Configure and validate exclusions for Microsoft Defender Antivirus scans

Applies to:

Platforms

  • Windows

You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring. Exclusions for process-opened files only apply to real-time protection.

Configure and validate exclusions

To configure and validate exclusions, see the following:

Recommendations for defining exclusions

Important

Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.

Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. You should always evaluate the risks that are associated with implementing exclusions, and you should only exclude files that you are confident are not malicious.

Keep the following points in mind when you are defining exclusions:

  • Exclusions are technically a protection gap. Consider all your options when defining exclusions. Other options can be as simple as making sure the excluded location has the appropriate access-control lists (ACLs) or setting policies to audit mode at first.

  • Review the exclusions periodically. Recheck and re-enforce mitigations as part of your review process.

  • Ideally, avoid defining exclusions in an effort to be proactive. For example, don't exclude something just because you think it might be a problem in the future. Use exclusions only for specific issues, such as those pertaining to performance or application compatibility that exclusions could mitigate.

  • Review and audit changes to your list of exclusions. Your security team should preserve context around why a certain exclusion was added to avoid confusion later on. Your security team should be able to provide specific answers to questions about why exclusions exist.

Audit Antivirus Exclusions

Exchange has supported integration with the Antimalware Scan Interface (AMSI) since the June 2021 Quarterly Updates for Exchange. It is highly recommended to ensure these updates are installed and AMSI is working using the guidance provided by the Exchange Team as this integration will allow the best ability for Defender Antivirus to detect and block exploitation of Exchange.

Many organizations exclude the Exchange directories from antivirus scans for performance reasons. Microsoft recommendeds to audit AV exclusions on Exchange systems and assess if they can be removed without impacting performance in your environment to ensure the highest level of protection. Exclusions can managed by using Group Policy, PowerShell, or systems management tools like Microsoft Endpoint Configuration Manager.

To audit AV exclusions on an Exchange Server running Defender Antivirus, run the Get-MpPreference command from an elevated PowerShell prompt.

If exclusions cannot be removed for the Exchange processes and folders, running a Quick Scan in Defender Antivirus will scan the Exchange directories and files, regardless of exclusions.

See also