What risks come with excluding SharePoint Server in CrowdStrike Falcon?

Implementing recommended exclusions for SharePoint Server in CrowdStrike Falcon can improve performance but may expose the system to security vulnerabilities. Excluding entire installation paths allows malicious files to execute undetected, increasing risks of data breaches. To mitigate these risks, organizations should establish compensating controls such as strict access policies, regular security audits, and enhanced monitoring of excluded directories. Application whitelisting can restrict execution to approved applications, and a robust incident response plan is essential for addressing potential security incidents. Utilizing endpoint detection and response (EDR) systems can help identify threats that bypass traditional antivirus solutions. Regularly reviewing and updating the exclusion list is crucial to maintaining security as the SharePoint environment evolves.

How do I manage and check exclusions in CrowdStrike Falcon for SharePoint?

To effectively manage and monitor exclusions in CrowdStrike Falcon for your SharePoint environment, document all exclusions and their justifications for audit purposes. Conduct quarterly reviews to assess the necessity of each exclusion, considering changes in your SharePoint configuration, CrowdStrike updates, or emerging threats. Utilize the CrowdStrike Falcon Console to generate reports on endpoint health and flagged exclusions. Implement logging and monitoring solutions, such as integrating with SIEM systems, to track access to excluded directories and detect anomalies. Configure alerts for unusual access patterns or file changes within these paths, enabling prompt remediation. Additionally, train your IT staff to recognize and respond to alerts related to exclusions to enhance security.

What should I do if I get 'access denied' errors in SharePoint after setting exclusions in CrowdStrike?

If you encounter 'access denied' errors in SharePoint after configuring exclusions in CrowdStrike Falcon, start by verifying that the exclusions are correctly applied to the actual SharePoint installation paths. Check that service accounts have the necessary permissions for these directories and are not restricted by Group Policy Objects (GPOs). If permissions are correct but errors persist, temporarily disable the exclusions to see if they are the cause. If this resolves the issue, refine your exclusion list or consult CrowdStrike support for further assistance. Additionally, review the SharePoint ULS logs for insights into the errors, which may reveal whether they are linked to antivirus settings or other issues. Document any changes and outcomes for future reference.

How to Configure CrowdStrike Exclusions for SharePoint Server

Last Updated: February 2025

Overview

File-level antivirus software can cause significant issues with SharePoint operations if not properly configured. Incorrect antivirus configuration can lead to “access denied” errors during file uploads, search indexing failures, workflow disruptions, and performance degradation across your SharePoint farm.

This guide provides comprehensive exclusion recommendations for CrowdStrike Falcon when protecting SharePoint environments, based on Microsoft's official antivirus exclusion guidance for SharePoint.

⚠️ Critical Security Notice: While these exclusions prevent operational conflicts and maintain SharePoint performance, they reduce CrowdStrike’s security coverage. Each exclusion creates a potential security vulnerability. Organizations must implement compensating controls and carefully evaluate the risks versus operational requirements.

Supported SharePoint Versions

This guide covers exclusions for:

SharePoint Server Subscription Edition
SharePoint Server 2019
SharePoint Server 2016
SharePoint Server 2013
SharePoint Foundation 2013
SharePoint Server 2010
SharePoint Foundation 2010
Windows SharePoint Services 3.0
SharePoint Server 2007
SharePoint Workflow Manager
Office Online Server

Common Issues Without Proper Exclusions

Without appropriate exclusions, you may experience:

“Access denied” errors when uploading files
Search crawl and indexing failures
Workflow execution interruptions
Document library corruption
Web part rendering issues
Timer job failures
Service application disruptions
Content database locks
Configuration cache corruption
Temporary file conflicts
Office Online Server document conversion failures
Performance degradation during peak usage

Prerequisites

CrowdStrike Falcon administrative access
Access to the Falcon Console: https://falcon.crowdstrike.com or https://falcon.us-2.crowdstrike.com/ (varies by tenant)
SharePoint installation paths documented
SharePoint Management Shell access
List of all SharePoint servers and their roles
Service account information
Understanding of your SharePoint topology

Step 1: Access CrowdStrike Falcon Console

Open your browser and navigate to your Falcon Console:
- Primary: https://falcon.crowdstrike.com
- US-2: https://falcon.us-2.crowdstrike.com/
- (Contact your CrowdStrike administrator if unsure of your tenant location)
Sign in using your admin credentials
Navigate to Endpoint Security > Configure > Exclusions

Step 2: Configure SharePoint Core Exclusions

Note: In all paths below, Drive: represents the drive letter where SharePoint is installed (typically C:).

SharePoint Server Subscription Edition, 2019, and 2016

Add these folder exclusions:

Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\*

Or exclude specific critical folders:

Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\*
Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\16\\Logs\\*
Drive:\\Program Files\\Microsoft Office Servers\\16.0\\Data\\Office Server\\Applications\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\*
Drive:\\Users\\ServiceAccount\\AppData\\Local\\Temp\\WebTempDir\\*
Drive:\\ProgramData\\Microsoft\\SharePoint\\*
Drive:\\Users\\[SearchServiceAccount]\\AppData\\Local\\Temp\\*
Drive:\\WINDOWS\\System32\\LogFiles\\*
Drive:\\Windows\\Syswow64\\LogFiles\\*

Service Account Specific Exclusions

If using specific accounts for SharePoint services:

Drive:\\Users\\ServiceAccount\\AppData\\Local\\Temp\\*
Drive:\\Users\\Default\\AppData\\Local\\Temp\\*

BLOB Cache Exclusions

If using disk-based BLOB cache:

C:\\Blobcache\\*
[Or your configured BLOB cache location]

IIS Virtual Directories

Exclude all virtual directory folders:

Drive:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\*
Drive:\\inetpub\\temp\\IIS Temporary Compressed Files\\*

Step 3: Configure SharePoint Workflow Manager Exclusions

If using SharePoint Workflow Manager, add these exclusions:

Drive:\\Program Files\\Workflow Manager\\*
Drive:\\Program Files\\Reference Assemblies\\Microsoft\\Workflow Manager\\*
Drive:\\Program Files\\Service Bus\\*
Drive:\\ProgramData\\Workflow Manager\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\*
Drive:\\inetpub\\*
Drive:\\Windows\\System32\\inetsrv\\*
Drive:\\Windows\\SysWOW64\\inetsrv\\*
Drive:\\Users\\Default\\AppData\\Local\\Temp\\*

Step 4: Configure Office Online Server Exclusions

For Office Online Server (formerly Office Web Apps Server):

Folder Exclusions

Drive:\\Program Files\\Microsoft Office Web Apps\\*
Drive:\\ProgramData\\Microsoft\\OfficeWebApps\\Working\\d\\*
Drive:\\ProgramData\\Microsoft\\OfficeWebApps\\Working\\waccache\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\*

Office Online Server Process Exclusions

Add these processes to exclusions:

AgentManagerWatchdog.exe
AppServerHost.exe
broadcastwatchdog_app.exe
broadcastwatchdog_wfe.exe
DiskCacheWatchdog.exe
EditAppServerHost.exe
EditAppServerHostSlim.exe
excelcnv.exe
FarmStateManagerWatchdog.exe
FarmStateReplicator.exe
HostingServiceWatchdog.exe
ImagingService.exe
ImagingWatchdog.exe
MetricsProvider.exe
Microsoft.Office.Excel.Server.EcsWatchdog.exe
Microsoft.Office.Excel.Server.WfeWatchdog.exe
Microsoft.Office.Web.AgentManager.exe
Microsoft.Office.Web.WebOneNoteWatchdog.exe
OneNoteMerge.exe
ppteditingbackendwatchdog.exe
pptviewerbackendwatchdog.exe
pptviewerfrontendwatchdog.exe
ProofingWatchdog.exe
SandboxHost.exe
SpellingWcfProvider.exe
ULSControllerService.exe
W3wp.exe
WordViewerAppManagerWatchdog.exe
WordViewerWfeWatchdog.exe

Important: Monitor or reduce risk for the AppServerHost.exe process and the wacsm Microsoft service.

Step 5: Configure SharePoint 2013 Specific Exclusions

SharePoint Server 2013

In addition to Foundation exclusions, add:

Drive:\\Program Files\\Microsoft Office Servers\\15.0\\Data\\*
Drive:\\Program Files\\Microsoft Office Servers\\15.0\\Logs\\*
Drive:\\Program Files\\Microsoft Office Servers\\15.0\\Bin\\*
Drive:\\Program Files\\Microsoft Office Servers\\15.0\\Synchronization Service\\*

SharePoint Foundation 2013

Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\Logs\\*
Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\15\\Data\\Applications\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\*
Drive:\\Users\\ServiceAccount\\AppData\\Local\\Temp\\WebTempDir\\*
Drive:\\ProgramData\\Microsoft\\SharePoint\\*
Drive:\\Users\\[SearchServiceAccount]\\AppData\\Local\\Temp\\Gthrsvc_spsearch4\\*
Drive:\\WINDOWS\\System32\\LogFiles\\*
Drive:\\Windows\\Syswow64\\LogFiles\\*

Step 6: Configure SharePoint 2010 Specific Exclusions

SharePoint Server 2010

Drive:\\Program Files\\Microsoft Office Servers\\14.0\\Data\\*
Drive:\\Program Files\\Microsoft Office Servers\\14.0\\Logs\\*
Drive:\\Program Files\\Microsoft Office Servers\\14.0\\Bin\\*
Drive:\\Program Files\\Microsoft Office Servers\\14.0\\Synchronization Service\\*

SharePoint Foundation 2010

Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\Logs\\*
Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\14\\Data\\Applications\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\*
Drive:\\Users\\ServiceAccount\\AppData\\Local\\Temp\\WebTempDir\\*
Drive:\\ProgramData\\Microsoft\\SharePoint\\*
Drive:\\Users\\[SearchServiceAccount]\\AppData\\Local\\Temp\\Gthrsvc_spsearch4\\*

Step 7: Configure Legacy SharePoint Exclusions

Windows SharePoint Services 3.0

Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\12\\Logs\\*
Drive:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\12\\Data\\Applications\\*
Drive:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Temporary ASP.NET Files\\*
Drive:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\Config\\*
Drive:\\Windows\\Temp\\WebTempDir\\*
Drive:\\Documents and Settings\\[SearchServiceAccount]\\Local Settings\\Temp\\*
Drive:\\Users\\[SearchServiceAccount]\\Local\\Temp\\*

SharePoint Server 2007

Drive:\\Program Files\\Microsoft Office Servers\\12.0\\Data\\*
Drive:\\Program Files\\Microsoft Office Servers\\12.0\\Logs\\*
Drive:\\Program Files\\Microsoft Office Servers\\12.0\\Bin\\*

Installation Note: When installing SharePoint Server 2007 or applying hotfixes, you may need to temporarily disable real-time scanning or exclude Drive:\\Windows\\Temp.

Step 8: Configure Search Service Exclusions

Critical Search Exclusions

The search service requires special attention:

Index Location:

[Default or Custom Index Location]\\*

NodeRunner Process:
Used for indexing process
Ensure noderunner.exe is excluded
Search Service Account Temp:

Drive:\\Users\\[SearchServiceAccount]\\AppData\\Local\\Temp\\Gthrsvc_spsearch4\\*

How to Configure CrowdStrike Exclusions for SharePoint Server

Overview

Supported SharePoint Versions

Common Issues Without Proper Exclusions

Prerequisites

Step 1: Access CrowdStrike Falcon Console

Step 2: Configure SharePoint Core Exclusions

SharePoint Server Subscription Edition, 2019, and 2016

Service Account Specific Exclusions

BLOB Cache Exclusions

IIS Virtual Directories

Step 3: Configure SharePoint Workflow Manager Exclusions

Step 4: Configure Office Online Server Exclusions

Folder Exclusions

Office Online Server Process Exclusions

Step 5: Configure SharePoint 2013 Specific Exclusions

SharePoint Server 2013

SharePoint Foundation 2013

Step 6: Configure SharePoint 2010 Specific Exclusions

SharePoint Server 2010

SharePoint Foundation 2010

Step 7: Configure Legacy SharePoint Exclusions

Windows SharePoint Services 3.0

SharePoint Server 2007

Step 8: Configure Search Service Exclusions

Critical Search Exclusions

Frequently Asked Questions

Need Professional Help?

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide

How to Configure CrowdStrike Exclusions for SharePoint Server

Overview

Supported SharePoint Versions

Common Issues Without Proper Exclusions

Prerequisites

Step 1: Access CrowdStrike Falcon Console

Step 2: Configure SharePoint Core Exclusions

SharePoint Server Subscription Edition, 2019, and 2016

Service Account Specific Exclusions

BLOB Cache Exclusions

IIS Virtual Directories

Step 3: Configure SharePoint Workflow Manager Exclusions

Step 4: Configure Office Online Server Exclusions

Folder Exclusions

Office Online Server Process Exclusions

Step 5: Configure SharePoint 2013 Specific Exclusions

SharePoint Server 2013

SharePoint Foundation 2013

Step 6: Configure SharePoint 2010 Specific Exclusions

SharePoint Server 2010

SharePoint Foundation 2010

Step 7: Configure Legacy SharePoint Exclusions

Windows SharePoint Services 3.0

SharePoint Server 2007

Step 8: Configure Search Service Exclusions

Critical Search Exclusions

Frequently Asked Questions

Need Professional Help?

Related Articles

CrowdStrike User Roles: Create Custom Roles & Manage Permissions

CrowdStrike Exchange Exclusions | Configure Falcon for Exchange Server

Deploy CrowdStrike Falcon via GPO | Active Directory Guide