Windows scanning exclusions
When you set up global scanning exclusions, we exclude these applications and folders from scanning for all your users and their devices.
If you want to exclude files or folders only for some users or devices, you can do this using an Endpoint Threat Protection policy. See Threat Protection Policy.
If you want to exclude files or folders from scanning only for some servers, you can do this using a Server Threat Protection policy. See Server Threat Protection Policy.
Adding exclusions reduces your protection, so we recommend that you use policies to target users and devices where the exclusion is necessary rather than using this global option.
Using scanning exclusions safely
If you're adding exclusions, or you've seen warnings about your exclusions in Account Health Check, see Using exclusions safely.
Warning
Scanning exclusions may significantly reduce your protection. Only use them if you understand the risks.
Make your exclusions as specific as possible. It's risky to generalize the exclusion to cover more files and folders than you need to.
If you set up a scanning exclusion for C: it excludes all of your C drive. We recommend that you don't set up an exclusion for a whole drive. Exclude specific files or folders instead.
Suppose you need to exclude C:\Program Files\Software\app.exe. Excluding *.exe excludes your app, but also every other .exe file, so malware with an .exe extension won't be blocked. Use the full file path instead.
Don't exclude folders where malware is most often located. These folders include the following:
C:\Windows\
C:\ProgramData\
C:\Users\<Username>\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
We recommend that you don't exclude these folders from scanning because this reduces your protection significantly.
Network shares
You can add specific scanning exclusions for network shares. Note that exclusions which aren't tied to a specific drive (for example, a bare file name or a wildcard pattern with no drive letter) also apply to network shares by default.
You can add an exclusion for a network drive using the following format:
\\<REMOTESERVER>\<SHARENAME>\
Wildcards
You can use wildcards when you set up scanning exclusions. Make your wildcards as specific as possible. It's risky to generalize the exclusion to cover more files and folders than you need to.
You can use the wildcards shown in this table.
Token | Matches |
---|---|
* (Star) | Zero or more of any character except \ or / |
** (Star Star) | Zero or more characters, including \ or /. Any other use of a For example: |
\ (Backslash) | Either \ or /. Be careful if you use this wildcard to set up exclusions as it reduces your protection. For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down. We recommend that you don't use this wildcard by itself. |
/ (Forward slash) | Either \ or /. Be careful if you use this wildcard to set up exclusions as it reduces your protection. For example, if you set up an exclusion using just this wildcard it excludes everything in every folder from the root of the drive down. We recommend that you don't use this wildcard by itself. |
? (Question mark) | One single character. If it is at the end of a string it can match zero characters. |
. (Period) | A period, or the empty string at the end of a filename if the pattern ends in a period and the filename does not have an extension. Note that For example: |
Example wildcards
Here are some examples of the use of wildcards.
Expression | Interpreted as |
---|---|
foo | Exclude any file named foo. |
foo\bar | Exclude any file named bar inside a folder named foo. |
*.txt | Exclude all files whose name matches *.txt (any file with a .txt extension). |
C:\foo\ | All files and folders underneath C:\foo\ |
C:\foo\*.txt | All files or folders contained in C:\foo\ whose name matches *.txt |
Variables for exclusions
You can use variables when you set up scanning exclusions. Make your variables as specific as possible. It's risky to generalize the exclusion to cover more files and folders than you need to.
Be careful if you use the following variables to set up exclusions, as they decrease your protection.
%programdata%: This excludes C:\ProgramData\ from scanning.
%USERPROFILE%: This excludes C:\Users\**\ from scanning.
%temp%: This excludes C:\Users\**\AppData\Local\Temp\ from scanning.
%appdata%: This excludes C:\Users\**\AppData\Roaming\ from scanning.
%windir%: This excludes C:\Windows\ from scanning.
%windir%\System32\: This excludes C:\Windows\System32\ from scanning.
%windir%\Syswow64\: This excludes C:\Windows\Syswow64\ from scanning.
%windir%\Temp\: This excludes C:\Windows\Temp\ from scanning.
The table below shows variables and examples of the locations they correspond to on each operating system.
Variable | Location (Windows 7 and later, Windows Server 2008 and later) |
---|---|
%allusersprofile% | C:\ProgramData |
%appdata% | C:\Users\*\AppData\Roaming. Be careful if you use this variable to set up exclusions as it reduces your protection. |
%commonprogramfiles% | C:\Program Files\Common Files |
%commonprogramfiles(x86)% | C:\Program Files (x86)\Common Files |
%localappdata% | C:\Users\*\AppData\Local |
%programdata% | C:\ProgramData. Be careful if you use this variable to set up exclusions as it reduces your protection. |
%programfiles% | C:\Program Files. Be careful if you use this variable to set up exclusions as it reduces your protection. |
%programfiles(x86)% | C:\Program Files (x86). Be careful if you use this variable to set up exclusions as it reduces your protection. |
%temp% or %tmp% | C:\Users\*\AppData\Local\Temp. Be careful if you use this variable to set up exclusions as it reduces your protection. |
%userprofile% | C:\Users\* |
%windir% | C:\Windows. Be careful if you use this variable to set up exclusions as it reduces your protection. |