Clear / Empty Windows Defender Anti-Virus Exclusion List with PowerShell

Problem: Through the Windows GUI there is no way to quickly clear the Windows Defender Anti-Virus exclusion list when a virus has wrought its havoc on a machine and added countless entries to protect itself from detection.

Solution: A PowerShell script that reads all the exclusion entries and removes them automatically.



Back Story – Feel free to skip…

A family member came to me complaining that when she visited certain very popular websites she would be bombarded by pop-ups. She was worried that she had a virus. The PC was running Windows 10 and in my judgement Windows 10 (when regularly patched) is the most robust Windows to date when it comes to security. I suspected a rogue Firefox or Chrome browser plugin to be the culprit.

I TeamViewer’d into her machine and checked the browsers. They were clean, yet I witnessed an excessive number of pop-ups seemingly invoked by big sites such as eBay. I checked Task Manager and noticed a process called “mi.exe” consuming a large amount of CPU time. A quick web search confirmed my suspicion that it was a crypto miner. I killed the process and started a Windows Defender Anti-Virus scan. The results were clean.

By this point I was sure that the machine was infected with something because I had checked the registry and found some dodgy looking entries.

I delved into the settings of Windows Defender Anti-Virus and checked the Exclusions list. I had found the issue. In the Exclusion screen there was an endless list of suspect looking executables and folders that the virus had added to protect itself from detection.

The problem then was how to reset or empty this list. There was no clear-list button and no select-all. All you can do through the GUI is click on each individual entry to reveal a remove button, click that button and then confirm the change in UAC. Three clicks for every entry. No thanks. TO POWERSHELL!


Solution

# PowerShell script to clear the ExclusionPath and ExclusionProcess arrays
# associated with Windows Defender Anti-Virus
# by Robin Edmunds - edmunds.me
#
# Remove-MpPreference needs an elevated session. This directive makes the
# script refuse to start from a non-administrator prompt instead of failing
# part-way through with an access-denied error.
#Requires -RunAsAdministrator

# Snapshot the preferences once. Both the loops and the summary use this
# copy, so the counts reported reflect what was present before removal.
$x = Get-MpPreference

if ($null -ne $x.ExclusionPath) {
  Write-Host "================================================"
  Write-Host "Removing the following ExclusionPath entries : -"
  foreach ($i in $x.ExclusionPath) {
    Remove-MpPreference -ExclusionPath $i
    Write-Host $i
  }
  Write-Host "================================================"
  Write-Host "Total ExclusionPath entries deleted:" $x.ExclusionPath.Count
} else {
  Write-Host "No ExclusionPath entries present. Skipping..."
}

if ($null -ne $x.ExclusionProcess) {
  Write-Host "================================================"
  Write-Host "Removing the following ExclusionProcess entries : -"
  foreach ($i in $x.ExclusionProcess) {
    Remove-MpPreference -ExclusionProcess $i
    Write-Host $i
  }
  Write-Host "================================================"
  Write-Host "Total ExclusionProcess entries deleted:" $x.ExclusionProcess.Count
} else {
  Write-Host "No ExclusionProcess entries present. Skipping..."
}

Write-Host "================================================"
Write-Host "SUMMARY"
# On an empty list .Count evaluates to 0 (PowerShell 3.0 and later), so the
# summary prints correctly whether or not anything was removed.
Write-Host $x.ExclusionPath.Count "ExclusionPath entries deleted."
Write-Host $x.ExclusionProcess.Count "ExclusionProcess entries deleted."
Write-Host ($x.ExclusionPath.Count + $x.ExclusionProcess.Count) "Total entries deleted"
Write-Host ""
Write-Host "I recommend saving this output for future reference."
Write-Host "Done."

Steps: –

  1. Copy the script text above, paste it into a new file in your favourite text editor and save it with the .ps1 extension used for PowerShell scripts (for example clear-exclusions.ps1).
  2. Open Windows PowerShell as an Administrator by right-clicking the shortcut and clicking “Run as administrator”. Remove-MpPreference fails with an access-denied error from a non-elevated prompt.
  3. Within PowerShell navigate to the location where you saved the script using cd c:\your\location\
  4. By default, running PowerShell scripts is restricted for security reasons (the execution policy on Windows 10 client editions is Restricted). Rather than loosening it for the whole machine, lift it for this session only with Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; the change is discarded when the window is closed.
  5. To execute the script use .\script-name.ps1
  6. If all went well, you should see the script iterating through all the exclusion list entries and deleting them. At the end the script will give you a count of entries deleted.
  7. Close the PowerShell window when you are done. Because the policy change in step 4 was scoped to the process, nothing needs to be reset; if you changed the machine-wide policy instead (Set-ExecutionPolicy Unrestricted), return it to its sensible default with Set-ExecutionPolicy Restricted.

If you return to the exclusion list in the GUI you should find a completely empty list. Do a Windows Defender Anti-Virus scan now and it will have a fighting chance of catching the nasties!
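The script above clears the two lists this infection used, but Defender keeps a third one, ExclusionExtension, that malware can abuse the same way (excluding .exe or .dll makes the path list irrelevant), and newer builds add ExclusionIpAddress. The following is an added example, not the original post’s script, that clears every exclusion kind the installed Defender module exposes, writes the removed entries to a log file so you keep the record the script recommends, re-reads the preferences afterwards to confirm the lists really are empty, and honours -WhatIf so you can preview before touching anything. It assumes the Defender module (Get-MpPreference / Remove-MpPreference) is present and the session is elevated; the $LogDirectory default, the log file name and the -ScanAfter switch are my choices.

```powershell
#Requires -RunAsAdministrator
<#
  Clear-DefenderExclusions.ps1 (added example, not the original post's script)
  Clears every exclusion kind the installed Defender module exposes,
  logs what was removed, and verifies the result by re-reading the preferences.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Where the record of removed entries is written. Assumed default; change freely.
    [string]$LogDirectory = "$env:ProgramData\DefenderExclusionCleanup",
    # Kick off a full scan once the lists are empty.
    [switch]$ScanAfter
)

# Candidate exclusion kinds. Only those that Get-MpPreference reports AND that
# Remove-MpPreference accepts on this build are touched (older builds lack
# ExclusionIpAddress), so the script does not error on an unknown parameter.
$kinds        = 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension', 'ExclusionIpAddress'
$removeParams = (Get-Command Remove-MpPreference).Parameters
$before       = Get-MpPreference
$supported    = @($kinds | Where-Object {
    $before.PSObject.Properties[$_] -and $removeParams.ContainsKey($_)
})

New-Item -ItemType Directory -Path $LogDirectory -Force | Out-Null
$log     = Join-Path $LogDirectory ("exclusions-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))
$removed = @{}

foreach ($kind in $supported) {
    # Filter through Where-Object so an empty/null list becomes @() rather than @($null).
    $entries = @($before.$kind | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
    if ($entries.Count -eq 0) {
        Write-Host "$kind : nothing to remove."
        continue
    }

    # Record the evidence before removal so it survives even if removal fails part-way.
    "[$kind]"  | Out-File -FilePath $log -Append -Encoding utf8
    $entries   | Out-File -FilePath $log -Append -Encoding utf8

    foreach ($entry in $entries) {
        if ($PSCmdlet.ShouldProcess($entry, "Remove $kind exclusion")) {
            # Splatting turns the kind name into the matching parameter, e.g. -ExclusionPath.
            $splat = @{ $kind = $entry }
            try {
                Remove-MpPreference @splat -ErrorAction Stop
                Write-Host "  removed $kind : $entry"
            } catch {
                Write-Warning "  failed to remove $kind '$entry': $($_.Exception.Message)"
            }
        }
    }
    $removed[$kind] = $entries.Count
}

# Verify by re-reading the preferences rather than trusting our own bookkeeping.
$after    = Get-MpPreference
$leftover = @($supported | Where-Object {
    @($after.$_ | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }).Count -gt 0
})
if ($leftover.Count -gt 0 -and -not $WhatIfPreference) {
    Write-Warning ("Entries remain in: {0}. Check whether tamper protection or a management policy (GPO/Intune) is re-applying them." -f ($leftover -join ', '))
} else {
    Write-Host "All exclusion lists are empty."
}

$summary = ($removed.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
Write-Host "Removed: $summary"
Write-Host "Log written to $log"

if ($ScanAfter) {
    Write-Host "Starting a full Windows Defender scan..."
    Start-MpScan -ScanType FullScan
}
```

Run it once with .\Clear-DefenderExclusions.ps1 -WhatIf to see what would go, then without -WhatIf (add -ScanAfter to start the full scan immediately). Keep the log: the excluded paths and process names are the best map you have of where the malware lives, and they are what the follow-up scan and registry clean-up should be checked against.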


Back story continued…

After the Exclusion list was cleared, Windows Defender Anti-Virus identified 4 trojans and successfully removed them. However, the issue of excessive pop-ups persisted when browsing the web.

Further investigation revealed that one of the viruses had added registry entries that defined a rogue DNS server. These registry entries took precedence over DHCP or user-defined DNS servers. Deleting these registry entries solved the issue.
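A quick way to spot that kind of override, as an added example that is not part of the original post: Windows stores per-interface DNS settings under the Tcpip\Parameters\Interfaces registry key, where a non-empty NameServer value (the static list) wins over DhcpNameServer (what DHCP handed out). The check below lists every interface that has a static list and flags any server not on a trusted list; the $KnownGood resolvers are an assumption to replace with your own, and the function name is mine.

```powershell
# Added example: find statically configured DNS servers that override DHCP.
# Key and value names are the standard TCP/IP registry locations; the
# trusted resolver list is an assumption for illustration only.
$KnownGood = @('1.1.1.1', '8.8.8.8', '9.9.9.9')   # assumed; use your own resolvers

$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Get-DnsOverride {
    param([string[]]$TrustedServers)
    foreach ($key in Get-ChildItem $ifaceRoot) {
        $p = Get-ItemProperty $key.PSPath
        # NameServer is the static (registry/user-set) list; DhcpNameServer is DHCP's.
        # Both are space- or comma-separated strings; Where-Object drops empties.
        $static = @($p.NameServer     -split '[ ,]' | Where-Object { $_ })
        $dhcp   = @($p.DhcpNameServer -split '[ ,]' | Where-Object { $_ })
        if ($static.Count -eq 0) { continue }    # DHCP is in charge; nothing to flag
        [pscustomobject]@{
            Interface  = $key.PSChildName
            StaticDns  = $static -join ','
            DhcpDns    = $dhcp   -join ','
            Suspicious = [bool]($static | Where-Object { $_ -notin $TrustedServers })
        }
    }
}

Get-DnsOverride -TrustedServers $KnownGood | Format-Table -AutoSize
```

An interface you never configured by hand that shows up with StaticDns set and Suspicious = True is the pattern described above. To hand the interface back to DHCP, Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses clears the static list (match the registry GUID to an index with Get-NetAdapter), which is the supported equivalent of deleting the NameServer value directly.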

The viruses detected and removed were: –

  • Adware:Win32/Adposhel
  • Trojan:Win32/Occamy.c
  • Trojan:Win32/Conteban.a!ml
  • Trojan:Win32/Bitrep.B
