Forum Discussion
Windows Defender ATP ExploitGuard + Safelinks Issue.
Hi all,
ExploitGuard Network Protection, part of ATP, is currently attacking one node for Safelinks.
Specifically 104.47.50.28. When you click a link in Outlook that has been rewritten by Safelinks, you'll get one of three nodes, whichever you happen to be load-balanced to. If you happen to be load-balanced to 104.47.50.28, you will get stopped in your tracks by ExploitGuard.
I cannot find a way to contact Microsoft in a way that would have this looked at and resolved.
Additionally, ExploitGuard does not seem to respect whitelists added for the IP in Windows Defender Security Center, for any IPs, not just this one.
Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection.
Detection time: 2019-03-12T13:04:55.723Z
User: S-1-5-21-*
Destination: http://nam05.safelinks.protection.outlook.com
Process Name: C:\Program Files\Mozilla Firefox\firefox.exe
- Rob Hardman (Iron Contributor)
Deleted Just chiming in that I've seen identical behaviour in the past with certain EU nodes. After a while, it goes away. Then it's back weeks later without warning. Whack-a-mole!
The only workaround I've found during this condition is to reduce the Network Protection setting to Warn, which is obviously unsatisfactory.
- Deleted
So, I found the answer finally after arguing with Microsoft Support for a week.
You can report false ExploitGuard Network Protection blocks here:
https://www.microsoft.com/en-us/wdsi/filesubmission/exploitguard/networkprotection
The tech I spoke with on the phone trying to get this resolved told us there's no way on our end to add exceptions for external sites, only internal. Hopefully they add that feature soon!