Jan 22 2020 09:35 AM
Hi,
Is there a known issue with indicators for URLs/domains?
We recognised that blocking rules stop working for non-Edge browsers, and the Edge browser's SmartScreen needs a refresh of the site in order to block the access.
Network protection on the client (1903) is enabled and verified.
Any ideas?
thank you
Jan 23 2020 11:16 AM - edited Jan 23 2020 11:17 AM
I just demonstrated this today with a customer on my own and on one of their devices; it worked fine with Chrome on Windows 10 1909 and 1903.
Do you see any information in the Windows Event log?
| Feature | Event log | Event ID | Description |
| network protection | Microsoft-Windows-Windows-Defender/Operational | 5007 | Event when settings are changed |
| | | 1125 | Event when a network connection is audited |
| | | 1126 | Event when a network connection is blocked |
Jan 24 2020 12:37 AM
Thanks for your reply.
In case your indicator works as expected and the block is applied successfully: what does your indicator entry for the related domain/URL look like?
I figured out that a domain name like google.com indeed works fine, but when you move deeper into a URL path, it does not, for instance https://www.youtube.com/?gl=DE&tab=w11
Jan 24 2020 10:11 AM
I had configured www.bitcoin.com; here's the result.
I haven't tried the case you described but will try it out as well and let you know the results.
Jan 27 2020 02:01 AM
We are working to support this case as well.
Please read through the following documentation section.
Full URL path blocks can be applied on the domain level and all unencrypted URLs.
Apr 24 2020 04:06 AM
@Efrat Kliger - Hi, having the same issue: URL indicators look correct, but blocking stopped working in IE/Chrome and only intermittently blocks in Edge. Have raised a support request with MS. If anyone has insight on the root cause, I would appreciate feedback.
Apr 24 2020 04:12 AM
Hi Scott,
I assume you're talking about the HTTPS-related deep links, which are not blocked by CI as "expected". From my understanding this is currently by design, as MDATP does not act as a "man in the middle" breaking up the encrypted channel between the browser and the related web server. Thus the only way to block HTTPS-related URLs is to configure the related CI for the domain in general:
Working: https://www.google.com
Not working: https://www.google.com/whatever-deep-link
Apr 24 2020 04:17 AM
Hi,
Simply marked Zoom as unsanctioned in MCAS; it worked for ~3 weeks and then just stopped.
Allowed the integration between MCAS and Defender ATP to automatically create the indicator.
Apr 24 2020 07:52 AM
@Scott650 Hi - determined that someone unlinked a GPO that enforced network protection. The reason Edge worked was due to SmartScreen. The key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection=1 did not exist.
That was our root cause; hope this helps others.
Sep 30 2020 10:05 AM
@Alex Verboon Hi, I would appreciate it if you could share with me how it works with the Chrome browser. What extension do I need to install? Thanks
Oct 02 2020 05:55 AM
@jgumba08
The Windows network protection service applies to the entire OS. If you tag a domain/URL/IP for a block in IoC, it is blocked for the entire OS and any browser including Chrome, so there is no additional add-in.
You will need to ensure that you have network protection turned on, which you can read about here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-p...
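The two checks that resolved the thread (is the network protection policy value actually present, and does the Defender operational log show the 5007/1125/1126 events listed earlier) can be scripted on the client. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the registry path given in the thread, and that the event log is registered on Windows under the name "Microsoft-Windows-Windows Defender/Operational" (with a space) and that `Get-MpPreference` exposes `EnableNetworkProtection` (0 = disabled, 1 = enabled, 2 = audit), both of which are assumptions to verify on your build.

```powershell
# Added example: verify Defender network protection state and pull the
# indicator audit/block events named in the thread. Run in an elevated shell.

# 1. GPO-enforced value (the key that was missing in the thread's root cause)
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
$policy = Get-ItemProperty -Path $policyPath -Name EnableNetworkProtection -ErrorAction SilentlyContinue
if ($null -eq $policy) {
    Write-Warning "Policy value EnableNetworkProtection not present under $policyPath (GPO not applied?)"
} else {
    "Policy EnableNetworkProtection = $($policy.EnableNetworkProtection)  (1 = block, 2 = audit, 0 = off)"
}

# 2. Effective setting as Defender itself reports it (assumed property name)
$pref = Get-MpPreference
"Effective EnableNetworkProtection = $($pref.EnableNetworkProtection)  (0 = Disabled, 1 = Enabled, 2 = AuditMode)"

# 3. Events from the last 24h: 5007 settings changed, 1125 audited, 1126 blocked
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'   # assumed log name
    Id        = 5007, 1125, 1126
    StartTime = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    "No 5007/1125/1126 events in the last 24h: either nothing matched an indicator, or network protection is not enforcing."
} else {
    $events |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

If step 1 warns and step 2 reports 0, the symptom described in the thread (Edge still blocking via SmartScreen while Chrome and IE pass traffic) is expected: only Defender's network protection enforces indicators OS-wide, and a 1126 event is the confirmation that it did so.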
Oct 05 2020 04:04 AM