Wildcard syntax at process exclusion list is not effective


Hi
we have a problem with an executable which is establishing a UDP connection to another machine.

The exe can be started, but Defender blocks the connection.
Disabling Defender results in a successful connection.

Adding the process to the process exclusion list is also effective.

BUT!

Using the wildcard syntax as described at
https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antiviru...

doesn't work at all.

No wildcard syntax we tried was effective.

We tried:
*

*.exe
c:\*
c:\*.exe
c:\*\myprocess.exe
c:\mydir\*

The only two syntax versions which were effective are:

c:\myDir\myprocess.exe
or
myprocess.exe

So the documentation seems to be wrong or incomplete.

What is the correct usage of this wildcard notation?

6 Replies

Hi @LeachimX

To exclude a process using wildcards, you must include the full path of the process. Check this article > https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microso...

 

If the process is located at c:\myDir\myprocess.exe then c:\*\myprocess.exe should work. Keep in mind that if multiple folders are used then you need to use * (asterisk) for each folder. Example: C:\myDir1\myDir2\myprocess.exe > C:\*\*\myprocess.exe

@MatejKlemencic  Hi

I am not sure if you have read my post.

I already provided the link you have just reposted.

And as mentioned, no, the syntax is not working, and I already gave an example for this.

Regards

Michael

 

Hi @zdarsky 

I did read your post thoroughly. However, the link you provided doesn't point to the same article as mine. 

 

The examples you provided were mostly incorrect. Could you clarify why you want to use a wildcard? Specifically, do you need it for the process name or the folder? This detail might help. Additionally, it would be helpful to know if you are configuring the exclusion directly on a device or through GPO, Intune, SCCM, etc.

@MatejKlemencic 
The link you provided was just a subchapter of the general topic.

The examples I provided listed the paths we tried,
containing exactly your example as an option we tried.
And also your example is not effective.

So again - the option c:\*\myprocess.exe is NOT working.

We are using the GUI from the OS settings dialog to try.
The paths entered can then be seen in the registry.
Also directly entering it in the registry. Nothing helps.

Initially we tried to enable a bunch of executables until we realized that the wildcard syntax is not effective. And the reason doesn't matter. The point is, the wildcard syntax is not working.

Then we switched to whitelisting the single executables.
Again: the only options which were effective were:

c:\mydir\myprocess.exe
and
myprocess.exe

EVERY other wildcard syntax was NOT effective, regardless of the different possibilities given in the Microsoft documentation. So from our perspective the documentation is definitely wrong.

Regards

Michael

@zdarsky 

Did you try to add it as an ExclusionPath? I'm curious to see if it makes any difference.

 

PowerShell (as administrator):

Add-MpPreference -ExclusionPath c:\*\myprocess.exe

@MatejKlemencic 
Hi

I don't know what you are going to try.
The point is:
when we don't add the correct exclusion for the process, the UDP connection is blocked.

So again:
We are talking about blocked UDP connections when the exclusion is missing in processes.
The executable is RUNNING.
The connection the exe is trying to establish is blocked.

Adding the process to the exclusion list, and the connection can be established.

But yes, all necessary paths are already excluded from scanning.




Regards

Michael