8

Recently I set up a backup for some folders. Today I found out that Windows Defender won't let the backup service do its job.

But how do I exclude the backup's shadow copy from Windows Defender?

It's not like I can point it to a file or folder and say "Don't check here".
Heck I tried excluding the entire backup drive, with no success.

And if I exclude .exes I might as well disable Defender entirely.

Run5k
martixy

4 Answers

5

You can use PowerShell to add a wildcard pattern for all HD shadow copies to Windows Defender's exclusion list. The Defender settings GUI doesn't let you use wildcards, but the PowerShell command does:

PS C:\> Add-MpPreference -ExclusionPath "\Device\HarddiskVolumeShadowCopy*\"

Or, if you are using cmd.exe:

C:\> powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "\Device\HarddiskVolumeShadowCopy*\"
0xabc
1

I'm not sure that excluding a volume shadow copy is actually what you need to do. I thought I was in the same boat as you... Windows Backup and Restore was reporting failed backups due to malware. The only references I could find in Windows Defender was to a path similar to Device\HarddiskVolumeShadowCopy5\Download\something.crx, and searching similar paths on my actual drives wasn't turning anything up.

My first clue was when I tried to redo the backup manually: I noticed the first step was "Create Shadow Volume." This made me think that Defender must not be so stupid after all, and perhaps it was catching something being copied from a source drive. After further investigation, it turns out some symbolic links (folder aliases) I had created were confusing the issue, and I finally did turn up the reported file (downloaded over 5 years ago!) that it was complaining about. Now why full scans from Defender don't find it, but real-time access during backup does, is a separate issue.

Likely you aren't as inept as me with locating the reported malware file(s), but maybe you do have a tenacious bad guy that is either having trouble being cleaned up, yet hiding itself well, or that keeps re-infecting the system from another vector.
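An added PowerShell example (not from the original question or any of the answers) that follows the approach this answer describes: rather than excluding the shadow copy, resolve each Defender detection that names a \Device\HarddiskVolumeShadowCopyN path back to the live path on the source volume, so the real file can be examined. It assumes an elevated session (Win32_ShadowCopy requires it) and the Defender module's Get-MpThreatDetection cmdlet; the "file:_" resource prefix handled by the regex is an assumption about Defender's resource format.

```powershell
# Added example: map Defender detections on shadow-copy paths back to live paths.
# Requires an elevated PowerShell session (Win32_ShadowCopy needs admin rights).

# Lookup 1: volume GUID path ("\\?\Volume{guid}\") -> drive letter ("C:")
$volumes = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
    $volumes[$_.DeviceID] = $_.DriveLetter
}

# Lookup 2: shadow-copy device ("\Device\HarddiskVolumeShadowCopyN") -> drive letter
$shadows = @{}
Get-CimInstance Win32_ShadowCopy | ForEach-Object {
    # DeviceObject is "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN"; strip the prefix
    $dev = $_.DeviceObject -replace '^\\\\\?\\GLOBALROOT', ''
    $shadows[$dev] = $volumes[$_.VolumeName]
}

# Walk Defender's detection history and translate shadow-copy resources to live paths
Get-MpThreatDetection | ForEach-Object {
    $det = $_
    foreach ($res in $det.Resources) {
        # Assumed resource format: "file:_\Device\HarddiskVolumeShadowCopy5\Download\x.crx"
        if ($res -match '^(?:file:_?)?(\\Device\\HarddiskVolumeShadowCopy\d+)(\\.*)$') {
            $dev  = $Matches[1]
            $rest = $Matches[2]
            # A shadow copy that has since been deleted cannot be resolved any more
            $live = if ($shadows.ContainsKey($dev)) { "$($shadows[$dev])$rest" }
                    else { "<shadow copy $dev no longer exists>" }
            [pscustomobject]@{
                Detected   = $det.InitialDetectionTime
                ThreatID   = $det.ThreatID
                ShadowPath = $res
                LivePath   = $live
            }
        }
    }
} | Format-Table -AutoSize
```

The LivePath column is the file on the real drive to inspect (or clean up); once it is dealt with, the backup's shadow copy no longer triggers the detection and no shadow-copy exclusion is needed.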

0

Use the notification:

  • go to the notification by clicking on it, or go to [Start > Settings > Update & Security > Windows Security > Virus & Threat protection > Threat history > See full history].
  • then expand the threat > Actions > Allow.

This seems to work better than trying to exclude a path to the shadow volume "file:\Device\HarddiskVolumeShadowCopy16\Download\some_file.exe", which it doesn't recognize.

symbiont
0

Defender doesn't have an option to allow for VSS "threats". In my case, they are not threats; they are NirSoft files I have already excluded in Defender, but when they are being backed up they show as threats in VSS, and there are no exclusions allowed for VSS, only quarantine and remove, so you need to exclude those files from backups altogether.

gmmgm