Forum Discussion

AnuragSrivastava's avatar
AnuragSrivastava
Iron Contributor
Dec 06, 2020

ASR | Legit URL getting blocked

Hi,   A legit exchange url is getting blocked by defender and showing the action type as ExploitGuardNetworkProtectionBlocked. The event info says that the URL is blocked as Custom Policy by ASR.  ...
sewtom's avatar
sewtom
Copper Contributor
Jan 20, 2021

AnuragSrivastava We have had various legit domains (e.g. zoom.us which is a sanctioned meeting tool) blocked at random for different users at different times.

 

This is even when domains are explicitly allowed in MDATP Security Center.

 

MS are continuing to troubleshoot, but it is seeming like an issue with SmartScreen URL lists rather than Defender/MCAS. 

 

The inconsistency is not very assuring however. 

sewtom's avatar
sewtom
Copper Contributor
Jan 20, 2021
Ah and we also had Outlook getting blocked at one point. Turned out MS had added officeclient.microsoft.com to the listed URLs of OneDrive (consumer) in MCAS, which are automatically passing to Defender to block... They have removed it now, but seemingly it is still an immature product.
  • AnuragSrivastava's avatar
    AnuragSrivastava
    Iron Contributor
    Jan 20, 2021

    sewtom So did you open ticket with Microsoft to fix the same? It would be good to know and understand what actually is the reason behind the blocking of these legit URLs and that too for just few users.

    • sewtom's avatar
      sewtom
      Copper Contributor
      Jan 20, 2021
      Nope, the case has been ongoing for several weeks. Several things have been tried but we don't yet know the true cause. Will try to remember to update here when I know 🙂
      • edinili84's avatar
        edinili84
        Brass Contributor
        Feb 08, 2021

        You might see this if you are using the web content filtering in Defender for Endpoint. Check the web protection reports and you might see that URL being blocked by one of the web content filtering categories.