Forum Discussion

AnuragSrivastava
Iron Contributor
Dec 06, 2020

ASR | Legit URL getting blocked

Hi,


A legitimate Exchange URL is getting blocked by Defender, showing the action type ExploitGuardNetworkProtectionBlocked. The event info says the URL is blocked as Custom Policy by ASR.

The error is encountered only on a few of the machines in my environment, not all of them. For now, I have allowed that particular URL via Indicators in the MDATP Security Center.

I would appreciate it if someone could help me understand why it was getting blocked, and whether I need to revisit any ASR policies in Intune.

Appreciate any help here.


Thanks.

15 Replies

  • sewtom
    Copper Contributor

    AnuragSrivastava We have had various legit domains (e.g. zoom.us, which is a sanctioned meeting tool) blocked at random for different users at different times.


    This is even when domains are explicitly allowed in MDATP Security Center.


    MS are continuing to troubleshoot, but it seems to be an issue with SmartScreen URL lists rather than Defender/MCAS.


    The inconsistency is not very reassuring, however.

    • sewtom
      Copper Contributor
      Ah, and we also had Outlook getting blocked at one point. It turned out MS had added officeclient.microsoft.com to the listed URLs of OneDrive (consumer) in MCAS, which are automatically passed to Defender to block... They have removed it now, but it still seems to be an immature product.
      • AnuragSrivastava
        Iron Contributor

        sewtom So did you open a ticket with Microsoft to fix this? It would be good to understand what is actually behind the blocking of these legit URLs, and for just a few users at that.

  • ehloworldio
    Copper Contributor

    AnuragSrivastava based on what I understand:


    Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
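
Since Network Protection decides per machine, the quickest way to see why a specific endpoint blocked a URL is to read that endpoint's own Defender log rather than the portal alone. The following is an added example for this thread, not code posted by any participant or shipped by Microsoft. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated PowerShell session, and relies on two documented facts: Get-MpPreference exposes EnableNetworkProtection (0 disabled, 1 block, 2 audit), and Network Protection logs event ID 1126 for a block and 1125 for an audit-mode hit in the Microsoft-Windows-Windows Defender/Operational log. The exact message layout of those events is not assumed; the URL is pulled out with a regex, and the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the thread: triage Network Protection blocks on one endpoint.
# Assumes Windows 10/11 with Microsoft Defender Antivirus, run from an elevated PowerShell.

# 1. Network Protection mode on this machine: 0 = Disabled, 1 = Block, 2 = Audit.
#    A machine in Block mode next to peers in Audit or Disabled explains "only a few machines".
$mode     = [int](Get-MpPreference).EnableNetworkProtection
$modeName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }[$mode]
"Network Protection mode: $modeName ($mode)"

# 2. Network Protection writes to the Defender operational log:
#    event ID 1126 when it blocks a connection, 1125 when it would have blocked in audit mode.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-7)   # window is an arbitrary choice
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No Network Protection events in the last 7 days on this machine.'
    return
}

# 3. Extract the destination from each event message. The message layout is not assumed;
#    any http(s) URL in the text is taken, and the raw message is kept for manual review.
$urlPattern = 'https?://[^\s"<>]+'
$rows = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $urlPattern)
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = $(if ($e.Id -eq 1126) { 'Block' } else { 'Audit' })
        Url     = $(if ($m.Success) { $m.Value } else { '(no URL found in message)' })
        Message = $e.Message
    }
}

# 4. Count hits per destination so a recurring legitimate URL (like the Exchange URL above)
#    stands out, then list the most recent events for detail.
$rows | Group-Object Url | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Url'; e = { $_.Name } } | Format-Table -AutoSize
$rows | Sort-Object Time -Descending | Select-Object -First 20 Time, Mode, Url | Format-Table -AutoSize
```

Run it on one of the affected machines and on one that is not affected: a difference in the reported mode points at Intune policy assignment, while the same URL showing up on both points at the indicator or reputation list side instead, which is the distinction the replies above are drawing.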
