Forum Discussion
Proper way to exclude applications or folders from ATP protection
Also curious here. The exclusions for the automated response portion do not actually seem to exclude it from scanning that folder. Custom indicators also do not seem to solve the issue for us, as our hashes are not staying the same day to day as we continue to develop items. It's great that Defender AV can actually exclude a folder, but it's becoming troublesome that EDR/ATP is still hitting heavily on those locations. Did anyone here ever find an answer?
- johnzabroski_wam, Jun 14, 2021 (Copper Contributor)
Bennett - We also have the same issue. We have Microsoft Endpoint Manager with Intune, and we have a TeamCity build server where we call Sysinternals handle.exe, and we can clearly see that MsSense.exe has an open file handle to a *.nupkg in our build pipeline, which causes MSBuild to fail.
Here is what I have figured out so far. Add-MpPreference does nothing to stop this problem from happening. The following two documentation links support that it won't stop this problem. However, I can't find documentation explaining how to stop it!
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide#examples-of-exclusions
says:
The exclusions only apply to real-time protection (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus?view=o365-worldwide). They don't apply to scheduled or on-demand scans.
Note: We don't have real-time monitoring enabled.
Also, see the very top IMPORTANT message on https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide
Important
Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including endpoint detection and response (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response), attack surface reduction (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction), and controlled folder access (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/controlled-folders). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint custom indicators (https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators).
Separately, when I run Get-MpComputerStatus in PowerShell, the last QuickScan was two days ago, indicating that Mp is completely separate from Windows Defender ATP.
Separately, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defender-setup?view=o365-worldwide appears to be incorrect. It lists SenseIR.exe as the executable for Windows Server 2019. We're using Windows Server 2019 Datacenter Edition and the executable giving us fits is MsSense.exe. Both are in the same directory on our version of Windows.
Separately, I added a pull request just now to update the documentation in one area, since for some reason dotnet.exe isn't encouraged to NOT be excluded. https://github.com/MicrosoftDocs/microsoft-365-docs/pull/5320
Additional Tags: WDATP, Windows Defender ATP, Advanced Threat Protection Sense
- johnzabroski_wam, Jun 15, 2021 (Copper Contributor)
I also think this cannot be coming from the ASR (Attack Surface Reduction) feature. The reason is that if I remote into the machine with the problem and run:
Get-MpPreference | Select AttackSurfaceReductionOnlyExclusions,AttackSurfaceReductionRules_Actions,AttackSurfaceReductionRules_Ids
The output is:
AttackSurfaceReductionOnlyExclusions AttackSurfaceReductionRules_Actions AttackSurfaceReductionRules_Ids
------------------------------------ ----------------------------------- -------------------------------
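The two posts above separate the question into pieces: are Defender AV path/process exclusions in place, is real-time protection on (the only scan type that process-opened-file exclusions cover), are any ASR rules configured, is the Sense (Defender for Endpoint) service running, and which process actually holds the open handle on the .nupkg. The PowerShell below is an added diagnostic that runs those checks in one pass; it is not code from the thread or from Microsoft. It assumes the Defender PowerShell module is present, that Sysinternals handle.exe is on PATH for the live handle check, and that handle.exe prints one line per handle in the shape `<process> pid: <n> type: File <hex>: <path>`; that line shape is an assumption and is exercised against a constructed sample, not output captured from the poster's build server.

```powershell
# Added example, not from the thread. Gathers the facts the posts above reason from.
# Assumptions (see lead-in): Defender module present; handle.exe on PATH for the live check;
# handle.exe line shape as parsed in ConvertFrom-HandleOutput.

function Get-DefenderPostureReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
        LastQuickScanEnd          = $status.QuickScanEndTime
        ExclusionPaths            = @($pref.ExclusionPath)
        ExclusionProcesses        = @($pref.ExclusionProcess)
        AsrRuleCount              = @($pref.AttackSurfaceReductionRules_Ids).Count
        # Sense is the EDR sensor service (binary MsSense.exe); AV exclusions do not apply to it.
        SenseServiceStatus        = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
        SenseProcessPath          = (Get-Process -Name MsSense -ErrorAction SilentlyContinue |
                                     Select-Object -First 1 -ExpandProperty Path)
    }
}

# True when $Path is equal to, or underneath, one of the AV ExclusionPath entries.
function Test-AvPathExcluded {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ExclusionPaths
    )
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase
    $full = [System.IO.Path]::GetFullPath($Path).TrimEnd('\')
    foreach ($ex in $ExclusionPaths) {
        if ([string]::IsNullOrWhiteSpace($ex)) { continue }
        $exFull = [System.IO.Path]::GetFullPath($ex).TrimEnd('\')
        if ($full.Equals($exFull, $cmp) -or $full.StartsWith($exFull + '\', $cmp)) { return $true }
    }
    return $false
}

# Parses handle.exe output lines. Assumed shape: "<process> pid: <n> type: File <hex>: <path>".
function ConvertFrom-HandleOutput {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    process {
        foreach ($line in $Lines) {
            if ($line -match '^(?<proc>\S+)\s+pid:\s*(?<procid>\d+)\s+type:\s*(?<type>\w+)\s+(?<h>[0-9A-Fa-f]+):\s*(?<path>.+?)\s*$') {
                [pscustomobject]@{
                    Process   = $Matches.proc
                    ProcessId = [int]$Matches.procid
                    Type      = $Matches.type
                    Path      = $Matches.path
                }
            }
        }
    }
}

# Live check: which processes hold handles on a path. Returns nothing if handle.exe is absent.
function Get-FileHandleOwners {
    param([Parameter(Mandatory)][string]$Path)
    $handle = Get-Command handle.exe -ErrorAction SilentlyContinue
    if (-not $handle) { return @() }
    & $handle.Source -accepteula -nobanner $Path | ConvertFrom-HandleOutput
}

# --- Demonstration on constructed data (not captured from any real server) ---
$buildDir = 'C:\BuildAgent\work\pkg'
$constructedExclusions = @('C:\BuildAgent\work', 'D:\Other')
"AV exclusion covers $buildDir : " + (Test-AvPathExcluded -Path "$buildDir\Example.1.0.0.nupkg" -ExclusionPaths $constructedExclusions)

$constructedHandleOutput = @(
    'MsSense.exe        pid: 4520   type: File          1A8: C:\BuildAgent\work\pkg\Example.1.0.0.nupkg',
    'MSBuild.exe        pid: 7712   type: File          3C4: C:\BuildAgent\work\pkg\Example.1.0.0.nupkg'
)
$constructedHandleOutput | ConvertFrom-HandleOutput | Format-Table Process, ProcessId, Path -AutoSize

# On a real host, run the live checks:
Get-DefenderPostureReport | Format-List
Get-FileHandleOwners -Path $buildDir | Format-Table Process, ProcessId, Path -AutoSize
```

Reading the report: if `Test-AvPathExcluded` returns true for the build directory and `RealTimeProtectionEnabled` is false, no AV real-time scan can be what is touching the file, which matches the posts' reasoning; an `AsrRuleCount` of 0 rules out ASR; and a `SenseServiceStatus` of Running together with `MsSense.exe` appearing in the handle owners points at the EDR sensor, which AV exclusions do not cover.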