Antivirus exclusions for TwinPane Server (false positive)
How to configure antivirus exclusions for TwinPane Server in Microsoft Defender for Endpoint, Defender Antivirus, and third-party AV products when shell redirection triggers a behavioral detection.
This is a false positive. TwinPane Server is code-signed. The registry keys it writes are standard User Shell Folders under HKCU, the same keys Microsoft's own Folder Redirection Group Policy writes. No system keys (Userinit, Winlogon, or HKLM run keys) are modified. If your AV product flags TwinPane Server at logon, adding the exclusions below resolves it.
Why this is needed
TwinPane Server redirects user shell folders (Desktop, Documents, Downloads, etc.) to a network or redirected drive at logon. It does this by writing to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders — the same registry path used by Windows Folder Redirection via Group Policy.
Behavioral and heuristic AV engines may flag this pattern because rapid registry writes to shell folder paths at process startup resemble techniques used by ransomware or persistence mechanisms. The detection is a false positive: TwinPane Server only modifies the current user's shell folder paths within their own hive, restores originals on sign-out, and leaves all system-level keys untouched.
Adding process and folder exclusions for the TwinPane Server executable and install directory resolves the detection without reducing your security posture.
Microsoft Defender for Endpoint (MDE)
Use MDE indicators or policy when TwinPane Server is generating alerts in the Defender portal, or when you want organization-wide suppression managed centrally.
Option 1 — Defender portal (indicators / allow list)
- Go to security.microsoft.com and sign in as a Security Administrator.
- Navigate to Settings > Endpoints > Indicators.
- Select the Files tab, then Add indicator.
- Enter the SHA-256 hash of FileSyncBridgeServer.exe. Get it by running Get-FileHash on the installed binary:
Get-FileHash "C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe" -Algorithm SHA256 | Select-Object Hash
- Set Action to Allow, add a title and description, then save.
To allow by certificate instead of hash (recommended for ongoing updates):
- On the Certificates tab, select Add indicator.
- Enter the thumbprint of the TwinPane code-signing certificate.
- Set Action to Allow and save.
Certificate-based indicators cover all binaries signed by that certificate across future releases, so you do not need to update the indicator after each upgrade.
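Before creating either indicator, it is worth confirming what is actually signed. The script below is an added example, not vendor-supplied code: it validates the Authenticode signature on the server executable, prints the thumbprint and SHA-256 hash the steps above ask for, and lists any binary in the install folder that is unsigned or signed by a different certificate. It assumes the default install path used on this page.

```powershell
# Added example: inventory signatures in the install folder before allowing by certificate.
# $InstallDir is the path used on this page; adjust it if you installed elsewhere.
$InstallDir = 'C:\Program Files\FileSyncBridge Server'
$MainExe    = Join-Path $InstallDir 'FileSyncBridgeServer.exe'

$mainSig = Get-AuthenticodeSignature -FilePath $MainExe
if ($mainSig.Status -ne 'Valid') {
    throw "Signature on $MainExe is '$($mainSig.Status)'; do not create an allow indicator."
}
$thumb = $mainSig.SignerCertificate.Thumbprint

# Values the indicator steps above ask for
[pscustomobject]@{
    Subject    = $mainSig.SignerCertificate.Subject
    Thumbprint = $thumb
    NotAfter   = $mainSig.SignerCertificate.NotAfter
    SHA256     = (Get-FileHash -Path $MainExe -Algorithm SHA256).Hash
} | Format-List

# The path exclusion covers every file in the folder, so list anything
# that is unsigned or signed by a different certificate.
Get-ChildItem -Path $InstallDir -Recurse -File -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Thumbprint -ne $thumb) {
            [pscustomobject]@{
                File   = $_.FullName
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
```

Files listed by the second part are not covered by a certificate indicator for the main executable's signer; review each one before relying on the folder exclusion.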
Option 2 — Group Policy
Apply to session hosts via a GPO linked to the OU containing your AVD or RDS session hosts.
Path: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Exclusions
| Setting | Value |
|---|---|
| Process Exclusions | C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe |
| Path Exclusions | C:\Program Files\FileSyncBridge Server\ |
Option 3 — Intune endpoint security policy
- In the Intune admin center, go to Endpoint security > Antivirus.
- Select Create policy, choose Windows 10, Windows 11, and Windows Server, then select Microsoft Defender Antivirus.
- Under Microsoft Defender Antivirus Exclusions, add:
| Exclusion type | Value |
|---|---|
| Excluded processes | C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe |
| Excluded paths | C:\Program Files\FileSyncBridge Server\ |
- Assign the policy to your session host device group and save.
Option 4 — PowerShell
Run on each session host, or deploy via a remediation script in Intune:
Add-MpPreference -ExclusionProcess "C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe"
Add-MpPreference -ExclusionPath "C:\Program Files\FileSyncBridge Server\"
To also add an Attack Surface Reduction (ASR) path exclusion (required if ASR rules are enabled and triggering):
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe"
Verify the exclusions were applied:
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionOnlyExclusions
Microsoft Defender Antivirus (local)
Use this when managing individual machines or when a centralized policy is not yet in place.
Add exclusions via Windows Security UI
- Open Windows Security and go to Virus & threat protection.
- Under Virus & threat protection settings, select Manage settings.
- Scroll to Exclusions and select Add or remove exclusions.
- Add the following:
| Type | Value |
|---|---|
| Process | C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe |
| Folder | C:\Program Files\FileSyncBridge Server\ |
ASR rule exclusions
If Attack Surface Reduction rules are enabled and generating alerts, add an ASR exclusion via PowerShell. The detection most commonly triggered by shell folder redirection at logon is the Block persistence through WMI event subscription rule or the behavioral engine's generic heuristics. Add the path exclusion to cover all active rules:
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\FileSyncBridge Server\FileSyncBridgeServer.exe"
ASR exclusions are path-based and apply across all enabled rules. A single entry for the executable is sufficient.
Other antivirus products
CrowdStrike Falcon, SentinelOne, Sophos, Trend Micro, and similar products may generate behavioral alerts when TwinPane Server writes to shell folder registry paths at logon. The underlying detection logic is the same: rapid registry modification of user shell paths triggers heuristic sensors.
The resolution is the same across vendors: add a process exclusion for FileSyncBridgeServer.exe and a folder exclusion for C:\Program Files\FileSyncBridge Server\ from behavioral monitoring. Do not limit exclusions to signature-based scanning only — behavioral/heuristic engines must also be excluded.
Consult your vendor's documentation for the specific exclusion type labels (e.g., "sensor exclusion", "exclusion policy", "prevention policy exception"). The principle is consistent: exclude the server executable and its install directory from behavioral process monitoring.
Verifying the exclusion works
After applying exclusions, confirm resolution using all three of the following:
1. Defender protection history (local)
Get-MpThreatDetection | Where-Object { $_.ProcessName -like "*FileSyncBridge*" }
No results means no recent detections for the process.
2. TwinPane Server logs
Open the TwinPane Server log (accessible from the TwinPane Server tray icon or admin console). Confirm entries show shell redirection completing without errors or unusual delays at logon. Expected output includes successful redirection of Desktop, Documents, Downloads, Music, Pictures, and Videos.
3. MDE portal (if using MDE)
In the Defender portal, check Incidents & alerts > Alerts filtered by device name. Confirm no new alerts for FileSyncBridgeServer.exe appear after a test logon. If an alert was previously suppressed rather than excluded, create an exclusion indicator to prevent future alert generation at the engine level.
What TwinPane Server actually modifies
The table below lists every registry write TwinPane Server performs during shell redirection. Security teams can use this as an audit reference to confirm the scope of changes is limited to user shell folder paths.
X: represents the redirected drive letter assigned to the user session.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
| Value name | Data written |
|---|---|
| Desktop | X:\Desktop |
| {374DE290-123F-4565-9164-39C4925E467B} | X:\Downloads |
| Personal | X:\Documents |
| My Music | X:\Music |
| My Pictures | X:\Pictures |
| My Video | X:\Videos |
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
The same six values are mirrored here with fully expanded paths (no environment variable references). This key is a legacy cache maintained by Windows Explorer and is written by the same APIs used by folder redirection.
| Value name | Data written |
|---|---|
| Desktop | X:\Desktop |
| {374DE290-123F-4565-9164-39C4925E467B} | X:\Downloads |
| Personal | X:\Documents |
| My Music | X:\Music |
| My Pictures | X:\Pictures |
| My Video | X:\Videos |
HKCU\Software\FileSyncBridge\ShellRedirection
TwinPane Server stores the original shell folder paths here before applying redirection. These values are used to restore the user's original paths cleanly on sign-out. No system keys or other hives are written.
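To use the tables above as an audit reference in practice, the following added example (not vendor-supplied code) reads both Explorer keys in the signed-in user's hive, compares the six documented values with the expected data, and reports any other value that points at the redirected drive. `$Drive` is an assumption standing in for the `X:` placeholder; run it inside the user's session, since it reads HKCU.

```powershell
# Added example: compare the current user's shell folder values with the tables above.
# $Drive is an assumption: set it to the redirected drive letter for the session.
$Drive = 'X:'
$Expected = [ordered]@{
    'Desktop'                                = "$Drive\Desktop"
    '{374DE290-123F-4565-9164-39C4925E467B}' = "$Drive\Downloads"
    'Personal'                               = "$Drive\Documents"
    'My Music'                               = "$Drive\Music"
    'My Pictures'                            = "$Drive\Pictures"
    'My Video'                               = "$Drive\Videos"
}
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'

$report = foreach ($key in 'User Shell Folders', 'Shell Folders') {
    $regKey = Get-Item -Path "$Explorer\$key"
    foreach ($name in $regKey.GetValueNames()) {
        # Read raw data so %USERPROFILE%-style values are not expanded
        $data = $regKey.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if ($Expected.Contains($name)) {
            $state = if ($data -eq $Expected[$name]) { 'As documented' } else { 'Differs from table' }
        } elseif ("$data" -like "$Drive\*") {
            $state = 'Redirected but not in table'
        } else { continue }
        [pscustomobject]@{ Key = $key; Value = $name; Data = $data; State = $state }
    }
}
$report | Format-Table -AutoSize

# Saved originals that the page says are restored on sign-out
$Backup = 'HKCU:\Software\FileSyncBridge\ShellRedirection'
if (Test-Path $Backup) {
    Get-ItemProperty -Path $Backup | Select-Object * -ExcludeProperty PS*
} else {
    Write-Warning "$Backup not found: no saved originals to restore on sign-out."
}
```

Any row marked "Redirected but not in table" is a write outside the documented scope and should be investigated before the exclusion is left in place.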