Edit

Configure exclusions for files opened by processes

You can exclude files that are opened by specific processes from Microsoft Defender Antivirus scans. These types of exclusions are for files that are opened by processes and not the processes themselves. To exclude a process, add a file exclusion (see Configure and validate exclusions based on file extension and folder location).

See Important points about exclusions and review the information in Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus before defining your exclusion lists.

This section explains how to configure process exclusions for files opened by specified processes.

Prerequisites

Supported operating systems

Process exclusions as described in this article are supported on the following operating systems:

  • Windows

Permissions

Configuring and reviewing process exclusions with PowerShell or WMI requires an elevated PowerShell window (opened by selecting Run as administrator).

Examples of process exclusions

The following table shows common process exclusion patterns and what each one matches.

Exclusion Example
Any file opened by any process with a specific file name test.exe excludes files opened by:
  • c:\sample\test.exe
  • d:\internal\files\test.exe
Any file opened by any process under a specific folder c:\test\sample\* excludes files opened by:
  • c:\test\sample\test.exe
  • c:\test\sample\test2.exe
  • c:\test\sample\utility.exe
Any file opened by a specific process in a specific folder c:\test\process.exe exclude files opened by c:\test\process.exe only.

When you add a process to the process exclusion list, Microsoft Defender Antivirus doesn't scan files opened by that process, no matter where the files are located. The process itself, however, is scanned unless it's added to the file exclusion list.

The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans.

Changes made with Group Policy to the exclusion lists will show in the lists in the Windows Security app. However, changes made in the Windows Security app will not show in the Group Policy lists.

You can add, remove, and review the lists for exclusions in Group Policy, Microsoft Configuration Manager, Microsoft Intune, and with the Windows Security app, and you can use wildcards to further customize the lists.

You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing your lists.

By default, local changes made to the lists (by users with administrator privileges; changes made with PowerShell and WMI) are merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists take precedence if there are conflicts.

You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment settings.

Note

Network Protection and attack surface reduction (ASR) rules are directly affected by process exclusions on all platforms. A process exclusion on any OS (Windows, macOS, or Linux) means that Network Protection and ASR rules can't inspect traffic or enforce rules for that specific process.

Image name vs full path for process exclusions

Two different types of process exclusions might be set. A process might be excluded by image name, or by full path. The image name is simply the file name of the process, without the path.

For example, given the process MyProcess.exe running from C:\MyFolder\ the full path to this process would be C:\MyFolder\MyProcess.exe and the image name is MyProcess.exe.

Image name exclusions are much more broad - an exclusion on MyProcess.exe excludes any processes with this image name, regardless of the path they're run from. So for example, if the process MyProcess.exe is excluded by image name, it will also be excluded if it's run from C:\MyOtherFolder, from removable media, et cetera. As such it's recommended that whenever possible, the full path is used.

Use wildcards in the process exclusion list

The use of wildcards in the process exclusion list is different from their use in other exclusion lists. When the process exclusion is defined as an image name only, wildcard usage isn't allowed. However when a full path is used, wildcards are supported and the wildcard matching behavior for full-path process exclusions follows the rules described in the "Use wildcards in the file name and folder path or extension exclusion lists" section of Configure and validate exclusions based on file name, extension, and folder location

The use of environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the process exclusion list is also supported. Details about supported environment-variable syntax and a full list of supported environment variables are described in the "System environment variables" section of Configure and validate exclusions based on file name, extension, and folder location.

The following table describes how the wildcards can be used in the process exclusion list, when a path is supplied:

Wildcard Example use Example matches
* (asterisk)

Replaces any number of characters.
C:\MyFolder\* Any file opened by C:\MyFolder\MyProcess.exe or C:\MyFolder\AnotherProcess.exe
C:\*\*\MyProcess.exe Any file opened by C:\MyFolder1\MyFolder2\MyProcess.exe or C:\MyFolder3\MyFolder4\MyProcess.exe
C:\*\MyFolder\My*.exe Any file opened by C:\MyOtherFolder\MyFolder\MyProcess.exe or C:\AnotherFolder\MyFolder\MyOtherProcess.exe
'?' (question mark)

Replaces one character.
C:\MyFolder\MyProcess??.exe Any file opened by C:\MyFolder\MyProcess42.exe or C:\MyFolder\MyProcessAA.exe or C:\MyFolder\MyProcessF5.exe
Environment Variables %ALLUSERSPROFILE%\MyFolder\MyProcess.exe Any file opened by C:\ProgramData\MyFolder\MyProcess.exe

Contextual Process Exclusions

A process exclusion might also be defined via a Contextual exclusion allowing, for example, a specific file to be excluded only if it's opened by a specific process.

Configure the list of exclusions for files opened by specified processes

Use one of the following methods to configure exclusions for files opened by specified processes.

Use Microsoft Intune to exclude files that have been opened by specified processes from scans

For more information, see Configure device restriction settings in Microsoft Intune and Microsoft Defender Antivirus device restriction settings for Windows 10 in Intune.

Use Microsoft Configuration Manager to exclude files that have been opened by specified processes from scans

See How to create and deploy anti-malware policies: Exclusion settings for details on configuring Microsoft Configuration Manager (current branch).

Use Group Policy to exclude files that have been opened by specified processes from scans

Perform the following steps to configure process-based exclusions by using Group Policy:

  1. On your Group Policy management computer, open the Group Policy Management Console. Right-click the Group Policy Object you want to configure and select Edit.

  2. In the Group Policy Management Editor, go to Computer configuration and select Administrative templates.

  3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions.

  4. Double-click Process Exclusions and add the exclusions:

    1. Set the option to Enabled.
    2. Under the Options section, select Show....
    3. Enter each process on its own line under the Value name column. See the example table for the different types of process exclusions. Enter 0 in the Value column for all processes.
  5. Select OK.

Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans

Using PowerShell to add or remove exclusions for files that are opened by processes requires using a combination of three cmdlets with the -ExclusionProcess parameter. The cmdlets are all in the Defender module.

Use the following syntax to add a process exclusion so that files opened by the specified process are excluded from Microsoft Defender Antivirus scans:

<cmdlet> -ExclusionProcess "<item>"

The following are allowed as the <cmdlet>:

Configuration action PowerShell cmdlet
Create or overwrite the list Set-MpPreference
Add to the list Add-MpPreference
Remove items from the list Remove-MpPreference

Important

If you create a list, with either Set-MpPreference or Add-MpPreference, using the Set-MpPreference, cmdlet overwrites the existing list.

The following example adds a process exclusion for c:\internal\test.exe, so that Microsoft Defender Antivirus skips scanning any file opened by that process:

Add-MpPreference -ExclusionProcess "c:\internal\test.exe"

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets.

Use Windows Management Instrumentation (WMI) to exclude files that have been opened by specified processes from scans

Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following property. The ExclusionProcess property is the WMI property name you use to manage process exclusions programmatically:

ExclusionProcess

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.

For more information and allowed parameters, see Windows Defender WMIv2 APIs.

Use the Windows Security app to exclude files that have been opened by specified processes from scans

Follow the instructions for adding process exclusions in the Windows Security app.

Review the list of exclusions

You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, Microsoft Configuration Manager, Intune, or the Windows Security app.

Validate the exclusion list by using MpCmdRun

To check exclusions with the MpCmdRun command-line tool, see Verify whether a specified path is excluded using MpCmdRun.

Review the list of exclusions by using PowerShell

Run the following commands in an elevated PowerShell window (a PowerShell window you opened by selecting Run as administrator). This script retrieves all currently configured Microsoft Defender Antivirus exclusions and lists them by type (extension, path, and process) so you can verify your configuration:

$p=Get-MpPreference; @(
  $p.ExclusionExtension | ForEach-Object {[pscustomobject]@{Type='ExclusionExtension'; Value=$_}}
  $p.ExclusionPath      | ForEach-Object {[pscustomobject]@{Type='ExclusionPath';      Value=$_}}
  $p.ExclusionProcess   | ForEach-Object {[pscustomobject]@{Type='ExclusionProcess';   Value=$_}}
)

For more information on how to use PowerShell with Microsoft Defender Antivirus, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Microsoft Defender Antivirus cmdlets.

The following articles provide additional information about configuring exclusions in Microsoft Defender Antivirus: