The Strange Case of the AV Exception

All I wanted to do was push some extension and file path antivirus exceptions down to a server.

The customer is a small accounting firm using Sage 50, nothing uncommon. This was on a Windows Server 2019 standalone server running Microsoft RDS, hosted by a DaaS provider. Users connect remotely to the server and run Sage on the server, where the data is also located. Hence, everything – application AND data – is local on the server.

They were experiencing some annoying performance issues with Sage, and after several unfruitful attempts with their tech support, I found a document on their site that talked about putting in place some antivirus exceptions. I manage this customer using Microsoft XDR (Defender + Intune), so I created a separate AV policy for the server with the exceptions in place.

Except…they never made it down to the server.

I searched through multiple documents and forums, but no solution. So, I opened a ticket with Microsoft. That was back in June 2023.

I got transferred from engineer to engineer, from group to group (talked to some awesome folks along the way, though!), but no one could put their finger on the problem. During the summer, (sometime in August, I believe), I migrated the server to a new Windows Server 2022 VM, this for other reasons (the now-infamous and as-yet-unresolved “Error 1001” issue – if you know, you know). I thought perhaps refreshing everything would resolve the issue with the exceptions, but no.

What was I trying to exclude?


Firstly, two file extensions: sai and saj.

As mentioned in the pop-up tip and on the related page, I added the two extensions separated by a “|”:

[Screenshot 1: the file-extension exclusion entry, sai|saj]

Then, I needed to add a few paths:

  • c:\data\Simply Accounting
  • C:\Program Files (x86)\Sage 50 Édition Experts Version 2023
  • C:\ProgramData\Sage
  • C:\ProgramData\Sage 50 Canadian
  • C:\Program Files (x86)\winsim

So, similarly, I added an entry using the same syntax:

"c:\data\Simply Accounting"|"C:\Program Files (x86)\Sage 50 Édition Experts Version 2023"|"C:\ProgramData\Sage"|"C:\ProgramData\Sage 50 Canadian"|"C:\Program Files (x86)\winsim"

[Screenshot 2: the pipe-separated path exclusion entry]

I waited for the server to communicate with Defender/Intune, and after it did, I checked on the server: the exceptions were NOT pushed to the server.

When looking at the policy report in Intune, the status was always at Pending; it never got to Success.

Now, that was already a few months back, but I’m fairly certain that I tried many more combinations, putting each extension and path on a separate entry, with or without quotes. Nothing worked.

Hence the call to Microsoft, as I figured it was something else.

So, what was it?

After months of diagnostics and log-gathering, one of the engineers got back to me and said, “It has to do with the extensions.” She was going to get back to me. However, on a bitterly cold January winter day (Canada, folks!) when it was too cold to go play outside, I started back on that aspect of the policy.

I started by removing all the exceptions, both file types AND paths. I waited for the server to communicate and sync, and the policy went from Pending to Success!!

Then, I added back the file extensions, but instead of piping the list of extensions as described HERE, I added them on separate lines:

[Screenshot 3: the extensions entered as separate entries]

If you remember, my original policy had only one entry, sai|saj.

After a sync, TA-DAAAA!

[Screenshot 4: the extension exclusions visible on the server]

The exceptions were on the server!

I then added back only one path exception:

“c:\data\Simply Accounting”

It synched down to the server!

I added a second one:

“C:\ProgramData\Sage”

Still success!

[Screenshot 5: the first two path exclusions visible on the server]

Onwards we go; I then added:

“C:\Program Files (x86)\Sage 50 Édition Experts Version 2023”

[Screenshot 6: the policy with the "Sage 50 Édition Experts" path added]

And this is where it stopped working!!

I even waited until the next morning to make sure the server had properly picked up the policy, but still no.

Then I thought, “Maybe there’s something in the path it doesn’t like, or it’s too long.”

So, I went on the server and used the “dir /x” command to view the short 8.3 names for the directories, and ended up with this:

[Screenshot 7: "dir /x" output showing the 8.3 short names of the directories]

And…:

[Screenshot 8: the exclusion entered using the 8.3 short path]

It worked!!!

I must assume that Defender would exclude the directory from scanning even though I am using the short name…

Then, I added the last two exceptions:

[Screenshot 9: the last two path exclusions added to the policy]

I was confident that “C:\ProgramData\Sage 50 Canadian” would work but wondered if the parentheses in “C:\Program Files (x86)\winsim” were the cause of the issue. I saved the policy and synched the server, then waited.

But I was wrong; all the exceptions were delivered to the server!

[Screenshot 10: all exclusions visible on the server]

So, in true Sherlock Holmes fashion, we must consider that “when you have eliminated the impossible, whatever remains, however improbable, must be the truth”, which leaves only one difference: the French accent in the troublesome path, “Édition”.

So I did another test: the same path, but without the accent, just to see whether it would be delivered to the server:

[Screenshot 11: the path entered as "Edition" without the accent]

Even though the path doesn’t really exist (unless Windows interprets “Édition” and “Edition” as the same!), it was just a test to see if the exception would make it to the server.

And it did!!

[Screenshot 12: the unaccented path exclusion visible on the server]

CONCLUSION: there is an issue either with Defender or Intune when it comes to accented characters.
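For anyone who wants to check this on their own server rather than waiting on the Intune policy report, the following PowerShell script is an added example (it is not from the original post and not a Microsoft tool). It pre-flights the intended exclusion list by flagging any entry with non-ASCII characters (the accented "É" above), derives the 8.3 short name for such directories as the workaround used in the post, and then compares the intended list against what Defender reports as applied. It assumes it is run in an elevated session on the server itself, and it assumes that Intune-delivered exclusions are visible in `Get-MpPreference`; the path list is the one from this post.

```powershell
# Added example, not from the original post. Assumes an elevated session on the
# RDS server and that Intune-delivered exclusions appear in Get-MpPreference.

$IntendedExtensions = @('sai', 'saj')
$IntendedPaths = @(
    'c:\data\Simply Accounting',
    'C:\Program Files (x86)\Sage 50 Édition Experts Version 2023',
    'C:\ProgramData\Sage',
    'C:\ProgramData\Sage 50 Canadian',
    'C:\Program Files (x86)\winsim'
)

# True when every character of the string is within 7-bit ASCII.
function Test-AsciiOnly {
    param([string]$Text)
    return -not ($Text -match '[^\x00-\x7F]')
}

# 8.3 short path of an existing directory (same information as "dir /x"),
# obtained through the Scripting.FileSystemObject COM object.
function Get-ShortPath {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $null }
    $fso = New-Object -ComObject Scripting.FileSystemObject
    return $fso.GetFolder($Path).ShortPath
}

# Step 1: pre-flight the list before it goes into the Intune policy.
Write-Host "=== Pre-flight of intended path exclusions ==="
foreach ($p in $IntendedPaths) {
    if (Test-AsciiOnly $p) {
        Write-Host "OK        $p"
        continue
    }
    Write-Warning "NON-ASCII $p"
    $short = Get-ShortPath $p
    if ($short) { Write-Host "          8.3 alternative: $short" }
    else        { Write-Host "          (directory not present locally; cannot derive a short name)" }
}

# Step 2: compare against what Defender on this server reports as applied.
Write-Host "`n=== Exclusions reported by Defender ==="
$pref         = Get-MpPreference
$appliedPaths = @($pref.ExclusionPath)
# Normalise extensions so "sai" and ".sai" compare equal.
$appliedExt   = @($pref.ExclusionExtension | ForEach-Object { $_.TrimStart('.') })

foreach ($e in $IntendedExtensions) {
    $state = if ($appliedExt -icontains $e.TrimStart('.')) { 'applied' } else { 'MISSING' }
    Write-Host "$state extension: $e"
}

foreach ($p in $IntendedPaths) {
    # Accept either the long path or the 8.3 form of the same directory (case-insensitive).
    $short = Get-ShortPath $p
    $hit = $appliedPaths | Where-Object { ($_ -ieq $p) -or ($short -and ($_ -ieq $short)) }
    $state = if ($hit) { 'applied' } else { 'MISSING' }
    Write-Host "$state path: $p"
}
```

Two things worth keeping in mind when using it: every line reported as MISSING is a directory or file type that Defender is still scanning, so the performance symptom will persist there; and every line reported as applied is a location Defender will no longer inspect, so keep the list to exactly the directories the vendor document names and re-run the check after each policy change rather than adding broader paths to "make it work".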

This is a bit unbelievable in 2024, when those products are used around the world, but there you go.

And since I am the first person in the world to try this and figure this out, I’ll be expecting huge recognition from Microsoft!
