Jan 22 2020 09:35 AM
Is there a known issue with Indicators for URLs/domains?
We recognised that blocking rules stop working for non-Edge browsers, and Edge browser SmartScreen needs a refresh of the site in order to block the access.
network protection on the client (1903) is enabled and verified.
Jan 23 2020 11:16 AM - edited Jan 23 2020 11:17 AM
I just demonstrated this today with a customer on my own and on one of their devices, worked fine with Chrome on Windows 10 1909 and 1903
Do you see any information in the Windows Event log?
| Feature | Log | Event ID | Description |
|---|---|---|---|
| Network protection | Microsoft-Windows-Windows-Defender/Operational | 5007 | Event when settings are changed |
| | | 1125 | Event when a network connection is audited |
| | | 1126 | Event when a network connection is blocked |
Jan 24 2020 12:37 AM
Thanks for your reply.
In case your indicator works as expected and the block is applied successfully, what does your indicator entry for the related domain/URL look like?
Figured out that indeed a domain name like google.com works pretty fine, but in case you're moving deeper into a URL path, it does not - for instance https://www.youtube.com/?gl=DE&tab=w11
Apr 24 2020 04:06 AM
@Efrat Kliger - Hi having the same issue, URL indicators look correct but blocking stopped working in IE/Chrome and only intermittently blocks in Edge. Have raised a support request w/MS. If anyone has insight on root cause would appreciate feedback
Apr 24 2020 04:12 AM
I assume you're talking about the https related deep links, which are not blocked by CI as "expected" - from my understanding this is currently by design, as mdatp does not act as "man in the middle" breaking up the encrypted channel between the browser and the related webserver. Thus the only way to block https related URLs is to configure the related CI for the domain in general:
working : https://www.google.com
not working: https://www.google.com/whatever-deep-link
Apr 24 2020 07:52 AM
@Scott650 Hi - determined that someone unlinked a GPO that enforced network protection. The reason Edge worked was due to smartscreen. The Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection=1 did not exist.
that was our root cause - hope this helps others
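Added example, not from any post in this thread: a PowerShell check that ties together the two verification points raised above, the policy registry value named in the root-cause post and the 5007/1125/1126 events from the table. It assumes a local Windows 10 host with Defender installed; the log name used is the real "Microsoft-Windows-Windows Defender/Operational" log (with a space), which the table spells with a hyphen.

```powershell
# Verify that Network Protection is actually enforced on this device and
# show recent audit/block events, so a missing GPO (as in the root cause
# above) is caught before anyone concludes the URL indicator is broken.

$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection'
$policy = Get-ItemProperty -Path $policyPath -Name 'EnableNetworkProtection' -ErrorAction SilentlyContinue

if ($null -eq $policy) {
    # This is exactly the failure mode described above: the value is absent
    # because the GPO that created it was unlinked.
    Write-Warning "Policy value EnableNetworkProtection not found under $policyPath"
} else {
    # Policy values: 0 = disabled, 1 = block, 2 = audit mode
    "Policy EnableNetworkProtection = $($policy.EnableNetworkProtection)"
}

# Effective setting reported by the Defender platform (0 = Disabled, 1 = Enabled, 2 = AuditMode).
# Indicators only block when this is 1; in audit mode you only get 1125 events.
$effective = (Get-MpPreference).EnableNetworkProtection
"Effective EnableNetworkProtection = $effective"

# Pull the last 24h of Network Protection events:
# 5007 settings changed, 1125 connection audited, 1126 connection blocked.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007, 1125, 1126
    StartTime = (Get-Date).AddDays(-1)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If the policy value is missing but the effective setting is 1, the setting came from a local or MDM configuration rather than Group Policy; if both are 0, no indicator will block regardless of browser.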
Oct 02 2020 05:55 AM
The Windows network protection service applies to the entire OS. If you tag a domain/URL/IP for a block in IoC, then this would be blocked for the entire OS and any browser, including Chrome, so there is no additional add-in.
You will need to ensure that you have network protection turned on which you can read about here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-p...