Seda brauserit enam ei toetata.
Uusimate funktsioonide, turbevärskenduste ja tehnilise toe kasutamiseks võtke kasutusele Microsoft Edge.
Microsoft Defender for Endpoint and Defender for Business includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. Microsoft preconfigures the product to perform well on the operating system that it's installed. No other changes should be needed. Despite preconfigured settings, sometimes unexpected behaviors occur. Here are some examples:
Creating an exclusion is one possible approach for addressing these types of issues. But often there are other steps you can take. In addition to providing an overview of indicators and exclusions, this article includes Alternatives to creating exclusions and allow indicators.
Märkus
Creating an indicator or an exclusion should only be considered after thoroughly understanding the root cause of the unexpected behavior.
| Example scenario | Steps to consider |
|---|---|
| False positive: An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat. | 1. Review and classify alerts that were generated as a result of the detected entity. 2. Suppress an alert for a known entity. 3. Review remediation actions that were taken for the detected entity. 4. Submit the false positive to Microsoft for analysis. 5. Define an indicator or an exclusion for the entity (only if necessary). |
| Performance issues such as one of the following issues: - A system is having high CPU usage or other performance issues. - A system is having memory leak issues. - An app is slow to load on devices. - An app is slow to open a file on devices. |
1. Collect diagnostic data for Microsoft Defender Antivirus. 2. If you're using a non-Microsoft antivirus solution, Check with the vendor for known issues with antivirus products. 3. Review performance logs (see Troubleshoot Microsoft Defender Antivirus performance issues with WPRUI) to determine the estimated performance impact. For performance-specific issues related to Microsoft Defender Antivirus, use the Performance analyzer for Microsoft Defender Antivirus. 4. Define an exclusion for Microsoft Defender Antivirus (if necessary). 5. Create an indicator for Defender for Endpoint (only if necessary). |
| Compatibility issues with non-Microsoft antivirus products. Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution. |
1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, set Microsoft Defender Antivirus to passive mode. 2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see Make the switch to Defender for Endpoint. This guidance includes: - Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution; - Exclusions you might need to define for Microsoft Defender Antivirus; and - Troubleshooting information (just in case something goes wrong while migrating). |
| Compatibility with applications. Example: Applications are crashing or experiencing unexpected behaviors after a device is onboarded to Microsoft Defender for Endpoint. |
See Address unwanted behaviors in Microsoft Defender for Endpoint with exclusions, indicators, and other techniques. |
Creating an exclusion or an allow indicator creates a protection gap. These techniques should only be used after determining the root cause of the issue. Until that determination is made, consider these alternatives:
If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasn't detected (a false negative), you can submit the file to Microsoft for analysis. Your submission is scanned immediately, and will then be reviewed by Microsoft security analysts. You're able to check the status of your submission on the submission history page.
Submitting files for analysis helps reduce false positives and false negatives for all customers. To learn more, see the following articles:
If you're getting alerts in the Microsoft Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts. To suppress an alert, you create a suppression rule, and specify what actions to take for that on other, identical alerts. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title across your organization.
To learn more, see the following articles:
There are several different types of exclusions to consider. Some types of exclusions affect multiple capabilities in Defender for Endpoint, whereas other types are specific to Microsoft Defender Antivirus.
For information about indicators, see Overview of indicators in Microsoft Defender for Endpoint.
Microsoft Defender for Endpoint allows you to configure custom exclusions to optimize performance and avoid false positives. The types of exclusions you can set vary by Defender for Endpoint capabilities and by operating systems.
The following table summarizes types of custom exclusions that you can define. Note the scope for each exclusion type.
| Exclusion types | Scope | Use cases |
|---|---|---|
| Custom Defender for Endpoint exclusions | Antivirus Attack surface reduction rules Defender for Endpoint Network Protection |
A file, folder, or process is identified as malicious, even though it's not a threat. An application encounters unexpected performance or application compatibility issue when running with Defender for Endpoint |
| Defender for Endpoint attack surface reduction exclusions | Attack surface reduction rules | An attack surface reduction rule causes unexpected behavior. |
| Defender for Endpoint automation folder exclusions | Automated investigation and response | Automated investigation and remediation take action on a file, extension, or directory that should be done manually. |
| Defender for Endpoint controlled folder access exclusions | Controlled folder access | Controlled folder access blocks an application from accessing a protected folder. |
| Defender for Endpoint File and Certificate Allow Indicators | Antivirus Attack surface reduction rules Controlled folder access |
A file or process signed by a certificate is identified as malicious even through it's not. |
| Defender for Endpoint Domain/URL and IP address Indicators | Network Protection SmartScreen Web Content Filtering |
SmartScreen reports a false positive. You want to override a Web Content Filtering block on a specific site. |
Märkus
Network protection is directly impacted by process exclusions on all platforms. A process exclusion on any OS (Windows, MacOS, Linux) results in preventing Network Protection from inspecting traffic or enforcing rules for that specific process.
For macOS, you can define exclusions that apply to on-demand scans, real-time protection, and monitoring. The supported exclusion types include:
For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on macOS.
On Linux, you can configure both antivirus and global exclusions.
For more information, see Configure and validate exclusions for Microsoft Defender for Endpoint on Linux.
Microsoft Defender Antivirus can be configured to exclude combinations of processes, files, and extensions from scheduled scans, on-demand scans, and real-time protection. See Configure custom exclusions for Microsoft Defender Antivirus.
For more granular control that helps minimize protection gaps, consider using Contextual file and process exclusions.
These exclusion types are preconfigured in Microsoft Defender for Endpoint for Microsoft Defender Antivirus.
| Exclusion types | Configuration | Description |
|---|---|---|
| Automatic Microsoft Defender Antivirus exclusions | Automatic | Automatic Exclusions for server roles and features in Windows Server. When you install a role on Windows Server 2016 or later, Microsoft Defender Antivirus includes automatic exclusions for the server role and any files that are added while installing the role. These exclusions are only for active roles on Windows Server 2016 and later. |
| Built-in Microsoft Defender Antivirus exclusions | Automatic | Microsoft Defender Antivirus includes built-in exclusions for operating system files on all versions of Windows. |
Automatic server role exclusions include exclusions for server roles and features in Windows Server 2016 and later. These exclusions aren't scanned by real-time protection but are still subject to quick, full, or on-demand antivirus scans.
Examples include:
Märkus
Automatic exclusions for server roles aren't supported on Windows Server 2012 R2. For servers running Windows Server 2012 R2 with the Active Directory Domain Services (AD DS) server role installed, exclusions for domain controllers must be specified manually. See Active Directory exclusions.
For more information, see Automatic server role exclusions.
Built-in antivirus exclusions include certain operating system files that are excluded by Microsoft Defender Antivirus on all versions of Windows (including Windows 10, Windows 11, and Windows Server).
Examples include:
%windir%\SoftwareDistribution\Datastore\*\Datastore.edb%allusersprofile%\NTUser.polThe list of built-in exclusions in Windows is kept up to date as the threat landscape changes. To learn more about these exclusions, see Microsoft Defender Antivirus exclusions on Windows Server: Built-in exclusions.
Attack surface reduction rules (also known as ASR rules) target certain software behaviors, such as:
Sometimes, legitimate applications exhibit software behaviors that could be blocked by attack surface reduction rules. If that's occurring in your organization, you can define exclusions for certain files and folders. Such exclusions are applied to all attack surface reduction rules. See Enable attack surface reduction rules.
Märkus
Attack surface reduction rules honor process exclusions, but not all attack surface reduction rules honor Microsoft Defender Antivirus exclusions. See Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules.
Automation folder exclusions apply to automated investigation and remediation in Defender for Endpoint, which is designed to examine alerts and take immediate action to resolve detected breaches. As alerts are triggered, and an automated investigation runs, a verdict (Malicious, Suspicious, or No threats found) is reached for each piece of evidence investigated. Depending on the automation level and other security settings, remediation actions can occur automatically or only upon approval by your security operations team.
You can specify folders, file extensions in a specific directory, and file names to be excluded from automated investigation and remediation capabilities. Such automation folder exclusions apply to all devices onboarded to Defender for Endpoint. These exclusions are still subject to antivirus scans.
For more information, see Manage automation folder exclusions.
Controlled folder access monitors apps for activities that are detected as malicious and protects the contents of certain (protected) folders on Windows devices. Controlled folder access allows only trusted apps to access protected folders, such as common system folders (including boot sectors) and other folders that you specify. You can allow certain apps or signed executables to access protected folders by defining exclusions.
For more information, See Customize controlled folder access.
When Microsoft Defender Antivirus detects a potential threat while running a scan, it attempts to remediate or remove the detected threat. You can define custom remediation actions to configure how Microsoft Defender Antivirus should address certain threats, whether a restore point should be created before remediating, and when threats should be removed.
For more information, see Configure remediation actions for Microsoft Defender Antivirus detections.
Most organizations have several different types of exclusions and indicators to determine whether users should be able to access and use a file or process. Exclusions and indicators are processed in a particular order so that policy conflicts are handled systematically.
Here's how it works:
If a detected file/process isn't allowed by Windows Defender Application Control and AppLocker, it's blocked. Otherwise, it proceeds to Microsoft Defender Antivirus.
If the detected file/process isn't part of an exclusion for Microsoft Defender Antivirus, it's blocked. Otherwise, Defender for Endpoint checks for a custom indicator for the file/process.
If the detected file/process has a Block or Warn indicator, that action is taken. Otherwise, the file/process is allowed, and proceeds to evaluation by attack surface reduction rules, controlled folder access, and SmartScreen protection.
If the detected file/process isn't blocked by attack surface reduction rules, controlled folder access, or SmartScreen protection, it proceeds to Microsoft Defender Antivirus.
If the detected file/process isn't allowed by Microsoft Defender Antivirus, it's checked for an action based on its threat ID.
In cases where Defender for Endpoint indicators conflict, here's what to expect:
If there are conflicting file indicators, the indicator that uses the most secure hash is applied. For example, SHA256 takes precedence over SHA-1, which takes precedence over MD5.
If there are conflicting URL indicators, the more strict indicator is used. For Microsoft Defender SmartScreen, an indicator that uses the longest URL path is applied. For example, www.dom.ain/admin/ takes precedence over www.dom.ain. (Network protection applies to domains, rather than subpages within a domain.)
If there are similar indicators for a file or process that have different actions, the indicator that is scoped to a specific device group takes precedence over an indicator that targets all devices.
Automated investigation and remediation capabilities in Defender for Endpoint first determine a verdict for each piece of evidence, and then take an action depending on Defender for Endpoint indicators. Thus, a file/process could get a verdict of "good" (which means no threats were found) and still be blocked if there's an indicator with that action. Similarly, an entity could get a verdict of "bad" (which means it's determined to be malicious) and still be allowed if there's an indicator with that action.
For more information, see automated investigation and remediation and indicators.
If your organization is using other server workloads, such as Exchange Server, SharePoint Server, or SQL Server, keep in mind that only built-in server roles (that could be prerequisites for software you install later) on Windows Server are excluded by automatic server role exclusions feature (and only when using their default installation location). You'll likely need to define antivirus exclusions for these other workloads, or for all workloads if you disable automatic exclusions.
Here are some examples of technical documentation to identify and implement the exclusions you need:
Depending on what you're using, you might need to refer to the documentation for that server workload.
Näpunäide
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
Koolitus
Moodul
Configure for alerts and detections in Microsoft Defender for Endpoint - Training
Configure for alerts and detections in Microsoft Defender for Endpoint
Sertimine
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Dokumentatsioon
Managing exclusions reference - Microsoft Defender for Endpoint
This article describes various ways to manage exclusions for Defender for Endpoint and Microsoft Defender Antivirus
Exclude files from Microsoft Defender Antivirus scans based on their file extension, file name, or location.
Manage automation folder exclusions - Microsoft Defender for Endpoint
Add automation folder exclusions to control the files that are excluded from an automated investigation.