Deleted
Mar 12, 2019

Windows Defender ATP ExploitGuard + Safelinks Issue.

Hi all,

 

ExploitGuard Network Protection, part of ATP, is currently attacking one node for Safelinks.

 

Specifically 104.47.50.28. When you click a link in Outlook that has been rewritten by Safelinks, you'll get one of three nodes, whichever you happen to be load balanced to. If you happen to be load balanced to 104.47.50.28, you will get stopped in your tracks by ExploitGuard.

 

I cannot find a way to contact Microsoft in a way that would have this looked at and resolved.

 

Additionally, ExploitGuard does not seem to respect whitelists added for the IP in Windows Defender Security Center, for any IPs, not just this one.

 

Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection.
Detection time: 2019-03-12T13:04:55.723Z
User: S-1-5-21-*
Destination: http://nam05.safelinks.protection.outlook.com
Process Name: C:\Program Files\Mozilla Firefox\firefox.exe

  • Rob Hardman
    Iron Contributor

    Deleted Just chiming in that I've seen identical behaviour in the past with certain EU nodes. After a while, it goes away. Then it's back weeks later without warning. Whack-a-mole!

     

    The only workaround I've found during this condition is to reduce the Network Protection setting to Warn, which is obviously unsatisfactory.
