Forum Discussion
Exploit Guard - Network Protection
We've begun pushing the Windows 10 Fall Creators Update in our business environment. We have configured many of the new security features through GPO, including Exploit Guard - Attack Surface Reduction Rules and Exploit Guard - Network Protection.
When we were originally testing and evaluating 1709 (a few months ago) the Network Protection feature worked as expected, and Windows would notify us if a site was blocked due to the setting being enabled. For example, the Network Protection Evaluation page recommends that we visit: https://smartscreentestratings2.net/
That should trigger the Network Protection notification in Windows and prevent us from getting to the page; however, that does not seem to work anymore. The page renders without issue, and I never receive a notification that it was blocked. This is making me question whether or not the feature is working at all anymore. A few things that I've checked:
- The GPO setting "Prevent Users and Apps from Accessing Dangerous Websites" is set to enabled for all computers.
- Ran an RSOP on multiple computers to ensure that the setting is being properly applied. It is.
- In PowerShell, ran Get-MpPreference to make sure that EnableNetworkProtection has a value = 1. It does.
Anyone else having the same experience or any idea why the MS test site doesn't evaluate correctly anymore?
- Steve Norton (Brass Contributor)
Hi,
Prior to the 'Defender Antimalware Platform Update' in January, "C:\Program Files\Windows Defender\wdnsfltr.exe" would be called and make a connection to urs.smartscreen.microsoft.com, either directly or via a proxy server (even if a proxy is hardcoded and WPAD/PAC files direct connections to .microsoft.com via the proxy).
This would then invoke 'Network Protection' on a matching FQDN: the connection would be blocked, an event (ID: 1126) recorded in the 'Windows Defender' event log, and a notification would alert the user.
Updating Windows 10 with the latest cumulative OS update will still work, but as soon as Defender is updated the 'Network Protection' service is no longer called and the connection to the blacklisted site is successful.
I've emailed wdcustomer@microsoft.com directly, and the feedback link is https://aka.ms/Vxogvt.
Regards,
Steve
- Riley Hale (Brass Contributor)
Hi Steve,
Thanks for submitting this to Microsoft directly. It's a bit difficult to traverse the Feedback Hub for this type of problem. Hopefully you can update this thread if/when you hear something back from MS.
Thanks.
- Steve Norton (Brass Contributor)
Okay, so we have a new platform update, version 4.14.17613.18039-0. I've had connections blocked with this platform on 1709 but no notification; on 1803 I've had both blocked connections and notification.
- Deleted
I'm also seeing this issue; the test pages are being blocked only by SmartScreen, but Exploit Guard Network Protection doesn't function at all, i.e. there is no blocking and no auditing despite the policy being successfully deployed. I've upvoted the issue in the Feedback Hub and encourage others to do the same.
- Steve Norton (Brass Contributor)
The last 2 releases of the Defender platform on 1709 have been blocking but not notifying; you can test it in PowerShell with the following:
###Begin
# Force TLS 1.2 so the handshake itself is what Network Protection intercepts
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = 'https://smartscreentestratings2.net/'
$webClient = New-Object System.Net.WebClient
# $webClient.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy() # Use to bypass the proxy if needed
# Throws an SSL/TLS negotiation error when Network Protection blocks the connection;
# returns the page body when it does not
$webClient.DownloadString($url)
###End
You will get an SSL/TLS negotiation error when blocked; add PowerShell(_ise).exe to the Defender exclusions and restart PowerShell, and you'll then get a web response.
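The following is an added example, not code posted in this thread. It folds the three things discussed above into one diagnostic: the Get-MpPreference check from the original question, the smartscreentestratings2.net probe from Steve's snippet, and the event ID 1126 that Steve says Network Protection writes to the Defender log when it blocks a connection. It distinguishes the three outcomes the thread reports (not blocked at all, blocked but nothing logged, blocked and logged). The registry policy path, the operational log name and the two-second settle delay are my assumptions, not something the thread states.

```powershell
# Added example: Network Protection diagnostic (not from the original thread).
# Assumptions: the GPO writes EnableNetworkProtection under the key below, and
# event 1126 lands in the Microsoft-Windows-Windows Defender/Operational log.

$TestUrl   = 'https://smartscreentestratings2.net/'
$LogName   = 'Microsoft-Windows-Windows Defender/Operational'   # assumed log name
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'  # assumed GPO path

# 1. Effective preference vs. what policy wrote (1 = block, 2 = audit, 0 = off)
$pref   = (Get-MpPreference).EnableNetworkProtection
$policy = (Get-ItemProperty -Path $PolicyKey -Name EnableNetworkProtection -ErrorAction SilentlyContinue).EnableNetworkProtection
"Get-MpPreference EnableNetworkProtection : $pref"
"Policy registry EnableNetworkProtection  : $(if ($null -eq $policy) { '<not set>' } else { $policy })"

# 2. Probe the test site. A blocked connection surfaces as a failed TLS handshake
#    (an exception from DownloadString); a returned body means the page rendered.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$probeStart = Get-Date
$blocked    = $false
$client     = New-Object System.Net.WebClient
# $client.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy()  # bypass a hardcoded proxy if needed
try {
    $null = $client.DownloadString($TestUrl)
    "Probe  : page body downloaded, connection was NOT blocked"
} catch {
    $blocked = $true
    $base = $_.Exception.GetBaseException()   # unwrap MethodInvocationException -> WebException
    "Probe  : request failed ($($base.GetType().Name)): $($base.Message)"
} finally {
    $client.Dispose()
}

# 3. Did Defender record a Network Protection block (event 1126) since the probe?
Start-Sleep -Seconds 2   # assumed settle time for the event to be written
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1126; StartTime = $probeStart } -ErrorAction SilentlyContinue
if ($events) {
    "Events : $(@($events).Count) x event 1126 logged since probe"
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    "Events : no event 1126 logged since probe"
}

# 4. Verdict covering the three outcomes reported in the thread
if (-not $blocked) {
    'VERDICT: connection succeeded; Network Protection is not blocking'
} elseif (-not $events) {
    'VERDICT: connection blocked but no event 1126; blocking without notification/audit'
} else {
    'VERDICT: connection blocked and event 1126 logged; working as expected'
}
```

Run it from an elevated PowerShell that is not on the Defender exclusion list, since an excluded process will always reach the page. If the probe fails but for a reason other than a TLS handshake reset (a proxy 407, DNS failure), read the printed exception type before trusting the "blocked" verdict; the event 1126 check is the authoritative signal that Network Protection, rather than something else in the path, did the blocking.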
- Deleted
I've just found out why it no longer works on my Windows 10 Pro machines: it's now a Windows 10 Enterprise-only feature: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np
- Steve Norton (Brass Contributor)
I've just tested it on Pro 1803 (17134.1) and it works: notifications and blocking.
- Dylan Haines (Copper Contributor)
We have a few PCs, pre- and post-1709, on which Defender is completely cutting off the network. In one case, deleting wdnsfltr.exe and .sys solved it. Nothing in the Defender event logs about blocking access to the network or a bad site. We are deploying via Group Policy from Server 2016, with Win10 Pro clients.
DH