Thanks for the links!

By the way, here's a useful article on this topic http://myspybot.com/query-router-virus/

"Web browsers are flexible tools allowing for extensive customization to fully meet users’ preferences. It’s remarkably simple to define a site that will be automatically resolved when a browser is opened. Things like the new tab page and default search engine are easy to configure as well. But what if this convenient state of things just stops working all of the sudden? The only plausible reason for such a mishap is malicious activity going on inside a computer. There is a category of offending code that impacts this particular facet of PC usage. It’s generally referred to as adware, which itself can be broken down into subgroups such as hijackers and ad-serving threats. Query Router, also known as QueryRouter, is an unwanted applet that embodies this type of nefarious activity.

When infected with the Query Router virus, people lose control of their custom browsing settings. The cyber parasite bypasses user authorization when changing the homepage, new tab page and search provider to search.queryrouter.com value. These modifications take place without admin’s permission because the corresponding browser plugin or extension obtains elevated privileges automatically – that’s the way it is programmed. Another trait of this adware is that it is indiscriminate in terms of the browser type, so those using Chrome, for instance, aren’t any more secure than Internet Explorer aficionados. In the long run, when working with preferred web browser, infected users will be constantly bumping into a rogue search page."

Look at this from the point of view of the guy creating the malware.  Defender is part of the OS, everyone has it.  If your malware doesn't bypass defender.. it's broken. If you're relying on defender only, I'd hope you have a small malware vulnerability footprint like a grandma that only boots the computer not plugged into the internet to play solitaire and doesn't swap thumb drives with her bridge club.  

I'd be amazed if an A/V developer ever granted a bypass to a software developer, if they do they've basically opened a hole our digital terrorist could piggyback on.  As a consumer of an A/V program I would not want them to do that for anyone, that's my job to do via temporarily disabling the A/V knowing that this installers intrusion into my system is for copy protection and legit.

Excluding your A/V from scanning your sim usually just means it won't scan that drive/folder during a scheduled or manually initiated virus scan.  A more pertinent question for simmers however is whether or not it's setup to do maintenance scans periodically and would those be triggered ANYWHERE while in sim.. unless of course you have cycles and I/O bandwidth to spare... anyone?   Exclusions also probably don't disable realtime monitoring.  The solution to both is just to temporarily disable it all together while in sim which they should offer as a basic feature.