May 4, 2025

Defender for Endpoint Exclusions: What Not to Do

Introduction:

Over the past few months, we’ve reviewed dozens of Microsoft Defender configurations, and there’s a recurring theme: overuse of exclusions — folders, file types, even processes that should never be excluded.

Yes, there are legit reasons for defining exclusions (performance, false positives, compatibility), but they should be handled with care. Every exclusion = reduced visibility. Every exclusion = increased risk.

Microsoft just released a very useful update:

“Common mistakes to avoid when defining exclusions” — and it’s a must-read.

Here’s a practical summary + a few insights from the field:

1. Excluding “Trusted” Items

Just because a file or folder seems safe doesn’t mean it should be excluded. Malware often hides in familiar places — and mimics legitimate names.


Avoid excluding these folders (Windows):

  • %systemdrive%, C:\, C:\Temp\, %Windir%\Temp

  • %ProgramFiles%\Java, %ProgramFiles%\Contoso\

  • C:\Users\, C:\Users\<User>\AppData\Local\Temp\

  • C:\Windows\Prefetch, C:\Windows\System32\Spool, CatRoot2


Avoid excluding these folders (macOS/Linux):

  • /, /bin, /sbin, /usr/lib


Important:

SharePoint is an exception — when using file-level AV, you should exclude:

  • C:\Users\ServiceAccount\AppData\Local\Temp

  • C:\Users\Default\AppData\Local\Temp


2. File Extensions That Should Not Be Excluded

Attackers leverage known extensions to drop payloads or execute scripts.

Yet we often find exclusions for entire file types like .exe or .dll.


Do NOT exclude the following extensions:

.7z, .bat, .bin, .cab, .cmd, .com, .cpl, .dll, .exe, .fla, .gif, .gz, .hta, .inf, .java, .jar, .job, .jpeg, .jpg, .js, .ko, .msi, .ocx, .png, .ps1, .py, .rar, .reg, .scr, .sys, .tar, .tmp, .url, .vbe, .vbs, .wsf, .zip


If you must exclude something like .gif or .jpg, make sure:

  • Your environment enforces a strict patch/update policy.

  • The exclusion is scoped to a specific location or process — not system-wide.


3. High-Risk Processes You Should Never Exclude

Excluding processes is risky business. These processes are often abused during attacks — and shouldn’t be excluded under any circumstance.


Processes to avoid excluding (Windows):

powershell.exe, cmd.exe, cscript.exe, wscript.exe, java.exe, mshta.exe, dotnet.exe, outlook.exe, excel.exe, winword.exe, schtasks.exe, svchost.exe, psexec.exe, wmic.exe, dbgsvc.exe, msbuild.exe, AcroRd32.exe, etc.


🛑 macOS/Linux equivalents:

bash, sh, zsh, python, python3, java

Even processes like iexplore.exe or fsi.exe can be weaponized.


4. Using File Name Only (Without Full Path)

We’ve seen environments where files are excluded by name only — like scan.exe.

Bad idea.


Why?

Because a name-only exclusion matches any file with that name anywhere on disk, so malware only has to reuse the filename and drop into a different location to inherit the exclusion.

Best practice: Always use the fully qualified path, e.g.:

C:\Program Files\Contoso\scan.exe — not just scan.exe.


5. Reusing One List for All Workloads

You wouldn’t apply the same security policy to a domain controller and a file server — so don’t use one giant exclusion list either.


Split exclusions by server role:

  • IIS vs. SQL Server vs. SharePoint vs. RDS — different exclusions, different needs.


6. Misusing Environment Variables as Wildcards

This is a classic mistake. Defender Antivirus runs in system context, meaning it can only resolve system-level variables — not user variables.

❌ %UserProfile% won’t work

✅ %ProgramFiles%, %SystemRoot% are OK


Avoid using user environment variables in exclusions unless you really understand the runtime context.
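As an added example (not code from the blog or from Microsoft), here is a PowerShell audit that reads the local exclusions with Get-MpPreference and flags entries that break rules 1, 2, 3, 4 and 6 above. The function name Test-DefenderExclusions and the blocklist variables are my own, assembled from the article's lists; rule 5 is a fleet-wide design question and is not checked here.

```powershell
# Added audit script, not from the blog or from Microsoft: checks the local
# Defender Antivirus exclusions against the mistakes described above.
# Requires an elevated session on a Windows host with the Defender PowerShell module.

# Blocklists assembled from the article's own lists (shortened for space).
$riskyFolders = @('%systemdrive%', 'C:\', 'C:\Temp\', '%Windir%\Temp', '%ProgramFiles%\Java',
    'C:\Users\', 'C:\Windows\Prefetch', 'C:\Windows\System32\Spool', 'C:\Windows\System32\CatRoot2')
$riskyExtensions = @('7z','bat','bin','cab','cmd','com','cpl','dll','exe','hta','inf','jar','js',
    'msi','ps1','py','rar','reg','scr','sys','tmp','url','vbe','vbs','wsf','zip')
$riskyProcesses = @('powershell.exe','cmd.exe','cscript.exe','wscript.exe','java.exe','mshta.exe',
    'dotnet.exe','outlook.exe','excel.exe','winword.exe','schtasks.exe','svchost.exe','psexec.exe',
    'wmic.exe','dbgsvc.exe','msbuild.exe','AcroRd32.exe','iexplore.exe','fsi.exe')
# User-scoped variables the SYSTEM-context engine cannot resolve (rule 6).
$userVariables = '%(UserProfile|AppData|LocalAppData|Temp|Tmp|HomePath)%'

function Test-DefenderExclusions {
    param([Parameter(Mandatory)] $Preference)   # the object returned by Get-MpPreference
    $findings = @()
    $normRisky = $riskyFolders | ForEach-Object { $_.TrimEnd('\') }
    foreach ($p in @($Preference.ExclusionPath)) {
        if (-not $p) { continue }
        if ($normRisky -contains $p.TrimEnd('\')) {          # rule 1: never-exclude locations
            $findings += "Path '$p' is a location that should never be excluded"
        }
        if ($p -match $userVariables) {                      # rule 6: user variable in a path
            $findings += "Path '$p' uses a user environment variable that Defender cannot resolve"
        }
    }
    foreach ($e in @($Preference.ExclusionExtension)) {
        if ($e -and $riskyExtensions -contains $e.TrimStart('.')) {   # rule 2: risky file types
            $findings += "Extension '$e' is a payload/script type and should not be excluded"
        }
    }
    foreach ($proc in @($Preference.ExclusionProcess)) {
        if (-not $proc) { continue }
        $leaf = Split-Path -Path $proc -Leaf                 # works for bare names and full paths
        if ($riskyProcesses -contains $leaf) {               # rule 3: commonly abused binaries
            $findings += "Process '$proc' is a commonly abused binary and must not be excluded"
        }
        if ($proc -notmatch '[\\/]') {                       # rule 4: file name only, no full path
            $findings += "Process '$proc' is excluded by name only; use the fully qualified path"
        }
    }
    return $findings
}

$results = @(Test-DefenderExclusions -Preference (Get-MpPreference))
if ($results.Count -eq 0) { 'No risky exclusions found.' } else { $results }
```

Run it on a reference host first, then across the fleet through your management tooling, and treat every finding as a candidate for removal or narrower scoping rather than an automatic delete.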

🔚 Final Thoughts

Exclusions can be necessary — but they’re also dangerous.

Every time you exclude a folder, process, or file type, you’re potentially giving attackers a safe zone.

Before you add an exclusion, ask:

  • Is this exclusion really needed?

  • Can we scope it more narrowly?

  • Is there another workaround that doesn’t reduce protection?


📎 Full Microsoft article (highly recommended):

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-exclusions-mistakes