May 24 2024 02:19 AM
Hi
we have a problem with an executable which is establishing a UDP connection to another machine.
The exe can be started, but Defender blocks the connection.
Disabling Defender results in a successful connection.
Adding the process to the process exclusion list is also effective.
BUT!
Using the wildcard syntax as described at
https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antiviru...
doesn't work at all.
No wildcard syntax we tried was effective.
We tried:
*
*.exe
c:\*
c:\*.exe
c:\*\myprocess.exe
c:\mydir\*
The only two syntax versions which were effective are:
c:\myDir\myprocess.exe
or
myprocess.exe
So the documentation seems to be wrong or incomplete.
What is the correct usage of this wildcard notation?
May 26 2024 10:09 AM
Hi @LeachimX
To exclude a process using wildcards, you must include the full path of the process. Check this article > https://learn.microsoft.com/en-us/defender-endpoint/configure-process-opened-file-exclusions-microso...
If the process is located at c:\myDir\myprocess.exe then c:\*\myprocess.exe should work. Keep in mind that if multiple folders are used then you need to use * (asterisk) for each folder. Example: C:\myDir1\myDir2\myprocess.exe > C:\*\*\myprocess.exe
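As an added illustration (not code from this thread or from Microsoft), the following Python model encodes the rule stated in the reply above, that a wildcard exclusion needs the full path and each `*` stands for one folder segment, and applies it to the patterns listed in the question. It shows only what that documented rule would accept for a process at `c:\myDir\myprocess.exe`; it does not claim to reproduce what Defender actually did on the poster's machine, and the bare-name case is treated as an exact file-name match because the question reports that form as working.

```python
import re


def _segment_regex(segment: str) -> str:
    # '*' matches any run of characters inside ONE path segment only;
    # everything else is matched literally (paths are lower-cased first).
    return "".join(".*" if ch == "*" else re.escape(ch) for ch in segment)


def pattern_matches(pattern: str, process_path: str) -> bool:
    """Model of the rule from the reply: full path required when a wildcard
    is used, and '*' never spans a backslash. A pattern with no backslash is
    treated as a bare process name and compared to the file name only."""
    pat_parts = pattern.lower().split("\\")
    path_parts = process_path.lower().split("\\")
    if len(pat_parts) == 1:
        # Bare name: exact file-name match, no wildcard support in this model.
        return "*" not in pat_parts[0] and pat_parts[0] == path_parts[-1]
    if len(pat_parts) != len(path_parts):
        # One '*' per folder: segment counts must line up exactly.
        return False
    return all(re.fullmatch(_segment_regex(p), s) is not None
               for p, s in zip(pat_parts, path_parts))


def evaluate(patterns, process_path):
    """Return {pattern: matches?} for every candidate pattern."""
    return {p: pattern_matches(p, process_path) for p in patterns}


# The patterns tried in the question (constructed list, copied from the post).
TRIED = ["*", "*.exe", r"c:\*", r"c:\*.exe", r"c:\*\myprocess.exe",
         r"c:\mydir\*", r"c:\myDir\myprocess.exe", "myprocess.exe"]

if __name__ == "__main__":
    for pat, ok in evaluate(TRIED, r"c:\myDir\myprocess.exe").items():
        print(f"{pat:28} {'matches' if ok else 'no match'}")
```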
May 26 2024 10:45 AM
I am not sure if you have read my post.
I already provided the link you just reposted.
And as mentioned, no, the syntax is not working, and I already gave an example for this.
Regards
Michael
May 26 2024 01:26 PM
Hi @zdarsky
I did read your post thoroughly. However, the link you provided doesn't point to the same article as mine.
The examples you provided were mostly incorrect. Could you clarify why you want to use a wildcard? Specifically, do you need it for the process name or the folder? This detail might help. Additionally, it would be helpful to know if you are configuring the exclusion directly on a device or through GPO, Intune, SCCM, etc.
May 27 2024 02:17 AM - edited May 27 2024 02:41 AM
@MatejKlemencic
The link you provided was just a sub-chapter of the general topic.
The examples I provided listed the paths we tried, containing exactly your example as an option we tried.
And also your example is not effective.
So again - the option c:\*\myprocess.exe is NOT working.
We are using the GUI from OS settings dialog to try.
The paths entered can then be seen in the registry.
Also directly entering it in the registry. Nothing helps.
Initially we tried to enable a bunch of executables until we realized that the wildcard syntax is not effective. And the reason doesn't matter. The point is, the wildcard syntax is not working.
Then we switched to white listing the single executables.
Again: the only options which were effective were:
c:\mydir\myprocess.exe
and
myprocess.exe
EVERY other wildcard syntax was NOT effective, regardless of the different possibilities given in the Microsoft documentation. So from our perspective the documentation is definitely wrong.
Regards
Michael
May 27 2024 11:39 AM
Did you try to add it as an ExclusionPath? I'm curious to see if it makes any difference.
PowerShell (as administrator):
Add-MpPreference -ExclusionPath c:\*\myprocess.exe
May 27 2024 11:51 AM
@MatejKlemencic
Hi
I don't know what you are going to try.
The point is
when we don't add the correct exclusion for the process, the UDP connection is blocked.
So again
We are talking about blocked UDP connections when the exclusion is missing in processes.
The executable is RUNNING.
The connection the exe is trying to establish is blocked.
Adding the process to the exclusion list, and the connection can be established.
But yes, all necessary paths are already excluded from scanning.
Regards
Michael