Submissions, suppressions, and exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus

Applies to:

  • Platforms: Windows

Note

As a Microsoft MVP, Fabian Bader contributed to and provided material feedback for this article.

Microsoft Defender for Endpoint includes a wide range of capabilities to prevent, detect, investigate, and respond to advanced cyberthreats. These capabilities include Next-generation protection (which includes Microsoft Defender Antivirus). As with any endpoint protection or antivirus solution, sometimes files, folders, or processes that aren't actually a threat can be detected as malicious by Defender for Endpoint or Microsoft Defender Antivirus. These entities can be blocked or sent to quarantine, even though they're not really a threat.

This article describes the most common scenarios where this behavior occurs and the capabilities available in Defender for Endpoint and Microsoft Defender Antivirus to safely prevent or address it without impacting your productivity: submitting files to Microsoft for analysis, suppressing alerts, and defining exclusions and indicators. Each is described in the sections that follow.

Caution

Defining exclusions reduces the level of protection offered by Defender for Endpoint and Microsoft Defender Antivirus. Use exclusions as a last resort, and make sure to define only the exclusions that are necessary. Make sure to review your exclusions periodically, and remove the ones you no longer need. See Important points about exclusions and Common mistakes to avoid.

Submissions, suppressions, and exclusions

When you're dealing with false positives, or known entities that are generating alerts, you don't necessarily need to add an exclusion. Sometimes classifying and suppressing an alert is enough. We recommend submitting false positives (and false negatives) to Microsoft for analysis as well. The following table describes some scenarios and what steps to take with respect to file submissions, alert suppressions, and exclusions.

Scenario: False positive. An entity, such as a file or a process, was detected and identified as malicious, even though the entity isn't a threat.
Steps to consider:
1. Review and classify alerts that were generated as a result of the detected entity.
2. Suppress an alert for a known entity.
3. Review remediation actions that were taken for the detected entity.
4. Submit the false positive to Microsoft for analysis.
5. Define an exclusion for the entity (only if necessary).

Scenario: Performance issues, such as one of the following:
- A system is having high CPU usage or other performance issues.
- A system is having memory leak issues.
- An app is slow to load on devices.
- An app is slow to open a file on devices.
Steps to consider:
1. Collect diagnostic data for Microsoft Defender Antivirus.
2. If you're using a non-Microsoft antivirus solution, check with the vendor for any needed exclusions.
3. Analyze the Microsoft Protection Log to see the estimated performance impact.
4. Define an exclusion for Microsoft Defender Antivirus (if necessary).
5. Create an indicator for Defender for Endpoint (only if necessary).

Scenario: Compatibility issues with non-Microsoft antivirus products.
Example: Defender for Endpoint relies on security intelligence updates for devices, whether they're running Microsoft Defender Antivirus or a non-Microsoft antivirus solution.
Steps to consider:
1. If you're using a non-Microsoft antivirus product as your primary antivirus/antimalware solution, set Microsoft Defender Antivirus to passive mode.
2. If you're switching from a non-Microsoft antivirus/antimalware solution to Defender for Endpoint, see Make the switch to Defender for Endpoint. This guidance includes:
- Exclusions you might need to define for the non-Microsoft antivirus/antimalware solution;
- Exclusions you might need to define for Microsoft Defender Antivirus; and
- Troubleshooting information (just in case something goes wrong while migrating).
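The performance scenario above is the one most often "solved" with an over-broad exclusion. The following PowerShell session is an added example (it is not part of the Microsoft article) showing the order of operations a practitioner would follow on the affected device: confirm which engine is actually protecting it, collect diagnostic data, measure where scan time is going, and only then add a narrowly scoped path exclusion that is recorded for later removal. The recording path, the support-file location and the example exclusion path `C:\ProgramData\ContosoApp\cache` are assumptions chosen for illustration; run it in an elevated session.

```powershell
# Added example, not Microsoft's code: triage a suspected Microsoft Defender
# Antivirus performance issue before deciding whether an exclusion is needed.
# Requires an elevated PowerShell session on the affected Windows device.

$RecordingPath = Join-Path $env:TEMP 'MdavPerf.etl'   # assumed output location

# 1. Confirm which engine is protecting the device. If a non-Microsoft antivirus
#    product is primary, Defender Antivirus should report passive mode and the
#    exclusion usually belongs in that product, not here.
$status = Get-MpComputerStatus
"Running mode: $($status.AMRunningMode)"
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

# 2. Collect diagnostic data for a support case. MpCmdRun.exe -GetFiles packages
#    the Defender logs (including the Microsoft Protection Log) into a .cab file
#    under %ProgramData%\Microsoft\Windows Defender\Support.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $mpCmdRun -GetFiles

# 3. Record scan activity while the slow workload is reproduced. The cmdlet
#    records until you press Enter; then report what cost the most scan time.
#    (DefenderPerformance module, ships with recent Windows builds.)
New-MpPerformanceRecording -RecordTo $RecordingPath
Get-MpPerformanceReport -Path $RecordingPath -TopFiles 10 -TopProcesses 10 -TopExtensions 10

# 4. Only if the report points at one specific, well-understood folder, add a
#    narrow path exclusion. Never exclude a whole drive, user-writable folders,
#    or broad wildcards: anything dropped there is never scanned.
$ExclusionPath = 'C:\ProgramData\ContosoApp\cache'   # assumed example path
Add-MpPreference -ExclusionPath $ExclusionPath

# 5. Verify the change and note the date so the exclusion is reviewed later.
"Exclusion added $(Get-Date -Format 'yyyy-MM-dd'): $ExclusionPath"
(Get-MpPreference).ExclusionPath

# When the exclusion is no longer needed:
# Remove-MpPreference -ExclusionPath $ExclusionPath
```

Step 1 matters because `Add-MpPreference` succeeds even when Defender Antivirus is in passive mode, so the exclusion would quietly do nothing for the product that is actually scanning. Step 3 is what turns "the app is slow" into a named file, process or extension; if the report does not single anything out, an exclusion is not the fix.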

Important

An "allow" indicator is the strongest type of exclusion you can define in Defender for Endpoint. Make sure to use indicators sparingly (only when necessary), and review all exclusions periodically.

Submitting files for analysis

If you have a file that you think is wrongly detected as malware (a false positive), or a file that you suspect might be malware even though it wasn't detected (a false negative), you can submit the file to Microsoft for analysis. Your submission is scanned immediately and is then reviewed by Microsoft security analysts. You can check the status of your submission on the submission history page.

Submitting files for analysis helps reduce false positives and false negatives for all customers. To learn more, see the following articles:

Suppressing alerts

If you're getting alerts in the Microsoft Defender portal for tools or processes that you know aren't actually a threat, you can suppress those alerts. To suppress an alert, you create a suppression rule and specify what action to take when other, identical alerts occur. You can create suppression rules for a specific alert on a single device, or for all alerts that have the same title across your organization.

To learn more, see the following articles:

Using exclusions and indicators

Sometimes, the term exclusions is used to refer to exceptions that apply across Defender for Endpoint and Microsoft Defender Antivirus. A more accurate way to describe these exceptions is to separate them by the component that enforces them: exclusions (for files, folders, extensions, and processes) apply to Microsoft Defender Antivirus scanning, whereas indicators, including "allow" indicators, are defined in Defender for Endpoint and apply across its detection and response capabilities. Because an allow indicator reaches further than an antivirus exclusion, it should be the last option considered, not the first.

For more information, see Exclusions overview.
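The Caution at the top of the article asks for periodic review of exclusions and for indicators to be used sparingly. The following PowerShell code is an added example (not from the Microsoft article or its linked guidance) that does both: it audits the Defender Antivirus exclusions configured on a device and flags the ones that are too broad to be safe, and it shows how an "allow" indicator can be created through the Defender for Endpoint indicators API with an expiration date, so the exception cannot silently become permanent. The list of "risky" folders and extensions is my own illustrative selection, `Test-BroadExclusion` and `New-MdeAllowIndicator` are names I chose, and the API call assumes you already hold an OAuth access token with the `Ti.ReadWrite` permission.

```powershell
# Added example, not Microsoft's code. Part 1: audit local Defender Antivirus
# exclusions. Part 2: create a time-limited allow indicator in Defender for
# Endpoint. Names and the risky-pattern lists are illustrative assumptions.

function Test-BroadExclusion {
    # Returns $true when a path, extension, or process exclusion is broad enough
    # to hand an attacker an unscanned drop zone. Illustrative list, not official.
    param([Parameter(Mandatory)][string]$Value, [Parameter(Mandatory)][string]$Kind)

    $riskyFolders = @('C:', 'C:\Users', 'C:\Windows', 'C:\Windows\Temp', 'C:\ProgramData', 'C:\Temp')
    $riskyExts    = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'vbs', 'js', 'scr', 'hta', 'msi')
    $riskyProcs   = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'svchost.exe', 'explorer.exe')

    switch ($Kind) {
        'Path' {
            $v = $Value.TrimEnd('\')
            # whole drive, a top-level sensitive folder, or a drive-wide wildcard
            return ($riskyFolders -contains $v) -or ($v -match '^[A-Za-z]:\\?\*') -or ($v -match '^\\\\\*')
        }
        'Extension' { return $riskyExts  -contains $Value.TrimStart('.').ToLower() }
        'Process'   { return $riskyProcs -contains ([IO.Path]::GetFileName($Value)).ToLower() }
    }
    return $false
}

function Get-MdavExclusionReport {
    # Lists every configured exclusion with a Risky flag for periodic review.
    $pref = Get-MpPreference
    $rows = @()
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $rows += [pscustomobject]@{ Kind='Path';      Value=$p; Risky=(Test-BroadExclusion $p 'Path') } } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $rows += [pscustomobject]@{ Kind='Extension'; Value=$e; Risky=(Test-BroadExclusion $e 'Extension') } } }
    foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $rows += [pscustomobject]@{ Kind='Process';   Value=$x; Risky=(Test-BroadExclusion $x 'Process') } } }
    return $rows
}

function New-MdeAllowIndicator {
    # Creates a file-hash "Allowed" indicator via the Defender for Endpoint
    # indicators API (POST /api/indicators). The token must carry Ti.ReadWrite.
    # expirationTime forces a re-review instead of a permanent exception.
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        [Parameter(Mandatory)][ValidatePattern('^[0-9a-fA-F]{64}$')][string]$Sha256,
        [Parameter(Mandatory)][string]$Title,
        [string]$Description = 'Reviewed false positive; analyst-approved allow',
        [int]$DaysValid = 30
    )
    $body = @{
        indicatorValue = $Sha256
        indicatorType  = 'FileSha256'
        action         = 'Allowed'
        title          = $Title
        description    = $Description
        expirationTime = (Get-Date).ToUniversalTime().AddDays($DaysValid).ToString('yyyy-MM-ddTHH:mm:ssZ')
    } | ConvertTo-Json
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
    Invoke-RestMethod -Method Post -Uri 'https://api.securitycenter.microsoft.com/api/indicators' `
        -Headers $headers -Body $body
}

# Usage (run on a device for Part 1; Part 2 needs a token and a reviewed hash):
Get-MdavExclusionReport | Sort-Object Risky -Descending | Format-Table -AutoSize
# New-MdeAllowIndicator -AccessToken $token -Sha256 $hash -Title 'TICKET-1234 ContosoApp updater' -DaysValid 30
```

Exporting `Get-MdavExclusionReport` output on a schedule gives you the periodic review the Caution asks for, and a `Risky` entry is a prompt to replace it with something narrower rather than to delete it blindly. On the indicator side, prefer a SHA-256 hash of the exact reviewed file over a certificate or path-based allow, and let the expiry lapse unless someone re-justifies it.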

See also

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.