Merge pull request #1312 from j0shbregman/docs-editor/configure-extension-file-exclu-1725996679

denisebmsft · web-flow · commit 58660dd2f362 · 2024-09-10T14:34:04.000-07:00
Update configure-extension-file-exclusions-microsoft-defender-antivirus.md
diff --git a/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md b/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@@ -4,7 +4,7 @@ description: Exclude files from Microsoft Defender Antivirus scans based on thei
 ms.service: defender-endpoint
 ms.subservice: ngp
 ms.localizationpriority: medium
-ms.date: 04/03/2024
+ms.date: 09/10/2024
 author: siosulli
 ms.author: siosulli
 ms.topic: conceptual
@@ -30,7 +30,7 @@ search.appverid: met150
 
 - Windows
 
-You can define exclusions for Microsoft Defender Antivirus that apply to [scheduled scans](schedule-antivirus-scans.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on, real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). **Generally, you don't need to apply exclusions**. If you do need to apply exclusions, then you can choose from the following:
+You can define exclusions for Microsoft Defender Antivirus that apply to [scheduled scans](schedule-antivirus-scans.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on, real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). **Generally, you don't need to apply exclusions**. If you do need to apply exclusions, then you can choose from the following types:
 
 - Exclusions based on file extensions and folder locations (described in this article)
 - [Exclusions for files that are opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
@@ -46,7 +46,7 @@ See [Recommendations for defining exclusions](configure-exclusions-microsoft-def
 
 ## Exclusion lists
 
-To exclude certain files from Microsoft Defender Antivirus scans, modify your exclusion lists. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios and situations.
+To exclude certain files from Microsoft Defender Antivirus scans, modify your exclusion lists. Microsoft Defender Antivirus includes many automatic exclusions based on known operating system behaviors and typical management files, such as those used in enterprise management, database management, and other enterprise scenarios.
 
 > [!NOTE]
 > Exclusions apply to [potentially unwanted apps (PUA) detections](detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md) as well.
@@ -109,21 +109,28 @@ See [How to create and deploy antimalware policies: Exclusion settings](/configm
 4. Open the **Path Exclusions** setting for editing, and add your exclusions.
 
     1. Set the option to **Enabled**.
+
     2. Under the **Options** section, select **Show**.
+    
     3. Specify each folder on its own line under the **Value name** column.
-    4. If you are specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension.
+    
+    4. If you're specifying a file, ensure that you enter a fully qualified path to the file, including the drive letter, folder path, file name, and extension.
+    
     5. Enter **0** in the **Value** column.
 
-5. Choose **OK**.
+    6. Choose **OK**.
 
-6. Open the **Extension Exclusions** setting for editing and add your exclusions.
+5. Open the **Extension Exclusions** setting for editing and add your exclusions.
 
     1. Set the option to **Enabled**.
+    
     2. Under the **Options** section, select **Show**.
+    
     3. Enter each file extension on its own line under the **Value name** column.
+    
     4. Enter **0** in the **Value** column.
 
-7. Choose **OK**.
+    5. Choose **OK**.
 
 <a id="ps"></a>
 
@@ -150,7 +157,7 @@ The following table lists values that you can use in the `<exclusion list>` port
 |Exclusion type|PowerShell parameter|
 |---|---|
 |All files with a specified file extension|`-ExclusionExtension`|
-|All files under a folder (including files in sub-directories), or a specific file|`-ExclusionPath`|
+|All files under a folder (including files in subdirectories), or a specific file|`-ExclusionPath`|
 
 > [!IMPORTANT]
 > If you have created a list, either with `Set-MpPreference` or `Add-MpPreference`, using the `Set-MpPreference` cmdlet again overwrites the existing list.
@@ -188,7 +195,7 @@ See [Add exclusions in the Windows Security app](microsoft-defender-security-cen
 
 ## Use wildcards in the file name and folder path or extension exclusion lists
 
-You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. The way these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
+You can use the asterisk `*`, question mark `?`, or environment variables (such as `%ALLUSERSPROFILE%`) as wildcards when defining items in the file name or folder path exclusion list. You can mix and match `*` and `?` and environment variables into a single exclusion.   The way these wildcards are interpreted differs from their usual usage in other apps and languages. Make sure to read this section to understand their specific limitations.
 
 > [!IMPORTANT]
 > There are key limitations and usage scenarios for these wildcards:
@@ -204,6 +211,7 @@ The following table describes how the wildcards can be used and provides some ex
 |`*` (asterisk) <br/><br/> In **file name and file extension inclusions**, the asterisk replaces any number of characters, and only applies to files in the last folder defined in the argument. <br/><br/> In **folder exclusions**, the asterisk replaces a single folder. Use multiple `*` with folder slashes `\` to indicate multiple nested folders. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\*.txt` includes `C:\MyData\notes.txt` <br/><br/> `C:\somepath\*\Data` includes any file in `C:\somepath\Archives\Data` and its subfolders, and `C:\somepath\Authorized\Data` and its subfolders <br/><br/> `C:\Serv\*\*\Backup` includes any file in `C:\Serv\Primary\Denied\Backup` and its subfolders, and `C:\Serv\Secondary\Allowed\Backup` and its subfolders|
 |`?` (question mark)  <br/><br/> In **file name and file extension inclusions**, the question mark replaces a single character, and only applies to files in the last folder defined in the argument. <br/><br/> In **folder exclusions**, the question mark replaces a single character in a folder name. After matching the number of wild carded and named folders, all subfolders are also included.|`C:\MyData\my?.zip` includes `C:\MyData\my1.zip` <br/><br/> `C:\somepath\?\Data` includes any file in `C:\somepath\P\Data` and its subfolders  <br/><br/> `C:\somepath\test0?\Data` would include any file in `C:\somepath\test01\Data` and its subfolders|
 |Environment variables <br/><br/> The defined variable is populated as a path when the exclusion is evaluated.|`%ALLUSERSPROFILE%\CustomLogFiles` would include `C:\ProgramData\CustomLogFiles\Folder1\file1.txt`|
+|Mix and Match <br/><br/>Environment variables `*` and `?` can be combined into a single exclusion|`%PROGRAMFILES%\Contoso*\v?\bin\contoso.exe` would include `c:\Program Files\Contoso Labs\v1\bin\contoso.exe`|
 
 > [!IMPORTANT]
 > If you mix a file exclusion argument with a folder exclusion argument, the rules stop at the file argument match in the matched folder, and don't look for file matches in any subfolders.
@@ -296,7 +304,7 @@ You can retrieve the items in the exclusion list by using one of the following m
 If you use PowerShell, you can retrieve the list in the following two ways:
 
 - Retrieve the status of all Microsoft Defender Antivirus preferences. Each list is displayed on separate lines, but the items within each list are combined into the same line.
-- Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line.
+- Write the status of all preferences to a variable, and use that variable to only call the specific list you're interested in. Each use of `Add-MpPreference` is written to a new line.
 
 ### Validate the exclusion list by using MpCmdRun
 
@@ -348,43 +356,35 @@ For more information, see [Use PowerShell cmdlets to configure and run Microsoft
 
 You can validate that your exclusion lists are working by using PowerShell with either the `Invoke-WebRequest` cmdlet or the .NET WebClient class to download a test file.
 
-In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you have excluded the `.testing` extension, replace `test.txt` with `test.testing`. If you're testing a path, make sure that you run the cmdlet within that path.
+In the following PowerShell snippet, replace `test.txt` with a file that conforms to your exclusion rules. For example, if you're excluding the `.testing` extension, replace `test.txt` with `test.testing`. If you're testing a path, make sure that you run the cmdlet within that path.
 
 ```PowerShell
 Invoke-WebRequest "https://secure.eicar.org/eicar.com.txt" -OutFile "test.txt"
 ```
 
-If Microsoft Defender Antivirus reports malware, then the rule is not working. If there is no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](https://www.eicar.org/download-anti-malware-testfile/).
+If Microsoft Defender Antivirus reports malware, then the rule isn't working. If there's no report of malware and the downloaded file exists, then the exclusion is working. You can open the file to confirm the contents are the same as what is described on the [EICAR test file website](https://www.eicar.org/download-anti-malware-testfile/).
 
-You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace `c:\test.txt` with a file that conforms to the rule you are validating:
+You can also use the following PowerShell code, which calls the .NET WebClient class to download the test file - as with the `Invoke-WebRequest` cmdlet; replace `c:\test.txt` with a file that conforms to the rule you're validating:
 
 ```PowerShell
 $client = new-object System.Net.WebClient
 $client.DownloadFile("http://www.eicar.org/download/eicar.com.txt","c:\test.txt")
 ```
 
-If you do not have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
+If you don't have Internet access, you can create your own EICAR test file by writing the EICAR string to a new text file with the following PowerShell command:
 
 ```PowerShell
 [io.file]::WriteAllText("test.txt",'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*')
 ```
 
-You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you are attempting to exclude.
+You can also copy the string into a blank text file and attempt to save it with the file name or in the folder you're attempting to exclude.
 
-> [!TIP]
-> If you're looking for Antivirus related information for other platforms, see:
-> - [Set preferences for Microsoft Defender for Endpoint on macOS](mac-preferences.md)
-> - [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md)
-> - [macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune](/mem/intune/protect/antivirus-microsoft-defender-settings-macos)
-> - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)
-> - [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-> - [Configure Defender for Endpoint on Android features](android-configure.md)
-> - [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
 
 ## See also
 
 - [Configure and validate exclusions in Microsoft Defender Antivirus scans](configure-exclusions-microsoft-defender-antivirus.md)
 - [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-microsoft-defender-antivirus.md)
 - [Configure Microsoft Defender Antivirus exclusions on Windows Server](configure-server-exclusions-microsoft-defender-antivirus.md)
 - [Common mistakes to avoid when defining exclusions](common-exclusion-mistakes-microsoft-defender-antivirus.md)
+
 [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../includes/defender-mde-techcommunity.md)]
