Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Proper way to exclude applications or folders from ATP protection

Copper Contributor

We have started to see issues creep up with MsSense.exe reading network files while one of our applications is trying to open the files off a network location.  In the past this hasn't caused issues but now we are starting to get file conflicts with both ATP and our application trying to access the file at the same time. 

 

I know you can add exclusions to Windows Defender but as far as I can tell those do not apply to ATP.  The closest thing I have found for trying to exclude MsSense.exe from scanning specific folders or files is automation folder exclusions which according to the Microsoft docs this it can be used to exclude folders from the automated investigation.  Not sure if Automated investigation is what is being run by MsSense.exe.

 

Can someone point me to documentation of how to exclude a folder or file(s) from being scanned/monitored by ATP?

6 Replies

@Dane_BHave you ever found a solution for your issue? I'm experiencing the same thing

@Michiel_Singor No we ended up working with MS support and they added a custom whitelist on the backend.  Things may have changed since then though I dont know.  I dont use ATP I was just doing research as we are a software vendor with clients that use it.  

My understanding was that exclusions should be managed by custom indicators or automation folder exclusions, but would appreciate if others in the community can shed their experience too.

Also curious here. The exclusions for the automated response portion does not actually seem to exclude it from scanning that folder. Custom indicators also does not seem to solve the issue for us, as our hashes are not staying the same day to day as we continue to develop items. It's great that Defender AV can actually exclude a folder, but it's becoming troublesome that EDR/ATP is still hitting heavily on those locations. Did anyone here ever find an answer?

@Bennett- We also have the same issue.  We have Microsoft Endpoint Manager with Intune, and we have a TeamCity build server where we call sysinternals handle.exe and we can clearly see that mssense.exe has an open file handle to a *.nupkg in our build pipeline, which causes MSBuild to fail.

 

Here is what I have figured out so far.  Add-MpPreference does nothing to stop this problem from happening.  The following two documentation links support that it won't stop this problem.  However, I can't find documentation explaining how to stop it!

 

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-f...

 

says:

 

The exclusions only apply to always-on real-time protection and monitoring. They don't apply to scheduled or on-demand scans.

Note: We don't have real-time monitoring enabled.

 

Also, see the very top IMPORTANT message on https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-e...

Important

Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including endpoint detection and response (EDR), attack surface reduction (ASR) rules, and controlled folder access. Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint custom indicators.


Separately, when I run Get-MpComputerStatus in PowerShell, the last QuickScan was two days ago, indicating that Mp is completely separate from Windows Defender ATP.

 

Separately, https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/switch-to-microsoft-defend... appears to be incorrect.  It lists SenseIR.exe as the executable for Windows Server 2019.  We're using Windows Server 2019 Datacenter Edition and the executable giving us fits is MsSense.exe.  Both are in the same directory on our version of Windows.

 

Separately, I added a pull request just now to update the documentation in one area, since for some reason dotnet.exe isn't encouraged to NOT be excluded. https://github.com/MicrosoftDocs/microsoft-365-docs/pull/5320

 

Additional Tags: WDATP, Windows Defender ATP, Advanced Threat Protection Sense

I also think this cannot be coming from ASR (Attack Surface Reduction) feature. The reason is if I remote into the machine with the problem, and run:

 

 

Get-MpPreference | Select AttackSurfaceReductionOnlyExclusions,AttackSurfaceReductionRules_Actions,AttackSurfaceReductionRules_Ids

 

The output is:

AttackSurfaceReductionOnlyExclusions AttackSurfaceReductionRules_Actions AttackSurfaceReductionRules_Ids
------------------------------------ ----------------------------------- -------------------------------