Manage automation folder exclusions
Automation folder exclusions allow you to specify folders that the Automated investigation will skip.
You can control the following attributes about the folder that you'd like to be skipped:
Folders: You can specify a folder and its subfolders to be skipped.
Note
Wildcards are not currently supported as a way to exclude files under a directory.
Extensions of the files: You can specify the extensions to exclude in a specific directory. Listing extensions explicitly defines which files are ignored, which helps prevent an attacker from using an excluded folder to hide an exploit.
File names: You can specify the file names that you want to be excluded in a specific directory. Listing names explicitly defines which files are ignored, which helps prevent an attacker from using an excluded folder to hide an exploit.
Add an automation folder exclusion
Log in to Microsoft Defender XDR using an account with the Security administrator or Global administrator role assigned.
In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.
Click New folder exclusion.
Enter the folder details:
- Folder
- Extensions
- File names
- Description
Click Save.
Note
Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.
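Before entering a rule in the portal, a proposed exclusion can be reviewed against the points above. The following is an added example, not Microsoft's code: the dictionary layout mirrors the four portal fields, and the RISKY_EXTENSIONS and USER_WRITABLE lists are assumptions to adjust for your environment.

```python
import re

# Assumption: extensions a reviewer treats as able to carry code; adjust locally.
RISKY_EXTENSIONS = {"exe", "dll", "sys", "ps1", "bat", "cmd", "vbs", "js", "scr"}
# Assumption: path fragments that standard users can commonly write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")


def review_exclusion(entry):
    """Return a list of findings for one proposed exclusion (empty = none)."""
    findings = []
    folder = entry.get("folder", "").strip()
    exts = [e.strip().lower().lstrip("*.") for e in entry.get("extensions", []) if e.strip()]
    names = [n.strip() for n in entry.get("file_names", []) if n.strip()]

    if not folder:
        findings.append("missing-folder")
    # The page states wildcards are not supported for excluding files.
    if re.search(r"[*?]", folder) or any(re.search(r"[*?]", n) for n in names):
        findings.append("wildcard-not-supported")
    # With no extensions or names, the folder and its subfolders are skipped whole.
    if not exts and not names:
        findings.append("unscoped: whole folder and subfolders skipped")
    risky = sorted(set(exts) & RISKY_EXTENSIONS)
    if risky:
        findings.append("risky-extensions: " + ",".join(risky))
    if any(frag in folder.lower() + "\\" for frag in USER_WRITABLE):
        findings.append("user-writable-location")
    if not entry.get("description", "").strip():
        findings.append("missing-description")
    return findings


SAMPLE = [  # constructed entries for illustration, not real exclusions
    {"folder": r"D:\Builds\output", "extensions": ["obj", ".pdb"],
     "file_names": [], "description": "CI build intermediates"},
    {"folder": r"C:\Users\*\AppData\Local\Temp", "extensions": [],
     "file_names": [], "description": ""},
    {"folder": r"E:\Vendor\agent", "extensions": ["log", "EXE"],
     "file_names": [], "description": "Vendor agent logs"},
]

if __name__ == "__main__":
    for item in SAMPLE:
        print(item["folder"], "->", review_exclusion(item) or "ok")
```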
Edit an automation folder exclusion
- In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.
- Click Edit on the folder exclusion.
- Update the details of the rule and click Save.
Remove an automation folder exclusion
- In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.
- Click Remove exclusion.
Related articles
- Manage automation allowed/blocked lists
- Manage automation file uploads
- Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus