Forum Discussion

mhmmdrn
Copper Contributor
Jul 24, 2023

Automated Investigation Exclusions

Hi Community,

I have a question about AIR folder exclusions in Defender for Endpoint. I need to test this feature to be able to provide information to customers when they need some folders to be excluded from Automated Investigation.

For that I have tested the following scenario.

Automation folder exclusion: C:\users\pradeepgupta\downloads\

Antivirus exclusion folder (via Intune policy): C:\Users\PradeepGupta\Downloads


  1. I have downloaded a sample malware into the folder "Downloads". As I expected, there was no detection from Windows Defender because I have excluded this folder via Intune policy.
  2. Then I have copied this malware to another folder which is not excluded and, as I expected, Windows Defender detected and quarantined it.
  3. In the Defender for Endpoint portal an investigation started, and a few minutes later I have seen that the malware in the non-excluded folder has been remediated.
  4. But the malware in the excluded folder (Downloads folder, via Automation folder exclusions) has also been remediated.

I had expected that the folder which I added to the Automation Folder Exclusions would not be analyzed and that no files or malware would be detected or quarantined there.


Can anyone explain to me how this feature works? All answers would be appreciated. Thanks.

4 Replies

  • Try to exclude the folder using the format %userprofile%\Downloads and test your malware file again.
    • mhmmdrn
      Copper Contributor
      Thanks for the answer, but it didn't solve the issue. I have tested it with three different folders:
      1. An ordinary folder with no exclusions, neither Antivirus Policy nor Automated folder exclusions
      2. A folder which has been excluded via Intune Antivirus Policy
      3. A folder which has been excluded via Intune Antivirus Policy and Automated Folder Exclusion (%userprofile%\Downloads)

      I have extracted the malware into the folders and, as I expected, in folder 1 the AV detected it, but then after the MDE investigation the malware in the other two folders was remediated as well. I expected the malware to be remediated from folder 2 because it was not excluded via Automation Folder Exclusion, but for folder 3 I don't have any idea.

      It must be noted that the remediated malware samples were detected by Windows Defender as "unwanted application".
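One thing worth confirming before reasoning about portal-side behaviour like the thread above describes is that the endpoint really carries the antivirus exclusion you configured, and that the two spellings in play (the portal-style path with a trailing backslash and the %userprofile% form suggested in the first reply) resolve to the same folder on the device. The following is an added example written for this thread, not code posted by any participant. It assumes only the built-in Defender cmdlet Get-MpPreference, whose ExclusionPath property lists the configured AV exclusion paths; the normalization it applies (expanding environment variables, trimming trailing separators, case-folding) is this example's own check for configuration drift and says nothing about how Defender or MDE actually matches paths. It can only check the AV half of the setup: Automation folder exclusions live in the Defender for Endpoint portal and are not visible through a local cmdlet.

```powershell
# Added example, not from the thread: verify that the on-device Defender AV
# exclusion list covers the folder you expect. Run in an elevated PowerShell
# on the test device. Get-MpPreference is the built-in Defender cmdlet; the
# normalization below is this example's own convention (assumption), not the
# matching logic Defender or MDE uses internally.

function Normalize-ExclusionPath {
    param([Parameter(Mandatory)][string]$Path)
    # Expand %userprofile%-style variables, strip trailing separators,
    # and case-fold so the two spellings from the thread compare equal.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    return $expanded.TrimEnd('\', '/').ToLowerInvariant()
}

function Test-FolderIsExcluded {
    param([Parameter(Mandatory)][string]$Folder)
    $target = Normalize-ExclusionPath $Folder
    # ExclusionPath is $null when no path exclusions are configured; wrap in @() so
    # the pipeline below still works in that case.
    $configured = @((Get-MpPreference).ExclusionPath)
    $hits = @($configured | Where-Object { $_ -and (Normalize-ExclusionPath $_) -eq $target })
    [pscustomobject]@{
        Folder     = $Folder
        Normalized = $target
        Configured = $configured
        Covered    = ($hits.Count -gt 0)
    }
}

# Usage: both spellings used in the thread should normalize to the same folder
# for the currently signed-in user. Covered = False for both means the Intune
# policy has not reached the device (check policy assignment and sync); Covered
# differing between the two means the configured entry was written in a form
# that does not resolve to the folder under test.
Test-FolderIsExcluded 'C:\users\pradeepgupta\downloads\'
Test-FolderIsExcluded '%userprofile%\Downloads'
```

Note that %userprofile% is expanded by this script in the context of whoever runs it, so if the test account differs from the admin account, run the check as the test user (or substitute the literal path) to avoid a false mismatch.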