"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All
Important
In some scenarios, the ThreatName may appear as EUS:Win32/CustomEnterpriseBlock!cl. Defender for Endpoint will restore all custom blocked files that were quarantined on this device in the last 30 days.
A file that was quarantined as a potential network threat might not be recoverable. If a user attempts to restore the file after quarantine, that file might not be accessible. This can be due to the system no longer having network credentials to access the file. Typically, this is a result of a temporary log on to a system or shared folder and the access tokens expired.
In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.
Part 3: Review or define exclusions
Caution
Before you define an exclusion, review the detailed information in Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus. Keep in mind that every exclusion that is defined lowers your level of protection.
An exclusion is an entity, such as a file or URL, that you specify as an exception to remediation actions. The excluded entity can still get detected, but no remediation actions are taken on that entity. That is, the detected file or process won't be stopped, sent to quarantine, removed, or otherwise changed by Microsoft Defender for Endpoint.
To define exclusions across Microsoft Defender for Endpoint, perform the following tasks:
Define exclusions for Microsoft Defender Antivirus
Create "allow" indicators for Microsoft Defender for Endpoint
Microsoft Defender Antivirus exclusions apply only to antivirus protection, not across other Microsoft Defender for Endpoint capabilities. To exclude files broadly, use exclusions for Microsoft Defender Antivirus and custom indicators for Microsoft Defender for Endpoint.
The procedures in this section describe how to define exclusions and indicators.
Exclusions for Microsoft Defender Antivirus
In general, you shouldn't need to define exclusions for Microsoft Defender Antivirus. Make sure that you define exclusions sparingly, and that you only include the files, folders, processes, and process-opened files that are resulting in false positives. In addition, make sure to review your defined exclusions regularly. We recommend using Microsoft Intune to define or edit your antivirus exclusions; however, you can use other methods, such as Group Policy (see Manage Microsoft Defender for Endpoint).
Need help with antivirus exclusions? See Configure and validate exclusions for Microsoft Defender Antivirus.
Use Intune to manage antivirus exclusions (for existing policies)
In the Microsoft Intune admin center, choose Endpoint security > Antivirus, and then select an existing policy. (If you don't have an existing policy, or you want to create a new policy, skip to Use Intune to create a new antivirus policy with exclusions.)
Choose Properties, and next to Configuration settings, choose Edit.
Expand Microsoft Defender Antivirus Exclusions and then specify your exclusions.
Excluded Extensions are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension, regardless of file path or folder. Separate each file type in the list with a | character. For example, lib|obj. For more information, see ExcludedExtensions.
Excluded Paths are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a | character. For example, C:\Example|C:\Example1. For more information, see ExcludedPaths.
Excluded Processes are exclusions for files that are opened by certain processes. Separate each process path in the list with a | character. For example, C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see ExcludedProcesses.
Choose Review + save, and then choose Save.
Use Intune to create a new antivirus policy with exclusions
In the Microsoft Intune admin center, choose Endpoint security > Antivirus > + Create Policy.
Select a platform (such as Windows 10, Windows 11, and Windows Server).
For Profile, select Microsoft Defender Antivirus exclusions, and then choose Create.
On the Create profile step, specify a name and description for the profile, and then choose Next.
On the Configuration settings tab, specify your antivirus exclusions, and then choose Next.
Excluded Extensions are exclusions that you define by file type extension. These extensions apply to any file name that has the defined extension, regardless of file path or folder. Separate each file type in the list with a | character. For example, lib|obj. For more information, see ExcludedExtensions.
Excluded Paths are exclusions that you define by their location (path). These types of exclusions are also known as file and folder exclusions. Separate each path in the list with a | character. For example, C:\Example|C:\Example1. For more information, see ExcludedPaths.
Excluded Processes are exclusions for files that are opened by certain processes. Separate each process path in the list with a | character. For example, C:\Example.exe|C:\Example1.exe. These exclusions aren't for the actual processes. To exclude processes, you can use file and folder exclusions. For more information, see ExcludedProcesses.
On the Scope tags tab, if you're using scope tags in your organization, specify scope tags for the policy you're creating. (See Scope tags.)
On the Assignments tab, specify the users and groups to whom your policy should be applied, and then choose Next. (If you need help with assignments, see Assign user and device profiles in Microsoft Intune.)
On the Review + create tab, review the settings, and then choose Create.
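The following PowerShell script is an added example, not part of the Microsoft article or Intune. It supports both Intune procedures above (editing an existing policy and creating a new one) and the article's advice to review exclusions regularly: it reads the exclusions in effect on a device with the built-in Defender module, flags entries broader than "the files that are resulting in false positives", and builds the |-separated value the Intune exclusion settings expect. The over-broad patterns and extension list are this example's own assumptions, not a Microsoft list.

```powershell
# Added example (not from the Microsoft article): audit local Defender Antivirus exclusions
# and build the "|"-separated values used by the Intune Excluded Paths/Extensions/Processes settings.
# Assumes the built-in Defender PowerShell module (Get-MpPreference) is present.

# Patterns treated as over-broad are an assumption of this example, not a Microsoft list.
$broadPathPatterns = @(
    '^[A-Za-z]:\\?$',              # whole drive, e.g. C:\
    '^[A-Za-z]:\\Windows\\?$',     # entire Windows folder
    '^[A-Za-z]:\\Users\\?$',       # every user profile
    '\\Temp\\?$',                  # temp folders are common drop locations
    '^\*+\\?$'                     # bare wildcard
)
$broadExtensions = @('exe', 'dll', 'ps1', 'js', 'vbs', 'bat', 'cmd', 'scr')

function Get-ExclusionFindings {
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in $pref.ExclusionPath) {
        foreach ($rx in $broadPathPatterns) {
            if ($p -match $rx) { $findings += [pscustomobject]@{ Kind = 'Path'; Value = $p; Reason = "matches over-broad pattern $rx" } }
        }
    }
    foreach ($e in $pref.ExclusionExtension) {
        if ($broadExtensions -contains $e.TrimStart('.').ToLower()) {
            $findings += [pscustomobject]@{ Kind = 'Extension'; Value = $e; Reason = 'executable or script type excluded in every folder' }
        }
    }
    foreach ($proc in $pref.ExclusionProcess) {
        # Process exclusions cover only files the process opens, not the process image itself
        # (the article makes the same point); a bare name without a path matches any process so named.
        if ($proc -notmatch '\\') {
            $findings += [pscustomobject]@{ Kind = 'Process'; Value = $proc; Reason = 'no full path; any process with this name qualifies' }
        }
    }
    return $findings
}

# Joins a list into the "|"-separated string Intune expects, refusing values that contain the separator.
function ConvertTo-IntuneExclusionValue {
    param([string[]] $Items)
    foreach ($i in $Items) {
        if ($i -match '\|') { throw "Exclusion '$i' contains the '|' separator" }
    }
    return ($Items | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join '|'
}

Get-ExclusionFindings | Format-Table -AutoSize
ConvertTo-IntuneExclusionValue -Items @('C:\Example', 'C:\Example1')
```

Run it in an elevated PowerShell session on a device that receives the policy; an empty findings table means none of the assumed over-broad patterns matched, not that every remaining exclusion is justified.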
Indicators for Defender for Endpoint
Indicators (specifically, indicators of compromise, or IoCs) enable your security operations team to define the detection, prevention, and exclusion of entities. For example, you can specify certain files to be omitted from scans and remediation actions in Microsoft Defender for Endpoint. Or, indicators can be used to generate alerts for certain files, IP addresses, or URLs.
To specify entities as exclusions for Defender for Endpoint, create "allow" indicators for those entities. Such "allow" indicators apply to next-generation protection and automated investigation & remediation.
"Allow" indicators can be created for:
Files
IP addresses, URLs, and domains
Application certificates
Indicators for files
When you create an "allow" indicator for a file, such as an executable, it helps prevent files that your organization is using from being blocked. Files can include portable executable (PE) files, such as .exe and .dll files.
Before you create indicators for files, make sure the following requirements are met:
Microsoft Defender Antivirus is configured with cloud-based protection enabled (see Manage cloud-based protection)
Antimalware client version is 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later, or Windows 11; Windows Server 2012 R2 and Windows Server 2016 with the modern unified solution in Defender for Endpoint, or Windows Server 2019, or Windows Server 2022
The Block or allow feature is turned on
Indicators for IP addresses, URLs, or domains
When you create an "allow" indicator for an IP address, URL, or domain, it helps prevent the sites or IP addresses your organization uses from being blocked.
Before you create indicators for IP addresses, URLs, or domains, make sure the following requirements are met:
Network protection in Defender for Endpoint is enabled in block mode (see Enable network protection)
Antimalware client version is 4.18.1906.x or later
Devices are running Windows 10, version 1709, or later, or Windows 11
Custom network indicators are turned on in the Microsoft Defender XDR. To learn more, see Advanced features.
Indicators for application certificates
When you create an "allow" indicator for an application certificate, it helps prevent applications, such as internally developed applications, that your organization uses from being blocked. .CER or .PEM file extensions are supported.
Before you create indicators for application certificates, make sure the following requirements are met:
Microsoft Defender Antivirus is configured with cloud-based protection enabled (see Manage cloud-based protection)
Antimalware client version is 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later, or Windows 11; Windows Server 2012 R2 and Windows Server 2016 with the modern unified solution in Defender for Endpoint, or Windows Server 2019, or Windows Server 2022
Virus and threat protection definitions are up to date
When you create indicators, you can define them one by one, or import multiple items at once. Keep in mind there's a limit of 15,000 indicators for a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you create indicators.
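The following PowerShell script is an added example, not part of the Microsoft article. It checks, on the local device, the prerequisites the article lists for file, network, and certificate "allow" indicators (cloud-based protection, antimalware client version, Windows 10 1703 or later, network protection in block mode, current definitions) and then gathers the SHA-256 hash and the signer certificate as a .CER file, the details the article says you might need before creating an indicator. The $FilePath and $CertOutDir parameters are this example's assumptions; the version thresholds come from the article, and the OS check covers only the Windows 10/11 client case, not the server editions listed above.

```powershell
# Added example (not from the Microsoft article): verify indicator prerequisites on this device
# and collect the file hash and signer certificate needed to create "allow" indicators.
# Assumes the built-in Defender PowerShell module; $FilePath is the file that was wrongly detected.
param(
    [Parameter(Mandatory)] [string] $FilePath,
    [string] $CertOutDir = "$env:TEMP\indicator-evidence"   # assumed output folder
)

$status = Get-MpComputerStatus
$pref   = Get-MpPreference
$os     = [Environment]::OSVersion.Version

# Thresholds are the ones stated in the article; build 15063 is Windows 10, version 1703.
# Server editions with the unified solution are not evaluated by the OS check here.
$checks = [ordered]@{
    'Cloud-based protection enabled (MAPSReporting)'           = $pref.MAPSReporting -ne 0
    'Antimalware client 4.18.1901.x or later'                  = [version]$status.AMProductVersion -ge [version]'4.18.1901.0'
    'Windows 10 1703+ or Windows 11 (build 15063+)'             = $os -ge [version]'10.0.15063'
    'Network protection in block mode (IP/URL/domain indicators)' = $pref.EnableNetworkProtection -eq 1
    'Definitions updated within the last day'                  = $status.AntivirusSignatureAge -le 1
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-62} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'CHECK' })
}

# File indicator: gather the SHA-256 hash of the file.
$hash = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
"SHA256 for file indicator: $hash"

# Certificate indicator: export the Authenticode signer so it can be supplied as a .CER file.
$sig = Get-AuthenticodeSignature -FilePath $FilePath
if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate) {
    New-Item -ItemType Directory -Path $CertOutDir -Force | Out-Null
    $cerPath = Join-Path $CertOutDir ("{0}.cer" -f $sig.SignerCertificate.Thumbprint)
    Export-Certificate -Cert $sig.SignerCertificate -FilePath $cerPath -Type CERT | Out-Null
    "Signer {0} exported to {1}" -f $sig.SignerCertificate.Subject, $cerPath
} else {
    "File is not validly signed (status: $($sig.Status)); a file hash indicator is the option here."
}
```

A CHECK result on the network protection row only matters if you intend to create IP, URL, or domain indicators; file and certificate indicators do not depend on it.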
Part 4: Submit a file for analysis
You can submit entities, such as files and fileless detections, to Microsoft for analysis. Microsoft security researchers analyze all submissions, and their results help inform Defender for Endpoint threat protection capabilities. When you sign in at the submission site, you can track your submissions.
Submit a file for analysis
If you have a file that was either wrongly detected as malicious or was missed, follow these steps to submit the file for analysis.
Review the guidelines here: Submit files for analysis.
Submit files in Defender for Endpoint or visit the Microsoft Security Intelligence submission site and submit your files.
Submit a fileless detection for analysis
If something was detected as malware based on behavior, and you don't have a file, you can submit your Mpsupport.cab file for analysis. You can get the .cab file by using the Microsoft Malware Protection Command-Line Utility (MPCmdRun.exe) tool on Windows 10 or Windows 11.
Go to C:\ProgramData\Microsoft\Windows Defender\Platform\<version>, and then run MpCmdRun.exe as an administrator.
Type mpcmdrun.exe -GetFiles, and then press Enter.
A .cab file is generated that contains various diagnostic logs. The location of the file is specified in the output of the command prompt. By default, the location is C:\ProgramData\Microsoft\Microsoft Defender\Support\MpSupportFiles.cab.
Review the guidelines here: Submit files for analysis.
Visit the Microsoft Security Intelligence submission site (https://www.microsoft.com/wdsi/filesubmission), and submit your .cab files.
What happens after a file is submitted?
Your submission is immediately scanned by our systems to give you the latest determination even before an analyst starts handling your case. It's possible that a file might have already been submitted and processed by an analyst. In those cases, a determination is made quickly.
For submissions that weren't already processed, they're prioritized for analysis as follows:
Prevalent files with the potential to affect a large number of computers are given a higher priority.
Authenticated customers, especially enterprise customers with valid Software Assurance IDs (SAIDs), are given a higher priority.
Submissions flagged as high priority by SAID holders are given immediate attention.
To check for updates regarding your submission, sign in at the Microsoft Security Intelligence submission site.
To learn more, see Submit files for analysis.
Part 5: Review and adjust your threat protection settings
Defender for Endpoint offers a wide variety of options, including the ability to fine-tune settings for various features and capabilities. If you're getting numerous false positives, make sure to review your organization's threat protection settings. You might need to make some adjustments to:
Cloud-delivered protection
Remediation for potentially unwanted applications
Automated investigation and remediation
Cloud-delivered protection
Check your cloud-delivered protection level for Microsoft Defender Antivirus. By default, cloud-delivered protection is set to Not configured; however, we recommend turning it on. To learn more about configuring your cloud-delivered protection, see Turn on cloud protection in Microsoft Defender Antivirus.
You can use Intune or other methods, such as Group Policy, to edit or set your cloud-delivered protection settings.
See Turn on cloud protection in Microsoft Defender Antivirus.
Remediation for potentially unwanted applications
Potentially unwanted applications (PUA) are a category of software that can cause devices to run slowly, display unexpected ads, or install other software that might be unexpected or unwanted. Examples of PUA include advertising software, bundling software, and evasion software that behaves differently with security products. Although PUA isn't considered malware, some kinds of software are PUA based on their behavior and reputation.
To learn more about PUA, see Detect and block potentially unwanted applications.
Depending on the apps your organization is using, you might be getting false positives as a result of your PUA protection settings. If necessary, consider running PUA protection in audit mode for a while, or apply PUA protection to a subset of devices in your organization. PUA protection can be configured for the Microsoft Edge browser and for Microsoft Defender Antivirus.
We recommend using Intune to edit or set PUA protection settings; however, you can use other methods, such as Group Policy.
See Configure PUA protection in Microsoft Defender Antivirus.
Automated investigation and remediation
Automated investigation and remediation (AIR) capabilities are designed to examine alerts and take immediate action to resolve breaches. As alerts are triggered, and an automated investigation runs, a verdict is generated for each piece of evidence investigated. Verdicts can be Malicious, Suspicious, or No threats found.
Depending on the level of automation set for your organization and other security settings, remediation actions are taken on artifacts that are considered to be Malicious or Suspicious. In some cases, remediation actions occur automatically; in other cases, remediation actions are taken manually or only upon approval by your security operations team.
Learn more about automation levels, and then configure AIR capabilities in Defender for Endpoint.
Important
We recommend using Full automation for automated investigation and remediation. Don't turn these capabilities off because of a false positive. Instead, use "allow" indicators to define exceptions, and keep automated investigation and remediation set to take appropriate actions automatically. Following this guidance helps reduce the number of alerts your security operations team must handle.
Still need help?
If you've worked through all the steps in this article and still need help, contact technical support.
In the Microsoft Defender portal, in the upper right corner, select the question mark (?), and then select Microsoft support.
In the Support Assistant window, describe your issue, and then send your message. From there, you can open a service request.
See also
Manage Defender for Endpoint
Manage exclusions for Microsoft Defender for Endpoint and Microsoft Defender Antivirus
Overview of Microsoft Defender portal
Microsoft Defender for Endpoint on Mac
Microsoft Defender for Endpoint on Linux
Configure Microsoft Defender for Endpoint on iOS features
Configure Defender for Endpoint on Android features