PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 9 min read

Windows Defender Antivirus Exclusion Audit: How to Find and Remove Overly Broad AV Exclusions

5 min
Time to enumerate all exclusions via PowerShell
4
Exclusion types: file, folder, process, extension
Quarterly
Recommended exclusion review frequency

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

AV exclusions are set for legitimate reasons and then forgotten. The person who excluded C:\Apps\Backup\ in 2018 because the old backup agent caused CPU spikes is long gone. The backup agent was replaced in 2021. The exclusion remains. Now any attacker who places a payload in C:\Apps\Backup\ has guaranteed execution without Defender interference. This is not theoretical -- exclusion abuse is a documented technique in ransomware campaigns: operators identify common exclusion patterns, drop payloads in those paths, and know they will not be quarantined. An exclusion audit does not require removing all exclusions -- it requires verifying that every exclusion still has a documented, current, and necessary reason to exist, and ensuring it is as narrow as possible.

Enumerate All Current Exclusions

PowerShell enumeration: Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List. This shows all locally configured exclusions. For enterprise environments, exclusions come from multiple sources and you need to check all of them: Local policy (via Set-MpPreference or the Windows Security GUI), Group Policy (Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions), Intune (Endpoint Security > Antivirus > Defender Antivirus policies), and Microsoft Defender for Endpoint security settings management. For a full inventory across all sources: run Get-MpPreference on a sample of representative machines (workstations, servers, DCs) and compare output. GPO-applied exclusions will appear in the output alongside local exclusions but are noted in the registry at HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions. Check both the policy key and the preferences key (HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions) for a complete picture.

Classify Exclusions by Risk Level

Not all exclusions are equal. Classify each exclusion into one of four categories: Documented and narrow (low risk): an exclusion for a specific file like the SQL Server data directory with .mdf extension has a known purpose, is limited in scope, and does not create broad attack surface -- keep. Documented and broad (medium risk): an exclusion for a backup temp folder that was added for a backup product; still necessary but could be narrowed -- review for scope reduction. Undocumented and narrow (medium risk): an exclusion for a specific process you do not recognize; needs investigation -- is this process still installed? Is the exclusion still necessary? Undocumented and broad (high risk): an exclusion for C:\Windows\Temp, all .exe files, or a large portion of the file system with no documented owner -- these must be justified or removed immediately. Process exclusions are higher risk than folder exclusions: excluding a process means Defender will not scan files accessed by that process, which can be exploited if the process is compromised.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Right-Size Broad Folder Exclusions

The most common overly broad exclusion is a top-level folder exclusion that covers more than needed. If the original need was 'exclude SQL Server data files from real-time scanning', the correct exclusion is the specific file extensions (.mdf, .ldf, .ndf) in the specific SQL data directory, not the entire SQL Server installation directory. Narrowing approach: for each folder exclusion, identify the specific files within it that require exclusion (by extension, by subfolder, or by filename pattern). Replace the broad folder exclusion with the specific subfolder (e.g., C:\SQL\DATA\ instead of C:\SQL), or the specific file extension in that folder, or a combination. Microsoft provides vendor-specific exclusion recommendations for common server workloads (Exchange, SQL Server, SharePoint, SCCM) -- use those as the authoritative reference and remove any broader exclusions that predate the official vendor list.

Remove Exclusions for Removed Software

Exclusions do not auto-delete when software is uninstalled. Common stale exclusions: backup agents (Veeam, Backup Exec, Commvault) that were replaced; antivirus products that were previously installed alongside Defender; build servers with old CI agent exclusions; custom applications that no longer run on the machine. To identify stale process exclusions: for each process exclusion, check if the executable still exists at the specified path: Test-Path 'C:\path\to\excluded\process.exe'. If the binary is gone, the exclusion is stale. For folder exclusions: check whether the software that created the folder still exists. Review Add/Remove Programs or Intune device app inventory for each machine and cross-reference with the exclusion list. Automate this check by running a PowerShell script across all endpoints that tests each exclusion path for existence and reports mismatches.

Manage Exclusions via Intune for Ongoing Control

Ad-hoc exclusion additions are the root cause of exclusion sprawl. Establish a policy that all Defender exclusions are managed through a central policy (Intune or GPO) and local exclusions are not permitted. In Intune: create an Endpoint Security > Antivirus policy with explicitly defined exclusion lists. Deploy with 'Replace' mode so local exclusions cannot be added outside policy. In GPO: use Computer Configuration > Policies > Administrative Templates > Windows Defender > Exclusions and set 'Configure local administrator merge behavior for lists' to Disabled -- this prevents local admins from adding exclusions outside policy. Require a documented change request for any new exclusion addition, with the specific application, the specific path being excluded, and the team responsible for the software. Review the exclusion list quarterly.

The bottom line

Exclusions are a tradeoff: the wrong exclusion means malware executes undetected. Audit your current list, remove stale entries, narrow broad folder exclusions to the specific paths and extensions required by each workload, and move all exclusion management to a policy-controlled channel so new exclusions cannot be added without review. The Microsoft documentation on recommended exclusions for specific server workloads (SQL, Exchange, SharePoint) is the authoritative reference -- use it to replace any exclusions that predate the vendor guidance.

Frequently asked questions

Will removing exclusions cause performance problems?

On production servers with high I/O workloads (SQL Server, Exchange, file servers), removing exclusions for database files can cause CPU spikes from real-time scanning. The solution is not to exclude broadly but to add the specific recommended exclusions from the vendor. For example, Microsoft recommends excluding SQL Server .mdf, .ldf, and .ndf files from real-time scanning but not the SQL Server binary directory. Performance problems after exclusion removal are a sign the exclusion was covering something that still needs to be excluded -- narrow the scope and monitor.

How do I find which GPO is delivering specific exclusions?

Run gpresult /h c:\gpresult.html on the affected machine, open the HTML report, and look under Computer Configuration > Policies > Windows Components > Microsoft Defender Antivirus > Exclusions. The report shows which GPO applied each setting and whether it was from a Preferences or Policies node. For Intune-managed devices, check the Intune portal under Devices > select device > Device Configuration > Policies applied.

Should I exclude all of C:\Windows\Temp\?

No. This is one of the most dangerous exclusions to grant -- temp directories are a primary staging location for malware. The only legitimate reason to exclude a temp directory is if a specific application writes a specific file type there during processing and generates false positives. In that case, exclude the specific subfolder or file extension the application uses, not the entire temp directory. If a vendor tells you to exclude C:\Windows\Temp\ broadly, push back and ask for a more specific exclusion or a product fix.

What should I do if I cannot identify who added an exclusion?

If you cannot determine the original purpose of an exclusion, test removing it on a non-production system or a single endpoint first. Monitor for 24 to 48 hours: any false positive detections that appear after removing the exclusion will tell you what the exclusion was covering. If no detections appear, the exclusion was stale. If detections appear on legitimate files, evaluate whether they are true false positives (the file is known-good and incorrectly detected) or whether the exclusion was masking genuine malware.

Can attackers abuse AV exclusion paths to hide malware?

Yes, this is a well-documented persistence technique. If an attacker gains admin rights and knows which directories are excluded from scanning (or can read the exclusion policy from the registry), they can drop malicious files into those excluded paths and avoid detection. Read the exclusion list from HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions on any admin-access machine. Treat the exclusion list as sensitive configuration: restrict who can read and modify it, audit changes to exclusion paths using Event ID 5007 (Microsoft-Windows-Windows Defender/Operational), and alert when new exclusion paths are added. Never add user-writable directories like %APPDATA% or %TEMP% to the exclusion list.

What is the process for auditing all existing Microsoft Defender exclusions across an enterprise fleet?

Query exclusions from all managed endpoints via your MDM or endpoint management platform. In Intune: Device > Monitor > Antivirus reports shows the aggregate exclusion configuration deployed via Intune policy. For exclusions applied via GPO or manually on endpoints: use a PowerShell script deployed via Intune or SCCM that reads the exclusion registry keys (HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths, Processes, Extensions) on each machine and reports them to a central collection point. Compare the results from endpoint-reported exclusions against your Intune/GPO-deployed exclusions to identify unauthorized local exclusions (exclusions present on endpoints but not in any managed policy). Any exclusion not traced to an approved policy is unauthorized and warrants investigation. Prioritize auditing machines with exclusions covering paths that contain executable files or scripts.

Sources & references

  1. Microsoft: Configure Exclusions for Windows Security
  2. Microsoft: Common Mistakes When Defining Exclusions

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.