Configure and validate exclusions based on file extension and folder location

You can define exclusions for Microsoft Defender Antivirus that apply to scheduled scans, on-demand scans, and always-on, real-time protection and monitoring. Generally, you don't need to apply exclusions. If you need to apply exclusions, then you can choose from the following types:

• Exclusions based on file extensions and folder locations as described in this article.
• Exclusions for files opened by processes

Prerequisites

Supported operating systems

• Windows

Before you begin

See Recommendations for defining exclusions before defining your exclusion lists.

Exclusion lists

To exclude certain files from Microsoft Defender Antivirus scans, modify your exclusion lists. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files. For example:

• Files used in enterprise management.
• Files used in database management.
• Files used in other enterprise scenarios.

The following table lists some examples of exclusions based on file extension and folder location.

Characteristics of exclusion lists

• Folder exclusions apply to all files and folders in that folder, unless the subfolder is a reparse point. You need to exclude reparse point subfolders separately.
• File extensions exclusions apply to any file with that extension if a path or folder isn't also specified.

Important notes about exclusions based on file extensions and folder locations

• Wildcards (for example, *) alter how exclusion rules are interpreted. for important information about how wildcards work, see the Use wildcards in the file name and folder path or extension exclusion lists section in this article.

• Don't exclude mapped network drives. Specify the actual network path.

• Reparse point folders are created after the Microsoft Defender Antivirus service starts. Restart Windows for new reparse points to be recognized as valid exclusion targets.

• Exclusions apply to scheduled scans, on-demand scans, and real-time protection, but not across all Defender for Endpoint capabilities. To define exclusions across Defender for Endpoint, use custom indicators.

• By default, local changes to exclusions by admins (including changes made with PowerShell and Windows Management Instrumentation or WMI) are merged with exclusions deployed by Group Policy, Configuration Manager, or Microsoft Intune. Exclusions by Group Policy take precedence when there are conflicts. Exclusion changes made with Group Policy are visible in the Windows Security app.

  To allow local changes to override managed deployment settings, see Configure how locally and globally defined exclusions lists are merged.

Configure the list of exclusions based on folder name or file extension

You can use the following methods to define exclusions for Microsoft Defender Antivirus.

Use Intune to configure file name, folder, or file extension exclusions

For more information, see the following article:

• Create a Microsoft Defender Antivirus exclusions policy in Microsoft Intune

Use Configuration Manager to configure file name, folder, or file extension exclusions

For more information, see How to create and deploy antimalware policies: Exclusion settings.

Use Group Policy to configure folder or file extension exclusions

1. On your Group Policy management computer, open the Group Policy Management Console, right-click the Group Policy Object you want to configure, and then select Edit.

2. In the Group Policy Management Editor go to Computer configuration, and select Administrative templates.

3. Expand the tree to Windows components > Microsoft Defender Antivirus > Exclusions.

4. Open the Path Exclusions setting for editing, and add your exclusions.

   1. Set the option to Enabled.

   2. Under the Options section, select Show.

   3. Specify each folder on its own line under the Value name column.

   4. If you're specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension.

   5. Enter 0 in the Value column.

   6. Choose OK.

   7. Open the Extension Exclusions setting for editing and add your exclusions.

   8. Set the option to Enabled.

   9. Under the Options section, select Show.

   10. Enter each file extension on its own line under the Value name column.

   11. Enter 0 in the Value column.

   12. Choose OK.

Use PowerShell cmdlets to configure file name, folder, or file extension exclusions

Use the following cmdlets in the Defender module to manage exclusions:

• Set-MpPreference: Create or replace the list of exclusions.

  Important

  If you already created a list of exclusions using the Set-MpPreference or Add-MpPreference cmdlets, the next use of Set-MpPreference overwrites the existing list of exclusions with the entries you specify.

• Add-MpPreference: Add entries to the existing list of exclusions.

• Remove-MpPreference: Remove entries from the existing list of exclusions.

Use the following parameters on those cmdlets:

• ExclusionExtension: Exclude files with the specified file extension. Use the following syntax: "Extension1","Extension2"..."ExtensionN".

• ExclusionPath:

  • Exclude the specified file in the specified path.

    or

  • Exclude all files in the specified folder (including files in subfolders).

  Use the following syntax: "Entry1","Entry2",..."EntryN".

This example excludes any file with the .test file extension from Microsoft Defender Antivirus scans:

Add-MpPreference -ExclusionExtension ".test"

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus.

Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions

Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

• ExclusionExtension
• ExclusionPath

The Set, Add, and Remove methods in the MSFT_MpPreference class are analogous to the Set-MpPreference, Add-MpPreference, and Remove-MpPreference cmdlets in the Defender module in PowerShell.

For more information, see Windows Defender WMIv2 APIs.

Use the Windows Security app to configure file name, folder, or file extension exclusions

For more information, see Add exclusions in the Windows Security app.

Use wildcards in the file name and folder path or extension exclusion lists

You can use the asterisk *, question mark ?, or environment variables (for example, %ALLUSERSPROFILE%) as wildcards for file name or folder path exclusions. You can mix and match *, ?, and environment variables in a single exclusion.

How Microsoft Defender Antivirus interprets wildcards is different from their usual usage in other apps and languages:

• The Microsoft Defender Antivirus service runs in the system context using the LocalSystem account. The service gets information from system environment variables, not user environment variables. Use only the following types of environment variables as wildcards:
  • System environment variables.
  • Environment variables that apply to processes running as the NT AUTHORITY\SYSTEM account.
• You can use a maximum of six wildcards per entry.
• You can't use a wildcard in place of a drive letter.
• An asterisk * in a folder exclusion indicates a single folder. Use multiple instances of \*\ to indicate multiple nested folders with unspecified names.

The following table describes how the wildcards can be used and provides some examples.

System environment variables

The following table lists system account environment variables and their corresponding default locations. Some of these locations are different from the corresponding user account environment variables.

Review the list of exclusions

You can retrieve the items in the exclusion list by using one of the following methods:

• Microsoft Intune
• Microsoft Configuration Manager
• MpCmdRun
• PowerShell
• Windows Security app

Verify whether a specified path is excluded using MpCmdRun

You can use the MpCmdRun.exe command-line tool in Microsoft Defender Antivirus version 4.18.2111-5.0 or later (December 2021) to verify whether specific folder paths or file and folder paths are excluded from scanning by running the following commands in an elevated command prompt (a Command Prompt window you opened by selecting Run as administrator):

(set "_done=" & if exist "%ProgramData%\Microsoft\Windows Defender\Platform\" (for /f "delims=" %d in ('dir "%ProgramData%\Microsoft\Windows Defender\Platform" /ad /b /o:-n 2^>nul') do if not defined _done (cd /d "%ProgramData%\Microsoft\Windows Defender\Platform\%d" & set _done=1)) else (cd /d "%ProgramFiles%\Windows Defender")) >nul 2>&1

MpCmdRun.exe -CheckExclusion -Path <PathAndFile or Path>

For example, the command MpCmdRun.exe -CheckExclusion -Path C:\Data\Test returns the following output:

• Path excluded:

  C:\Data\Test [\Device\HarddiskVolume1\Data\Test] is excluded. Exit code is 0.

• Path not excluded:

  C:\Data\Test [\Device\HarddiskVolume1\Data\Test] is not excluded. Exit code is 1.

Retrieve exclusions using PowerShell

Run the following commands in an elevated PowerShell window:

$p=Get-MpPreference; @(
  $p.ExclusionExtension | ForEach-Object {[pscustomobject]@{Type='ExclusionExtension'; Value=$_}}
  $p.ExclusionPath      | ForEach-Object {[pscustomobject]@{Type='ExclusionPath';      Value=$_}}
)

For more information, see Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus and Defender Antivirus cmdlets.

Validate exclusions lists with the EICAR test file

You can validate your exclusion lists are working by using PowerShell with the Invoke-WebRequest cmdlet or the .NET WebClient class to download a test file.

In the following PowerShell command, replace test.txt with a file that conforms to your exclusion rules. For example, if you're excluding the .testing extension, replace test.txt with test.testing. If you're testing a path, make sure that you run the cmdlet within that path.

Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt"

If Microsoft Defender Antivirus reports malware, the rule isn't working. If there's no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR test file website.

You can also use the following PowerShell commands, which call the .NET WebClient class to download the test file. Replace c:\test.txt with a file that conforms to the rule you're validating:

$client = new-object System.Net.WebClient

$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")

If you don't have internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:

[io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')

You can also copy the string into a blank text file and try to save it with the file name or in the folder you're trying to exclude.

See also

• Configure and validate exclusions in Microsoft Defender Antivirus scans
• Configure and validate exclusions for files opened by processes
• Configure Microsoft Defender Antivirus exclusions on Windows Server
• Common mistakes to avoid when defining exclusions