LeachimX
Copper Contributor
May 24, 2024

Wildcard syntax at process exclusion list is not effective

Hi,
we have a problem with an executable which is establishing a UDP connection to another machine.

The exe can be started, but Defender blocks the connection.
Disabling Defender results in a successful connection.

Adding the process to the process exclusion list is also effective.

BUT!

Using the wildcard syntax as described at
https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus

doesn't work at all.

No wildcard syntax we tried was effective.

We tried:

*
*.exe
c:\*
c:\*.exe
c:\*\myprocess.exe
c:\mydir\*

The only two syntax versions which were effective are:

c:\myDir\myprocess.exe
or
myprocess.exe

So the documentation seems to be wrong or incomplete.

What is the correct usage of this wildcard notation?





  • Hi LeachimX

    To exclude a process using wildcards, you must include the full path of the process. Check this article > https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-process-exclusion-list

     

    If the process is located at c:\myDir\myprocess.exe then c:\*\myprocess.exe should work. Keep in mind that if multiple folders are used then you need to use * (asterisk) for each folder. Example: C:\myDir1\myDir2\myprocess.exe > C:\*\*\myprocess.exe

    • zdarsky
      Copper Contributor

      MatejKlemencic Hi

      I am not sure if you have read my post.

      I already provided the link you have just reposted.

      And as mentioned, no, the syntax is not working, and I already gave an example for this.

      Regards

      Michael

      • MatejKlemencic
        Brass Contributor

        Hi zdarsky 

        I did read your post thoroughly. However, the link you provided doesn't point to the same article as mine. 

         

        The examples you provided were mostly incorrect. Could you clarify why you want to use a wildcard? Specifically, do you need it for the process name or the folder? This detail might help. Additionally, it would be helpful to know if you are configuring the exclusion directly on a device or through GPO, Intune, SCCM, etc.
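
To compare what is actually stored on the device with the patterns discussed in this thread, the configured process exclusions can be listed and sorted by shape. The PowerShell below is an added example, not posted by anyone in the thread; `Get-ExclusionShape`, its shape names and its columns are hypothetical, and it assumes that only drive-rooted entries (the form used in the thread) count as full paths.

```powershell
# Added example, not from the thread. Get-ExclusionShape and its output columns
# are names invented for this example; only Get-MpPreference is a Defender cmdlet.
function Get-ExclusionShape {
    param([Parameter(Mandatory)][string]$Entry)

    $hasWildcard = $Entry -match '[*?]'
    # Assumption: only drive-rooted entries (C:\...) are treated as full paths.
    $isFullPath  = $Entry -match '^[A-Za-z]:\\'
    $segments    = @($Entry -split '\\' | Where-Object { $_ -ne '' })
    $leaf        = $segments[-1]

    if ($isFullPath -and $hasWildcard) { $shape = 'FullPathWithWildcard' }
    elseif ($isFullPath)               { $shape = 'FullPath' }
    elseif ($hasWildcard)              { $shape = 'WildcardWithoutFullPath' }
    else                               { $shape = 'ImageNameOnly' }

    # Folder levels between the drive and the last segment, for comparison
    # with the depth of the real path of the process.
    $folders = $null
    if ($isFullPath) { $folders = $segments.Count - 2 }

    [pscustomobject]@{
        Entry      = $Entry
        Shape      = $shape
        Folders    = $folders
        # False when the last segment is itself a wildcard (e.g. *, *.exe),
        # i.e. the entry is not tied to one specific image name.
        PinnedLeaf = $leaf -notmatch '[*?]'
    }
}

# Process exclusions as Defender reports them on this device.
# Run elevated; a non-elevated session may not show the entries.
$configured = @((Get-MpPreference).ExclusionProcess | Where-Object { $_ })

# Constructed sample: the patterns listed in the question, for comparison.
$fromThread = '*', '*.exe', 'c:\*', 'c:\*.exe', 'c:\*\myprocess.exe',
              'c:\mydir\*', 'c:\myDir\myprocess.exe', 'myprocess.exe'

'--- configured on this device ---'
$configured | ForEach-Object { Get-ExclusionShape $_ } | Format-Table -AutoSize
'--- patterns from the question ---'
$fromThread | ForEach-Object { Get-ExclusionShape $_ } | Format-Table -AutoSize
```

Entries reported as `WildcardWithoutFullPath` are the ones that do not meet the full-path requirement stated in the first reply, and entries with `PinnedLeaf` set to `False` would, where honoured, cover more than the single executable the exclusion was meant for.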
