Edit

Exclusions to avoid in Microsoft Defender Antivirus and Defender for Endpoint

Important

Add exclusions with caution. Exclusions for Microsoft Defender Antivirus and Defender for Endpoint reduce protection for devices.

You can define exclusions for items you don't want Microsoft Defender Antivirus or Microsoft Defender for Endpoint on macOS or Linux to scan. However, excluded items might contain threats that make your device vulnerable. Exclusions also reduce protection for features that depend on the antivirus engine, such as malware protection and file and certificate indicators of compromise (IOCs). Process exclusions also prevent Microsoft Defender for Endpoint network protection and attack surface reduction (ASR) rules from inspecting traffic or enforcing rules for the excluded processes. Before you create any exclusions, review the Important points about exclusions and the broader guidance in Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

Don't exclude the files, file types, folders, or processes described in this article, even if you trust that the items aren't malicious. This guidance applies to Microsoft Defender Antivirus and Defender for Endpoint on Windows, macOS, and Linux.

Folders you shouldn't exclude

Attackers can abuse some folders, so don't exclude the following folders from scans:

  • Windows:

    • %systemdrive%

    • C:, C:\, or C:\*

    • %ProgramFiles%\Java or C:\Program Files\Java

    • Program folders for installed apps. For example, %ProgramFiles%\Contoso\, C:\Program Files\Contoso\, %ProgramFiles(x86)%\Contoso\, or C:\Program Files (x86)\Contoso\

    • C:\Temp, C:\Temp\, or C:\Temp\*

    • C:\Users\ or C:\Users\*

    • C:\Users\<UserProfileName>\AppData\Local\Temp\ or C:\Users\<UserProfileName>\AppData\LocalLow\Temp\

      Note

      You should exclude the following folders when you use file-level antivirus protection in SharePoint:

      C:\Users\ServiceAccount\AppData\Local\Temp or C:\Users\Default\AppData\Local\Temp.

    • %Windir%\Prefetch, C:\Windows\Prefetch, C:\Windows\Prefetch\, or C:\Windows\Prefetch\*

    • %Windir%\System32\Spool or C:\Windows\System32\Spool

    • C:\Windows\System32\CatRoot2

    • %Windir%\Temp, C:\Windows\Temp, C:\Windows\Temp\, or C:\Windows\Temp\*

  • Linux and macOS:

    • /
    • /bin or /sbin
    • /usr/lib

File extensions you shouldn't exclude

Attackers can abuse some file types, so don't exclude the following file extensions from scans:

  • .7z
  • .bat
  • .bin
  • .cab
  • .cmd
  • .com
  • .cpl
  • .dll
  • .exe
  • .fla
  • .gif
  • .gz
  • .hta
  • .inf
  • .jar
  • .java
  • .job
  • .jpeg
  • .jpg
  • .js
  • .ko or .ko.gz
  • .msi
  • .ocx
  • .png
  • .ps1
  • .py
  • .rar
  • .reg
  • .scr
  • .sys
  • .tar
  • .tmp
  • .url
  • .vbe
  • .vbs
  • .wsf
  • .zip

Note

You can choose to exclude file types (for example, .gif, .jpg, .jpeg, or .png) if your organization uses modern, up-to-date software with strict update policies to handle vulnerabilities.

Processes you shouldn't exclude

Attackers can abuse some processes, so don't exclude the following processes from scans:

  • Windows:

    • AcroRd32.exe
    • addinprocess.exe
    • addinprocess32.exe
    • addinutil.exe
    • bash.exe
    • bginfo.exe
    • bitsadmin.exe
    • cdb.exe
    • cmd.exe
    • cscript.exe
    • csi.exe
    • dbghost.exe
    • dbgsvc.exe
    • dnx.exe
    • dotnet.exe
    • excel.exe
    • fsi.exe
    • fsiAnyCpu.exe
    • iexplore.exe
    • java.exe
    • kd.exe
    • lxssmanager.dll
    • msbuild.exe
    • mshta.exe
    • ntkd.exe
    • ntsd.exe
    • outlook.exe
    • powerpnt.exe
    • powershell.exe
    • psexec.exe
    • rcsi.exe
    • schtasks.exe
    • svchost.exe
    • system.management.automation.dll
    • windbg.exe
    • winword.exe
    • wmic.exe
    • wscript.exe
    • wuauclt.exe
  • Linux and macOS:

    • bash
    • java
    • python and python3
    • sh
    • zsh

Don't exclude file names without a full path

When you exclude a file, specify its fully qualified path so that you exclude only the file you intend. A name-only exclusion behaves differently depending on the platform, but specifying the full path is the safer choice in every case:

  • Microsoft Defender Antivirus on Windows: A file exclusion is matched as a path. A bare file name like Filename.exe isn't a reliable file exclusion and doesn't dependably exclude the file. Use a fully qualified path, such as C:\Program Files\Contoso\Filename.exe. To exclude a file by name in more than one location, use a wildcard path instead. For more information, see File and folder exclusions and Wildcards in file and folder exclusions.
  • Microsoft Defender for Endpoint on macOS and Linux: macOS and Linux provide a file-name exclusion option in addition to full-path exclusions. To make sure you exclude only the file you intend, and not another file that happens to share the name, specify the full path, such as /usr/local/bin/contoso-app.

Don't use one exclusion list for multiple server workloads

Don't use a single exclusion list to define exclusions for multiple server workloads. Instead, split the exclusions into multiple lists for different apps or services.

For example, use a different exclusion list for Internet Information Services (IIS) than the exclusion list for SQL Server.

On Windows Server, Microsoft Defender Antivirus applies many role-based exclusions automatically, so check which exclusions already apply before you create custom lists. For more information, see Microsoft Defender Antivirus exclusions on Windows Server.

On Linux servers, identify the specific processes and paths that each workload needs excluded instead of reusing one list. For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux and Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux.

Don't use environment variables that resolve to unexpected system locations

Because the antivirus service runs in the system context, Microsoft Defender Antivirus resolves environment variables in exclusions by using the system (LocalSystem) account. Many variables resolve to the same path in both contexts, but some don't. For example, %TEMP% resolves to C:\Windows\TEMP rather than C:\Users\<username>\AppData\Local\Temp, so an exclusion that uses %TEMP% doesn't include the location you might expect.

Before you use an environment variable in an exclusion, confirm the location it resolves to under the system account. For more information, see System environment variables.

See also