maphew

Windows Defender

2021-Mar-19

How to exclude specific shadow copy files or folders from Windows Defender?

I have some utilities purposefully installed on my computer that Windows Defender detects as malware/hacking tools and wants to remove. I've successfully added them to the exclusion whitelist via

Control Panel >> Virus & threat protection >> Manage Settings >> Add or remove exlcusions

Article Image

Powershell

#show existing exclusions
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

# add new ones
Add-MpPreference -ExclusionPath "C:\tools\NirLauncher"
Add-MpPreference -ExclusionPath “D:\apps\pixi\bin”

# remove
Remove-MpPreference -ExclusionPath "C:\path\to\directory"

This can be overriden by group policy from the domain admin. There's no error when adding/removing in this case, so always finish with 'show existing' to see what's actually in place.

I am no longer plagued by notifications about virus threats for these files. However I am still being spammed about these same files in the ShadowCopy. How do I whitelist files or folders from both the primary volume and the shadowcopy? The [Add an Exclusion] button doesn't allow me to use the path reported by Defender in the threat notification:

file: \Device\HarddiskVolumeShadowCopy35\apps\NirSoft\netpass.exe

From < https://superuser.com/questions/1634615/how-to-exclude-specific-shadow-copy-files-or-folders-from-windows-defender>

Answer maybe below. I've tried the below. Lets see what happens.

Add-MpPreference -ExclusionPath “*\Device\HarddiskVolumeShadowCopy*\apps\NirSoft”

How to exclude a specific file or file extension from Windows Defender from the command line?

[…]

Use the "Add-MpPreference -ExclusionPath" command in Powershell

PS C:\> Add-MpPreference -ExclusionPath “C:\tools\NirLauncher”

This command adds the folder to the exclusion list. The command disables Windows Defender scheduled and real-time scanning for files in this folder.

Reference

 

Error "Add-MpPreference: Operation failed with the following error: 0x%1!x!" probably means not in an Admin shell.

From < https://superuser.com/questions/1416767/exclude-specific-file-from-windows-defender-command-line>

 

Also can use registry:

HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

From < https://stackoverflow.com/questions/40233123/windows-defender-add-exclusion-folder-programmatically>

 

reg query “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths”
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\\Path\\To\\Folder" /t REG_DWORD /d 0 /f
  • reg add - Adds a new entry to the registry.
  • HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths - The registry key where Windows Defender exclusions are stored.
  • /v "C:\\Path\\To\\Folder" - Specifies the name of the registry entry, which is the path you want to exclude.
  • /t REG_DWORD - Specifies the type of registry entry. In this case, it's a DWORD value.
  • /d 0 - Sets the data for the registry entry. The value 0 indicates the path to exclude.
  • /f - Forces the command to execute without prompting for confirmation.

-- from chatgpt