPreference`
+Remove items from the list | `Remove-MpPreference`
+
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+
+For example, the following code snippet would cause Windows Defender AV scans to exclude any file that is opened by the defined processes. This exclusion will apply to any file that is opened by the processes that are in the specified folder:
+
+```PowerShell
+Add-MpPreference -ExclusionProcess "c:\internal\test.exe, d:\org\ui\compile43-h.exe"
+```
+
+For example, files opened by the process *c:\outside\test.exe* will not be excluded. This is the because the opening process is located in a different folder ("outside" instead of "internal"), even though the process's file name is the same.
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:**
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** is analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+**Use Configuration Manager to configure file name, folder, or file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file name, folder, or file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+
+## Use wildcards in the file name and folder path or extension exclusion lists
+
+The use of wildcards in the process exclusion list is different from their use in other exclusion lists.
+
+In particular, you cannot use the question mark **?** wilcard, and the asterisk **\*** wildcard can only be used at the end of a complete path. You can still use environment variables (such as %APPDATA%) as wildcards when defining items in the process exclusion list.
+
+The following table describes how the wildcards can be used in the process exclusion list:
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+**\*** (asterisk) | Replaces any number of chararacters | | - Any file opened by C:\MyData\file.exe
+**?** (question mark) | Not available | \- | \-
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles\file.exe
- %APPDATA%\Data\file.exe
| - Any file opened by C:\ProgramData\CustomLogFiles\file.exe
- Any file opened by C:\Users\username\AppData\Roaming\Data\file.exe
+
+
+
+
+
+### Review the list of exclusions
+
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+If you use PowerShell, you can retrieve the list in two ways:
+
+- Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+**Review the list of exclusions alongside all other Windows Defender AV preferences:**
+
+Use the following cmdlet:
+
+```PowerShell
+Get-MpPreference
+```
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+**Retrieve a specific exclusions list:**
+
+Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable:
+
+```PowerShell
+$WDAVprefs = Get-MpPreference
+$WDAVprefs.ExclusionProcess
+```
+
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+
+
+
+
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet; replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+
+
+
+
+
+
+## Use PowerShell cmdlets and WMI to configure exclusion lists
+
+Excluding and reviewing file extensions, paths and files (including processes), and files opened by processes with PowerShell requires using a combination of four cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender).
+
+There are three exclusion lists:
+- ExclusionExtension
+- ExclusionPath
+- ExclusionProcess
+
+You can modify each of the lists with the following cmdlets:
+- Set-MpPreference to create or overwrite the defined list
+- Add-MpPreference to add new items to the defined list
+- Remove-MpPreference to remove or delete items from the defined list
+- Get-MpPreference to review the items in the list, either all at once with all other Windows Defender AV settings, or individually for each of the lists
+
+>[!IMPORTANT]
+>If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again will overwrite the existing list.
+
+The following matrix provides sample commands based on what you want to exclude, and whether you want to create a list, add to the list, or remove items from the list.
+
+
+Configuration action | Type of exclusion | PowerShell command |
+
+
+Create or overwrite a list | File extensions that should be excluded from scans |
+Set-MpPreference -ExclusionExtension ".extension1, .extension2, .extension3" |
+
+Files (including processes) and paths that should be excluded from scans |
+Set-MpPreference -ExclusionPath "c:\example, d:\test\process.exe, c:\test\file.bat" |
+
+Files opened by the specified processes (executables) |
+Set-MpPreference -ExclusionProcess "c:\example\test.exe" |
+
+
+
+Add to a list | File extensions that should be excluded from scans |
+Add-MpPreference -ExclusionExtension ".extension4, .extension5" |
+
+Files (including processes) and paths that should be excluded from scans |
+Add-MpPreference -ExclusionPath "d:\test, d:\example\file.png" |
+
+Files opened by specified processes (executables) |
+Add-MpPreference -ExclusionProcess "f:\test\sample.exe" |
+
+
+
+
+Remove items from a list | File extensions that should be excluded from scans |
+Remove-MpPreference -ExclusionExtension ".extension1, .extension4, .extension5" |
+
+Files (including processes) and paths that should be excluded from scans |
+Remove-MpPreference -ExclusionPath "c:\example, d:\example\file.png" |
+
+Files opened by specified processes (executables) |
+Remove-MpPreference -ExclusionProcess "c:\example\test.exe" |
+
+
+### Review the exclusion lists with PowerShell
+
+You can retrieve the items in any of the lists in two ways:
+- Retrieve the status of all Windows Defender AV preferences. Each of the three lists will be displayed on separate lines, but the items within the list will be combined into the same line.
+- Write the status of all preferences to a variable, and only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+
+In both instances the items are sorted alphabetically.
+
+The following sequence of code examples helps to show how this works.
+
+1. Create an example list of extensions that should be excluded from scans:
+ ```PowerShell
+ PS C:\> Set-MpPreference -ExclusionExtension ".test1, .test2"
+ ```
+
+2. Add some additional extensions:
+
+ ```PowerShell
+ PS C:\> Add-MpPreference -ExclusionExtension ".test40, test50"
+ ```
+
+3. Add another set of extensions:
+
+ ```PowerShell
+ PS C:\> Add-MpPreference -ExclusionExtension ".secondadd1, .secondadd2"
+ ```
+
+4. Review the list as a combined list:
+ ```PowerShell
+ PS C:\> Get-MpPreference
+ ```
+
+ 
+
+
+5. Use a variable to store and retrieve only the exclusions list:
+
+ ```PowerShell
+ PS C:\> $WDAVprefs = Get-MpPreference
+ PS C:\> $WDAVprefs.ExclusionExtension
+ ```
+
+ 
+
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+### Use Windows Management Instruction (WMI) to configure file extension exclusions
+
+Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+ExclusionExtension
+ExclusionPath
+ExclusionProcess
+```
+
+The use of **Set**, **Add**, and **Remove** are analogous to their counterparts in PowerShell: `Set-MpPreference`, `Add-MpPreference`, and `Remove-MpPreference`.
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Use System Center Configuration Manager, Intune, or the Windows Defender Security Center app to configure exclusion lists
+
+
+**Use Configuration Manager to configure file extension exclusions:**
+
+See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch).
+
+
+**Use Microsoft Intune to configure file extension exclusions:**
+
+
+See [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) and [Windows Defender policy settings in Windows 10](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#windows-defender-1) for more details.
+
+
+**Use the Windows Defender Security app to add exclusions to Windows Defender AV:**
+
+See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+
+
+
+ ## Configure auto exclusions lists for Windows Server deployments
+
+If you are using Windows Defender AV to protect Windows Server endpoints or machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other sections in this topic.
+
+You can also disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+## Use wildcards in exclusion lists
+
+You can use the asterisk **\***, question mark **?**, or environment variables (such as %APPDATA%) as wildcards when defining items in the exclusion lists.
+
+You cannot use a wildcard in place of a drive letter.
+
+
+The following table describes how the wildcards can be used and provides some examples.
+
+Wildcard | Use | Example use | Example matches
+---|---|---|---
+**\*** (asterisk) | Replaces any number of chararacters | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my-archived-files-43.zip
- C:\somepath\folder1\folder2\Data
- .test
+**?** (question mark) | Replaces a single character | - C:\MyData\my\*.zip
- C:\somepath\\\*\Data
- .t\*t
| - C:\MyData\my1.zip
- C:\somepath\P\Data
- .txt
+Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | - %ALLUSERSPROFILE%\CustomLogFiles
- %APPDATA%\Data\file.png
| - C:\ProgramData\CustomLogFiles\Folder1\file1.txt
- C:\Users\username\AppData\Roaming\Data\file.png
+
+
+
+## Validate exclusions lists with the EICAR test file
+
+You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
+
+In the following PowerShell snippet, replace *test.txt* with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace *test.txt* with *test.testing*. If you are testing a path, ensure you run the cmdlet within that path.
+
+```PowerShell
+Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"
+```
+
+If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR testfile website](http://www.eicar.org/86-0-Intended-use.html).
+
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the testfile - as with the `Invoke-WebRequest` cmdlet, replace *c:\test.txt* with a file that conforms to the rule you are validating:
+
+```PowerShell
+$client = new-object System.Net.WebClient
+$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
+```
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Servery](configure-server-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
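Review bot: From "## Use PowerShell cmdlets and WMI to configure exclusion lists" to the end, this new process-exclusions topic repeats generic material (all three exclusion lists, the Windows Server auto-exclusions section, a second wildcard table, and second "Validate exclusions lists with the EICAR test file" and "Related topics" sections), so the file ends up with duplicate headings and content that belongs in the other topics; suggest cutting the file after the first EICAR section and keeping one "Related topics" list. The sections that remain still carry copied wording: the PowerShell, WMI, Configuration Manager, Intune, Security Center and wildcard headings all say "file name, folder, or file extension exclusions", and the EICAR validation only downloads a file by name or extension, which does not exercise `-ExclusionProcess` at all. In `Add-MpPreference -ExclusionProcess "c:\internal\test.exe, d:\org\ui\compile43-h.exe"` PowerShell binds the whole quoted string as a single item, so either quote each path separately or state that the cmdlet splits on commas. In the duplicated wildcard table the **?** row reuses the asterisk examples (`C:\MyData\my\*.zip`, `.t\*t`), and the asterisk row of the process wildcard table has an empty "Example use" cell. Typos to fix: "valudate" in the front-matter title, "CThe exclusions apply", the mismatched quote in `-ExclusionProcess'`, "This is the because", "wilcard", "chararacters", "test50" without its leading dot, "Windows Management Instruction", "Windows Servery", the numbered steps that jump from 1 to 3, and the duplicated `ms.pagetype` key.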
diff --git a/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
new file mode 100644
index 0000000000..c293dd3358
--- /dev/null
+++ b/windows/keep-secure/configure-server-exclusions-windows-defender-antivirus.md
@@ -0,0 +1,84 @@
+---
+title: Automatic and customized exclusions for Windows Defender AV on Windows Server 2016
+description: Windows Server 2016 includes automatic exclusions, based on Server Role. You can also add custom exclusions.
+keywords: exclusions, server, auto-exclusions, automatic, custom, scans
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+---
+
+# Configure exclusions in Windows Defender AV on Windows Server 2016
+
+
+**Applies to:**
+
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+
+
+**Manageability available with**
+
+- Group Policy
+- PowerShell
+- Windows Management Instrumentation (WMI)
+
+If you are using Windows Defender Antivirus to protect Windows Server 2016 machines, you are [automatically enrolled in certain exclusions](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender), as defined by your specified Windows Server Role.
+
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+
+You can still add or remove custom exclusions (in addition to the Server Role-defined auto exclusions) as described in the other exclusion-related topics:
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+
+
+You can disable the auto-exclusions lists with Group Policy, PowerShell cmdlets, and WMI.
+
+**Use Group Policy to disable the auto-exclusions list on Windows Server 2016:**
+
+1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**.
+
+3. In the **Group Policy Management Editor** go to **Computer configuration**.
+
+4. Click **Policies** then **Administrative templates**.
+
+5. Expand the tree to **Windows components > Windows Defender Antivirus > Exclusions**.
+
+6. Double-click the **Turn off Auto Exclusions** setting and set the option to **Enabled**. Click **OK**.
+
+**Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the following cmdlets:
+
+```PowerShell
+Set-MpPreference -DisableAutoExclusions
+```
+
+See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus.
+
+**Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:**
+
+Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties:
+
+```WMI
+DisableAutoExclusions
+```
+
+See the following for more information and allowed parameters:
+- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx)
+
+
+## Related topics
+
+- [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Customize, initiate, and review the results of Windows Defender AV scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
\ No newline at end of file
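Review bot: In the PowerShell section, the example `Set-MpPreference -DisableAutoExclusions` passes no value. This parameter is a Boolean, not a switch, so the line should read `Set-MpPreference -DisableAutoExclusions $true`. It would also help to tell the reader to confirm the change with `Get-MpPreference`, since the text above says the automatic exclusions do not appear in the standard exclusion lists and there is otherwise no visible sign that they are off. Smaller points in the same hunk: the Group Policy steps are numbered 1, 3, 4, 5, 6 with no step 2; "Windows Management Instruction" should be "Windows Management Instrumentation"; "Use the following cmdlets" and "for the following properties" each introduce a single item; the `WMI` fence tag is not a recognized highlighting language; and the file ends without a trailing newline.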
diff --git a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
index 9c5a224709..3510bcb390 100644
--- a/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
+++ b/windows/keep-secure/windows-defender-antivirus-on-windows-server-2016.md
@@ -40,7 +40,7 @@ See [Windows Defender Overview for Windows Server](https://technet.microsoft.com
While the functionality, configuration, and management is largely the same for Windows Defender AV either on Windows 10 or Windows Server 2016, there are a few key differences:
-- In Windows Server 2016, [automatic exclusions](configure-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
+- In Windows Server 2016, [automatic exclusions](configure-server-exclusions-windows-defender-antivirus.md) are applied based on your defined Server Role.
- In Windows Server 2016, [Windows Defender AV will not disable itself if you are running another antivirus product](windows-defender-antivirus-on-windows-server-2016.md#sysreq).