Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Microsoft Defender for Endpoint and Defender for Business include a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. Microsoft preconfigures the product to perform well on the operating system where it's installed. In most cases, no other changes are needed.
Despite preconfigured settings, sometimes unexpected behavior occurs. For example:
- False positives: Files, folders, or processes that aren't threats are detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities are blocked or sent to quarantine, even though they're not a threat.
- Performance issues: Systems experience unexpected performance issues when running with Defender for Endpoint or Microsoft Defender Antivirus.
- Application compatibility issues: Applications experience unexpected behavior when running with Defender for Endpoint or Microsoft Defender Antivirus.
The following sections describe the types of exclusions available in Defender for Endpoint and Microsoft Defender Antivirus, along with when to use each one. For a summary of which management tools you can use to configure each exclusion type, see Exclusions reference for Microsoft Defender for Endpoint.
Note
Creating exclusions or indicators is one possible approach for addressing issues with Defender for Endpoint or Microsoft Defender Antivirus, but often there are other steps you can take first.
Types of exclusions
There are several types of exclusions to consider. Some types of exclusions affect multiple capabilities in Defender for Endpoint, whereas other types are specific to Microsoft Defender Antivirus.
For information about indicators, which are a related but separate mechanism for allowing or blocking specific files, IP addresses, URLs, and certificates, see Overview of indicators in Microsoft Defender for Endpoint.
The following tables summarize the types of exclusions you can define, grouped by whether they're available on all platforms or on Windows only. Note the scope for each exclusion type.
Cross-platform exclusions: These exclusions are available on Windows, macOS, and Linux devices.
Exclusion type Scope Use cases Custom exclusions Antivirus
Attack surface reduction (ASR) rules
Network ProtectionA file, folder, or process is identified as malicious, even though it's not a threat.
An application encounters unexpected performance or application compatibility issues when running with Defender for Endpoint.
In Windows, some ASR rules honor Microsoft Defender Antivirus file and folder (path) exclusions.File and certificate allow indicators Antivirus
ASR rules
Controlled folder access (CFA)A file or process signed by a certificate is identified as malicious even though it's not. Domain/URL and IP address indicators Network Protection
SmartScreen
Web Content FilteringSmartScreen reports a false positive.
You want to override a Web Content Filtering block on a specific site.Windows-only exclusions: These exclusions are available on Windows devices only.
Exclusion type Scope Use cases Preconfigured antivirus exclusions Antivirus Microsoft Defender Antivirus automatically excludes some operating system files and Windows Server roles, so you don't have to define these exclusions yourself. ASR rule exclusions ASR rules An ASR rule causes unexpected behavior. Automation folder exclusions Automated investigation and response Automated investigation and remediation takes an action on a file, extension, or directory that should be handled manually. CFA exclusions CFA CFA blocks an application from accessing a protected folder.
Note
Process exclusions directly affect network protection on all platforms and ASR rules in Windows. A process exclusion on any operating system (Windows, macOS, or Linux) prevents network protection from inspecting traffic or enforcing rules for that specific process.
Preconfigured antivirus exclusions
You don't have to define these exclusion types, but it's helpful to know what they are and how they work. Microsoft Defender Antivirus preconfigures the following exclusion types:
- Built-in Microsoft Defender Antivirus exclusions:
- Microsoft Defender Antivirus includes built-in exclusions for operating system files on all supported client and server versions of Windows. The list is kept up to date as the threat landscape changes. For more information, see Built-in exclusions.
- On supported versions of Windows Server, more built-in exclusions apply to server features such as Windows Internet Name Service (WINS) and File Replication Service (FRS). For more information, see Built-in exclusions on Windows Server.
Automatic Microsoft Defender Antivirus exclusions: Automatic exclusions for server roles and features in Windows Server 2016 or later (for example, File Replication Service, Hyper-V, SYSVOL, Active Directory, and DNS Server). When you install a role, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role.
These exclusions aren't scanned by real-time protection but are still subject to quick, full, or custom antivirus scans.
For more information, see Automatic server role exclusions.
Automatic exclusions apply only to built-in Windows Server roles. If you run other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, you likely need to define custom antivirus exclusions for them. For more information, see the following articles:
- Running Windows antivirus software on Exchange Server
- Folders to exclude from antivirus scans on SharePoint Server
- Configure antivirus software to work with SQL Server
You can also refer to the software publisher's documentation.
Custom exclusions
Microsoft Defender for Endpoint and Microsoft Defender Antivirus let you configure custom exclusions to optimize performance and avoid false positives. The custom exclusions you can define vary by operating system.
macOS: You can define exclusions that apply to antivirus scanning only (on-demand scans, real-time protection, and monitoring). These exclusions don't apply to endpoint detection and response (EDR), so excluded files can still trigger EDR alerts and other detections. The supported exclusion types include:
- File extension exclusions: Exclude all files with a specific extension.
- File exclusions: Exclude a specific file identified by its full path.
- Folder exclusions: Exclude all files under a specified folder recursively.
- Process exclusions: Exclude a specific process and all files opened by it.
For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.
Linux: You can configure exclusions as antivirus exclusions (applied to real-time protection, on-demand scans, and behavior monitoring, while keeping EDR visibility) or as global exclusions (applied at the sensor level, muting both antivirus detections and EDR alerts). The supported exclusion types include:
- File extension exclusions: Exclude all files with a specific extension (not available for global exclusions).
- File exclusions: Exclude a specific file identified by its full path.
- Folder exclusions: Exclude all files under a specified folder recursively.
- Process exclusions: Exclude a specific process (by full path or file name) and all files opened by it.
For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.
Windows: You can configure Microsoft Defender Antivirus to exclude combinations of processes, files, folders (paths), and extensions from scheduled scans, on-demand scans, real-time protection, and potentially unwanted app (PUA) detections. These exclusions apply to antivirus scanning only. They don't apply to EDR, so excluded files can still trigger EDR alerts. To exclude files for all Defender for Endpoint capabilities, use custom indicators. The supported exclusion types include:
- File and folder exclusions: Exclude a specific file or everything in a folder. Also known as path exclusions.
- File extension exclusions: Exclude any file that has a specific extension, regardless of location.
- Process exclusions: Exclude all files that a specific process opens.
- Contextual exclusions: Narrow a path exclusion so that it applies only in a specific context, such as only when a specific process opens the file.
For more information, see Exclusions in Microsoft Defender Antivirus.
Attack surface reduction rule exclusions
Attack surface reduction (ASR) rules block risky software behavior, but some legitimate apps engage in this risky behavior (for example, launching executable files that download and run other files). Some ASR rules honor Microsoft Defender Antivirus exclusions. ASR rules also support global ASR rule exclusions and per-ASR rule exclusions.
For more information, see File and folder exclusions for ASR rules.
Automation folder exclusions
Automation folder exclusions apply to automated investigation and remediation in Microsoft Defender for Endpoint Plan 2, which examines alerts and takes immediate action to resolve detected breaches. When an alert triggers an automated investigation, the investigation reaches a verdict (Malicious, Suspicious, or No threats found) for each piece of evidence. Depending on the automation level and other security settings, remediation actions occur automatically or after your security operations team approves them.
For more information, see Manage automation folder exclusions.
Controlled folder access exclusions
Controlled folder access (CFA) protects your data by blocking untrusted apps from changing files in protected folders on Windows devices. By default, CFA protects common system folders, and you can add other folders. If CFA blocks an app that you trust, you can define an exclusion to allow the app to modify files in protected folders.
For more information, see Configure controlled folder access.
Custom remediation actions
When Microsoft Defender Antivirus detects a potential threat while running a scan, it attempts to remediate or remove the detected threat. You can define custom remediation actions to configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
For more information, see Configure remediation actions for Microsoft Defender Antivirus detections.
How exclusions and indicators are evaluated
Most organizations have several types of exclusions and indicators to determine whether users should be able to access and use a file or process. On Windows devices, these exclusions and indicators are processed in a particular order so that policy conflicts are handled systematically.
Here's how it works. Evaluation stops at the first condition that applies:
- If the file isn't allowed by Windows Defender Application Control and AppLocker enforce mode policies, it's blocked.
- Otherwise, if the file is allowed by a Microsoft Defender Antivirus exclusion, it's allowed.
- Otherwise, if the file has a block or warn file indicator, it's blocked or warned.
- Otherwise, if the file is blocked by SmartScreen, it's blocked.
- Otherwise, if the file is allowed by an allow file indicator, it's allowed.
- Otherwise, if the file is blocked by attack surface reduction rules, controlled folder access, or antivirus protection, it's blocked.
- Otherwise, the file is allowed.
How policy conflicts are handled
In cases where Defender for Endpoint indicators conflict, here's what to expect:
If there are conflicting file indicators, the indicator that uses the most secure hash is applied. For example, SHA256 takes precedence over SHA-1, which takes precedence over MD5.
If there are conflicting URL indicators, the more specific indicator is used.
- For Microsoft Defender SmartScreen, an indicator that uses the longest URL path is applied. For example,
www.contoso.com/admin/takes precedence overwww.contoso.com. - Network protection primarily enforces at the domain level, although it can block specific URL paths in some scenarios.
- For Microsoft Defender SmartScreen, an indicator that uses the longest URL path is applied. For example,
If there are similar indicators for a file or process that have different actions, the indicator that is scoped to a specific device group takes precedence over an indicator that targets all devices.
How automated investigation and remediation works
Automated investigation and remediation capabilities in Defender for Endpoint first determine a verdict for each piece of evidence, and then take an action depending on Defender for Endpoint indicators. As a result, a file or process could get a verdict of "good" (which means no threats were found) and still be blocked if there's an indicator with that action. Similarly, an entity could get a verdict of "bad" (which means it's determined to be malicious) and still be allowed if there's an indicator with that action.
For more information, see Automated investigation and remediation engine.
Alternatives and steps to consider before you create an exclusion
Creating an exclusion or an allow indicator creates a protection gap. Use these techniques only after you determine the root cause of the issue. Until then, consider alternatives such as submitting a file to Microsoft for analysis or suppressing an alert.
The following list describes common scenarios and the steps to consider before creating an exclusion or allow indicator.
False positive: An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. Steps to consider:
- Review and classify alerts that were generated as a result of the detected entity.
- Suppress an alert for a known entity.
- Review remediation actions that were taken for the detected entity.
- Submit the false positive to Microsoft for analysis.
- Define an indicator or an exclusion for the entity (only if necessary).
Performance issues. For example:
- A system has high CPU usage or other performance issues.
- A system has memory leak issues.
- An app is slow to load on devices.
- An app is slow to open a file on devices.
Steps to consider:
- Collect diagnostic data for Microsoft Defender Antivirus.
- If you're using a non-Microsoft antivirus solution, check with the vendor for known issues with antivirus products.
- Review performance logs (see Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI) to determine the estimated performance impact. For performance-specific issues related to Microsoft Defender Antivirus, use the Performance analyzer for Microsoft Defender Antivirus.
- Define an exclusion for Microsoft Defender Antivirus (if necessary).
- Create an indicator for Defender for Endpoint (only if necessary).
Compatibility issues with non-Microsoft antivirus products. For example, Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. Steps to consider:
- If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, set Microsoft Defender Antivirus to passive mode.
- If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see Make the switch to Defender for Endpoint. This guidance includes Exclusions you might need to define for Microsoft Defender Antivirus and Troubleshooting information (just in case something goes wrong while migrating).
Compatibility with applications. For example, applications are crashing or experiencing unexpected behaviors after a device is onboarded to Microsoft Defender for Endpoint. See Address unwanted behaviors in Microsoft Defender for Endpoint with exclusions, indicators, and other techniques.
Submit files for analysis
If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasn't detected (a false negative), you can submit the file to Microsoft for analysis. Your submission is scanned immediately and then reviewed by Microsoft security analysts. You can check the status of your submission on the submission history page.
Submitting files for analysis helps reduce false positives and false negatives for all customers. For more information, see the following articles:
- Submit files for analysis
- Submit files in the Microsoft Defender portal (Defender for Endpoint Plan 2 or Microsoft Defender XDR only)
Suppress alerts
If you're getting alerts in the Microsoft Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts.
To suppress an alert, you create a suppression rule and specify what actions to take for that alert on other identical alerts. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title in your organization.
For more information, see the following articles:
- Suppress alerts
- Tech Community Blog: Introducing the new alert suppression experience (for Defender for Endpoint)