Team: Huntress Managed Microsoft Defender (EDR)
Product: Managed Defender
Environment: Windows
Summary: Managed Microsoft Defender Antivirus exclusions can be set on the account, organization, or endpoint (agent) level. These exclusions can be paths, extensions or processes. Huntress will highlight non-recommended exclusions in the UI.
In This Article
- Overview
- Best Practices
- Normal and Risky Exclusions
- Types of Microsoft Defender Exclusions
- Using the Managed Antivirus Exclusions Page
- Antivirus Settings
- Manage Exclusions Settings
- Create Exclusions Settings
- Endpoint (Agent)-level Exclusions
- Organization-level Exclusions
- Account-level Exclusions
Overview
When software used in your organization conflicts with the Managed Antivirus (Managed AV) service, you can create exclusions to prevent legitimate activity from being flagged as malicious. This article walks you through the steps to create exclusions at the Agent, Organization, and Account levels.
Best Practices
The exclusions you enter will take effect based on the inheritance settings. Keep this in mind to prevent unnecessary risk.
- Be specific and targeted when creating exclusions.
- Huntress recommends entering exclusions at the Endpoint (Agent) level to minimize your attack surface, targeting specific software or activity needed for business functions.
- Avoid entering exclusions at the Account level unless absolutely necessary.
- Be wary of generalized exclusion types.
- Setting exclusions across more devices, or creating non-specific exclusions, increases the attack surface of every endpoint in that scope, making it easier for a threat actor to bypass Defender and deploy malicious code.
- While wildcards are supported, their use should be limited: a wildcard is not specific and, when misconfigured, may inadvertently stop scanning of files that need to be scanned.
- Consider alternative exclusion options.
- Adding an extension exclusion, or excluding an entire directory, may be too general. Consider alternatives such as process or path exclusions that focus precisely on what should not be scanned. For example, excluding svchost.exe would be risky, but excluding \Windows\System32\svchost.exe is more targeted and less risky.
Normal and Risky Exclusions
Normal exclusions are generally deemed “safe” to skip during an antivirus scan. These are typically very specific, well defined, and targeted exclusions put in place to ensure business continuity.
Risky Exclusions are settings that are generally deemed “unsafe” to skip during an antivirus scan as they are more likely to create security gaps that attackers can exploit to hide malicious activity. Huntress recommends removing these if they are not required.
Huntress will mark Risky Exclusions in the Managed Antivirus Exclusion portal. You will be given the option to “Allow” a risky exclusion if you do not wish to remove it.
Before creating any exclusions in your antivirus, consider reading more on common exclusions mistakes to avoid.
Types of Microsoft Defender Exclusions
See Microsoft's guide on how to configure and validate exclusions based on extension, name, or location.
The Huntress Managed Antivirus Dashboard supports wildcards.
| Exclusion Type | Description | Example Value (Normal Exclusion) | Example Value (Risky Exclusion) |
|---|---|---|---|
| Path exclusions | The full directory path to exclude. | Unique or application-specific paths such as `C:\ProgramName\Databasefolder` or `%PROGRAMFILES%\Huntress\Rio` | Commonly targeted or accessed paths like `C:\Users\<username>\Documents` or `C:\Temp`, and single directories like `C:\` or `D:\` |
| Process exclusions | The full path of a program process to exclude. | Unique or application-specific processes such as `C:\Users\<username>\test\tester.exe` | Commonly targeted or accessed processes like `C:\Program Files\Microsoft Office\root\Office16\WINWORD.exe` |
| Extension exclusions | The extension of the file types you want to exclude from scanning. | Unique or application-specific extensions such as `.desklink`, `.sqlite3`, `.ide-wal` | Commonly targeted or accessed extensions like `.zip`, `.exe`, `.dll`, `.xlsx` |
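The following PowerShell is an added example, not Huntress or Microsoft code, that turns the normal/risky distinction in the table above (and the svchost.exe point under Best Practices) into a check you can run before or after entering an exclusion. `Get-MpPreference` and its `ExclusionPath`, `ExclusionProcess` and `ExclusionExtension` properties are the real Defender cmdlet and fields; the risk heuristics, the function names, and the entries in the risky-name lists beyond the page's own examples are assumptions to tune for your environment. The sample list at the bottom is constructed so the classifier can be exercised without touching a live endpoint.

```powershell
# Added example (not Huntress/Microsoft code): classify Defender exclusions as
# normal or risky using the patterns the table above describes. Lists beyond
# the page's own examples (WINWORD.exe, .zip/.exe/.dll/.xlsx) are assumptions.

# Leaf names whose exclusion is risky wherever the binary lives (assumed list).
$RiskyProcessNames = @('winword.exe', 'excel.exe', 'powershell.exe', 'cmd.exe',
                       'wscript.exe', 'cscript.exe', 'rundll32.exe', 'mshta.exe')
# Extensions that are commonly targeted or abused (assumed list beyond the page's four).
$RiskyExtensions = @('zip', 'exe', 'dll', 'xlsx', 'docx', 'ps1', 'js', 'vbs', 'bat', 'cmd')

function Test-RiskyExclusion {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Path', 'Process', 'Extension')][string]$Type,
        [Parameter(Mandatory)][string]$Value
    )
    $reasons = @()
    switch ($Type) {
        'Path' {
            # A bare drive root (C:\ or D:\) stops scanning for the whole volume.
            if ($Value -match '^[A-Za-z]:\\?$')               { $reasons += 'entire drive excluded' }
            # User-profile and temp locations are common drop sites for payloads.
            if ($Value -match '(?i)^[A-Za-z]:\\Users\\')      { $reasons += 'inside a user profile' }
            if ($Value -match '(?i)(\\Temp\\?$|%TEMP%)')      { $reasons += 'temp directory' }
            if ($Value -match '[*?]')                         { $reasons += 'contains a wildcard' }
        }
        'Process' {
            # "svchost.exe" alone matches every file with that name, anywhere on disk;
            # a full path such as \Windows\System32\svchost.exe is the targeted form.
            if ($Value -notmatch '\\') { $reasons += 'bare process name, matches every file with that name' }
            $leaf = [System.IO.Path]::GetFileName($Value).ToLowerInvariant()
            if ($RiskyProcessNames -contains $leaf) { $reasons += "commonly targeted process ($leaf)" }
            if ($Value -match '[*?]') { $reasons += 'contains a wildcard' }
        }
        'Extension' {
            $ext = $Value.TrimStart('.').ToLowerInvariant()
            if ($RiskyExtensions -contains $ext) { $reasons += "commonly targeted file type (.$ext)" }
            if ($ext.Length -eq 0 -or $ext -match '[*?]') { $reasons += 'empty or wildcard extension' }
        }
    }
    [PSCustomObject]@{
        Type    = $Type
        Value   = $Value
        Risky   = ($reasons.Count -gt 0)
        Reasons = ($reasons -join '; ')
    }
}

function Get-DefenderExclusionRisk {
    # Audit what is actually configured on this endpoint. Get-MpPreference is the
    # real Defender cmdlet; it requires the Defender PowerShell module (Windows only).
    $pref = Get-MpPreference
    foreach ($p in $pref.ExclusionPath)      { Test-RiskyExclusion -Type Path      -Value $p }
    foreach ($p in $pref.ExclusionProcess)   { Test-RiskyExclusion -Type Process   -Value $p }
    foreach ($e in $pref.ExclusionExtension) { Test-RiskyExclusion -Type Extension -Value $e }
}

# Constructed sample (values taken from the table above), runnable on any host
# without a live Defender configuration. Expect the last item of each pair to be Risky.
$sample = @(
    @{ Type = 'Path';      Value = 'C:\ProgramName\Databasefolder' }
    @{ Type = 'Path';      Value = '%PROGRAMFILES%\Huntress\Rio' }
    @{ Type = 'Path';      Value = 'C:\Users\alice\Documents' }
    @{ Type = 'Path';      Value = 'D:\' }
    @{ Type = 'Process';   Value = 'C:\Users\alice\test\tester.exe' }
    @{ Type = 'Process';   Value = 'svchost.exe' }
    @{ Type = 'Process';   Value = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.exe' }
    @{ Type = 'Extension'; Value = '.sqlite3' }
    @{ Type = 'Extension'; Value = '.dll' }
)
$sample | ForEach-Object { Test-RiskyExclusion -Type $_.Type -Value $_.Value } |
    Format-Table Type, Value, Risky, Reasons -AutoSize

# On a Windows endpoint, audit the live configuration instead:
# Get-DefenderExclusionRisk | Where-Object Risky | Format-Table -AutoSize
```

The classifier deliberately flags a bare process name even for a legitimate binary, which is the distinction the Best Practices section draws between `svchost.exe` and `\Windows\System32\svchost.exe`: the first matches any file with that name, the second only the real one. Anything it reports as risky corresponds to an exclusion the Huntress portal would mark and ask you to explicitly "Allow".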
Using the Managed Antivirus Exclusions Page
You can reach this page by opening the Huntress Portal, choosing EDR in the left-hand navigation, then clicking Managed Antivirus. From there, choose the Managed Antivirus Exclusions header.
From this page you can manage your Antivirus Settings, your Manage Exclusions Settings, and your Create Exclusions Settings.
You can also view any of the Latest Exclusions Activity (changes to Exclusions) in the generated timeline.
Antivirus Settings
This page will allow you to update your antivirus settings, specific to the Account or Organization levels, depending on if you are currently viewing the Account page, or a specific Organization page. This page will not modify per endpoint (agent) settings. A detailed list of each setting can be found in our Microsoft Defender Recommended Default Settings page.
Manage Exclusions Settings
This page lets you view the antivirus exclusions you have created and remove any you no longer wish to keep in place. If you view this page at the Account level, it shows all exclusions for the Account, all Organizations, and all Endpoints (agents). You can also add additional endpoints or organizations to an existing exclusion setting from this page by clicking the three buttons under Actions.
Create Exclusions Settings
This page will allow you to create new exclusions at the Endpoint (Agent), Organization, and Account levels. If you attempt to add a risky exclusion, you will be prompted to approve it and acknowledge the risk of approving the exclusion.
Note that exclusions will generally apply to impacted endpoints within an hour (often faster).
Endpoint (Agent)-level Exclusions (Recommended)
Any settings created at this level will be applied to only the selected endpoints. These settings will not automatically apply to any other devices.
- Choose the Create Endpoint Exclusion Settings option.
- Specify the endpoint(s) you wish to apply the setting to.
- Choose the exclusion type you wish to create.
- Set the value of the exclusion you wish to create.
- Choose the + symbol to add further exclusions, or the - symbol to remove an exclusion you were in the process of adding.
Organization-level Exclusions
Any settings created at this level will push down to any endpoints in the designated organization(s) with a policy status of Inherit.
- Choose the Create Organization Exclusion Settings option.
- Specify the organization(s) you wish to apply the setting to.
- Choose the exclusion type you wish to create.
- Set the value of the exclusion you wish to create.
- Choose the + symbol to add further exclusions, or the - symbol to remove an exclusion you were in the process of adding.
Account-level Exclusions (Not Recommended)
Any settings created at this level will push down to any Organizations with a policy status of Inherit.
- Choose the Create Account Exclusion Settings option.
- Choose the exclusion type you wish to create.
- Set the value of the exclusion you wish to create.
- Choose the + symbol to add further exclusions, or the - symbol to remove an exclusion you were in the process of adding.