Antimalware Policies folder exclusions and it's subfolder

Cody 321

I'm working on creating an Antimalware Policy, within Configuration Manager. But, I am a little confused with Excluding along with subfolders and its file - see screenshot.

Exclusion settings - X_Folder

From the documentations I've used for my reference:

https://learn.microsoft.com/en-us/mem/configmgr/protect/deploy-use/endpoint-antimalware-policies

Exclusion Settings - It mentioned that I have to list each subfolder such as:

F:\MyFolder\Folder1
F:\MyFolder\Folder2
F:\MyFolder\Folder3

I'm trying to exclude a folder that have multiple subfolders and subfolder within subfolders. That's to many to list. How do I add the top level folder, such as E:\X_Folder, and exclude all the files and it's multiple subfolders?

1 answer

AllenLiu-MSFT 45,531 Reputation points Microsoft Vendor

2024-05-30T03:01:53.0966667+00:00

Hi, @kody

Thank you for posting in Microsoft Q&A forum.

The example is only for mapped network drive, if your E:\ is not a mapped network drive, list E:\X_Folder will exclude all the files and it's multiple subfolders.

If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Add comment".
Please sign in to rate this answer.
Cody 321 Reputation points

2024-05-30T13:48:28.5333333+00:00

Thank you, @AllenLiu-MSFT

What is the best way to verify that the the subfolders of E:\X_Folders have been excluded from Defender scanning?

Cody 321 Reputation points

2024-05-30T13:49:34.19+00:00

Thank you, @AllenLiu-MSFT

What the best way to verify that the subfolders of E:\X_Folders have been excluded from Defender?

AllenLiu-MSFT 45,531 Reputation points Microsoft Vendor

2024-05-31T06:01:41.1066667+00:00

Hi,

To verify that the subfolders of E:\X_Folder have been excluded from Defender, you can use the MpCmdRun command-line tool. First, open an elevated Command Prompt and navigate to the Microsoft Defender Antivirus platform directory by running the following commands:

Start, CMD (Run as admin) cd "%programdata%\microsoft\windows defender\platform"

Then, run the following command to check if a specific path is excluded:

MpCmdRun.exe -CheckExclusion -path E:\X_Folder\subfolder

Replace "subfolder" with the name of the subfolder you want to check. If the output shows that the path is excluded, then the subfolders of E:\X_Folder have been excluded from Defender.

References:

https://learn.microsoft.com/en-us/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus#validate-the-exclusion-list-by-using-mpcmdrun

If the answer is the right solution, please click "Accept Answer" and kindly upvote it.

Cody 321 Reputation points

2024-06-03T13:29:39.26+00:00

I'm not getting the desired result with running the MpCmdRun.exe, in admin cmd mode"

Here's the syntax and result:

C:\ProgramData\Microsoft\Windows Defender\platform\4.18.24040.4-0>MpCmdRun.exe -CheckExclusion -path E:\X_Folder\TestFolderX

E:\X_Folder\TestFolderX [\Device\HarddiskVolume6\X_Folder\TestFolderX] is not excluded. Exit code is 1.

I'm assume that just adding E:\X_Folder in the exceptions list isn't enough...?

I'm trying to find any reference to Exit code 1 within the Windows Defender Doc but have not yet found any. I did find that it referenced that "Folder exclusions apply to all files and folders under that folder, unless the subfolder is a reparse point." So, I'm not sure the 'why'.

AllenLiu-MSFT 45,531 Reputation points Microsoft Vendor

2024-06-05T02:35:53.19+00:00

Hi,

Where do you run the MpCmdRun.exe? We should run the MpCmdRun.exe on the client computer that has applied the Antimalware Policy you configured in SCCM.

You may check the Exclusions list on your client computer to see if the folder "E:\X_Folder" is listed? (You may check my picture, in my example, the folder "C:\Temp" is listed in the exclusions list, so the subfolder is excluded when I run the MpCmdRun.exe)

Hope I explained it clearly.

Cody 321 Reputation points

2024-06-05T15:53:12.7733333+00:00

I figured out the issue. It turns out the issue was that the server where the share resides was had a GPO some weird configuration that interfered with defender. Once the GPO was removed, the folder and it's subfolders were excluded from defender.

Thanks for the help,

AllenLiu-MSFT 45,531 Reputation points Microsoft Vendor

2024-06-06T01:24:38.2433333+00:00

Thank you very much for the update and we're glad the problem is solved now.

please don't forget to close up the thread by click
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Antimalware Policies folder exclusions and it's subfolder

1 answer

Your answer