Manage automation folder exclusions

Automation folder exclusions allow you to specify folders that the Automated investigation will skip.

You can control the following attributes about the folder that you'd like to be skipped:

  • Folders: You can specify a folder and its subfolders to be skipped.

    Note

    At this time, wildcards are not supported as a way to exclude files under a directory; a folder exclusion always covers the folder and all of its subfolders.

  • Extensions of the files: You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.

  • File names: You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.

Add an automation folder exclusion

  1. Log in to Microsoft Defender XDR using an account with the Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.

  3. Click New folder exclusion.

  4. Enter the folder details:

    • Folder
    • Extensions
    • File names
    • Description

  5. Click Save.

Note

Live Response commands that collect or examine an excluded file will fail with the error "File is excluded". In addition, automated investigations will ignore the excluded items.
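The following is an added example, not code from the Microsoft Defender for Endpoint product or its documentation. It models the exclusion attributes described above (folder plus subfolders, optional extensions, optional file names, no wildcards) and the two documented effects of a match: automated investigations skipping the file and a Live Response collect request failing with "File is excluded". The `FolderExclusion` and `collect_file` names, the sample paths and the matching rule (no extensions or names listed means the whole folder is excluded; otherwise only files whose extension or name is listed are excluded) are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath


@dataclass
class FolderExclusion:
    """One automation folder exclusion as entered in the portal:
    folder, optional extensions, optional file names, description."""
    folder: str
    extensions: set[str] = field(default_factory=set)   # e.g. {".log", ".txt"}
    file_names: set[str] = field(default_factory=set)   # e.g. {"trace.etl"}
    description: str = ""

    def _in_folder(self, path: PureWindowsPath) -> bool:
        # The folder and all of its subfolders are covered; no wildcards.
        # PureWindowsPath compares case-insensitively, like NTFS paths.
        return PureWindowsPath(self.folder) in path.parents

    def matches(self, file_path: str) -> bool:
        """Assumed model: with no extensions or names set, every file under the
        folder is excluded; otherwise only files whose extension or name is
        listed are excluded, so everything else stays visible to investigations."""
        path = PureWindowsPath(file_path)
        if not self._in_folder(path):
            return False
        if not self.extensions and not self.file_names:
            return True
        ext_hit = path.suffix.lower() in {e.lower() for e in self.extensions}
        name_hit = path.name.lower() in {n.lower() for n in self.file_names}
        return ext_hit or name_hit


def collect_file(exclusions: list[FolderExclusion], file_path: str) -> str:
    """Outcome of a Live Response collect request checked against the exclusion
    list: the documented error text for an excluded file, otherwise 'collected'."""
    for rule in exclusions:
        if rule.matches(file_path):
            return "File is excluded"
    return "collected"


# Constructed sample rules: a broad exclusion versus one narrowed to .log files.
BROAD = [FolderExclusion(r"C:\App\Logs", description="whole folder skipped")]
NARROW = [FolderExclusion(r"C:\App\Logs", extensions={".log"}, description="only logs skipped")]

if __name__ == "__main__":
    for label, rules in (("broad", BROAD), ("narrow", NARROW)):
        for f in (r"C:\App\Logs\app.log", r"C:\App\Logs\sub\unknown.exe", r"C:\App\bin\unknown.exe"):
            print(f"{label:6} {f}: {collect_file(rules, f)}")
```

Run stand-alone, it shows why the extensions and file names attributes matter: the broad rule hides an executable dropped into a subfolder of the excluded path, while the narrowed rule leaves it visible to investigations and collectable by Live Response.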

Edit an automation folder exclusion

  1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.
  2. Click Edit on the folder exclusion.
  3. Update the details of the rule and click Save.

Remove an automation folder exclusion

  1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.
  2. Click Remove exclusion.
