
Microsoft Defender for Endpoint Exclusions for Veritas NetBackup

Configure Microsoft Defender for Endpoint exclusions for Veritas NetBackup to resolve performance issues, CPU spikes, and backup job failures.

12 min read. Updated April 2026.


What needs to be excluded and why

High-performance backup environments require low-latency disk and network operations. Microsoft Defender for Endpoint provides deep visibility into system activity, but its real-time protection engine can inadvertently throttle Veritas NetBackup operations. This happens because the antivirus engine treats backup data streams as standard file modifications. The security engine pauses operations to inspect data blocks, which introduces significant overhead for media servers moving terabytes of data.

Veritas NetBackup media servers rely on high throughput to meet backup windows. When the security scanner intercepts these streams, the resulting latency often leads to Status 24 or Status 42 errors. These errors indicate network or socket timeouts caused by the processing delay. Master servers also face issues when the NetBackup database files are scanned during high-frequency metadata updates. This double processing leads to CPU spikes, timeouts, and failed catalog backups.

Microsoft Defender uses a filter driver to monitor I/O requests. NetBackup utilizes its own set of drivers for tape management and snapshot operations. When both drivers attempt to intercept the same I/O request, it can cause kernel level contention. Proper exclusions tell the Defender engine to trust the file I/O operations initiated by specific Veritas binaries. This allows the system to bypass the inspection of trusted data streams while maintaining security for the rest of the server.

Where to add the exclusions in the Microsoft Defender portal

Configuring these settings requires administrative access to the Microsoft Defender portal. Open your web browser and navigate to security.microsoft.com. Scroll down the left navigation pane until you find the Settings section near the bottom of the list. Click the Endpoints link to open the endpoint-specific configuration menu.

Within the Endpoints menu, locate the section labeled Configuration Management. If your organization manages devices through the integrated Microsoft Intune interface, click on the link for Endpoint security policies. This will redirect you to the policy management blade where you can create or edit Antivirus profiles. If you are using the simplified management mode, look for the Exclusions tab under the Antivirus settings directly in the portal.

When creating a new policy, select Windows 10, Windows 11, and Windows Server as the platform. Choose Microsoft Defender Antivirus as the profile type. This ensures the exclusions apply to the core scanning engine. Navigate to the Configuration settings tab within the policy creator to find the Exclusions section. This panel allows you to input file extensions, folders, and process names for your NetBackup master and media servers.

The actual exclusion list

Folder exclusions must include the root installation paths for all Veritas components. The default path for most Windows installations is C:\Program Files\Veritas. You must ensure this path is added as a folder exclusion and set to include all subdirectories. This covers the binaries, configuration files, and temporary logs generated during active jobs.

Specific directories require individual attention if they are located on non-system drives. The NetBackup relational database is critical and is typically found in C:\Program Files\Veritas\NetBackupDB. This directory contains the Enterprise Media Manager and catalog databases. Scanning these files during a catalog backup can lead to database corruption or extreme performance degradation. If you have relocated your catalog to a different drive, you must exclude that specific path.

Disk Storage Units (DSU) are the most important folder exclusions. If your backups land on a dedicated volume like E:\NBU_Storage, that directory must be excluded from real-time scanning. This prevents the scanner from locking data blocks while the NetBackup Tape Manager is trying to write them. Failure to exclude storage targets is the most common cause of slow backup performance.

Process exclusions are required for the core NetBackup services. You should provide the full path to each executable to prevent potential spoofing. The following processes are essential for stable operations.

Core Process Exclusions

  • C:\Program Files\Veritas\NetBackup\bin\bpbkar32.exe (Backup Archive Manager)
  • C:\Program Files\Veritas\NetBackup\bin\bptm.exe (Tape Manager)
  • C:\Program Files\Veritas\NetBackup\bin\bpdm.exe (Disk Manager)
  • C:\Program Files\Veritas\NetBackup\bin\nbemm.exe (Enterprise Media Manager)
  • C:\Program Files\Veritas\NetBackup\bin\nbjm.exe (Job Manager)
  • C:\Program Files\Veritas\NetBackup\bin\nbproxy.exe (Communication Proxy)
  • C:\Program Files\Veritas\NetBackup\bin\vnetd.exe (Veritas Network Daemon)
  • C:\Program Files\Veritas\NetBackup\bin\bpcd.exe (Backup Control Daemon)

Verification

To verify that the exclusions are active on a specific server, use PowerShell with administrator privileges. Run the command Get-MpPreference and inspect the output. Review the ExclusionPath and ExclusionProcess properties to ensure all Veritas folders and binaries are listed correctly. If these fields are empty, the policy has not yet successfully synced to the host.

Checking the Windows Event Viewer provides another layer of confirmation. Navigate to Applications and Services Logs, then Microsoft, then Windows, and then Windows Defender. Look for Event ID 5007. This event indicates a configuration change. The event details will list the specific exclusion paths that were added. If you do not see this event after a policy sync, the server is not receiving the updates from the portal.

Use the Windows Performance Monitor to see the real world impact of the changes. Watch the Process counter for the MsMpEng.exe process, which is the Microsoft Malware Protection Engine. If this process shows high CPU usage while NetBackup jobs are running, the exclusions are likely incomplete. A successful configuration typically reduces security related CPU overhead by 60 percent or more during active backup windows.
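
The Get-MpPreference and Event ID 5007 checks above, scripted as an added example (not from the original page, Microsoft, or Veritas). The expected entries are the default paths listed on this page, E:\NBU_Storage is the page's sample storage volume, and the function name Test-PathCovered is hypothetical. It also flags process exclusions that contain wildcards, which this page advises against.

```powershell
# Added example. Expected entries are the defaults listed on this page;
# E:\NBU_Storage is the page's sample DSU volume, replace it with your own.
$expectedPaths = 'C:\Program Files\Veritas',
                 'C:\Program Files\Veritas\NetBackupDB',
                 'E:\NBU_Storage'
$binDir = 'C:\Program Files\Veritas\NetBackup\bin'
$expectedProcs = 'bpbkar32.exe','bptm.exe','bpdm.exe','nbemm.exe',
                 'nbjm.exe','nbproxy.exe','vnetd.exe','bpcd.exe' |
                 ForEach-Object { Join-Path $binDir $_ }

# A folder exclusion also covers its subfolders, so a parent entry counts.
function Test-PathCovered {
    param([string]$Path, [string[]]$Exclusions)
    foreach ($e in $Exclusions) {
        $root = $e.TrimEnd('\')
        if ($Path -eq $root -or
            $Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$pref = Get-MpPreference   # run from an elevated PowerShell session

$missingPaths = $expectedPaths |
    Where-Object { -not (Test-PathCovered $_ $pref.ExclusionPath) }
# Process exclusions are compared as full paths (case-insensitive).
$missingProcs = $expectedProcs |
    Where-Object { $pref.ExclusionProcess -notcontains $_ }
# Process entries containing wildcards (see the pitfall on this page).
$wildcardProcs = $pref.ExclusionProcess | Where-Object { $_ -match '[*?]' }

[pscustomobject]@{
    MissingFolderExclusions  = $missingPaths
    MissingProcessExclusions = $missingProcs
    WildcardProcessEntries   = $wildcardProcs
} | Format-List

# Recent Event ID 5007 (configuration changed) records that mention exclusions.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
    } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List
```

All three report fields empty means every expected entry is present; no 5007 output means no exclusion change has been logged among the most recent 50 configuration events.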

Common pitfalls

A common mistake is using incorrect wildcard syntax in the portal. Microsoft Defender for Endpoint supports wildcards, but they must be applied carefully. Do not use wildcards in process exclusions. The engine expects either the exact filename or the full path. If you use a wildcard in a process name, the exclusion will be ignored.

Policy precedence can also cause issues. If a server is part of multiple groups in the Microsoft Defender portal, a higher priority policy without exclusions might override your settings. Use the Policy Sync feature in the portal to force an update. Always check the Device Configuration status in the portal to ensure there are no "Conflict" or "Error" states reported for the target server.

Another pitfall is the difference between Antivirus exclusions and EDR exclusions. Antivirus exclusions prevent the real-time scanner from looking at file contents. EDR exclusions prevent the behavioral engine from flagging the process as suspicious. For NetBackup, the Antivirus exclusion is what solves the performance bottleneck. However, if you still see "Suspicious Process" alerts in the portal, you may also need to add an Indicator to allow the NetBackup binaries to run without behavioral interference.

Where to find the vendor's authoritative documentation

The definitive source for Microsoft Defender configuration is the Microsoft Learn documentation. Detailed guides on exclusion syntax and policy management are available at https://learn.microsoft.com/en-us/defender-endpoint/. This site provides the most current information on how the security engine interprets environment variables and path structures.

For Veritas specific guidance, refer to the NetBackup Administrator's Guide. Veritas maintains a dedicated support portal with technotes regarding antivirus software. Search for "NetBackup Antivirus Exclusions" to find the latest version of their official guidance. Always cross reference the Veritas recommended process list with your specific version of NetBackup, as newer versions may introduce additional binaries.
