Редагувати

Поділитися через


Manage automation folder exclusions

Applies to:

Want to experience Defender for Endpoint? Sign up for a free trial.

Automation folder exclusions allow you to specify folders that the Automated investigation will skip.

You can control the following attributes about the folder that you'd like to be skipped:

  • Folders: You can specify a folder and its subfolders to be skipped.

    Note

    At this time, use of wild cards as a way to exclude files under a directory is not yet supported.

  • Extensions of the files: You can specify the extensions to exclude in a specific directory. The extensions are a way to prevent an attacker from using an excluded folder to hide an exploit. The extensions explicitly define which files to ignore.

  • File names: You can specify the file names that you want to be excluded in a specific directory. The names are a way to prevent an attacker from using an excluded folder to hide an exploit. The names explicitly define which files to ignore.

Important

Microsoft recommends that you use roles with the fewest permissions. This helps improve security for your organization. Global Administrator is a highly privileged role that should be limited to emergency scenarios when you can't use an existing role.

Add an automation folder exclusion

  1. Sign in to the Microsoft Defender portal using an account with the Security administrator or Global administrator role assigned.

  2. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.

  3. Select New folder exclusion.

  4. Enter the folder details:

    • Folder
    • Extensions
    • File names
    • Description
  5. Select Save.

Note

Live Response commands to collect or examine excluded files will fail with error: "File is excluded". In addition, automated investigations will ignore the excluded items.

Edit an automation folder exclusion

  1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.

  2. Select Edit on the folder exclusion.

  3. Update the details of the rule and click Save.

Remove an automation folder exclusion

  1. In the navigation pane, select Settings > Endpoints > Rules > Automation folder exclusions.

  2. Select Remove exclusion.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.