Team: Huntress Managed Microsoft Defender (EDR)
Product: Managed Defender
Environment: Windows
Summary: Managed Defender exclusions can be set on the account, organization, or agent level. These exclusions can be paths, extensions or processes. Huntress will highlight non-recommended exclusions in the UI.
Creating Managed Microsoft Defender Exclusions
Exclusions should be set at the agent level. Creating exclusions at the Organization or Account level increases the attack surface of all hosts in that scope, which can make it easier for a threat actor to bypass Defender and deploy malicious code.
However, specific exclusions can be set on the agent, organization, or account level depending on inheritance settings. You should refrain from entering exclusions at the Account level unless absolutely necessary.
When adding multiple entries, add only one exclusion per line.
- Path exclusions - type out the path you want to exclude (e.g., C:\ProgramName\Databasefolder)
- Extension exclusions - type the extensions you'd like to exclude from scanning (e.g., .txt, .docx, etc. <-- don't exclude these)
- Process exclusions - type the full path of programs you'd like to exclude (e.g., C:\tester.exe)
The Huntress Managed Microsoft Defender Dashboard supports wildcards.
For more information on Path/Extension exclusions, please see Configure and validate exclusions based on extension, name, or location - Microsoft Defender for Endpoint.
Microsoft maintains a list of common exclusion mistakes; please see Common mistakes to avoid when defining exclusions - Microsoft Defender for Endpoint.
In addition to Microsoft’s list of common mistakes, Huntress will also highlight non-recommended exclusions as they’re entered into the exclusion UI, based on the latest threat research.
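As an added example (not Huntress or Microsoft code), the Python sketch below lints a one-entry-per-line exclusion list before it is pasted into the portal, flagging broad paths, risky extensions, and process entries that are not full paths. The rule sets and the function names are assumptions chosen for illustration; they are not the logic Huntress uses to highlight non-recommended exclusions.

```python
import re

# Illustrative heuristics (assumptions for this example), not Huntress's rule set.
RISKY_EXTENSIONS = {".txt", ".docx", ".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".zip"}
RISKY_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
BROAD_PATHS = {"c:", "c:\\windows", "c:\\windows\\temp", "c:\\temp", "c:\\users",
               "c:\\programdata", "c:\\program files", "c:\\program files (x86)"}

def _check(kind, entry):
    """Return a list of findings for a single exclusion entry."""
    findings = []
    low = entry.lower()
    if re.search(r"[;,|]", entry):
        findings.append("more than one entry on this line")
    if kind == "extension":
        ext = low if low.startswith(".") else "." + low
        if "*" in ext or "?" in ext:
            findings.append("wildcard extension matches many file types")
        elif ext in RISKY_EXTENSIONS:
            findings.append("commonly abused or user-content extension")
    elif kind == "path":
        # Drop trailing separators and a trailing '\*' so 'C:\*' compares as 'C:'.
        base = re.sub(r"(\\\*?)+$", "", low)
        if base in BROAD_PATHS or re.fullmatch(r"[a-z]:", base):
            findings.append("broad or attacker-writable location")
        elif re.match(r"^[a-z]:\\[^\\]*[*?]", base):
            findings.append("wildcard in the top-level folder name")
    elif kind == "process":
        if not re.match(r"^[a-z]:\\", low):
            findings.append("not a full path")
        if low.rsplit("\\", 1)[-1] in RISKY_PROCESSES:
            findings.append("script host or system utility excluded")
    else:
        raise ValueError(f"unknown exclusion kind: {kind}")
    return findings

def lint_exclusions(kind, text):
    """Lint a one-entry-per-line list; return (line_no, entry, finding) tuples."""
    results = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip().strip('"')
        if entry:
            results.extend((line_no, entry, f) for f in _check(kind, entry))
    return results

if __name__ == "__main__":
    # Constructed sample list for illustration.
    for hit in lint_exclusions("path", "C:\\ProgramName\\Databasefolder\nC:\\Users\\*\nC:\\Temp\\"):
        print(hit)
```

An empty result means none of these sample heuristics fired; it does not mean the exclusion is safe.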
Agent-level Exclusions:
- In the Huntress portal, navigate to the agent you wish to set exclusions for
- Choose the "Antivirus" tab on the left-hand side
- Choose the "Policy Status" option towards the middle of the page
- Choose the "Configure" button on the right-hand side
- Choose the "Exclusions" tab
- Add your desired exclusions
Organizational-level Exclusions:
- In the Huntress portal, navigate to the organization you wish to set exclusions for
- Choose the "Managed Antivirus" tab on the left-hand side under EDR
- Choose the "Configure" button on the right-hand side
- Choose the "Exclusions" tab
- Add your desired exclusions
- Hit Save in the bottom right
Account-level Exclusions:
- Navigate to your Huntress account
- Choose the "Managed Antivirus" tab on the left-hand side under EDR
- Choose the "Configure" button on the right-hand side
- Choose the "Exclusions" tab
- Add your desired exclusions
- Hit Save in the bottom right