ASR | Legit URL getting blocked


Hi,

 

A legit Exchange URL is getting blocked by Defender and showing the action type as ExploitGuardNetworkProtectionBlocked. The event info says that the URL is blocked as Custom Policy by ASR.

Though the error is encountered only on a few of the machines in my environment and not all of them. As of now, I have allowed that particular URL via Indicators in MDATP Security Center.

Request is that someone can help me understand the reason why it was getting blocked and if I need to revisit any ASR policies on Intune.

Appreciate any help here.

 

Thanks.

4 Replies

@AnuragSrivastava based on what I understand 

 

Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
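Because the block shows up on only some machines, the first thing to establish is whether those machines actually carry the same Network Protection and ASR configuration as the ones that can reach the URL, and what the local Defender log recorded at the moment of the block. The script below is an added example for this thread, not code from the original posts or from Microsoft; it is meant to be run elevated on an affected client and then on a working one so the two outputs can be compared. The hostname in `$TargetHost` is a placeholder, not the Exchange URL from the post.

```powershell
# Added example (not from the thread): snapshot the Defender Network Protection / ASR
# state of this machine and pull the local events behind ExploitGuardNetworkProtectionBlocked.
# Assumptions: run as Administrator on a Windows client with Defender AV active.
$TargetHost = 'mail.contoso.example'   # placeholder for the blocked Exchange hostname

# 1. Effective Defender preferences on this machine.
#    EnableNetworkProtection: 0 = off, 1 = block, 2 = audit.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$npMode = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit' }[[int]$pref.EnableNetworkProtection]

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    NetworkProtection = if ($npMode) { $npMode } else { $pref.EnableNetworkProtection }
    AsrRuleCount      = @($pref.AttackSurfaceReductionRules_Ids).Count
    AsrOnlyExclusions = ($pref.AttackSurfaceReductionOnlyExclusions -join '; ')
    SignatureVersion  = $status.AntivirusSignatureVersion
    EngineVersion     = $status.AMEngineVersion
} | Format-List

# 2. ASR rule-by-rule state. Action codes: 0 = off, 1 = block, 2 = audit, 6 = warn.
#    A rule that is 'Block' (1) here but 'Audit' (2) on a machine that can reach the
#    URL is the kind of Intune policy drift the original question is asking about.
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)
for ($i = 0; $i -lt $ids.Count; $i++) {
    [pscustomobject]@{ RuleId = $ids[$i]; Action = $actions[$i] }
}

# 3. Local Network Protection events from the Defender operational log:
#    1126 = fired in block mode, 1125 = fired in audit mode. The event message
#    names the URL/IP that was evaluated, so filter on the hostname of interest.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($TargetHost) } |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { (($_.Message -split "`n") | Select-Object -First 4) -join ' ' } } |
    Format-Table -AutoSize
```

Run it on one blocked and one unblocked machine and diff the two outputs: a difference in Network Protection mode, in an ASR rule action, or in signature/engine version between the two groups is a stronger lead than the portal alert alone. If the configuration is identical on both and the event still fires only on a subset, that is the point at which the support case Stefan suggests below is the right next step, and it is also worth confirming in the Security Center Indicators page that no block indicator (rather than just the allow you added) matches that host.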

@ehloworldio The URL was actually accessible before; it was just yesterday when a few machines were not able to access the URL while most of the machines were able to during the same time window.

@AnuragSrivastava You can whitelist specific IPs and URLs via the Windows Defender Security Center (Defender ATP Portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator...

This should unblock these, even if they are blacklisted at Microsoft.

 

Why the IPs/URLs are now blacklisted only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior.

 

Best regards

Stefan

 

@SteBeSec Thanks Stefan, I already allowed the URL via indicators. Yes, I agree, might need to check with Microsoft on why the URL actually got blocked.