Excluding files, folders, and file types from scans

Applies To: Forefront Client Security

By default, Client Security scans all files, folders, and file types for malware. There are no exclusions in a new policy. You can exclude specific files, folders, and file types from scanning. When you edit or create a policy, use the Advanced tab to configure exclusions.

Important

It is recommended that you set exclusions carefully. Exclusions set without forethought might lead to undetected malware, such as a virus present in an excluded file type or a worm in an excluded folder.

If you enable the Prompt users when unclassified software is detected option, it is strongly recommended that you exclude from scans applications that are legitimate in your organization and which Client Security detects as unclassified software. For more information, see Controlling the end-user experience.

If scans of a large data file degrade the performance of a computer to an unacceptable level, consider excluding the file from scans.

Client computers receiving a policy with scan exclusions do not enforce the exclusions until the agent restarts.

To exclude files and folders from malware scans

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Advanced tab.

  3. Under Exclusions from malware scans and immediately to the right of the File and folder paths box, click Add. The Exclude Path dialog box appears.

  4. Enter the full path to a file or folder you want to exclude. Note the following:

    • File and folder exclusions are enforced only at the exact locations you specify in the policy. If the file or folder you specify exists in a different location on a client computer than the location you specified in the policy, the file or folder is not excluded from scans on the client computer.

    • You can use environment variables, such as %SYSTEMDRIVE%, to specify paths. For example:

      %SYSTEMDRIVE%\cdb.exe

      If the variable does not exist on a client computer, Client Security cannot correctly enforce the exclusion.

    • Client Security does not scan the subfolders of an excluded folder.

    Click OK, and then click OK to close the Exclude Path dialog box.

  5. Continue adding exclusions, as needed.

  6. After you finish creating or editing the policy, click OK.

  7. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To exclude file types from malware scans

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Advanced tab.

  3. Under Exclusions from malware scans and immediately to the right of the Extensions box, click Add. The Exclude Extension dialog box appears.

  4. Type the extension of the file type you want to exclude, and then click OK.

  5. Continue adding file type exclusions, as needed.

  6. After you finish creating or editing the policy, click OK.

  7. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.

To remove exclusions from malware scans

  1. In the Client Security console, create or edit a policy. For details about how to create or edit a policy, see Creating, editing, copying, and deleting policies.

  2. In the New Policy or Edit Policy dialog box, click the Advanced tab.

  3. Under Exclusions from malware scans, in either the File and folder paths box or the Extensions box, select the exclusion you want to remove.

  4. Immediately to the right of the box containing the selected exclusion, click Remove.

  5. Continue removing file type exclusions, as needed.

  6. After you finish creating or editing the policy, click OK.

  7. To apply the policy to client computers, you must deploy the policy. For information about deploying a policy, see Deploying and undeploying policies.