Forum Discussion
AnuragSrivastava
Dec 06, 2020Iron Contributor
ASR | Legit URL getting blocked
Hi, A legit exchange url is getting blocked by defender and showing the action type as ExploitGuardNetworkProtectionBlocked. The event info says that the URL is blocked as Custom Policy by ASR. ...
ehloworldio
Dec 07, 2020Brass Contributor
AnuragSrivastava based on what I understand
Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
- AnuragSrivastavaDec 07, 2020Iron Contributor
ehloworldio The URL was actually accessible before, it was just yesterday only when few machines were not able to access the URL while most of the machines were able to during the same time window.
- SteBeSecDec 13, 2020Iron Contributor
AnuragSrivastava You can whitelist specific IPs and URLS via the Windows Defender Security Center (Defender ATP Portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain
This should unblock these, even if they are blacklisted at Microsoft.
Why the IPs/URLs are now blacklisted only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior.
Best regards
Stefan
- AnuragSrivastavaDec 14, 2020Iron Contributor
SteBeSec Thanks Stefan, I already allowed the URL via indicators. Yes, I agree might need to check with Microsoft on why the URL actually got blocked.