Many PC users have experienced data loss due to Microsoft Defender Antivirus removing useful files owing to false positive threat detection or a document containing malware. Malicious documents or infected executable files can disrupt the operating system or programs. To protect computer users and maintain PC health and efficiency, antivirus software continually works to prevent potential dangers and eliminate them before they cause any harm. These precautionary measures might sometimes result in the loss of files that the user does not wish to lose. Other times, antiviral software generates false positives (for example, due to digital signature mismatch, revocation, or expiration).
There are several forms of viruses that can infiltrate and deactivate our devices’ built-in antivirus software. In a situation like this, you can use the built-in Windows Security Offline feature designed to help remove tough viruses, see How to find and remove Malware with Microsoft Defender Offline to learn more.
So how can you restore files quarantined by Microsoft Defender antivirus, and how can you reduce the number of future incidents?
Here are other related guides: How to find and remove Malware with Microsoft Defender Offline, How to turn on Windows 10 Tamper Protection for Microsoft Defender, Microsoft Endpoint Manager: How to manage Microsoft Defender Antivirus with Group Policy and Microsoft Malware Protection via the Command Line Utility, and Smart App Control and how to enable Phishing Protection: Windows 11 New Security Features.
In this article, we will look at how to restore quarantine files in Microsoft Defender, and how to add file to Exclusion list to prevent them from being quarantine. I will be using a Windows 11 in this example, but the technique is the same on Windows 10.
View and restore quarantined files in Microsoft Defender Antivirus
Windows Security always quarantines any suspicious file before deleting it, briefly outlining the nature of the probable threat and the potential threat level that threat may pose.
By default, the virus storage in Windows Security is located under the following path: C:\ProgramData\Microsoft\Windows Defender\Quarantine. However, we advise that you only interact with them through Windows Security interface since it is far more reliable.
To view and restore quarantine files in Microsoft Windows Defender, press Windows key + I key combination to open the Settings menu. Click on Privacy and Security, on the right side select the Windows Security item.
Under Windows Security, select the Open Windows Security option.
In the Windows Security click Virus and Threat Protection.
Under Current threats click Protection history. Here you can see the complete list of available and eliminated threats that Windows Defender placed in quarantine. Quarantined items are absolutely harmless while they’re held in quarantine.
If you are certain a quarantined file is not a threat, and you want to restore it. In the list of all recent items, filter on Quarantined Items. Select an item you want to keep, and take an action, such as restore.
Restore file from quarantine using Command Prompt
You can roll back and remove a file from quarantine if you’ve determined that it’s clean after an investigation. Run the following command on each device where the file was quarantined.
Go to Start and type cmd. Then right-click Command prompt and select Run as administrator.
Enter the following command, and press Enter:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -Name EUS:Win32/CustomEnterpriseBlock -All
How to add files to Exclusions
If you are absolutely sure a particular file poses no threat, you can manually fix false positive detection by adding the file to the list of exclusions to prevent future removal by Windows Security.
In the Virus and Threat Protection window, scroll down and find Virus and Threat Protection Settings, under it click on Manage settings.
Scroll down and find the Exclusions option and click on Add or remove exclusions.
Click Add an exclusion and select the type.
Specify the path to the file, folder, file type or process that you want to add as exclusion.
If you have several programs that are falsely detected by Windows Defender, you can place all of them into a separate folder. This will ensure that these files are excluded from future detections.
Important: We strongly advise you not to upload files obtained from unreliable sources to the Exclusion folder. Nobody wants a virus to take control of their computer. Such negligence can have far-reaching effects.