{
	"id": "35ce9ab0-5300-43ce-8f7a-cee0bd91c126",
	"created_at": "2026-04-06T00:18:06.071977Z",
	"updated_at": "2026-04-10T03:22:14.000597Z",
	"deleted_at": null,
	"sha1_hash": "8101dbebb88ce251a8b30af02e476ff99780a30b",
	"title": "Contextual file and folder exclusions - Microsoft Defender for Endpoint",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 71929,
	"plain_text": "Contextual file and folder exclusions - Microsoft Defender for\r\nEndpoint\r\nBy chrisda\r\nArchived: 2026-04-05 20:06:04 UTC\r\nThis article/section describes the contextual file and folder exclusions capability for Microsoft Defender Antivirus\r\non Windows. This capability allows you to be more specific when you define under which context Microsoft\r\nDefender Antivirus shouldn't scan a file or folder, by applying restrictions.\r\nOverview\r\nExclusions are primarily intended to mitigate affects on performance. They come at the penalty of reduced\r\nprotection value. These restrictions allow you to limit this protection reduction by specifying circumstances under\r\nwhich the exclusion should apply. Contextual exclusions aren't suitable for addressing false positives in a reliable\r\nway. If you encounter a false positive, you can submit files for analysis through the Microsoft Defender portal\r\n(subscription required) or through the Microsoft Security Intelligence website. For a temporary suppression\r\nmethod, consider creating a custom allow indicator in Microsoft Defender for Endpoint.\r\nThere are four restrictions you can apply to limit the applicability of an exclusion:\r\nFile/folder path type restriction. You can restrict exclusions to only apply if the target is a file, or a folder\r\nby making the intent specific. If the target is a file but the exclusion is specified to be a folder, the\r\nexclusion doesn't apply. Conversely, if the target is folder but the exclusion is specified to be a file, the\r\nexclusion applies.\r\nScan type restriction. Enables you to define the required scan type for an exclusion to apply. For example,\r\nyou only want to exclude a certain folder from Full scans but not from a \"resource\" scan (targeted scan).\r\nScan trigger type restriction. 
You can use this restriction to specify that the exclusion should only apply\r\nwhen the scan is initiated by a specific event, such as:\r\non demand;\r\non access; or\r\noriginating from behavioral monitoring.\r\nProcess restriction. Enables you to define that an exclusion should only apply when a file or folder is\r\nbeing accessed by a specific process.\r\nConfiguring restrictions\r\nRestrictions are typically applied by adding the restriction type to the file or folder exclusion path.\r\nhttps://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus\r\nPage 1 of 5\n\nRestriction | TypeName | value\r\nFile/folder | PathType | file, folder\r\nScan type | ScanType | quick, full\r\nScan trigger | ScanTrigger | OnDemand, OnAccess, BM (Behavior monitoring)\r\nProcess | Process | \u003cpath\u003e\r\nImportant\r\nTypeName and value keywords are case sensitive.\r\nRequirements\r\nThis capability requires Microsoft Defender Antivirus.\r\nPlatform version: 4.18.2205.7 or later\r\nEngine version: 1.1.19300.2 or later\r\nSee Microsoft Defender Antivirus security intelligence and product updates.\r\nSyntax\r\nAs a starting point, you might already have exclusions in place that you wish to make more specific. To form the\r\nexclusion string, first define the path to the file or folder to be excluded, then add the type name and associated\r\nvalue, as shown in the following example.\r\n\u003cPATH\u003e\\:{TypeName:value,TypeName:value}\r\nKeep in mind that all types and values are case sensitive.\r\nNote\r\nConditions inside {} MUST be true for the restriction to match. For example, if you specify two scan triggers\r\nthis cannot be true, and the exclusion will not apply. 
To specify two restrictions of the same type, create two\r\nseparate exclusions.\r\nExamples\r\nThe following string excludes c:\\documents\\design.doc only if it's a file and only in on-access scans:\r\nc:\\documents\\design.doc\\:{PathType:file,ScanTrigger:OnAccess}\r\nThe following string excludes c:\\documents\\design.doc only if it's scanned (on-access), due to it being\r\naccessed by a process having the image name winword.exe:\r\nc:\\documents\\design.doc\\:{Process:\"winword.exe\"}\r\nFile and folder paths can contain wildcards, as in the following example:\r\nc:\\*\\*.doc\\:{PathType:file,ScanTrigger:OnDemand}\r\nThe process image path can contain wildcards, as in the following example:\r\nc:\\documents\\design.doc\\:{Process:\"C:\\Program Files*\\Microsoft Office\\root\\Office??\\winword.exe\"}\r\nFile/folder restriction\r\nYou can restrict exclusions to only apply if the target is a file or a folder by making the intent specific. If the target\r\nis a file but the exclusion is specified to be a folder, the exclusion doesn't apply. Conversely, if the target is a folder\r\nbut the exclusion is specified to be a file, the exclusion applies.\r\nFile/folder exclusions default behavior\r\nIf you don't specify any other options, the file/folder is excluded from all types of scans, and the exclusion applies\r\nregardless of whether the target is a file or a folder. 
For more information about customizing exclusions to only\r\napply to a specific scan type, see Scan type restriction.\r\nNote\r\nWildcards are supported in file/folder exclusions.\r\nFolders\r\nTo ensure an exclusion only applies if the target is a folder, not a file, you can use the PathType:folder restriction.\r\nFor example:\r\nC:\\documents\\*\\:{PathType:folder}\r\nFiles\r\nTo make sure an exclusion only applies if the target is a file, not a folder, you can use the PathType:file restriction.\r\nFor example:\r\nC:\\documents\\*.mdb\\:{PathType:file}\r\nScan type restriction\r\nBy default, exclusions apply to all scan types:\r\nresource: a single file or folder is scanned in a targeted way (for example, right-click, Scan)\r\nquick: common startup locations utilized by malware, memory, and certain registry keys\r\nfull: includes quick scan locations and complete file system (all files and folders)\r\nTo mitigate performance issues, you can exclude a folder or a set of files from being scanned by a specific scan\r\ntype. 
You can also define the required scan type for an exclusion to apply.\r\nTo exclude a folder from being scanned only during a full scan, specify a restriction type together with the file or\r\nfolder exclusion, as in the following example:\r\nC:\\documents\\:{ScanType:full}\r\nTo exclude a folder from being scanned only during a quick scan, specify a restriction type together with the file\r\nor folder exclusion, as in the following example:\r\nC:\\program.exe\\:{ScanType:quick}\r\nIf you want to make sure this exclusion only applies to a specific file and not a folder (c:\\foo.exe could be a\r\nfolder), also apply the PathType restriction, as in the following example:\r\nC:\\program.exe\\:{ScanType:quick,PathType:file}\r\nScan trigger restriction\r\nBy default, basic exclusions apply to all scan triggers. ScanTrigger restriction enables you to specify that the\r\nexclusion should only apply when the scan was initiated by a specific event; on demand (including quick, full, and\r\ntargeted scans), on access or originating from behavioral monitoring (including memory scans).\r\nOnDemand: a scan that's triggered by a command or admin action. Remember that scheduled quick and\r\nfull scans also fall under this category.\r\nOnAccess: a file or folder is opened/written/read/modified (typically considered real-time protection)\r\nBM: a behavioral trigger causes the behavioral monitoring to scan a specific file\r\nTo exclude a file or folder and its contents from being scanned only when the file is being scanned after being\r\naccessed, define a scan trigger restriction such as the following example:\r\nc:\\documents\\:{ScanTrigger:OnAccess}\r\nProcess restriction\r\nThis restriction allows you to define that an exclusion should only apply when a file or folder is being accessed by\r\na specific process. A common scenario is when you want to avoid excluding the process as that avoidance would\r\ncause Defender Antivirus to ignore other operations by that process. 
Wildcards are supported in the process\r\nname/path.\r\nNote\r\nUsing a large amount of process exclusion restrictions on a machine can adversely affect performance. In addition,\r\nif an exclusion is restricted to a certain process or processes, other active processes (such as indexing, backup,\r\nupdates) can still trigger file scans.\r\nTo exclude a file or folder only when accessed by a specific process, create a normal file or folder exclusion and\r\nadd the process to restrict the exclusion to. For example:\r\nc:\\documents\\design.doc\\:{Process:\"winword.exe\", Process:\"msaccess.exe\", Process:\"C:\\Program Files*\\Microsoft Office\\root\\Office??\\winword.exe\"}\r\nHow to configure\r\nAfter constructing your desired contextual exclusions, you can use your existing management tool to configure\r\nfile and folder exclusions using the string you created.\r\nSee Configure and validate exclusions for Microsoft Defender Antivirus scans.\r\nSee also\r\nExclusions overview\r\nCommon mistakes to avoid when defining exclusions\r\nSource: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
	],
	"report_names": [
		"configure-contextual-file-folder-exclusions-microsoft-defender-antivirus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434686,
	"ts_updated_at": 1775791334,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8101dbebb88ce251a8b30af02e476ff99780a30b.pdf",
		"text": "https://archive.orkl.eu/8101dbebb88ce251a8b30af02e476ff99780a30b.txt",
		"img": "https://archive.orkl.eu/8101dbebb88ce251a8b30af02e476ff99780a30b.jpg"
	}
}