> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/antivirus-evasion-defender/find-folder-exclusions.md).

# Find Folder Exclusions

{% embed url="<https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/>" %}

```
"C:\Program Files\Windows Defender\MpCmdRun.exe -Scan -ScanType 3 -File "C:\pathe\to\folder\*""
```

<figure><img src="/files/8lEnEk8POSXuEVVAZB7W" alt=""><figcaption></figcaption></figure>

```
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\path\to\folder\|*"
```

## Tool designed to find folder exclusions

{% embed url="<https://github.com/Friends-Security/SharpExclusionFinder?s=03>" %}

## In powershell

```powershell
$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007

$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }

$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }

$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"

$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}
```

<figure><img src="/files/IdEiDphxh74xt4u6f08c" alt=""><figcaption></figcaption></figure>

Ref: <https://x.com/miltinh0c/status/1844374550873768434?t=LtuDBOsnwRGKQ1oLH__0Dw&s=03>

## ScriptHostTest

{% embed url="<https://github.com/MHaggis/notes/tree/master/utilities/ScriptHostTest>" %}

<figure><img src="/files/jlae8c9LbB0pMLCopf9B" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JdrPV4sav7UKuqq56tju" alt=""><figcaption></figcaption></figure>

### Interesting Books <a href="#interesting-book" id="interesting-book"></a>

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems**](https://www.amazon.fr/dp/1718503342?tag=0xss0rz-21) The author uses his years of experience as a red team operator to investigate each of the most common sensor components, discussing their purpose, explaining their implementation, and showing the ways they collect various data points from the Microsoft operating system. In addition to covering the theory behind designing an effective EDR, each chapter also reveals documented evasion strategies for bypassing EDRs that red teamers can use in their engagements.
