Update configure-server-exclusions-microsoft-defender-antivirus.md

Denise Vangel-MSFT
2021-02-10 14:50:36 -08:00
parent 1a5f7784c9
commit f91b532123


@ -57,11 +57,8 @@ You can disable the automatic exclusion lists with Group Policy, PowerShell cmdl
### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 ### Use Group Policy to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**. 1. On your Group Policy management computer, open the [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725752(v=ws.11)). Right-click the Group Policy Object you want to configure, and then click **Edit**.
2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**. 2. In the **Group Policy Management Editor** go to **Computer configuration**, and then click **Administrative templates**.
3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**. 3. Expand the tree to **Windows components** > **Microsoft Defender Antivirus** > **Exclusions**.
4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**. 4. Double-click **Turn off Auto Exclusions**, and set the option to **Enabled**. Then click **OK**.
### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019 ### Use PowerShell cmdlets to disable the auto-exclusions list on Windows Server 2016 and 2019
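Review bot: the two headings in this hunk name the platform differently ("Windows Server 2016 and Windows Server 2019" in the Group Policy heading versus "Windows Server 2016 and 2019" in the PowerShell heading). Since this hunk only drops blank lines between the numbered steps, it is a cheap moment to align the PowerShell heading with the Group Policy wording so the section headings and their generated anchors stay consistent.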
@ -72,9 +69,10 @@ Use the following cmdlets:
Set-MpPreference -DisableAutoExclusions $true Set-MpPreference -DisableAutoExclusions $true
``` ```
[Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md). To learn more, see the following resources:
[Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/). - [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md).
- [Use PowerShell with Microsoft Defender Antivirus](https://docs.microsoft.com/powershell/module/defender/).
### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019 ### Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016 and Windows Server 2019
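Review bot: the heading in the trailing context reads "Windows Management Instruction (WMI)"; the technology is Windows Management Instrumentation, so the heading text (and any anchor that links to it) should be corrected in the same pass as the "To learn more" list restructuring above.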
@ -101,51 +99,36 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
#### Windows "temp.edb" files #### Windows "temp.edb" files
- `%windir%\SoftwareDistribution\Datastore\*\tmp.edb` - `%windir%\SoftwareDistribution\Datastore\*\tmp.edb`
- `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` - `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log`
#### Windows Update files or Automatic Update files #### Windows Update files or Automatic Update files
- `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb` - `%windir%\SoftwareDistribution\Datastore\*\Datastore.edb`
- `%windir%\SoftwareDistribution\Datastore\*\edb.chk` - `%windir%\SoftwareDistribution\Datastore\*\edb.chk`
- `%windir%\SoftwareDistribution\Datastore\*\edb\*.log` - `%windir%\SoftwareDistribution\Datastore\*\edb\*.log`
- `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs` - `%windir%\SoftwareDistribution\Datastore\*\Edb\*.jrs`
- `%windir%\SoftwareDistribution\Datastore\*\Res\*.log` - `%windir%\SoftwareDistribution\Datastore\*\Res\*.log`
#### Windows Security files #### Windows Security files
- `%windir%\Security\database\*.chk` - `%windir%\Security\database\*.chk`
- `%windir%\Security\database\*.edb` - `%windir%\Security\database\*.edb`
- `%windir%\Security\database\*.jrs` - `%windir%\Security\database\*.jrs`
- `%windir%\Security\database\*.log` - `%windir%\Security\database\*.log`
- `%windir%\Security\database\*.sdb` - `%windir%\Security\database\*.sdb`
#### Group Policy files #### Group Policy files
- `%allusersprofile%\NTUser.pol` - `%allusersprofile%\NTUser.pol`
- `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol` - `%SystemRoot%\System32\GroupPolicy\Machine\registry.pol`
- `%SystemRoot%\System32\GroupPolicy\User\registry.pol` - `%SystemRoot%\System32\GroupPolicy\User\registry.pol`
#### WINS files #### WINS files
- `%systemroot%\System32\Wins\*\*.chk` - `%systemroot%\System32\Wins\*\*.chk`
- `%systemroot%\System32\Wins\*\*.log` - `%systemroot%\System32\Wins\*\*.log`
- `%systemroot%\System32\Wins\*\*.mdb` - `%systemroot%\System32\Wins\*\*.mdb`
- `%systemroot%\System32\LogFiles\` - `%systemroot%\System32\LogFiles\`
- `%systemroot%\SysWow64\LogFiles\` - `%systemroot%\SysWow64\LogFiles\`
#### File Replication Service (FRS) exclusions #### File Replication Service (FRS) exclusions
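Review bot: the heading "Windows "temp.edb" files" does not match the path it introduces (`%windir%\SoftwareDistribution\Datastore\*\tmp.edb`), and the `%ProgramData%\Microsoft\Search\Data\Applications\Windows\*\*.log` entry under it is a Windows Search log rather than an ESE temp database, so either the heading should be renamed or that entry moved. Similarly, `%systemroot%\System32\LogFiles\` and `%systemroot%\SysWow64\LogFiles\` sit under "WINS files" although they are general-purpose log folders. Because each entry here is a scanning gap an administrator has to accept, the list should state precisely which role each exclusion belongs to.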
@ -153,9 +136,7 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
- Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory` - Files in the File Replication Service (FRS) working folder. The FRS working folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Working Directory`
- `%windir%\Ntfrs\jet\sys\*\edb.chk` - `%windir%\Ntfrs\jet\sys\*\edb.chk`
- `%windir%\Ntfrs\jet\*\Ntfrs.jdb` - `%windir%\Ntfrs\jet\*\Ntfrs.jdb`
- `%windir%\Ntfrs\jet\log\*\*.log` - `%windir%\Ntfrs\jet\log\*\*.log`
- FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory` - FRS Database log files. The FRS Database log file folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ntfrs\Parameters\DB Log File Directory`
@ -176,33 +157,21 @@ This section lists the default exclusions for all Windows Server 2016 and 2019 r
> For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions). > For custom locations, see [Opt out of automatic exclusions](#opt-out-of-automatic-exclusions).
- `%systemdrive%\System Volume Information\DFSR\$db_normal$` - `%systemdrive%\System Volume Information\DFSR\$db_normal$`
- `%systemdrive%\System Volume Information\DFSR\FileIDTable_*` - `%systemdrive%\System Volume Information\DFSR\FileIDTable_*`
- `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*` - `%systemdrive%\System Volume Information\DFSR\SimilarityTable_*`
- `%systemdrive%\System Volume Information\DFSR\*.XML` - `%systemdrive%\System Volume Information\DFSR\*.XML`
- `%systemdrive%\System Volume Information\DFSR\$db_dirty$` - `%systemdrive%\System Volume Information\DFSR\$db_dirty$`
- `%systemdrive%\System Volume Information\DFSR\$db_clean$` - `%systemdrive%\System Volume Information\DFSR\$db_clean$`
- `%systemdrive%\System Volume Information\DFSR\$db_lostl$` - `%systemdrive%\System Volume Information\DFSR\$db_lostl$`
- `%systemdrive%\System Volume Information\DFSR\Dfsr.db` - `%systemdrive%\System Volume Information\DFSR\Dfsr.db`
- `%systemdrive%\System Volume Information\DFSR\*.frx` - `%systemdrive%\System Volume Information\DFSR\*.frx`
- `%systemdrive%\System Volume Information\DFSR\*.log` - `%systemdrive%\System Volume Information\DFSR\*.log`
- `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs` - `%systemdrive%\System Volume Information\DFSR\Fsr*.jrs`
- `%systemdrive%\System Volume Information\DFSR\Tmp.edb` - `%systemdrive%\System Volume Information\DFSR\Tmp.edb`
#### Process exclusions #### Process exclusions
- `%systemroot%\System32\dfsr.exe` - `%systemroot%\System32\dfsr.exe`
- `%systemroot%\System32\dfsrs.exe` - `%systemroot%\System32\dfsrs.exe`
#### Hyper-V exclusions #### Hyper-V exclusions
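Review bot: "#### Process exclusions" is used as a heading both here and again in the IIS section later in the file, which produces duplicate Markdown anchors. A role-qualified heading such as "Process exclusions for DFSR", matching the "Process exclusions for the DNS Server role" style used further down, would avoid the collision. The "For custom locations, see Opt out of automatic exclusions" note at the top of this hunk is a good pattern; the other role sections whose paths are read from registry values would benefit from the same pointer.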
@ -216,19 +185,12 @@ The following table lists the file type exclusions, folder exclusions, and proce
#### SYSVOL files #### SYSVOL files
- `%systemroot%\Sysvol\Domain\Policies*\ADM*.adm` - `%systemroot%\Sysvol\Domain\Policies*\ADM*.adm`
- `%systemroot%\Sysvol\Domain\Policies\PolicyDefinition*.admx` - `%systemroot%\Sysvol\Domain\Policies\PolicyDefinition*.admx`
- `%systemroot%\Sysvol\Domain\Policies\PolicyDefinition*.adml` - `%systemroot%\Sysvol\Domain\Policies\PolicyDefinition*.adml`
- `%systemroot%\Sysvol\Domain\Policies\Registry.pol` - `%systemroot%\Sysvol\Domain\Policies\Registry.pol`
- `%systemroot%\Sysvol\Domain\Policies*\Machine\Applications*.aas` - `%systemroot%\Sysvol\Domain\Policies*\Machine\Applications*.aas`
- `%systemroot%\Sysvol\Domain\Policies*\Machine\Microsoft\Windows NT\SecEdit*.inf` - `%systemroot%\Sysvol\Domain\Policies*\Machine\Microsoft\Windows NT\SecEdit*.inf`
- `%systemroot%\Sysvol\Domain\Policies*\Machine\Microsoft\Windows NT\Audit*.csv` - `%systemroot%\Sysvol\Domain\Policies*\Machine\Microsoft\Windows NT\Audit*.csv`
- `%systemroot%\Sysvol\Domain\Policies*\Machine\Scripts\Scripts.ini` - `%systemroot%\Sysvol\Domain\Policies*\Machine\Scripts\Scripts.ini`
### Active Directory exclusions ### Active Directory exclusions
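Review bot: the wildcard placement in the SYSVOL entries looks inconsistent. `Policies*\ADM*.adm` and the `Policies*\Machine\...` entries put `*` directly after `Policies` with no path separator, while `Policies\PolicyDefinition*.admx` and `Policies\Registry.pol` use a backslash. If a `\*\` segment was lost, the patterns as written would not match the per-GPO subfolders under `Policies`. Please confirm the intended patterns against the shipped exclusion list before this hunk lands; an exclusion that silently fails to match is worse than one that is documented correctly.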
@ -240,7 +202,6 @@ This section lists the exclusions that are delivered automatically when you inst
The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File` The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database File`
- `%windir%\Ntds\ntds.dit` - `%windir%\Ntds\ntds.dit`
- `%windir%\Ntds\ntds.pat` - `%windir%\Ntds\ntds.pat`
#### The AD DS transaction log files #### The AD DS transaction log files
@ -248,13 +209,9 @@ The database files are specified in the registry key `HKEY_LOCAL_MACHINE\System\
The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path` The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Database Log Files Path`
- `%windir%\Ntds\EDB*.log` - `%windir%\Ntds\EDB*.log`
- `%windir%\Ntds\Res*.log` - `%windir%\Ntds\Res*.log`
- `%windir%\Ntds\Edb*.jrs` - `%windir%\Ntds\Edb*.jrs`
- `%windir%\Ntds\Ntds*.pat` - `%windir%\Ntds\Ntds*.pat`
- `%windir%\Ntds\TEMP.edb` - `%windir%\Ntds\TEMP.edb`
#### The NTDS working folder #### The NTDS working folder
@ -262,13 +219,11 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory` This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\DSA Working Directory`
- `%windir%\Ntds\Temp.edb` - `%windir%\Ntds\Temp.edb`
- `%windir%\Ntds\Edb.chk` - `%windir%\Ntds\Edb.chk`
#### Process exclusions for AD DS and AD DS-related support files #### Process exclusions for AD DS and AD DS-related support files
- `%systemroot%\System32\ntfrs.exe` - `%systemroot%\System32\ntfrs.exe`
- `%systemroot%\System32\lsass.exe` - `%systemroot%\System32\lsass.exe`
### DHCP Server exclusions ### DHCP Server exclusions
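Review bot: `%systemroot%\System32\lsass.exe` as an automatic process exclusion deserves a sentence of context in this section. A process exclusion means files opened by that process are not scanned, and for the security subsystem that is a meaningful trade-off. Readers who opt out of the automatic list should know which entry they are giving up, so suggest adding the same "For custom locations, see Opt out of automatic exclusions" cross-reference that the DFSR section already carries.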
@ -276,13 +231,9 @@ This folder is specified in the registry key `HKEY_LOCAL_MACHINE\System\CurrentC
This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters` This section lists the exclusions that are delivered automatically when you install the DHCP Server role. The DHCP Server file locations are specified by the *DatabasePath*, *DhcpLogFilePath*, and *BackupDatabasePath* parameters in the registry key `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DHCPServer\Parameters`
- `%systemroot%\System32\DHCP\*\*.mdb` - `%systemroot%\System32\DHCP\*\*.mdb`
- `%systemroot%\System32\DHCP\*\*.pat` - `%systemroot%\System32\DHCP\*\*.pat`
- `%systemroot%\System32\DHCP\*\*.log` - `%systemroot%\System32\DHCP\*\*.log`
- `%systemroot%\System32\DHCP\*\*.chk` - `%systemroot%\System32\DHCP\*\*.chk`
- `%systemroot%\System32\DHCP\*\*.edb` - `%systemroot%\System32\DHCP\*\*.edb`
### DNS Server exclusions ### DNS Server exclusions
@ -292,11 +243,8 @@ This section lists the file and folder exclusions and the process exclusions tha
#### File and folder exclusions for the DNS Server role #### File and folder exclusions for the DNS Server role
- `%systemroot%\System32\Dns\*\*.log` - `%systemroot%\System32\Dns\*\*.log`
- `%systemroot%\System32\Dns\*\*.dns` - `%systemroot%\System32\Dns\*\*.dns`
- `%systemroot%\System32\Dns\*\*.scc` - `%systemroot%\System32\Dns\*\*.scc`
- `%systemroot%\System32\Dns\*\BOOT` - `%systemroot%\System32\Dns\*\BOOT`
#### Process exclusions for the DNS Server role #### Process exclusions for the DNS Server role
@ -308,9 +256,7 @@ This section lists the file and folder exclusions and the process exclusions tha
This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role. This section lists the file and folder exclusions that are delivered automatically when you install the File and Storage Services role. The exclusions listed below do not include exclusions for the Clustering role.
- `%SystemDrive%\ClusterStorage` - `%SystemDrive%\ClusterStorage`
- `%clusterserviceaccount%\Local Settings\Temp` - `%clusterserviceaccount%\Local Settings\Temp`
- `%SystemDrive%\mscs` - `%SystemDrive%\mscs`
### Print Server exclusions ### Print Server exclusions
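Review bot: the intro sentence states that the exclusions "do not include exclusions for the Clustering role", yet all three entries that follow (`%SystemDrive%\ClusterStorage`, `%clusterserviceaccount%\Local Settings\Temp`, `%SystemDrive%\mscs`) are cluster paths. Either the sentence or the list is wrong; please reconcile them so readers know whether these folders are excluded on a plain file server.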
@ -320,7 +266,6 @@ This section lists the file type exclusions, folder exclusions, and the process
#### File type exclusions #### File type exclusions
- `*.shd` - `*.shd`
- `*.spl` - `*.spl`
#### Folder exclusions #### Folder exclusions
@ -340,32 +285,28 @@ This section lists the folder exclusions and the process exclusions that are del
#### Folder exclusions #### Folder exclusions
- `%SystemRoot%\IIS Temporary Compressed Files` - `%SystemRoot%\IIS Temporary Compressed Files`
- `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files` - `%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files`
- `%SystemDrive%\inetpub\temp\ASP Compiled Templates` - `%SystemDrive%\inetpub\temp\ASP Compiled Templates`
- `%systemDrive%\inetpub\logs` - `%systemDrive%\inetpub\logs`
- `%systemDrive%\inetpub\wwwroot` - `%systemDrive%\inetpub\wwwroot`
#### Process exclusions #### Process exclusions
- `%SystemRoot%\system32\inetsrv\w3wp.exe` - `%SystemRoot%\system32\inetsrv\w3wp.exe`
- `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe` - `%SystemRoot%\SysWOW64\inetsrv\w3wp.exe`
- `%SystemDrive%\PHP5433\php-cgi.exe` - `%SystemDrive%\PHP5433\php-cgi.exe`
#### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder #### Turning off scanning of files in the Sysvol\Sysvol folder or the SYSVOL_DFSR\Sysvol folder
The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default: The current location of the `Sysvol\Sysvol` or `SYSVOL_DFSR\Sysvol` folder and all the subfolders is the file system reparse target of the replica set root. The `Sysvol\Sysvol` and `SYSVOL_DFSR\Sysvol` folders use the following locations by default:
- `%systemroot%\Sysvol\Domain` - `%systemroot%\Sysvol\Domain`
- `%systemroot%\Sysvol_DFSR\Domain` - `%systemroot%\Sysvol_DFSR\Domain`
The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters` The path to the currently active `SYSVOL` is referenced by the NETLOGON share and can be determined by the SysVol value name in the following subkey: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`
Exclude the following files from this folder and all its subfolders: Exclude the following files from this folder and all its subfolders:
- `*.adm` - `*.adm`
- `*.admx` - `*.admx`
- `*.adml` - `*.adml`
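Review bot: three points in this hunk. `%SystemDrive%\PHP5433\php-cgi.exe` hard-codes a single PHP install folder, so the entry will not match most deployments and should be explained or generalised. The Netlogon subkey is given as `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters`, while the rest of the article uses `CurrentControlSet`; `CurrentControlSet` is the alias that always resolves to the active control set, so `ControlSet001` can point at the wrong one on a machine booted from another set. Finally, the "Turning off scanning of files in the Sysvol\Sysvol folder" subsection sits under the Web Server (IIS) role here although it concerns domain controllers, so it likely belongs under the Active Directory section.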
@ -382,11 +323,8 @@ Exclude the following files from this folder and all its subfolders:
This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup` This section lists the folder exclusions that are delivered automatically when you install the Windows Server Update Services (WSUS) role. The WSUS folder is specified in the registry key `HKEY_LOCAL_MACHINE\Software\Microsoft\Update Services\Server\Setup`
- `%systemroot%\WSUS\WSUSContent` - `%systemroot%\WSUS\WSUSContent`
- `%systemroot%\WSUS\UpdateServicesDBFiles` - `%systemroot%\WSUS\UpdateServicesDBFiles`
- `%systemroot%\SoftwareDistribution\Datastore` - `%systemroot%\SoftwareDistribution\Datastore`
- `%systemroot%\SoftwareDistribution\Download` - `%systemroot%\SoftwareDistribution\Download`
## See also ## See also