Forum Discussion
Exploit Guard - Network Protection
Hi,
Prior to the 'Defender Antimalware Platform Update' in January "C:\Program Files\Windows Defender\wdnsfltr.exe" would be called and make a connection to urs.smartscreen.microsoft.com either directly or via a proxy server (even if a proxy is hardcoded and WPAD/PAC files direct connections to .microsoft.com via the proxy).
This would then invoke 'Network Protection' on a matching FQDN, the connection would be blocked, an event (ID: 1126) recorded in the 'Windows Defender' event log and a notification would alert the user.
Updating Windows 10 with the latest cumulative OS update will still work but as soon as Defender is updated the 'Network Protection' service is no longer called and the connection to the blacklisted site is successful.
I've emailed wdcustomer@microsoft.com directly and the feedback link is https://aka.ms/Vxogvt.
Regards,
Steve
- Riley Hale, Mar 16, 2018, Brass Contributor
Hi Steve,
Thanks for submitting this to Microsoft directly. It's a bit difficult to traverse the feedback hub for this type of problem. Hopefully you can update this thread if/when you hear something back from MS.
Thanks.
- Steve Norton, Apr 17, 2018, Brass Contributor
Okay, so we have a new platform update, version 4.14.17613.18039-0. I've had connections blocked with this platform on 1709 but no notification; on 1803 I've had both blocked connections and notification.
- Riley Hale, Apr 17, 2018, Brass Contributor
That is interesting. I'm running 1709 on all of my computers, and I'm now seeing the same thing. The test site is properly blocked, but I don't receive a notification. I also do not see a corresponding log entry for the event. According to https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard I should see log entries for the Network Protection events in the Windows Defender -> Operational log; however, nothing is being logged there after the test site is blocked.
I guess I will just wait until 1803 is ready for broad distribution.
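
Added example, not posted by anyone in this thread: a PowerShell check that collects in one object the facts the posts above compare by hand (Windows release, Defender platform version, Network Protection mode, and whether event 1126 was logged). The function name, the output field names and the 30-minute default window are assumptions for illustration; event 1125 (audit mode) is included alongside the 1126 block event mentioned in the thread.

```powershell
# Added example; Get-NetworkProtectionEvidence and its output fields are hypothetical names.
function Get-NetworkProtectionEvidence {
    param(
        # How far back to look for events (assumed default: 30 minutes)
        [int]$LookbackMinutes = 30
    )

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $os     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # EnableNetworkProtection: 0 = disabled, 1 = block, 2 = audit
    $mode = switch ([int]$pref.EnableNetworkProtection) {
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Disabled' }
    }

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126   # 1125 = audit hit, 1126 = block hit
        StartTime = (Get-Date).AddMinutes(-$LookbackMinutes)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $finding = if ($mode -eq 'Disabled') {
        'Network Protection is not enabled on this machine.'
    } elseif ($events.Count -eq 0) {
        "Mode is $mode but no 1125/1126 events were logged in the window."
    } else {
        "Mode is $mode and $($events.Count) event(s) were logged."
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WindowsRelease  = $os.ReleaseId             # e.g. 1709 or 1803
        PlatformVersion = $status.AMProductVersion  # Defender platform version
        Mode            = $mode
        EventCount      = $events.Count
        LatestEvent     = ($events | Select-Object -First 1).TimeCreated
        Finding         = $finding
    }
}

# Run shortly after browsing to a test site from this machine
Get-NetworkProtectionEvidence | Format-List
```

Running it on a 1709 and an 1803 machine after the same test gives directly comparable output for a support case.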