Edit

Configure custom exclusions for Microsoft Defender Antivirus

  • Article

Applies to:

Platforms

  • Windows

In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. However, if necessary, you can exclude files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. These types of exclusions are known as custom exclusions. This article describes how to define custom exclusions for Microsoft Defender Antivirus with Microsoft Intune and includes links to other resources for more information.

Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring. Exclusions for process-opened files only apply to real-time protection.

Tip

For a detailed overview of suppressions, submissions, and exclusions across Microsoft Defender Antivirus and Defender for Endpoint, see Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

Configure and validate exclusions

Caution

Use Microsoft Defender Antivirus extensions sparingly. Make sure to review the information in Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.

If you're using Microsoft Intune to manage Microsoft Defender Antivirus or Microsoft Defender for Endpoint, use the following procedures to define exclusions:

If you're using another tool, such as Configuration Manager or Group Policy, or you want more detailed information about custom exclusions, see these articles:

Manage antivirus exclusions in Intune (for existing policies)

  1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to Create a new antivirus policy with exclusions in Intune.)

  2. Choose Properties, and next to Configuration settings, choose Edit.

  3. Expand Microsoft Defender Antivirus Exclusions and then specify your exclusions.

    • Excluded Extensions are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list must be separated with a | character. For example, lib|obj. For more information, see ExcludedExtensions.
    • Excluded Paths are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a | character. For example, C:\Example|C:\Example1. For more information, see ExcludedPaths.
    • Excluded Processes are exclusions for files that are opened by certain processes. Separate each file type in the list with a | character. For example, C:\Example. exe|C:\Example1.exe. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see ExcludedProcesses.

  4. Choose Review + save, and then choose Save.

Create a new antivirus policy with exclusions in Intune

  1. In the Microsoft Intune admin center, choose Endpoint security > Antivirus > + Create Policy.

  2. Select a platform (such as Windows 10, Windows 11, and Windows Server).

  3. For Profile, select Microsoft Defender Antivirus exclusions, and then choose Create.

  4. On the Create profile step, specify a name and description for the profile, and then choose Next.

  5. On the Configuration settings tab, specify your antivirus exclusions, and then choose Next.

    • Excluded Extensions are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension without the file path or folder. Separate each file type in the list with a | character. For example, lib|obj. For more information, see ExcludedExtensions.
    • Excluded Paths are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a | character. For example, C:\Example|C:\Example1. For more information, see ExcludedPaths.
    • Excluded Processes are exclusions for files that are opened by certain processes. Separate each file type in the list with a | character. For example, C:\Example. exe|C:\Example1.exe. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see ExcludedProcesses.

  6. On the Scope tags tab, if you're using scope tags in your organization, specify scope tags for the policy you're creating. (See Scope tags.)

  7. On the Assignments tab, specify the users and groups to whom your policy should be applied, and then choose Next. (If you need help with assignments, see Assign user and device profiles in Microsoft Intune.)

  8. On the Review + create tab, review the settings, and then choose Create.

Important points about exclusions

Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you're confident aren't malicious.

Exclusions directly affect the ability for Microsoft Defender Antivirus to block, remediate, or inspect events related to the files, folders, or processes that are added to the exclusion list. Custom exclusions can affect features that are directly dependent on the antivirus engine (such as protection against malware, file IOCs, and certificate IOCs). Process exclusions also affect network protection and attack surface reduction rules. Specifically, a process exclusion on any platform causes network protection and ASR to be unable to inspect traffic or enforce rules for that specific process.

Keep the following points in mind when you're defining exclusions:

  • Exclusions are technically a protection gap. Consider all your options when defining exclusions. See Submissions, suppressions, and exclusions.

  • Review exclusions periodically. Recheck and re-enforce mitigations as part of your review process.

  • Ideally, avoid defining exclusions in an attempt to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.

  • Review and audit changes to your list of exclusions. Your security team should preserve context around why a certain exclusion was added to avoid confusion later on. Your security team should be able to provide specific answers to questions about why exclusions exist.

Audit antivirus exclusions on Exchange systems

Microsoft Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange (see Running Windows antivirus software on Exchange servers). It's highly recommended to install these updates and make sure that AMSI is working properly. See Microsoft Defender Antivirus security intelligence and product updates.

Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus exclusions on Exchange systems and assessing whether exclusions can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can be managed by using Group Policy, PowerShell, or systems management tools like Microsoft Intune.

To audit Microsoft Defender Antivirus exclusions on an Exchange Server, run the Get-MpPreference command from an elevated PowerShell prompt. (See Get-MpPreference.)

If exclusions can't be removed for the Exchange processes and folders, keep in mind that running a quick scan in Microsoft Defender Antivirus scans the Exchange directories and files, regardless of exclusions.

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.