Why Proper Exclusions are Mandatory for Backup Performance
Microsoft Defender for Endpoint provides robust protection by monitoring every file operation on a system. However, Veeam Backup & Replication generates massive amounts of disk I/O during backup, replication, and synthesis tasks. This high volume of activity often triggers real-time scanning engines to inspect every block being read or written.
When Defender scans these active backup files, it creates resource contention for the CPU and the disk subsystem. This conflict frequently results in slow data transfer rates or timed-out jobs. In many cases, the antivirus engine may temporarily lock a file during a merge or transformation operation. This causes the backup job to fail with a file access error.
Adding specific exclusions ensures that the antivirus engine does not interfere with known, safe processes used by the backup infrastructure. This approach maintains security while allowing the backup window to remain predictable. It prevents the system from wasting CPU cycles on scanning data that has already been verified by the backup software.
Where to Configure Exclusions in the Microsoft Defender Portal
To manage exclusions for a production environment, you should use the centralized Microsoft Defender portal. Avoid making changes locally on individual servers as these can be overwritten by global policies. The following steps describe the path through the security center.
Step 1: Access the Security Policy Section
Log in to the Microsoft Defender portal at security.microsoft.com. In the left-hand navigation menu, expand the Configuration management section. Select the Endpoint security policies option to view your current active deployments.
Step 2: Identify the Antivirus Policy
Click on the Antivirus tab located at the top of the main panel. This page lists all Microsoft Defender Antivirus policies currently in effect for your device groups. Select the policy that is assigned to your Veeam Backup & Replication servers, Proxies, and Repositories.
Step 3: Edit the Configuration Settings
Click the Edit button in the policy summary view. Navigate to the Configuration settings page. Expand the Microsoft Defender Antivirus dropdown menu to reveal the specific protection settings. Scroll down until you find the Exclusions section.
Step 4: Add New Exclusions
In the Exclusions panel, you will see options for excluded extensions, paths, and processes. Use the Add button to enter each specific value from the official vendor guidance. Ensure you save the policy and click through the review screen to apply the changes to your target devices.
Required Process and Folder Exclusions
Exclusions must be applied to every server role in the Veeam infrastructure. This includes the primary backup server, any dedicated proxy servers, and all repository servers. Use the following lists as a baseline for your configuration.
Process Exclusions
Excluding these executable files prevents the real-time scanner from hooking into the data movers. This is the most effective way to reduce CPU overhead during active jobs.
- Veeam.Backup.Service.exe: The primary service for the backup server.
- VeeamAgent.exe: The data mover process that runs on proxies and repositories.
- Veeam.Backup.ProxyService.exe: Manages tasks on the proxy server role.
- Veeam.Backup.MountService.exe: Used during file level recovery and instant recovery.
- Veeam.Backup.Manager.exe: Handles the user interface and job management.
- Veeam.Backup.VssBridge.exe: Facilitates communication with the Volume Shadow Copy service.
Folder and Path Exclusions
You should exclude the installation directories and the specific folders where metadata is stored. If you use a custom drive for your configuration backups, include that as well.
- C:\Program Files\Veeam: The default installation directory for all components.
- C:\Program Files (x86)\Veeam: Contains supporting 32-bit components.
- C:\ProgramData\Veeam: Stores logs, cached metadata, and configuration settings.
- C:\VeeamConfigBackup: The default location for the encrypted configuration database backups.
- The folder containing your Veeam Backup & Replication (VBR) database files: This is typically inside the Microsoft SQL Server or PostgreSQL data directory.
- The folder containing the Veeam vPower NFS cache: This is critical for Instant VM Recovery performance.
Repository Drive Exclusions
Excluding the actual storage paths where backup files reside is a common practice for high-performance environments. However, you must ensure these drives are dedicated solely to backups. Do not exclude the root of a drive if it contains other application data.
- Exclude the specific path to your backup repository (e.g., D:\BackupData or E:\VeeamRepo).
- Exclude the .vbk, .vib, and .vrb file extensions if you cannot exclude the entire folder. Note that an extension exclusion applies to every location on the system, not just the repository, so prefer the path exclusion wherever possible.
Verification of Exclusion Status
Once you apply the policy, you must confirm that the servers have received and honored the new settings. Do not assume the policy is active just because the portal shows a success message.
Using PowerShell for Instant Verification
Open an elevated PowerShell prompt on the target server. Run the command Get-MpPreference. Look for the lines labeled ExclusionPath and ExclusionProcess. These fields will list every value currently recognized by the local Defender engine. If the list is empty, the policy has not yet synchronized.
Checking the Windows Event Log
Defender logs every configuration change in the Windows Event Viewer. Navigate to Applications and Services Logs. Select Microsoft, then Windows, then Windows Defender. Open the Operational log. Look for Event ID 5007. This event confirms that a configuration change was made and will show the old and new values of the exclusion list.
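The two checks above can be combined into one script run from an elevated PowerShell prompt: it compares the local Defender exclusion lists against the processes and folders given in this article, then prints the most recent Event ID 5007 entries. This is an added example, not code from the original article, Veeam or Microsoft; D:\BackupData is a placeholder repository path to replace with your own.

```powershell
# Added example: verify that the Veeam exclusions from this article have reached the local
# Defender engine, then show recent configuration-change events (Event ID 5007).

# Expected values, taken from the lists in this article.
$ExpectedProcesses = @(
    'Veeam.Backup.Service.exe',
    'VeeamAgent.exe',
    'Veeam.Backup.ProxyService.exe',
    'Veeam.Backup.MountService.exe',
    'Veeam.Backup.Manager.exe',
    'Veeam.Backup.VssBridge.exe'
)
$ExpectedPaths = @(
    'C:\Program Files\Veeam',
    'C:\Program Files (x86)\Veeam',
    'C:\ProgramData\Veeam',
    'C:\VeeamConfigBackup',
    'D:\BackupData'   # placeholder: replace with your repository folder
)

$pref = Get-MpPreference

# Compare case-insensitively and ignore a trailing backslash, so 'C:\Veeam\' and 'C:\Veeam'
# count as the same folder. Process exclusions may have been entered as full paths, so compare
# on the file name only.
function ConvertTo-NormalizedPath([string]$p) { return $p.TrimEnd('\').ToLowerInvariant() }
$currentPaths = @($pref.ExclusionPath | ForEach-Object { ConvertTo-NormalizedPath $_ })
$currentProcs = @($pref.ExclusionProcess | ForEach-Object { [System.IO.Path]::GetFileName($_).ToLowerInvariant() })

$missing = @()
foreach ($p in $ExpectedPaths) {
    if ($currentPaths -notcontains (ConvertTo-NormalizedPath $p)) { $missing += "Path: $p" }
}
foreach ($x in $ExpectedProcesses) {
    if ($currentProcs -notcontains $x.ToLowerInvariant()) { $missing += "Process: $x" }
}

if ($missing.Count -eq 0) {
    Write-Output 'All expected Veeam exclusions are present in the local Defender configuration.'
} else {
    Write-Warning 'The following expected exclusions are NOT active locally (policy may not have synchronized yet):'
    $missing | ForEach-Object { Write-Warning "  $_" }
}

# Event ID 5007 in the Defender Operational log records each configuration change with old and new values.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

If the script reports missing entries on a server that the portal shows as compliant, wait for the next policy sync and rerun before editing anything locally, since local changes can be overwritten by the global policy.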
Common Pitfalls and Troubleshooting
A frequent mistake is forgetting to apply the exclusions to the backup proxy servers. Proxies handle the heaviest data processing and are most susceptible to performance hits from antivirus scanning. Ensure your device groups in the Microsoft Defender portal include all infrastructure roles.
Another issue occurs when path names contain trailing slashes or incorrect wildcards. Microsoft Defender for Endpoint is specific about path formatting. A path like C:\Veeam\ may behave differently than C:\Veeam. Check the local policy to ensure the paths are resolved correctly by the operating system.
If you find that performance is still poor, check if other security features are interfering. Features like Attack Surface Reduction (ASR) rules can sometimes block Veeam from executing scripts or accessing certain folders. Review the blocked actions in the Security Center to see if your backup processes are being throttled by an ASR rule rather than the standard antivirus engine.
Authoritative Documentation Resources
Security requirements change frequently as new threats emerge. Always cross-reference your configuration with the latest guidance from both Microsoft and the software vendor. These resources are updated whenever new service packs or versions are released.
For general information on managing exclusions via the security center, visit the Microsoft Learn documentation for Defender for Endpoint at https://learn.microsoft.com/en-us/defender-endpoint/. This site provides the canonical definitions for policy settings and deployment methods.
For the most current list of Veeam-specific processes and folders, consult the Veeam Help Center. Search for the Antivirus Exclusions page in the User Guide for VMware vSphere or Microsoft Hyper-V. These pages provide a granular breakdown of every service and path involved in the backup lifecycle.