Forum Discussion
Exploit Guard - Network Protection
Hi,
Prior to the 'Defender Antimalware Platform Update' in January "C:\Program Files\Windows Defender\wdnsfltr.exe" would be called and make a connection to urs.smartscreen.microsoft.com either directly or via a proxy server (even if a proxy is hardcoded and WPAD/PAC files direct connections to .microsoft.com via the proxy).
This would then invoke 'Network Protection' on a matching FQDN: the connection would be blocked, an event (ID: 1126) recorded in the 'Windows Defender' event log, and a notification would alert the user.
Updating Windows 10 with the latest cumulative OS update will still work but as soon as Defender is updated the 'Network Protection' service is no longer called and the connection to the blacklisted site is successful.
I've emailed wdcustomer@microsoft.com directly and the feedback link is https://aka.ms/Vxogvt.
Regards,
Steve
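The checks a practitioner would run to reproduce what Steve describes, as an added example that is not part of the thread: read the Network Protection setting and the Defender platform/engine versions, confirm the filter process is present, and query the Windows Defender Operational log for Network Protection events (1125 = audit mode, 1126 = block mode). The cmdlets and log name are the documented Defender ones; the function name, the `$TestUrl` parameter (the thread never names the test site) and the look-back window are this example's own assumptions.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes Windows 10 with Microsoft Defender Antivirus and the
# "Microsoft-Windows-Windows Defender/Operational" log present.
function Test-NetworkProtectionState {
    param(
        # Hypothetical: a URL you expect Network Protection to block.
        # The thread does not name its test site, so supply your own.
        [string]$TestUrl,
        [int]$LookBackHours = 24
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $npMode = switch ($pref.EnableNetworkProtection) {
        0 { 'Disabled' } 1 { 'Enabled (block)' } 2 { 'Audit' } default { 'Unknown' }
    }

    Write-Host "Platform version : $($status.AMProductVersion)"
    Write-Host "Engine version   : $($status.AMEngineVersion)"
    Write-Host "Network Protection: $npMode"

    # The post says wdnsfltr.exe performs the SmartScreen lookup; see if it is running.
    $filter = Get-Process -Name wdnsfltr -ErrorAction SilentlyContinue
    Write-Host ("wdnsfltr.exe running: {0}" -f ([bool]$filter))

    if ($TestUrl) {
        # Trigger a lookup; a block surfaces as a failed request, which is expected here.
        try {
            Invoke-WebRequest -Uri $TestUrl -UseBasicParsing -TimeoutSec 10 | Out-Null
            Write-Host "Request to $TestUrl succeeded (NOT blocked)"
        } catch {
            Write-Host "Request to $TestUrl failed: $($_.Exception.Message)"
        }
        Start-Sleep -Seconds 5   # give the event log a moment to catch up
    }

    # Network Protection events: 1125 (audit) and 1126 (block), per the
    # event-views page linked later in the thread.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No 1125/1126 events in the last $LookBackHours hours"
    } else {
        $events | Select-Object TimeCreated, Id,
            @{ n = 'Mode'; e = { if ($_.Id -eq 1126) { 'Block' } else { 'Audit' } } },
            Message | Format-List
    }
}

# Turn the feature on in block mode if it is off (requires an elevated prompt).
# Set-MpPreference -EnableNetworkProtection Enabled

Test-NetworkProtectionState -TestUrl 'https://example.invalid/' -LookBackHours 24
```

Run it from an elevated PowerShell before and after a platform update: if the request fails but no 1126 event appears, you are seeing the "blocked but not logged" behaviour the later replies describe, which is a different condition from the block simply not firing.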
Hi Steve,
Thanks for submitting this to Microsoft directly. It's a bit difficult to traverse the Feedback Hub for this type of problem. Hopefully you can update this thread if/when you hear something back from MS.
Thanks.
- Steve Norton, Apr 17, 2018, Brass Contributor
Okay, so we have a new platform update, version 4.14.17613.18039-0. I've had connections blocked with this platform on 1709 but no notification; on 1803 I've had both blocked connections and a notification.
- Riley Hale, Apr 17, 2018, Brass Contributor
That is interesting. I'm running 1709 on all of my computers, and I'm now seeing the same thing. The test site is properly blocked, but I don't receive a notification. I also do not see a corresponding log entry for the event. According to https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard I should see log entries for the Network Protection events in the Windows Defender -> Operational log; however, nothing is being logged there after the test site is blocked.
I guess I will just wait until 1803 is ready for broad distribution.
- Steve Norton, Apr 30, 2018, Brass Contributor
We've had another platform version released (4.14.17639.18041-0), but the results in 1709 are the same as with the last release: blocks, but still no notifications. On the upside, 1803 Enterprise appears to be a well polished version of 1709. My only problem so far is that event logs set to archive when full actually stop logging, a problem that was fixed in 1709 a few months back. Other than that all is well, so you may be able to move to 1803 sooner than you'd planned.