Using exclusions safely
Learn to use exclusions safely.
Exclusions may significantly reduce your protection. Only use them if you understand the risks.
If you're adding exclusions from threat protection, or you've seen warnings about your exclusions in Account Health Check, read these guidelines to stay safe.
Be careful when you set up exclusions. All exclusions can increase the risk to your systems.
Make your exclusions as specific as possible. It's risky to generalize an exclusion to cover more files and folders than you need to. For details, see How to make exclusions specific.
Try to use policies to set exclusions that target only specific users or devices, rather than global exclusions.
Check that you need all your exclusions. You might no longer need exclusions that were used to fix an issue or comply with a third-party vendor's recommendations. Remove any unnecessary exclusions.
Don't exclude folders where malware is often found, such as system files or startup folders.
Follow our links to learn more about using exclusions safely and effectively on your operating system:
How to make exclusions specific
These examples show you how best to use exclusions to deal with common issues.
An app is incorrectly detected as malware
Suppose you have an app, such as c:\app\app.exe, that is incorrectly detected as malicious.
Don’t use a file exclusion. Exclude the app by using its SHA, if available. In the Events list, find a detection event for that app, click Details and then Allow. By default this uses the SHA. See Stop detecting an application.
Now, even if the app is replaced by a malicious file with the same name and location, or modified to have malicious content, we can still detect the malware.
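The difference between a file exclusion and a hash-based allow can be shown with a small script. This is an added example, not product code: the function names and sample file contents are constructed, and SHA-256 is an assumption, since the page only says "SHA".

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_path(path: Path, excluded_paths: set) -> bool:
    # File exclusion: only the location is checked, never the content.
    return str(path) in excluded_paths


def allowed_by_hash(path: Path, allowed_hashes: set) -> bool:
    # Hash allow: the decision follows the exact bytes of the file.
    return sha256_of(path) in allowed_hashes


def demo() -> dict:
    """Return both decisions before and after the file is replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app.exe"  # stand-in for c:\app\app.exe
        app.write_bytes(b"constructed: original trusted build")
        excluded_paths = {str(app)}
        allowed_hashes = {sha256_of(app)}
        before = (allowed_by_path(app, excluded_paths),
                  allowed_by_hash(app, allowed_hashes))
        # Same name and location, different content.
        app.write_bytes(b"constructed: replaced content")
        after = (allowed_by_path(app, excluded_paths),
                 allowed_by_hash(app, allowed_hashes))
    return {"before": before, "after": after}


if __name__ == "__main__":
    result = demo()
    print("before replace (path, hash):", result["before"])
    print("after replace  (path, hash):", result["after"])
```

After the replacement, the path check still allows the file while the hash check no longer matches, so the file is subject to normal detection again.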
An app is slow when it writes to or reads from a folder
Suppose you have an application, such as c:\appfolder\app.exe, that has performance issues when it reads from or writes to a specific location, such as
Don't use a folder exclusion. Use a process exclusion for the full path of the app. See Process exclusions (Windows).
The only protection you’ve removed is scanning of the files the app writes. If the app is compromised, other protection, such as runtime protection, can still detect malicious files. If malware gets onto the device another way, we can still detect it in the