Forum Discussion
Defender exclusion model seems to Violate CIS Benchmarks
Basically I wanted to exclude shadow copies from the virus scans, as this already takes forever and I could see high system usage while this was done on our server. The logic being that this data was already scanned multiple times again and again, and even if a virus managed to infect the shadow volume it would be caught as soon as the file was restored. Unfortunately it seems to be impossible to only exclude the HarddiskVolumeShadowCopy, so to achieve this I would have to exclude the whole "System Volume Information" folder, and this obviously violates the CIS benchmark for security; it is generally just weak design that this is not possible (unless I am misunderstanding something and it is possible in some way).
So here is the long and short after my debate with Copilot:
Microsoft Defender Antivirus currently lacks support for exclusions using NT device paths such as:
\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*
This limitation forces administrators to exclude the entire System Volume Information folder to prevent scanning of VSS shadow copies. However, this folder contains multiple critical system components beyond shadow copies, including:
- NTFS Change Journal (USN)
- DFS Replication Database
- Indexing Service Data
- Other system metadata
Excluding this entire folder violates CIS Benchmarks and Microsoft's own hardening guidance, which recommend minimizing antivirus exclusions to the smallest scope possible (Principle of Least Privilege). The current design introduces unnecessary risk and creates compliance gaps for organizations following CIS or similar frameworks.
Impact:
- Security risk: Broader exclusions than necessary reduce visibility into system metadata.
- Compliance risk: Organizations cannot meet CIS Benchmark requirements for AV configuration.
- Operational inefficiency: Defender scans shadow copies using kernel paths but does not allow precise exclusions for those same paths.
Recommendation:
Microsoft should:
- Support exclusions for NT device paths (e.g., \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy*).
- Alternatively, provide a specific policy setting to exclude VSS snapshots without excluding other system components.
This change would align Defender with CIS Benchmark principles, reduce unnecessary exclusions, and improve performance without compromising security.
References:
- CIS Microsoft Windows Server Benchmark v3.0
- Microsoft Defender Antivirus Configuration Guidelines
- Principle of Least Privilege in AV Exclusions
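The post argues that excluding all of "System Volume Information" is wider than least-scope exclusion guidance allows. The following PowerShell audit is an added example, not code from the original post or from Microsoft; it reads the configured Defender path exclusions with the real Get-MpPreference cmdlet (its ExclusionPath property) and flags entries that cover a whole drive, the SVI folder, or other broad system roots. The list of "too broad" patterns is this example's own assumption, not a published CIS list, and the sample exclusion paths at the bottom are constructed so the function can be exercised without touching a live host.

```powershell
# Added example (not from the original post): audit Microsoft Defender path exclusions
# for overly broad entries. Assumes the Defender PowerShell module (Get-MpPreference)
# is present; run in an elevated session to read the live configuration.

# Patterns treated as "too broad" for a least-scope exclusion policy.
# These are this example's assumptions, not a CIS-published list.
$BroadPatterns = @(
    '^[A-Za-z]:\\$',                                 # whole drive root
    '^[A-Za-z]:\\System Volume Information\\?$',    # entire SVI folder (USN journal, DFSR db, index data)
    '^[A-Za-z]:\\Windows\\?$',                       # entire Windows directory
    '^[A-Za-z]:\\Users\\?$'                          # all user profiles
)

function Test-BroadExclusion {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($pattern in $BroadPatterns) {
        if ($Path -match $pattern) { return $true }
    }
    return $false
}

function Get-DefenderExclusionReport {
    [CmdletBinding()]
    param(
        # Optional: pass a list directly (e.g. exported from another host)
        # instead of querying the local Defender configuration.
        [string[]]$ExclusionPath
    )
    if (-not $PSBoundParameters.ContainsKey('ExclusionPath')) {
        $ExclusionPath = (Get-MpPreference).ExclusionPath
    }
    foreach ($path in ($ExclusionPath | Where-Object { $_ })) {
        $note = ''
        if ($path -match 'System Volume Information') {
            # Matches the concern in the post: SVI holds more than shadow copies.
            $note = 'Excluding SVI also hides the USN journal, DFSR database and index data from scans'
        }
        [pscustomobject]@{
            Path     = $path
            TooBroad = Test-BroadExclusion -Path $path
            Note     = $note
        }
    }
}

# Constructed sample input so the report can be exercised offline.
$sampleExclusions = @(
    'C:\System Volume Information',
    'D:\Backups\nightly.vhdx',
    'C:\'
)
Get-DefenderExclusionReport -ExclusionPath $sampleExclusions | Format-Table -AutoSize

# On a real host (elevated), list only the entries that need review:
# Get-DefenderExclusionReport | Where-Object TooBroad
```

With the constructed sample, the first and third entries are reported as too broad and the first carries the SVI note, while the single backup file passes. The report is an audit aid for compliance review; it does not change the exclusion list, and whether a flagged path can be narrowed still depends on what Defender accepts, which is exactly the limitation the post describes for shadow-copy device paths.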