Antivirus exclusions can do a lot of damage because what is in the exclusions is not monitored and possibly blocked. Exclusions should only be put in with great circumspection and there should be as few exclusions as possible.
Threat actors may try to create their own exclusions within various malware to allow them to run other malware and thus extend their control over the device. Therefore, exclusions need to be carefully protected and fully controlled.
Tamper Protection for exclusions
If you have tamper protection enabled in Microsoft Defender for Endpoint, then tamper protection can also protect your exceptions. You need to meet a few simple conditions.
- DisableLocalAdminMerge must be active. This is a setting that blocks locally defined changes and ensures that only settings defined globally are applied.
- The device must be managed by Intune or Configuration Manager.
- Antivirus exclusions are only managed from Intune.
- Sense service must be enabled.
How activate DisableLocalAdminMerge
To enable DisableLocalAdminMerge in Intune, go to Endpoint security – Antivirus and create a new policy (or edit an existing one). Select Windows 10, Windows 11, and Windows Server as the Platform. Select Microsoft Defender Antivirus as the Profile.
Type in any policy name, and on the next page in Settings, locate Disable Local Admin Merge and select Disable Local Admin Merge from the drop-down list.
Tamper protection together with DisableLocalAdminMerge is a very strong protection. This applies not only to antivirus exclusions, but also to other exclusions such as the firewall. And as with all exclusions, you need to be very careful and only put in exclusions that really need to be there.
Tamper protection for exclusions is definitely a good thing to turn on and prevent unwanted locally defined exclusions. On the other hand, you should first review what exclusions are configured where, but avoid any unexpected problems and unwanted blocking.