How to Configure CrowdStrike Exclusions for SharePoint Server

Last Updated: February 2025

Overview

File-level antivirus software can cause significant issues with SharePoint operations if not properly configured. Incorrect antivirus configuration can lead to “access denied” errors during file uploads, search indexing failures, workflow disruptions, and performance degradation across your SharePoint farm.

This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting SharePoint environments, based on Microsoft’s official antivirus exclusion guidance for SharePoint.

⚠️ Critical Security Notice: While these exclusions prevent operational conflicts and maintain SharePoint performance, they reduce CrowdStrike’s security coverage. Each exclusion creates a potential security vulnerability. Organizations must implement compensating controls and carefully evaluate the risks versus operational requirements.


Supported SharePoint Versions

This guide covers exclusions for:

  • SharePoint Server Subscription Edition
  • SharePoint Server 2019
  • SharePoint Server 2016
  • SharePoint Server 2013
  • SharePoint Foundation 2013
  • SharePoint Server 2010
  • SharePoint Foundation 2010
  • Windows SharePoint Services 3.0
  • SharePoint Server 2007
  • SharePoint Workflow Manager
  • Office Online Server

Common Issues Without Proper Exclusions

Without appropriate exclusions, you may experience:

  • “Access denied” errors when uploading files
  • Search crawl and indexing failures
  • Workflow execution interruptions
  • Document library corruption
  • Web part rendering issues
  • Timer job failures
  • Service application disruptions
  • Content database locks
  • Configuration cache corruption
  • Temporary file conflicts
  • Office Online Server document conversion failures
  • Performance degradation during peak usage

Prerequisites

  • CrowdStrike Falcon administrative access
  • Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
  • SharePoint installation paths documented
  • SharePoint Management Shell access
  • List of all SharePoint servers and their roles
  • Service account information
  • Understanding of your SharePoint topology

Step 1: Access CrowdStrike Falcon Console

  1. Open your browser and navigate to your Falcon Console:
    • Primary: https://falcon.crowdstrike.com
    • US-2: https://falcon.us-2.crowdstrike.com/
    • (Contact your CrowdStrike administrator if unsure of your tenant location)
  2. Sign in using your admin credentials
  3. Navigate to Endpoint Security > Configure > Exclusions

Step 2: Configure SharePoint Core Exclusions

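Note: In all paths below, Drive: represents the drive letter where SharePoint is installed (typically C:). ServiceAccount and [SearchServiceAccount] are placeholders for the profile folder names of your SharePoint service accounts.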

SharePoint Server Subscription Edition, 2019, and 2016

Add these folder exclusions:

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\*

Or exclude specific critical folders:

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\*
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\Logs\*
Drive:\Program Files\Microsoft Office Servers\16.0\Data\Office Server\Applications\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\*
Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir\*
Drive:\ProgramData\Microsoft\SharePoint\*
Drive:\Users\[SearchServiceAccount]\AppData\Local\Temp\*
Drive:\WINDOWS\System32\LogFiles\*
Drive:\Windows\Syswow64\LogFiles\*

Service Account Specific Exclusions

If using specific accounts for SharePoint services:

Drive:\Users\ServiceAccount\AppData\Local\Temp\*
Drive:\Users\Default\AppData\Local\Temp\*

BLOB Cache Exclusions

If using disk-based BLOB cache:

C:\Blobcache\*
[Or your configured BLOB cache location]

IIS Virtual Directories

Exclude all virtual directory folders:

Drive:\inetpub\wwwroot\wss\VirtualDirectories\*
Drive:\inetpub\temp\IIS Temporary Compressed Files\*

Step 3: Configure SharePoint Workflow Manager Exclusions

If using SharePoint Workflow Manager, add these exclusions:

Drive:\Program Files\Workflow Manager\*
Drive:\Program Files\Reference Assemblies\Microsoft\Workflow Manager\*
Drive:\Program Files\Service Bus\*
Drive:\ProgramData\Workflow Manager\*
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*
Drive:\inetpub\*
Drive:\Windows\System32\inetsrv\*
Drive:\Windows\SysWOW64\inetsrv\*
Drive:\Users\Default\AppData\Local\Temp\*
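
Several entries in Steps 2 and 3 overlap, and a broad entry such as Drive:\inetpub\* silently widens what the narrower ones were meant to cover. The following PowerShell is an added example, not code from CrowdStrike, Microsoft, or this guide's author, that audits a list for entries already covered by a broader one and for entries rooted close to the drive. The function names and the depth threshold are hypothetical, and it assumes each entry covers the whole folder tree beneath it, as this guide intends; confirm how your Falcon tenant interprets * before relying on that.

```powershell
# Added example: audit an exclusion list for overlap and breadth.
# Sample list constructed from entries in Steps 2 and 3 of this guide.
$Exclusions = @(
    'Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\*'
    'Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\Logs\*'
    'Drive:\inetpub\wwwroot\wss\VirtualDirectories\*'
    'Drive:\inetpub\temp\IIS Temporary Compressed Files\*'
    'Drive:\inetpub\*'
    'Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir\*'
    'Drive:\Users\ServiceAccount\AppData\Local\Temp\*'
    'Drive:\ProgramData\Microsoft\SharePoint\*'
)

function Get-ExclusionRoot {
    param([string]$Pattern)
    # Strip the trailing "\*" and normalise case so prefixes can be compared.
    ($Pattern -replace '\\\*$', '').TrimEnd('\').ToLowerInvariant()
}

function Find-RedundantExclusion {
    param([string[]]$Patterns)
    foreach ($child in $Patterns) {
        $childRoot = Get-ExclusionRoot $child
        foreach ($parent in $Patterns) {
            $parentRoot = Get-ExclusionRoot $parent
            # A child is redundant when it sits below another excluded folder.
            if ($childRoot.StartsWith($parentRoot + '\')) {
                [pscustomobject]@{ Redundant = $child; CoveredBy = $parent }
            }
        }
    }
}

function Find-BroadExclusion {
    param([string[]]$Patterns, [int]$MinDepth = 3)
    # Depth = folders below the drive; shallow roots exclude large areas.
    foreach ($p in $Patterns) {
        $depth = ((Get-ExclusionRoot $p) -split '\\').Count - 1
        if ($depth -lt $MinDepth) {
            [pscustomobject]@{ Pattern = $p; Depth = $depth }
        }
    }
}

Find-RedundantExclusion $Exclusions | Format-Table -AutoSize
Find-BroadExclusion $Exclusions | Format-Table -AutoSize
```

Entries reported as redundant can be dropped without changing coverage; entries reported as broad are the ones to justify in the risk acceptance record or replace with the specific subfolders.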

Step 4: Configure Office Online Server Exclusions

For Office Online Server (formerly Office Web Apps Server):

Folder Exclusions

Drive:\Program Files\Microsoft Office Web Apps\*
Drive:\ProgramData\Microsoft\OfficeWebApps\Working\d\*
Drive:\ProgramData\Microsoft\OfficeWebApps\Working\waccache\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*

Office Online Server Process Exclusions

Add these processes to exclusions:

AgentManagerWatchdog.exe
AppServerHost.exe
broadcastwatchdog_app.exe
broadcastwatchdog_wfe.exe
DiskCacheWatchdog.exe
EditAppServerHost.exe
EditAppServerHostSlim.exe
excelcnv.exe
FarmStateManagerWatchdog.exe
FarmStateReplicator.exe
HostingServiceWatchdog.exe
ImagingService.exe
ImagingWatchdog.exe
MetricsProvider.exe
Microsoft.Office.Excel.Server.EcsWatchdog.exe
Microsoft.Office.Excel.Server.WfeWatchdog.exe
Microsoft.Office.Web.AgentManager.exe
Microsoft.Office.Web.WebOneNoteWatchdog.exe
OneNoteMerge.exe
ppteditingbackendwatchdog.exe
pptviewerbackendwatchdog.exe
pptviewerfrontendwatchdog.exe
ProofingWatchdog.exe
SandboxHost.exe
SpellingWcfProvider.exe
ULSControllerService.exe
W3wp.exe
WordViewerAppManagerWatchdog.exe
WordViewerWfeWatchdog.exe

Important: Monitor or reduce risk for the AppServerHost.exe process and the wacsm Microsoft service.


Step 5: Configure SharePoint 2013 Specific Exclusions

SharePoint Server 2013

In addition to the SharePoint Foundation 2013 exclusions listed below, add:

Drive:\Program Files\Microsoft Office Servers\15.0\Data\*
Drive:\Program Files\Microsoft Office Servers\15.0\Logs\*
Drive:\Program Files\Microsoft Office Servers\15.0\Bin\*
Drive:\Program Files\Microsoft Office Servers\15.0\Synchronization Service\*

SharePoint Foundation 2013

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Logs\*
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\Data\Applications\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\*
Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir\*
Drive:\ProgramData\Microsoft\SharePoint\*
Drive:\Users\[SearchServiceAccount]\AppData\Local\Temp\Gthrsvc_spsearch4\*
Drive:\WINDOWS\System32\LogFiles\*
Drive:\Windows\Syswow64\LogFiles\*

Step 6: Configure SharePoint 2010 Specific Exclusions

SharePoint Server 2010

Drive:\Program Files\Microsoft Office Servers\14.0\Data\*
Drive:\Program Files\Microsoft Office Servers\14.0\Logs\*
Drive:\Program Files\Microsoft Office Servers\14.0\Bin\*
Drive:\Program Files\Microsoft Office Servers\14.0\Synchronization Service\*

SharePoint Foundation 2010

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Logs\*
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\Applications\*
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\*
Drive:\Users\ServiceAccount\AppData\Local\Temp\WebTempDir\*
Drive:\ProgramData\Microsoft\SharePoint\*
Drive:\Users\[SearchServiceAccount]\AppData\Local\Temp\Gthrsvc_spsearch4\*

Step 7: Configure Legacy SharePoint Exclusions

Windows SharePoint Services 3.0

Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Logs\*
Drive:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\12\Data\Applications\*
Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\*
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\*
Drive:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\*
Drive:\Windows\Temp\WebTempDir\*
Drive:\Documents and Settings\[SearchServiceAccount]\Local Settings\Temp\*
Drive:\Users\[SearchServiceAccount]\Local\Temp\*

SharePoint Server 2007

Drive:\Program Files\Microsoft Office Servers\12.0\Data\*
Drive:\Program Files\Microsoft Office Servers\12.0\Logs\*
Drive:\Program Files\Microsoft Office Servers\12.0\Bin\*

Installation Note: When installing SharePoint Server 2007 or applying hotfixes, you may need to temporarily disable real-time scanning or exclude Drive:\Windows\Temp.


Step 8: Configure Search Service Exclusions

Critical Search Exclusions

The search service requires special attention:

  1. Index Location:
[Default or Custom Index Location]\*
  2. NodeRunner Process:
    • Used for the indexing process
    • Ensure noderunner.exe is excluded
  3. Search Service Account Temp:
Drive:\Users\[SearchServiceAccount]\AppData\Local\Temp\Gthrsvc_spsearch4\*

Important: The search account creates folders in the Temp directory that it must write to periodically.


Step 9: Apply and Test Exclusions

  1. Save Configuration: Click Save in the CrowdStrike Console
  2. Policy Propagation: Allow 5-10 minutes for policies to propagate
  3. Verification Steps:
# Test SharePoint services
Get-SPServiceInstance | Where {$_.Status -eq "Online"} | Select TypeName, Status

# Check timer service
Get-SPTimerJob | Where {$_.LastRunTime -lt (Get-Date).AddDays(-1)}

# Test search crawl
$ssa = Get-SPEnterpriseSearchServiceApplication
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $ssa

# Verify workflow manager (if applicable; run from the Workflow Manager PowerShell console)
Get-WFFarmStatus
  4. Functional Testing:
    • Upload a test document
    • Perform a search query
    • Create/edit a page
    • Test workflows
    • Verify Office Online document preview
    • Check timer jobs execution

Step 10: Farm-Wide Configuration

Multi-Server Farms

For SharePoint farms with multiple servers:

  1. Apply Role-Specific Exclusions:
    • Web Front End servers
    • Application servers
    • Search servers
    • Distributed cache servers
    • Office Online Server farm
  2. Consistency Check:
    • Ensure all servers have identical exclusions for shared components
    • Verify service account exclusions on all servers
  3. MinRole Compliance:
    • Follow MinRole topology recommendations
    • Apply exclusions based on server roles

Security Best Practices

Compensating Controls for SharePoint

  1. Application Security:
    • Enable SharePoint antivirus scanning at the application level
    • Configure AMSI (Antimalware Scan Interface) integration
    • Implement file upload restrictions
    • Enable versioning and recycle bin
  2. Network Security:
    • Implement Web Application Firewall (WAF)
    • Configure SSL/TLS properly
    • Use network segmentation
    • Enable DDoS protection
  3. Access Control:
    • Implement least privilege principle
    • Use claims-based authentication
    • Enable multi-factor authentication
    • Regular permission audits
  4. Monitoring:
    • Enable SharePoint audit logging
    • Monitor ULS logs
    • Set up SIEM integration
    • Track excluded directory access
  5. Data Protection:
    • Implement Information Rights Management (IRM)
    • Configure Data Loss Prevention (DLP)
    • Regular backups
    • Encryption at rest and in transit
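
One way to act on "Track excluded directory access" is a scheduled sweep of the excluded folders for recently written files that can run code. The following PowerShell is an added example, not part of the original guide or any CrowdStrike or Microsoft tooling; the root paths, extension list, function name and output file name are assumptions to replace with your own.

```powershell
# Added example: list recently written executable or script files under
# excluded folders so they can be reviewed. Paths are constructed samples;
# replace them with the exclusions configured for this server.
$ExcludedRoots = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16'
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
    'C:\ProgramData\Microsoft\SharePoint'
)
# File types that can run code on a SharePoint/IIS server (assumed list).
$RiskyExtensions = '.exe', '.dll', '.ps1', '.bat', '.cmd', '.vbs', '.js',
                   '.aspx', '.ashx', '.asmx'

function Get-RecentExecutableContent {
    param(
        [string[]]$Roots,
        [string[]]$Extensions,
        [int]$SinceHours = 24
    )
    $cutoff = (Get-Date).AddHours(-$SinceHours)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Excluded path not present on this server: $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $cutoff -and
                           $Extensions -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Path      = $_.FullName
                    Written   = $_.LastWriteTime
                    SHA256    = $hash.Hash      # empty if the file was locked
                    Signature = $sig.Status     # e.g. Valid, NotSigned, HashMismatch
                }
            }
    }
}

Get-RecentExecutableContent -Roots $ExcludedRoots -Extensions $RiskyExtensions |
    Sort-Object Written -Descending |
    Export-Csv -Path .\excluded-path-review.csv -NoTypeInformation
```

Forward the resulting CSV to your SIEM and compare each run against change records for SharePoint updates and solution deployments, since those legitimately write files into these folders.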

Risk Assessment Matrix

| Component | Performance Impact if Scanned | Security Risk if Excluded | Recommendation |
|---|---|---|---|
| Config cache | Critical – Service failures | Medium | Required exclusion |
| Search index | Critical – Crawl failures | Low | Required exclusion |
| BLOB cache | High – User experience | Low | Required exclusion |
| Temp directories | High – Operation failures | Low-Medium | Required exclusion |
| IIS virtual dirs | High – Access issues | Medium | Required exclusion |
| Workflow Manager | Critical – Workflow failures | Medium | Required if used |
| Office Online | Critical – Conversion failures | Low | Required if used |

Troubleshooting

Common Issues and Solutions

  1. File upload fails with “Access Denied”:
    • Verify WebTempDir exclusions
    • Check IIS temporary files exclusion
    • Review service account temp folders
  2. Search crawl errors:
    • Confirm index location is excluded
    • Check noderunner.exe process exclusion
    • Verify search service account temp folder
  3. Workflow failures:
    • Ensure Workflow Manager folders excluded
    • Check Service Bus exclusions
    • Verify .NET temporary files excluded
  4. Office Online document preview fails:
    • Confirm Office Web Apps folder exclusions
    • Check all watchdog processes excluded
    • Verify working directory exclusions
  5. Timer jobs not running:
    • Check configuration cache exclusion
    • Verify timer service account exclusions
    • Review Windows log directories

Diagnostic PowerShell Commands

# Check SharePoint health ("ContentDB" is a placeholder for an attached content database name)
Test-SPContentDatabase -Identity "ContentDB"

# Verify search health
$ssa = Get-SPEnterpriseSearchServiceApplication
Get-SPEnterpriseSearchStatus -SearchApplication $ssa

# Check timer service
Get-SPTimerJob | Where-Object {$_.Status -ne "Online"}

# Review service applications
Get-SPServiceApplication | Select DisplayName, Status

# Check IIS application pools (the IIS: drive is provided by the WebAdministration module)
Import-Module WebAdministration
Get-ChildItem IIS:\AppPools | Select Name, State

# Verify disk space on exclusion paths
Get-PSDrive -PSProvider FileSystem | Select Name, Used, Free

Maintenance and Review

Regular Tasks

  • Daily: Monitor ULS logs for antivirus-related errors
  • Weekly: Check search crawl success rates
  • Monthly: Review exclusion effectiveness
  • Quarterly: Audit exclusion list
  • After Updates:
    • SharePoint cumulative updates
    • CrowdStrike sensor updates
    • Windows updates
    • .NET Framework updates

Documentation Requirements

Maintain records of:

  • All configured exclusions per server role
  • Service account mappings
  • Custom folder locations (BLOB cache, index, etc.)
  • Performance baselines
  • Incident history
  • Change management records

Special Considerations

SharePoint Online Hybrid

For hybrid environments:

  • Apply on-premises exclusions
  • Consider Azure AD Connect exclusions if co-located
  • Exclude hybrid picker temporary files
  • Monitor cloud search service application

Custom Solutions

Additional exclusions may be needed for:

  • Third-party add-ins
  • Custom timer jobs
  • Provider-hosted apps
  • Custom service applications
  • Farm solutions with file system components

High Availability

For farms with high availability:

  • Ensure consistent exclusions across all nodes
  • Consider SQL Server AlwaysOn exclusions
  • Exclude witness directories for clustering
  • Monitor distributed cache service


Disclaimer

⚠️ Security Warning: Implementing these exclusions reduces CrowdStrike Falcon’s ability to detect and prevent threats in excluded locations. This creates potential security vulnerabilities that could be exploited by malicious actors.

Organizations should:

  • Implement SharePoint-native antivirus scanning
  • Deploy comprehensive compensating controls
  • Maintain detailed audit trails
  • Perform regular security assessments
  • Obtain formal risk acceptance from stakeholders
  • Consider the collaborative nature of SharePoint when assessing risk

These exclusions are based on Microsoft’s recommendations for all supported SharePoint versions. Your environment may require additional exclusions based on custom configurations, third-party solutions, or specific business requirements. Always test thoroughly in a non-production environment before implementing in production.

Last reviewed: February 2025
Applies to: SharePoint Server (all versions), SharePoint Foundation, WSS 3.0, Office Online Server, CrowdStrike Falcon