Forum Discussion

LeachimX's avatar
LeachimX
Copper Contributor
May 24, 2024

Wildcard syntax at process exclusion list is not effective

Hi we have a problem with an executable which is establishing a UDP connection to another machine. The exe can be started, bud defender blocks connection. Disabling defender result in a succesfu...
MatejKlemencic's avatar
MatejKlemencic
Brass Contributor
May 26, 2024

Hi LeachimX

To exclude a process using wildcards, you must include the full path of the process. Check this article > https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus#use-wildcards-in-the-process-exclusion-list

 

If the process is located at c:\myDir\myprocess.exe then c:\*\myprocess.exe should work. Keep in mind that if multiple folders are used then you need to use * (asterisk) for each folder. Example: C:\myDir1\myDir2\myprocess.exe > C:\*\*\myprocess.exe

zdarsky's avatar
zdarsky
Copper Contributor
May 26, 2024

MatejKlemencic  Hi

I am not sure if you have read my post.

I already Provided the link you just have reposted.

 

And as mentioned, no, the syntax  is not working, and i already gave an example for this .

 

Regards 

Michael

 

  • MatejKlemencic's avatar
    MatejKlemencic
    Brass Contributor
    May 26, 2024

    Hi zdarsky 

    I did read your post thoroughly. However, the link you provided doesn't point to the same article as mine. 

     

    The examples you provided were mostly incorrect. Could you clarify why you want to use a wildcard? Specifically, do you need it for the process name or the folder? This detail might help. Additionally, it would be helpful to know if you are configuring the exclusion directly on a device or through GPO, Intune, SCCM, etc.

    • zdarsky's avatar
      zdarsky
      Copper Contributor
      May 27, 2024

      MatejKlemencic 
      The link you provide was just a sub chapter of the general topic.

      The examples I provide listed the paths we tried
      containing exactly your example as an option we tried.
      And also your example is not effective.

      So again - the option c:\*\myprocess.exe is NOT working.

      We are using the GUI from OS settings dialog to try.
      The paths entered can than be seen in the registry
      Also directly entering it in the registry. Nothing helps.

      Initially we tried to enable a bunch of executables until we realized that the wildcard syntax is not effective. And the reason doesn't matter. The point is, the wildcard syntax is not working.

      Then we switched to white listing the single executables.
      Again: the only optios which were effect were:

      c.\mydir\myprocess.exe
      and
      myprocess.exe

      EVERY other wildcard syntax was NOT effectiv, regardless the different possibilities given in the microsoft documentation. So from our perspective the documentation is definitely wrong.

      Regards

      Michael

      • MatejKlemencic's avatar
        MatejKlemencic
        Brass Contributor
        May 27, 2024

        zdarsky 

        Did you try to add it as a ExclusionPath? I'm curious to see if it makes any difference. 

         

        PowerShell (as administrator):

        Add-MpPreference -ExclusionPath c:\*\myprocess.exe

         

         

Resources