- Article
Applies to:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender Antivirus
Platforms
- Windows
- macOS
- Linux
Important
Add exclusions with caution. Exclusions for Microsoft Defender Antivirus scans reduce the level of protection for devices.
You can define an exclusion list for items that you don't want Microsoft Defender Antivirus to scan. However, excluded items could contain threats that make your device vulnerable. This article describes some common mistakes that you should avoid when defining exclusions.
Tip
Before defining your exclusion lists, see Important points about exclusions and review the detailed information in Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus.
Excluding certain trusted items
Certain files, file types, folders, or processes shouldn't be excluded from scanning even though you trust that they're not malicious. Don't define exclusions for the folder locations, file extensions, and processes that are listed in the following sections:
- Folder locations
- File extensions
- Processes
Folder locations
Important
Certain folders shouldn't be excluded from scans because they can end up being folders where malicious files can get dropped.
In general, don't define exclusions for any of the following folder locations:
%systemdrive%C:,C:\, orC:\*%ProgramFiles%\JavaorC:\Program Files\Java%ProgramFiles%\Contoso\,C:\Program Files\Contoso\,%ProgramFiles(x86)%\Contoso\, orC:\Program Files (x86)\Contoso\C:\Temp,C:\Temp\, orC:\Temp\*C:\Users\orC:\Users\*C:\Users\<UserProfileName>\AppData\Local\Temp\orC:\Users\<UserProfileName>\AppData\LocalLow\Temp\. Note the following important exceptions for SharePoint: Do excludeC:\Users\ServiceAccount\AppData\Local\TemporC:\Users\Default\AppData\Local\Tempwhen you use file-level antivirus protection in SharePoint.%Windir%\Prefetch,C:\Windows\Prefetch,C:\Windows\Prefetch\, orC:\Windows\Prefetch\*%Windir%\System32\SpoolorC:\Windows\System32\SpoolC:\Windows\System32\CatRoot2%Windir%\Temp,C:\Windows\Temp,C:\Windows\Temp\, orC:\Windows\Temp\*
Linux and macOS Platforms
In general, don't define exclusions for the following folder locations:
//binor/sbin/usr/lib
File extensions
Important
Certain file extensions shouldn't be excluded because they can be file types that are used in an attack.
In general, don't define exclusions for the following file extensions:
.7z.bat.bin.cab.cmd.com.cpl.dll.exe.fla.gif.gz.hta.inf.java.jar.job.jpeg.jpg.js.koor.ko.gz.msi.ocx.png.ps1.py.rar.reg.scr.sys.tar.tmp.url.vbe.vbs.wsf.zip
Processes
Important
Certain processes shouldn't be excluded because they get used during attacks.
In general, don't define exclusions for the following processes:
AcroRd32.exeaddinprocess.exeaddinprocess32.exeaddinutil.exebash.exebginfo.exebitsadmin.execdb.execsi.execmd.execscript.exedbghost.exedbgsvc.exednx.exedotnet.exeexcel.exefsi.exefsiAnyCpu.exeiexplore.exejava.exekd.exelxssmanager.dllmsbuild.exemshta.exentkd.exentsd.exeoutlook.exepsexec.exepowerpnt.exepowershell.exercsi.exesvchost.exeschtasks.exesystem.management.automation.dllwindbg.exewinword.exewmic.exewscript.exewuauclt.exe
Note
You can choose to exclude file types, such as .gif, .jpg, .jpeg, or .png if your environment has a modern, up-to-date software with a strict update policy to handle any vulnerabilities.
Linux and macOS Platforms
In general, don't define exclusions for the following processes:
bashjavapythonandpython3shzsh
Using just the file name in the exclusion list
Malware might have the same name as that of a file that you trust and want to exclude from scanning. Therefore, to avoid excluding potential malware from scanning, use a fully qualified path to the file that you want to exclude instead of using just the file name. For example, if you want to exclude Filename.exe from scanning, use the complete path to the file, such as C:\program files\contoso\Filename.exe.
Using a single exclusion list for multiple server workloads
Don't use a single exclusion list to define exclusions for multiple server workloads. Split the exclusions for different application or service workloads into multiple exclusion lists. For example, the exclusion list for your IIS Server workload must be different from the exclusion list for your SQL Server workload.
Using incorrect environment variables as wildcards in the file name and folder path or extension exclusion lists
Microsoft Defender Antivirus Service runs in system context using the LocalSystem account, which means it gets information from the system environment variable, and not from the user environment variable. Use of environment variables as a wildcard in exclusion lists is limited to system variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account. Therefore, don't use user environment variables as wildcards when adding Microsoft Defender Antivirus folder and process exclusions. See the table under System environment variables for a complete list of system environment variables.
See Use wildcards in the file name and folder path or extension exclusion lists for information on how to use wildcards in exclusion lists.
See also
- Exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
- Configure custom exclusions for Microsoft Defender Antivirus
- Configure and validate exclusions for Microsoft Defender for Endpoint on Linux
- Configure and validate exclusions for Microsoft Defender for Endpoint on macOS
Tip
Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.
