Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=scanning-exclusions-Windows

Windows scanning exclusions

When you set up global scanning exclusions, we exclude these applications and folders from scanning for all your users and their devices.

If you want to exclude files or folders only for some users or devices, you can do this using an Endpoint Threat Protection policy. See Threat Protection Policy.

If you want to exclude files or folders from scanning only for some servers, you can do this using a Server Threat Protection policy. See Server Threat Protection Policy.

Adding exclusions reduces your protection, so we recommend that you use policies to target users and devices where the exclusion is necessary rather than using this global option.

This video takes you through setting up exclusions.

Using scanning exclusions safely

If you're adding exclusions, or you've seen warnings about your exclusions in Account Health Check, see Using exclusions safely.

Warning

Scanning exclusions may significantly reduce your protection. Only use them if you understand the risks.

Make your exclusions as specific as possible. It's risky to generalize the exclusion to cover more files and folders than you need to.

If you set up a scanning exclusion for C: it excludes all of your C drive. We recommend that you don't set up an exclusion for a whole drive. Exclude specific files or folders instead.

Suppose you need to exclude C:\Program Files\Software\app.exe. Excluding *.exe excludes your app but also all other .exe files. Now malware with an .exe extension won’t be blocked. Use the full file path instead.

Don't exclude folders where malware is most often located. These folders include the following:

  • C:\Windows\
  • C:\ProgramData\
  • C:\Users\<Username>\
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\

We recommend that you don't exclude these folders from scanning because this reduces your protection significantly.

Network shares

You can add specific scanning exclusions for network shares. Note that your exclusions usually apply to network shares by default unless they're drive-specific.

You can add an exclusion for a network drive using the following format:

\\<REMOTESERVER>\<SHARENAME>\

Wildcards

You can use wildcards when you set up scanning exclusions. Make your wildcards as specific as possible. It's risky to generalize the exclusion to cover more files and folders that you need to.

You can use the wildcards shown in this table.

Token Matches
* (Star) Zero or more of any character except \ or /
** (Star Star)

Zero or more characters including \ and /, when bracketed by \ or / characters or used at the start or end of an exclusion.

Any other use of a ** is treated as a single * and matches zero or more characters excluding \ and /.

For example:

  • c:\foo\**\bar matches: c:\foo\bar, c:\foo\more\bar, c:\foo\even\more\bar
  • c:\foo\** matches c:\foo\more\bar
\ (Backslash)

Either \ or /

Be careful if you use this wildcard to set up exclusions as it reduces your protection.

For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down.

We recommend that you don't use this wildcard by itself.
/ (Forward slash)

Either / or \

Be careful if you use this wildcard to set up exclusions as it reduces your protection.

For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down.

We recommend that you don't use this wildcard by itself.
? (Question mark) One single character. If it is at the end of a string it can match zero characters.
. (Period)

A period OR the empty string at the end of a filename, if the pattern ends in a period and the filename does not have an extension.

Note that *. matches all files without an extension.

For example: "foo." matches "foo" and "foo".

Example wildcards

Here are some examples of the use of wildcards.

Expression Interpreted as
foo

**\foo

Exclude any file named foo (in any location).
foo\bar

**\foo\bar

Exclude any file named bar in a folder named foo (in any location).
*.txt

**\*.txt

Exclude all files named *.txt (in any location).
C:\foo\

C:\foo\

All files and folders underneath C:\foo, including C:\foo itself.
C:\foo\*.txt

C:\foo\*.txt

All files or folders contained in C:\foo named *.txt.

Variables for exclusions

You can use variables when you set up scanning exclusions. Make your variables as specific as possible. It's risky to generalize the exclusion to cover more files and folders that you need to.

Be careful if you use the following variables to set up exclusions as they decrease your protection.

  • %programdata%: This excludes C:\ProgramData\ from scanning.
  • %USERPROFILE%: This excludes C:\Users\**\ from scanning.
  • %temp%: This excludes C:\Users\**\AppData\Local\Temp\ from scanning.
  • %appdata%: This excludes C:\Users\**\AppData\Roaming\ from scanning.
  • %windir%: This excludes C:\Windows\ from scanning.
  • %windir%\System32\: This excludes C:\Windows\System32\ from scanning.
  • %windir%\Syswow64\: This excludes C:\Windows\Syswow64\ from scanning.
  • %windir%\Temp\: This excludes C:\Windows\Temp\ from scanning.

The table below shows variables and examples of the locations they correspond to on each operating system.

Variable

Windows 7 and later

Windows Server 2008 and later
%allusersprofile% C:\ProgramData
%appdata%

C:\Users\*\AppData\Roaming

Be careful if you use this variable to set up exclusions as it reduces your protection.
%commonprogramfiles% C:\Program Files\Common Files
%commonprogramfiles(x86)% C:\Program Files (x86)\Common Files
%localappdata% C:\Users\*\AppData\Local
%programdata%

C:\ProgramData

Be careful if you use this variable to set up exclusions as it reduces your protection.
%programfiles%

C:\Program Files

Be careful if you use this variable to set up exclusions as it reduces your protection.
%programfiles(x86)%

C:\Program Files (x86)

Be careful if you use this variable to set up exclusions as it reduces your protection.
%temp% or %tmp%

C:\Users\*\AppData\Local\Temp

Be careful if you use this variable to set up exclusions as it reduces your protection.
%userprofile% C:\Users\*
%windir%

C:\Windows

Be careful if you use this variable to set up exclusions as it reduces your protection.