Understanding Commvault and Defender Scanning Conflicts
Commvault infrastructure handles high volumes of read and write operations during backup cycles. The real-time protection engine in Microsoft Defender for Endpoint monitors these operations to detect malicious activity. When a backup job starts, the antivirus agent attempts to scan every file Commvault accesses. This resource contention leads to high CPU usage, increased disk latency, and frequent job timeouts.
Configuring exclusions ensures that Defender trusts the Commvault processes and directories. This optimization is critical for MediaAgents and CommServe servers. Without these settings, the deduplication database performance will degrade significantly. The latency introduced by scanning database lookup operations can cause the database to go offline or report maintenance errors.
Where to Add Exclusions in the Microsoft Defender Portal
Administrators manage exclusions through the Microsoft Defender portal. Open your browser and navigate to the security.microsoft.com dashboard. Locate the navigation menu on the left side of the screen. Scroll down to find the Settings option at the bottom of the list.
Select Endpoints from the Settings sub-menu. Look for the Configuration management section in the center pane. Click on Exclusions to open the management interface. This page allows you to define rules that prevent the antivirus engine from scanning specific files or activities.
Click the Add exclusion button to start a new entry. You must choose between file, folder, or process types for each entry. For larger environments, consider using Microsoft Intune or Group Policy to deploy these exclusions across all MediaAgents and clients simultaneously. Using the portal is best for testing or managing standalone servers.
Recommended Commvault Exclusion List
Effective exclusions must cover the binaries, the temporary storage areas, and the databases. Use the following lists as a baseline for your configuration. Replace the example drive letters with the actual paths used in your environment.
Folder Exclusions
Exclude the main installation directory. The default path is usually C:\Program Files\Commvault\ContentStore. This directory contains the binaries and system configuration files required for the software to run.
Exclude the Job Results directory. This folder handles high-frequency metadata writes during every backup job. A common path is C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults. If you moved this to a different volume, exclude the new path instead.
Exclude the Index Cache folder. MediaAgents use this to store metadata for fast browsing and recovery. A typical path might be D:\Commvault\IndexCache. Scanning this folder causes significant delays when users try to restore data.
Exclude the Deduplication Database (DDB) folder. This is the most critical exclusion. The DDB requires sub-millisecond latency for lookups. Any interference from a security agent will cause the DDB to go into a pending state. An example path is E:\Commvault\DDB.
Process Exclusions
Process exclusions are more effective than folder exclusions because they prevent Defender from scanning any file opened by the specific application. Add the following executables to your process exclusion list:
- cvd.exe (Commvault Communications Service)
- cvlaunch.exe (Commvault Launcher Service)
- ClBackup.exe (Commvault Backup Application)
- ClRestore.exe (Commvault Restore Application)
- IFind.exe (Commvault Find Tool)
- JobMgr.exe (Commvault Job Manager)
- SIDB.exe (Commvault Deduplication Database Engine)
Include the full path to these processes if your security policy requires it. They are typically located in the Base folder of the installation directory.
Verification of Exclusion Settings
After applying the changes, you must verify that the endpoint honors the exclusions. Open an elevated PowerShell session on the server. Run the command Get-MpPreference and look for the ExclusionPath and ExclusionProcess sections. The output should list every path and process you added in the portal.
Check the Windows Event Viewer for confirmation. Navigate to Applications and Services Logs, then Microsoft, then Windows, then Windows Defender. Look in the Operational log for Event ID 5007. This event logs every change made to the antivirus configuration, including the addition of new exclusions.
Use Performance Monitor to observe the MsMpEng.exe process. This is the executable for the Microsoft Defender antivirus engine. Monitor its CPU and disk usage while a Commvault backup job is running. If the exclusions are working, you should not see high activity from MsMpEng.exe on the Commvault data volumes.
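The first two checks above can be scripted. The following is an added example, not taken from Microsoft or Commvault documentation; it assumes the example paths and process names from this article, so replace them with the values used in your environment. Run it from an elevated PowerShell session.

```powershell
# Added example. Paths are the example paths from this article; replace with your own.
$expectedPaths = @(
    'C:\Program Files\Commvault\ContentStore',
    'C:\Program Files\Commvault\ContentStore\iDataAgent\JobResults',
    'D:\Commvault\IndexCache',
    'E:\Commvault\DDB'
)
$expectedProcesses = @('cvd.exe', 'cvlaunch.exe', 'ClBackup.exe', 'ClRestore.exe',
                       'IFind.exe', 'JobMgr.exe', 'SIDB.exe')

$pref = Get-MpPreference
# Drop nulls so an empty exclusion list becomes an empty array.
$actualPaths = @($pref.ExclusionPath    | Where-Object { $_ })
$actualProcs = @($pref.ExclusionProcess | Where-Object { $_ })

# A non-elevated session, or a host configured to hide exclusions, returns a
# placeholder string starting with "N/A" instead of the real list.
if (@($actualPaths + $actualProcs) -match '^N/A') {
    throw 'Exclusions are not visible in this session; rerun from an elevated prompt.'
}

# Compare case-insensitively and ignore a trailing backslash.
$normPaths    = $actualPaths | ForEach-Object { $_.TrimEnd('\') }
$missingPaths = @($expectedPaths | Where-Object { $normPaths -notcontains $_.TrimEnd('\') })

# Process entries may be stored as a bare name or a full path; compare file names.
$procNames    = $actualProcs | ForEach-Object { ($_ -split '\\')[-1] }
$missingProcs = @($expectedProcesses | Where-Object { $procNames -notcontains $_ })

if ($missingPaths -or $missingProcs) {
    Write-Warning "Missing path exclusions: $($missingPaths -join ', ')"
    Write-Warning "Missing process exclusions: $($missingProcs -join ', ')"
} else {
    Write-Output 'All expected Commvault exclusions are present.'
}

# Event ID 5007 records configuration changes; show recent ones that touched exclusions.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object -First 20 TimeCreated, Message |
    Format-List
```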
Common Pitfalls and Troubleshooting
A common mistake is using incorrect wildcards. Microsoft Defender supports specific wildcard patterns, but using them incorrectly can leave the system vulnerable or fail to exclude the target. Always prefer absolute paths over environment variables when possible.
Check for conflicting policies. If you configure exclusions in the Defender portal and also have a Group Policy Object (GPO) for Windows Defender, the GPO might overwrite the portal settings. Use the Resultant Set of Policy tool to confirm which settings the server actually applies.
Ensure that you are not excluding the entire drive. Excluding an entire volume like D:\ is a security risk and may be flagged during audits. Narrow your exclusions to the specific sub-folders used by Commvault. If the exclusion is not honored, check if the server requires a reboot to refresh the real-time protection settings.
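The pitfalls above can be checked on the server itself. This is an added example, not vendor tooling: it flags whole-volume, wildcard and environment-variable path entries, lists process exclusions defined by name only, and shows which exclusions were delivered by Group Policy. The registry location for GPO-delivered exclusions is stated here as the standard Windows policy path and does not come from this page.

```powershell
# Added example: audit the exclusions Defender reports on this server.
$pref  = Get-MpPreference
$paths = @($pref.ExclusionPath    | Where-Object { $_ })
$procs = @($pref.ExclusionProcess | Where-Object { $_ })

$findings = @(foreach ($p in $paths) {
    if ($p -match '^[A-Za-z]:\\?\*?$') {
        # Matches D:, D:\ and D:\*
        [pscustomobject]@{ Entry = $p; Issue = 'Whole volume excluded' }
    } elseif ($p -match '[*?]') {
        [pscustomobject]@{ Entry = $p; Issue = 'Wildcard: confirm it matches only Commvault folders' }
    } elseif ($p -match '%[^%]+%') {
        [pscustomobject]@{ Entry = $p; Issue = 'Environment variable: prefer an absolute path' }
    }
})

# A process exclusion without a path applies to any executable with that file name,
# wherever it is stored, so list those entries for review.
$findings += @(foreach ($x in $procs) {
    if ($x -notmatch '\\') {
        [pscustomobject]@{ Entry = $x; Issue = 'Process excluded by name only; consider the full path' }
    }
})

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No overly broad exclusions found.'
}

# Exclusions delivered by Group Policy are written under the Policies key. Entries
# listed here come from a GPO, which helps when checking for conflicting policies.
$gpoRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'
foreach ($kind in 'Paths', 'Processes') {
    $key = Get-Item -Path "$gpoRoot\$kind" -ErrorAction SilentlyContinue
    if ($key) {
        $key.Property | ForEach-Object { "GPO $kind exclusion: $_" }
    }
}
```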
Authoritative Documentation and References
Always consult the latest documentation from both vendors when performing these configurations. Microsoft provides a canonical guide for antivirus exclusions on their official site. You can find detailed technical information at https://learn.microsoft.com/en-us/defender-endpoint/.
Commvault also maintains a list of required antivirus exclusions in their online documentation. They update this list whenever they release new versions of the software or introduce new services. Cross-reference your settings with their official maintenance guides for the specific service pack you are running. Keeping these exclusions updated is a vital part of proactive server maintenance.