Configure and validate exclusions based on file extension and folder location

Applies to:

  • Windows 10
  • Windows Server 2016

Audience

  • Enterprise security administrators

Manageability available with

  • Group Policy
  • PowerShell
  • Windows Management Instrumentation (WMI)
  • System Center Configuration Manager
  • Microsoft Intune
  • Windows Defender Security Center

You can exclude certain files from being scanned by Windows Defender AV by modifying exclusion lists.

This topic describes how to configure exclusion lists for the following:

Exclusion                            | Examples                                                    | Exclusion list
-------------------------------------|-------------------------------------------------------------|---------------------------
Any file with a specific extension   | All files with the .test extension, anywhere on the machine | Extension exclusions
Any file under a specific folder     | All files under the c:\test\sample folder                   | File and folder exclusions
A specific file in a specific folder | The file c:\sample\sample.test only                         | File and folder exclusions
A specific process                   | The executable file c:\test\process.exe                     | File and folder exclusions

This means the exclusion lists have the following characteristics:

  • Folder exclusions will apply to all files and folders under that folder.
  • File extensions will apply to any file name with the defined extension, regardless of where the file is located.

To exclude files opened by a specific process, see the Configure and validate exclusions for files opened by processes topic.

The exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring.

Changes made via Group Policy to the exclusion lists will show in the lists in the Windows Defender Security Center app. However, changes made in the Windows Defender Security Center app will not show in the Group Policy lists.

You can add, remove, and review the lists for exclusions in Group Policy, System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app, and you can use wildcards to further customize the lists.

You can also use PowerShell cmdlets and WMI to configure the exclusion lists, including reviewing and validating your lists.

By default, local changes made to the lists (by users with administrator privileges; this includes changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in the case of conflicts.

You can configure how locally and globally defined exclusions lists are merged to allow local changes to override managed deployment settings.

Configure the list of exclusions based on folder name or file extension

Use Group Policy to configure folder or file extension exclusions:

Note

If you include a fully qualified path to a file, then only that file will be excluded. If a folder is defined in the exclusion, then all files and subdirectories under that folder will be excluded.

  1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click Edit.

  2. In the Group Policy Management Editor go to Computer configuration.

  3. Click Policies then Administrative templates.

  4. Expand the tree to Windows components > Windows Defender Antivirus > Exclusions.

  5. Double-click the Path Exclusions setting and add the exclusions:

    1. Set the option to Enabled.
    2. Under the Options section, click Show...
    3. Enter each folder on its own line under the Value name column. If you are entering a file, ensure you enter a fully qualified path to the file, including the drive letter, folder path, filename, and extension. Enter 0 in the Value column for all processes.
  6. Click OK.

The Group Policy setting for file and folder exclusions

  1. Double-click the Extension Exclusions setting and add the exclusions:

    1. Set the option to Enabled.
    2. Under the Options section, click Show...
    3. Enter each file extension on its own line under the Value name column. Enter 0 in the Value column for all processes.
  2. Click OK.

The Group Policy setting for extension exclusions

Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:

Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the Defender module.

The format for the cmdlets is:

<cmdlet> -<exclusion list> "<item>"

The following are allowed as the <cmdlet>:

Configuration action        | PowerShell cmdlet
----------------------------|--------------------
Create or overwrite the list | Set-MpPreference
Add to the list              | Add-MpPreference
Remove item from the list    | Remove-MpPreference

The following are allowed as the <exclusion list>:

Exclusion type                                                                  | PowerShell parameter
--------------------------------------------------------------------------------|---------------------
All files with a specified file extension                                       | -ExclusionExtension
All files under a folder (including files in subdirectories), or a specific file | -ExclusionPath

Important

If you have created a list, either with Set-MpPreference or Add-MpPreference, using the Set-MpPreference cmdlet again will overwrite the existing list.

For example, the following code snippet would cause Windows Defender AV scans to exclude any file with the .test file extension:

Add-MpPreference -ExclusionExtension ".test"

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Use Windows Management Instrumentation (WMI) to configure file name, folder, or file extension exclusions:

Use the Set, Add, and Remove methods of the MSFT_MpPreference class for the following properties:

ExclusionExtension
ExclusionPath

The use of Set, Add, and Remove is analogous to their counterparts in PowerShell: Set-MpPreference, Add-MpPreference, and Remove-MpPreference.
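The following script is an added example, not code from the Microsoft page: it wraps Add-MpPreference so repeated runs do not duplicate entries, shows the Set-MpPreference overwrite pitfall described above, and gives the equivalent MSFT_MpPreference Add call. The CIM namespace and the sample paths are assumptions; run it in an elevated session.

```powershell
# Added example (not from the page): add extension and path exclusions
# idempotently with the Defender module and show why Set-MpPreference is
# the risky verb. Requires an elevated session on Windows 10 / Server 2016.

function Add-DefenderExclusion {
    param(
        [string[]]$Extension = @(),
        [string[]]$Path = @()
    )
    $prefs = Get-MpPreference
    foreach ($ext in $Extension) {
        # Add-MpPreference appends to the list; skip entries already present
        if ($prefs.ExclusionExtension -contains $ext) { continue }
        Add-MpPreference -ExclusionExtension $ext
    }
    foreach ($p in $Path) {
        if ($prefs.ExclusionPath -contains $p) { continue }
        # A fully qualified file path excludes only that file;
        # a folder excludes every file and subfolder under it
        Add-MpPreference -ExclusionPath $p
    }
    # Return the lists as they stand now, one entry per line
    $now = Get-MpPreference
    [pscustomobject]@{
        ExclusionExtension = @($now.ExclusionExtension)
        ExclusionPath      = @($now.ExclusionPath)
    }
}

# Constructed sample values
Add-DefenderExclusion -Extension '.test' -Path 'C:\test\sample', 'C:\sample\sample.test'

# Set-MpPreference REPLACES the whole list: after this call '.test' is gone and
# only '.log' remains. Use Add-MpPreference unless a full overwrite is intended.
# Set-MpPreference -ExclusionExtension '.log'

# Equivalent WMI/CIM call to the Add method of MSFT_MpPreference
# (namespace is an assumption of this example):
# Invoke-CimMethod -Namespace 'root/Microsoft/Windows/Defender' -ClassName 'MSFT_MpPreference' `
#     -MethodName 'Add' -Arguments @{ ExclusionPath = @('C:\test\sample') }

# Remove-MpPreference removes one entry without touching the rest of the list
# Remove-MpPreference -ExclusionPath 'C:\sample\sample.test'
```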

See the following for more information and allowed parameters:

Use Configuration Manager to configure file name, folder, or file extension exclusions:

See How to create and deploy antimalware policies: Exclusion settings for details on configuring System Center Configuration Manager (current branch).

Use Microsoft Intune to configure file name, folder, or file extension exclusions:

See Help secure Windows PCs with Endpoint Protection for Microsoft Intune and Windows Defender policy settings in Windows 10 for more details.

Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:

See Add exclusions in the Windows Defender Security Center app for instructions.

Use wildcards in the file name and folder path or extension exclusion lists

You can use the asterisk *, question mark ?, or environment variables (such as %ALLUSERSPROFILE%) as wildcards when defining items in the file name or folder path exclusion list.

Important

Environment variable usage is limited to machine variables and those applicable to processes running as an NT AUTHORITY\SYSTEM account.

You cannot use a wildcard in place of a drive letter.

The following table describes how the wildcards can be used and provides some examples.

Wildcard              | Use                                                                              | Example use                      | Example matches
----------------------|----------------------------------------------------------------------------------|----------------------------------|------------------------------------------------
* (asterisk)          | Replaces any number of characters                                                | C:\MyData\my*.zip                | C:\MyData\my-archived-files-43.zip
                      |                                                                                  | C:\somepath\*\Data               | Any file in C:\somepath\folder1\folder2\Data
? (question mark)     | Replaces a single character                                                      | C:\MyData\my?.zip                | C:\MyData\my1.zip
                      |                                                                                  | C:\somepath\?\Data               | Any file in C:\somepath\P\Data
Environment variables | The defined variable will be populated as a path when the exclusion is evaluated | %ALLUSERSPROFILE%\CustomLogFiles | C:\ProgramData\CustomLogFiles\Folder1\file1.txt

Review the list of exclusions

You can retrieve the items in the exclusion list with PowerShell, System Center Configuration Manager, Intune, or the Windows Defender Security Center app.

If you use PowerShell, you can retrieve the list in two ways:

  • Retrieve the status of all Windows Defender AV preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line.
  • Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of Add-MpPreference is written to a new line.

Review the list of exclusions alongside all other Windows Defender AV preferences:

Use the following cmdlet:

Get-MpPreference

In the following example, the items contained in the ExclusionExtension list are highlighted:

PowerShell output for Get-MpPreference showing the exclusion list alongside other preferences

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Retrieve a specific exclusions list:

Use the following code snippet (enter each line as a separate command); replace WDAVprefs with whatever label you want to name the variable:

$WDAVprefs = Get-MpPreference
$WDAVprefs.ExclusionExtension
$WDAVprefs.ExclusionPath
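Retrieving the lists is only half of a review; an added example (not from the Microsoft page) that takes the retrieved ExclusionExtension and ExclusionPath lists and flags entries that are broader than a single file or folder, such as whole drives, wildcards under the drive root, user-writable locations, or executable extensions. The risk heuristics and the sample lists at the bottom are constructed for this example.

```powershell
# Added example (not from the page): audit exclusion lists for entries that
# weaken protection more than a narrow file or folder exclusion would.

function Find-RiskyDefenderExclusion {
    param(
        [string[]]$ExclusionExtension = @(),
        [string[]]$ExclusionPath = @()
    )
    # Extensions that commonly carry executable content (heuristic list, an
    # assumption of this example): excluding them leaves most payloads unscanned.
    $execExt = '.exe', '.dll', '.ps1', '.vbs', '.js', '.bat', '.cmd', '.scr', '.com'
    # Locations a standard user can write to: an exclusion there lets
    # unprivileged code run without being scanned.
    $userWritable = '^C:\\Users', '^%TEMP%', '^%TMP%', '^%USERPROFILE%', '^%APPDATA%', '^C:\\Windows\\Temp'

    foreach ($e in $ExclusionExtension) {
        if ($execExt -contains $e.ToLower()) {
            [pscustomobject]@{ Entry = $e; Reason = 'executable file extension' }
        }
    }
    foreach ($p in $ExclusionPath) {
        $reason = $null
        if ($p -match '^[A-Za-z]:\\?$')                       { $reason = 'entire drive excluded' }
        elseif ($p -match '^[A-Za-z]:\\\*')                   { $reason = 'wildcard directly under drive root' }
        elseif ($userWritable | Where-Object { $p -match $_ }) { $reason = 'user-writable location' }
        elseif ($p -match '\\\*\\|\\\*$')                     { $reason = 'folder wildcard matches more than one folder' }
        if ($reason) {
            [pscustomobject]@{ Entry = $p; Reason = $reason }
        }
    }
}

# Live use (elevated session):
#   $WDAVprefs = Get-MpPreference
#   Find-RiskyDefenderExclusion -ExclusionExtension $WDAVprefs.ExclusionExtension -ExclusionPath $WDAVprefs.ExclusionPath

# Constructed sample lists showing which entries get flagged
Find-RiskyDefenderExclusion `
    -ExclusionExtension '.test', '.ps1' `
    -ExclusionPath 'C:\test\sample', 'C:\Users\*\Downloads', 'D:\', '%ALLUSERSPROFILE%\CustomLogFiles' |
    Format-Table -AutoSize
```

Entries such as C:\test\sample and %ALLUSERSPROFILE%\CustomLogFiles pass; .ps1, C:\Users\*\Downloads and D:\ are reported with a reason.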

In the following example, the list is split into new lines for each use of the Add-MpPreference cmdlet:

PowerShell output showing only the entries in the exclusion list

See Use PowerShell cmdlets to configure and run Windows Defender Antivirus and Defender cmdlets for more information on how to use PowerShell with Windows Defender Antivirus.

Validate exclusions lists with the EICAR test file

You can validate that your exclusion lists are working by using PowerShell with either the Invoke-WebRequest cmdlet or the .NET WebClient class to download a test file.

In the following PowerShell snippet, replace test.txt with a file that conforms to your exclusion rules. For example, if you have excluded the .testing extension, replace test.txt with test.testing. If you are testing a path, ensure you run the cmdlet within that path.

Invoke-WebRequest "http://www.eicar.org/download/eicar.com.txt" -OutFile "test.txt"

If Windows Defender AV reports malware, then the rule is not working. If there is no report of malware, and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the EICAR testfile website.

You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file. As with the Invoke-WebRequest cmdlet, replace c:\test.txt with a file that conforms to the rule you are validating:

$client = new-object System.Net.WebClient
$client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
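To turn the manual check above into a repeatable test, the following added example (not from the Microsoft page) downloads the EICAR file both to the path under test and to a control path that is not excluded, then reports whether the file survived and whether Defender logged a detection for it. It assumes an elevated session, outbound access to the eicar.org URL used above, and that Get-MpThreatDetection exposes InitialDetectionTime and Resources for each detection; the sample paths are constructed.

```powershell
# Added example (not from the page): validate an exclusion against a control
# path. The excluded file should survive undetected; the control file should be
# detected or removed by real-time protection.

function Test-DefenderExclusion {
    param(
        [Parameter(Mandatory)][string]$ExcludedFile,   # e.g. C:\test\sample\test.txt or .\test.testing
        [Parameter(Mandatory)][string]$ControlFile,    # a path NOT covered by any exclusion
        [int]$SettleSeconds = 10
    )
    $url   = 'http://www.eicar.org/download/eicar.com.txt'
    $start = Get-Date
    foreach ($target in $ExcludedFile, $ControlFile) {
        try {
            Invoke-WebRequest -Uri $url -OutFile $target -UseBasicParsing -ErrorAction Stop
        } catch {
            # Real-time protection may block the write of the control file outright;
            # for the control that is the expected outcome
            Write-Verbose "Download to $target failed: $($_.Exception.Message)"
        }
    }
    # Give real-time protection time to act on the control file
    Start-Sleep -Seconds $SettleSeconds

    # Detections logged since the test started (property names assumed as noted in the lead-in)
    $detections = Get-MpThreatDetection | Where-Object { $_.InitialDetectionTime -ge $start }

    foreach ($target in $ExcludedFile, $ControlFile) {
        # Resolve relative paths against the PowerShell current location, not the process CWD
        $full     = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($target)
        $exists   = Test-Path -LiteralPath $full
        $detected = [bool]($detections | Where-Object { $_.Resources -match [regex]::Escape($full) })
        $verdict  = if ($target -eq $ExcludedFile) {
            if ($exists -and -not $detected) { 'exclusion WORKING' } else { 'exclusion NOT working' }
        } else {
            if ($detected -or -not $exists) { 'control scanned (expected)' } else { 'control NOT detected: check real-time protection' }
        }
        [pscustomobject]@{ File = $full; Exists = $exists; Detected = $detected; Verdict = $verdict }
    }
    # Clean up the test file left in the excluded location
    Remove-Item -LiteralPath $ExcludedFile -ErrorAction SilentlyContinue
}

# Constructed sample paths; the first must match the exclusion you configured
Test-DefenderExclusion -ExcludedFile 'C:\test\sample\test.txt' -ControlFile "$env:TEMP\eicar-control.txt" |
    Format-Table -AutoSize
```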