Dec 06 2020 03:18 AM
Hi,
A legit Exchange URL is getting blocked by Defender and showing the action type as ExploitGuardNetworkProtectionBlocked. The event info says that the URL is blocked as Custom Policy by ASR.
The error is encountered only on a few of the machines in my environment, though, and not all of them. As of now, I have allowed that particular URL via Indicators in MDATP Security Center.
I'd like someone to help me understand the reason why it was getting blocked and whether I need to revisit any ASR policies on Intune.
Appreciate any help here.
Thanks.
Dec 06 2020 04:28 PM
@AnuragSrivastava based on what I understand
Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Dec 07 2020 03:22 AM
@ehloworldio The URL was actually accessible before; it was only yesterday that a few machines were not able to access the URL, while most of the machines were able to during the same time window.
Dec 13 2020 08:14 AM
@AnuragSrivastava You can whitelist specific IPs and URLs via the Windows Defender Security Center (Defender ATP Portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator...
This should unblock these, even if they are blacklisted at Microsoft.
Why the IPs/URLs are now blacklisted only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior.
Best regards
Stefan
Dec 13 2020 09:07 PM
@SteBeSec Thanks Stefan, I already allowed the URL via indicators. Yes, I agree, I might need to check with Microsoft on why the URL actually got blocked.
Jan 20 2021 05:16 AM
@AnuragSrivastava We have had various legit domains (e.g. zoom.us which is a sanctioned meeting tool) blocked at random for different users at different times.
This is even when domains are explicitly allowed in MDATP Security Center.
MS are continuing to troubleshoot, but it seems like an issue with SmartScreen URL lists rather than Defender/MCAS.
The inconsistency is not very reassuring, however.
Jan 20 2021 05:18 AM
Jan 20 2021 05:35 AM
@sewtom So did you open a ticket with Microsoft to fix this? It would be good to know and understand what the reason actually is behind the blocking of these legit URLs, and for just a few users at that.
Jan 20 2021 05:37 AM
Feb 08 2021 09:57 PM - edited Feb 08 2021 09:59 PM
You might see this if you are using the web content filtering in Defender for Endpoint. Check the web protection reports and you might see that URL being blocked by one of the web content filtering categories.
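A way to check which mechanism produced the blocks discussed in this thread and how many machines were affected, as an added advanced hunting example that is not from any poster. The host name is a placeholder, the look-back window is an assumption, and the `AdditionalFields` keys (`ResponseCategory`, `IsAudit`) follow Microsoft's network protection documentation rather than anything stated in the thread.

```kusto
// Added example: triage Network Protection blocks for a single URL.
let lookback = 7d;                     // assumption: adjust to the incident window
let blockedHost = "mail.example.com";  // placeholder, not a value from the thread
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| where RemoteUrl contains blockedHost
// AdditionalFields is a JSON string; the reason for the block lives inside it.
| extend Fields = parse_json(AdditionalFields)
| extend ResponseCategory = tostring(Fields.ResponseCategory),
         IsAudit = tostring(Fields.IsAudit)
// One row per URL and block reason: how often, on how many devices, and when.
| summarize Blocks = count(),
            Devices = dcount(DeviceId),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName, 10),
            SampleDevices = make_set(DeviceName, 20)
          by RemoteUrl, ResponseCategory
| order by Blocks desc
```

In that documentation a `ResponseCategory` of `CustomPolicy` corresponds to web content filtering and `CustomBlockList` to a custom indicator, so the grouping separates a filtering-category block from a SmartScreen reputation block; comparing `Devices` and `SampleDevices` against the device groups targeted by each policy shows whether only a subset of machines is in scope.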
Feb 09 2021 01:39 AM
Jan 06 2022 08:29 AM
Over a year later and we're seeing the same issue. Site was tagged as pornography, it wasn't. Created an exception and it is still blocked.
Jan 12 2022 09:41 AM
Jan 13 2022 12:58 PM
Jan 24 2022 08:16 AM
@Jonhed Sorry, didn't see your reply until now. It was being blocked by any browser. Turns out I was just impatient. Waited until the next day and it was no longer blocked.
Jul 01 2022 07:34 AM