Hi, A legit exchange url is getting blocked by defender and showing the action type as ExploitGuardNetworkProtectionBlocked. The event info says that the URL is blocked as Custom Policy by ASR. Though the error is encountered only on few of the machines in my environment and not all of them. As of now, I have allowed that particular URL via Indicators in MDATP Security Center.Request is someone can help me understand the reason on why it was getting blocked and if I need to revisit any ASR policies on Intune.Appreciate any help here. Thanks.

Nope, the case has been ongoing for several weeks. Several things have been tried but we don't yet know the true cause. Will try to remember to update here when I know 🙂

AnuragSrivastava based on what I understand Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).

ehloworldio The URL was actually accessible before, it was just yesterday only when few machines were not able to access the URL while most of the machines were able to during the same time window.

AnuragSrivastava You can whitelist specific IPs and URLS via the Windows Defender Security Center (Defender ATP Portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domainThis should unblock these, even if they are blacklisted at Microsoft. Why the IPs/URLs are now blacklisted only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior. Best regardsStefan

SteBeSec Thanks Stefan, I already allowed the URL via indicators. Yes, I agree might need to check with Microsoft on why the URL actually got blocked.

ASR | Legit URL getting blocked | Microsoft Community Hub

15 Replies

sewtom
Copper Contributor
Jan 20, 2021
AnuragSrivastava We have had various legit domains (e.g. zoom.us which is a sanctioned meeting tool) blocked at random for different users at different times.

This is even when domains are explicitly allowed in MDATP Security Center.

MS are continuing to troubleshoot, but it is seeming like an issue with SmartScreen URL lists rather than Defender/MCAS.

The inconsistency is not very assuring however.
- sewtom
  Copper Contributor
  Jan 20, 2021
  Ah and we also had Outlook getting blocked at one point. Turned out MS had added officeclient.microsoft.com to the listed URLs of OneDrive (consumer) in MCAS, which are automatically passing to Defender to block... They have removed it now, but seemingly it is still an immature product.
  - AnuragSrivastava
    Iron Contributor
    Jan 20, 2021
    sewtom So did you open ticket with Microsoft to fix the same? It would be good to know and understand what actually is the reason behind the blocking of these legit URLs and that too for just few users.
ehloworldio
Copper Contributor
Dec 07, 2020
AnuragSrivastava based on what I understand

Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
- AnuragSrivastava
  Iron Contributor
  Dec 07, 2020
  ehloworldio The URL was actually accessible before, it was just yesterday only when few machines were not able to access the URL while most of the machines were able to during the same time window.
  - SteBeSec
    Iron Contributor
    Dec 13, 2020
    AnuragSrivastava You can whitelist specific IPs and URLS via the Windows Defender Security Center (Defender ATP Portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain
    This should unblock these, even if they are blacklisted at Microsoft.
    
    Why the IPs/URLs are now blacklisted only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior.
    
    Best regards
    Stefan

Forum Discussion

ASR | Legit URL getting blocked

15 Replies

Resources