Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. However, you can exclude files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. File, folder, process, and process-opened-file exclusions are known as custom exclusions. This article describes how to use Microsoft Intune to define custom exclusions for Microsoft Defender Antivirus in Microsoft Windows.
Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring. Exclusions for process-opened files apply only to real-time protection.
Tip
- For a detailed overview of suppressions, submissions, and exclusions across Microsoft Defender Antivirus and Defender for Endpoint, see Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
- If you use another method to distribute exclusions to Microsoft Defender Antivirus on Windows devices (for example, Microsoft Configuration Manager or Group Policy), or you want more information about custom exclusions, see these articles:
- The following methods are available to protect exclusions configured on devices:
- Tamper protection for antivirus exclusions.
- HideExclusionsFromLocalAdmins:
- Doesn't remove existing exclusions from the device.
- Exclusions aren't visible in Get-MpPreference or Registry Editor.
- HideExclusionsFromLocalUsers: Implicitly enabled if HideExclusionsFromLocalAdmins is enabled.
- Excluded files can still generate anti-virus alerts in the Microsoft Defender portal. For example, excluded files can trigger behavioral or heuristic detections.
- Even when Antivirus exclusions are configured, Microsoft Defender Antivirus performs a minimal evaluation to determine whether the exclusion applies. This evaluation does not involve a full content scan. If the exclusion criteria are met, the scan is skipped for the specified file, folder, or process.
Prerequisites
Supported operating systems
Custom exclusions as described in this article are supported on the following operating systems:
- Windows
Important points about exclusions
Keep the following points in mind before you define exclusions.
-
Caution
Use exclusions sparingly. Exclusions are technically a protection gap that lowers Microsoft Defender Antivirus protection. Consider all options when you define exclusions. For more information, see Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
Exclusions can directly affect whether Microsoft Defender Antivirus can block, remediate, or inspect events related to excluded files, folders, or processes.
- Custom exclusion can affect features that depend on the antivirus engine. For example:
- Malware protection.
- File IOCs.
- Certificate IOCs.
- Process exclusions on any platform prevent network protection and attack surface reduction (ASR) rules from inspecting traffic or enforcing rules for excluded processes.
- Custom exclusion can affect features that depend on the antivirus engine. For example:
Periodically review and audit exclusions. Recheck and re-enforce mitigations as part of your review process. To avoid confusion, your security team should preserve context around why a certain exclusion was required.
Use exclusions only for specific issues (for example, performance or app compatibility). Don't exclude something just because you think it might be a problem in the future.
Create Microsoft Defender antivirus exclusion policies in Intune
To create a new AV policy in Microsoft Intune using the Microsoft Defender Antivirus Exclusions profile, see Create an endpoint security policy (opens in a new tab in the Intune documentation). When creating the policy, use these settings:
Policy type: Antivirus
Platform: Windows
Profile: Microsoft Defender Antivirus exclusions
Configuration settings: Configure the ExcludedExtensions, ExcludedPaths, and ExcludedProcesses. To add an exclusion, select Add and enter the value in the box that appears. Repeat these steps to add more exclusions as necessary.
Tip
The Microsoft Defender Antivirus service runs in the system context using the LocalSystem account. Therefore, environment variables like
%USERPROFILE%are expanded using the LocalSystem profile rather than the signed-in user's profile, which means they resolve to different paths than you might expect. For more information, see System environment variables.Don't use user environment variables as wildcards in folder and process exclusions in Microsoft Defender Antivirus. Only use the following types of environment variables as wildcards:
System environment variables.
Environment variables that apply to processes running as the NT AUTHORITY\SYSTEM account.
For more information, see Use wildcards in the file name and folder path or extension exclusion lists.
For more information about Microsoft Defender Antivirus profiles in Microsoft Intune, see Antivirus policy for endpoint security.
Modify exclusions in Microsoft Defender antivirus exclusion policies in Intune
To modify an existing AV policy in Microsoft Intune that uses the Microsoft Defender Antivirus Exclusions profile, see Modify existing policies (opens in a new tab in the Intune documentation). When modifying the policy, use these settings:
Manage: Antivirus
Configuration settings: Add or remove exclusions.
- To add an exclusion, select Add, and then enter the value in the box that appears. Repeat this step as many times as necessary.
- To remove an exclusion or an empty box, select the check box next to the entry, and then select Remove.
- To import a .csv file of new exclusions, select Import.
- To export the existing exclusions to a .csv file of, select Export.
For more information about Microsoft Defender Antivirus profiles in Microsoft Intune, see Antivirus policy for endpoint security.
Antivirus exclusions on Exchange servers
Microsoft Exchange Server 2016 or later supports integration with the anti-malware Scan Interface (AMSI). For more information, see Exchange Server AMSI integration.
Many organizations exclude Exchange Server folders from antivirus scans for performance reasons. Microsoft recommends auditing Microsoft Defender Antivirus exclusions on Exchange servers and assessing whether you can remove exclusions without affecting performance. You can manage exclusions using Group Policy, PowerShell, or systems management tools like Microsoft Intune.
To audit Microsoft Defender Antivirus exclusions on an Exchange Server, run the Get-MpPreference cmdlet from an elevated PowerShell prompt.
If you can't remove exclusions for the Exchange processes and folders, remember that a quick scan in Microsoft Defender Antivirus scans the Exchange directories and files, regardless of exclusions.
Related articles
- Microsoft Defender Antivirus exclusions on Windows Server 2016 and later
- Common mistakes to avoid when defining exclusions
- Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
- Configure and validate exclusions for Microsoft Defender for Endpoint on macOS