![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 77%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
1,563 questions
Thank you for posting your query on Microsoft Q&A, from above description I was able to understand that you got a suspicious exclusion alert from Microsoft defender for cloud. Now you want to know how it got excluded from the scan, validate its location and perform further checks?
Please do correct me if this is not the case by responding in the comments section:
As a first action you must validate locally on the impacted device if the file is added under exclusion manually:
- Check via Get-MpPreference PowerShell to validate the path of the file/process:
Go to Start > Settings > Privacy& Security > Windows Security > Virus & threat protection. Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions to see if file is excluded or not.
- Now navigate to Event Viewer. In the console tree, expand Applications and Services Logs > Microsoft > Windows > Windows Defender. Double-click on Operational to validate when did this change happen:
- Now remove the application path from the file and validate the scan results.
- To understand how the application/file got excluded you need to validate your policies in following portal for exclusion list: MDE portal or Intune.
Please "Accept the answer (Yes)" and "share your feedback ". This will help us and others in the community as well.
Thanks,
Akshay Kaushik