How to fix error: cannot stat 'file.txt': Permission denied (possibly blocked by antivirus) in Git

The most effective fix is to exclude your Git repositories from Windows Defender scanning:

Via Windows Security Settings:
1. Open Windows Security (search for it in the Start menu)
2. Click Virus & threat protection
3. Under "Virus & threat protection settings", click Manage settings
4. Scroll down to Exclusions and click Add or remove exclusions
5. Click Add an exclusion and select Folder
6. Navigate to and select your repository folder (e.g., C:\Users\YourName\Projects\your-repo)

Via PowerShell (Administrator):

# Add a folder exclusion
Add-MpPreference -ExclusionPath "C:\Users\YourName\Projects"

# Or add the entire Git repositories parent directory
Add-MpPreference -ExclusionPath "C:\Users\YourName\repos"

# Verify the exclusion was added
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

Recommended exclusions for developers:
- Your main projects/repos folder
- %USERPROFILE%\.git (Git config directory)
- %LOCALAPPDATA%\GitHubDesktop (if using GitHub Desktop)
- Your IDE's workspace folders

Also exclude the Git installation directory and related development tools:

Via PowerShell (Administrator):

# Exclude Git installation
Add-MpPreference -ExclusionPath "C:\Program Files\Git"

# If using Git for Windows in a different location
Add-MpPreference -ExclusionPath "C:\Users\YourName\AppData\Local\Programs\Git"

# Exclude process by name
Add-MpPreference -ExclusionProcess "git.exe"
Add-MpPreference -ExclusionProcess "git-remote-https.exe"
Add-MpPreference -ExclusionProcess "ssh.exe"

Via Windows Security UI:
1. Go to Windows Security > Virus & threat protection > Manage settings
2. Under Exclusions, click Add or remove exclusions
3. Click Add an exclusion > Process
4. Type git.exe and click Add

This prevents Defender from scanning Git itself during operations, which can significantly speed up Git commands.

Windows 10/11's Controlled Folder Access (ransomware protection) can block Git from modifying files:

Check if Controlled Folder Access is enabled:
1. Open Windows Security
2. Go to Virus & threat protection > Manage ransomware protection
3. Check if Controlled folder access is turned on

Allow Git through Controlled Folder Access:
1. Click Allow an app through Controlled folder access
2. Click Add an allowed app > Browse all apps
3. Navigate to Git's installation and select:
- C:\Program Files\Git\bin\git.exe
- C:\Program Files\Git\cmd\git.exe
- C:\Program Files\Git\mingw64\bin\git.exe

Via PowerShell (Administrator):

# Allow Git through Controlled Folder Access
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Git\bin\git.exe"
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Git\cmd\git.exe"

If you primarily work in specific folders, you can also remove those folders from protected folders list, though this reduces ransomware protection for those locations.

If you use third-party antivirus software, add similar exclusions there:

Norton:
1. Open Norton
2. Go to Settings > Antivirus > Scans and Risks
3. Under Exclusions / Low Risks, click Configure
4. Add your repository folders

McAfee:
1. Open McAfee
2. Go to Real-Time Scanning > Excluded Files
3. Click Add file or folder
4. Add your repository folders

Avast/AVG:
1. Open Avast/AVG
2. Go to Menu > Settings > General > Exceptions
3. Click Add Exception
4. Add your repository folders

Kaspersky:
1. Open Kaspersky
2. Go to Settings > Additional > Threats and Exclusions
3. Click Manage exclusions > Add
4. Add your repository folders

ESET:
1. Open ESET
2. Go to Setup > Advanced Setup > Detection Engine
3. Click Exclusions > Performance Exclusions
4. Add your repository folders

Always exclude both the repository folder and the Git executable path.

As a quick workaround, you can temporarily disable real-time protection during Git operations:

Disable Windows Defender temporarily:
1. Open Windows Security
2. Go to Virus & threat protection > Manage settings
3. Turn off Real-time protection
4. Run your Git command
5. Important: Turn real-time protection back on immediately after

Via PowerShell (Administrator) - temporary disable:

# Disable real-time monitoring (requires admin)
Set-MpPreference -DisableRealtimeMonitoring $true

# Run your Git commands here
git checkout main
git pull

# Re-enable real-time monitoring immediately
Set-MpPreference -DisableRealtimeMonitoring $false

Warning: This is only a temporary workaround. Do not leave real-time protection disabled. The exclusion method (Step 1) is the proper long-term solution.

If you must use this approach frequently, create a batch script that disables protection, runs Git, and re-enables protection automatically.

If the error is intermittent (works sometimes, fails others), the antivirus may release locks quickly. You can retry the operation:

Simple retry:

# Wait a moment and retry
sleep 2 && git checkout main

# Or in PowerShell
Start-Sleep -Seconds 2; git checkout main

Retry loop in PowerShell:

$maxRetries = 5
$retryCount = 0
$success = $false

while (-not $success -and $retryCount -lt $maxRetries) {
    try {
        git checkout main
        $success = $true
    } catch {
        $retryCount++
        Write-Host "Attempt $retryCount failed, retrying in 3 seconds..."
        Start-Sleep -Seconds 3
    }
}

if (-not $success) {
    Write-Host "Command failed after $maxRetries attempts"
}

Retry loop in Bash (Git Bash):

for i in {1..5}; do
    git checkout main && break
    echo "Attempt $i failed, retrying in 3 seconds..."
    sleep 3
done

This is a workaround, not a fix. Configure proper exclusions for a permanent solution.

To identify exactly which process is locking the file, use Microsoft's Process Explorer:

Download and run Process Explorer:
1. Download from: https://docs.microsoft.com/sysinternals/downloads/process-explorer
2. Run procexp64.exe as Administrator
3. Press Ctrl+F to open the Find dialog
4. Enter the filename that Git cannot access (e.g., file.txt)
5. Click Search

The results will show which process has a handle to the file. Common culprits:
- MsMpEng.exe - Windows Defender
- avp.exe - Kaspersky
- mcshield.exe - McAfee
- avgnt.exe - Avira

Using Handle.exe (command line):

# Download Handle from Sysinternals, then:
handle.exe "file.txt"

Using PowerShell to find locked files:

# Find processes with handles to files in a directory
Get-Process | ForEach-Object {
    $handles = $_.Handles
    if ($_.Path -like "*git*") {
        Write-Host $_.ProcessName $_.Id
    }
}

Once you identify the locking process, you can configure exclusions specific to that antivirus.

Some Windows locations are monitored more heavily by antivirus. Moving your repository can help:

Heavily monitored locations (avoid for development):
- C:\Users\YourName\Downloads
- C:\Users\YourName\Desktop
- C:\Users\YourName\Documents
- Temporary directories

Better locations for Git repositories:
- C:\dev or D:\dev (dedicated development folder)
- C:\Users\YourName\repos (dedicated repos folder)
- Any folder you've added to exclusions

Move your repository:

# In Git Bash or terminal
mv /c/Users/YourName/Downloads/my-repo /c/dev/my-repo

# Update any IDE workspace paths
# Re-open the project in your IDE from the new location

Clone to a better location instead:

# Instead of cloning to Downloads
git clone https://github.com/user/repo.git /c/dev/repo

Once you have a dedicated development folder, add it to your antivirus exclusions as described in Step 1.