Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

indicators for URLs not blocking any longer

Copper Contributor

Hi,

is there a known issue with Indicators for URLs/domains?

we recognised that blocking rules stop working for non-edge browsers and edge browser smart screen needs a refresh of the site in order to block the access.

network protection on the client (1903) is enabled and verified.

Any ideas?

thank you

11 Replies

@Thomas Höhner 

 

I just demonstrated this today with a customer on my own and on one of their devices, worked fine with Chrome on Windows 10 1909 and 1903

 

Do you see any information in the Windows Event log?

 

network protectionMicrosoft-Windows-Windows-Defender/Operational5007Event when settings are changed
1125Event when a network connection is audited
1126Event when a network connection is blocked

 

 

 

 

Hi @Alex Verboon 

 

thanks for your reply.

in case your indicator works as expected and the block is applied successfully - how does your indicator entry for the related domain/url looks like?

Figured out that indeed a domain name like google.com works pretty fine, but in case you're moving deeper into a URL path, it does not - for instance https://www.youtube.com/?gl=DE&tab=w11

 

@Thomas Höhner 

 

i had conifgured www.bitcoin.com, here's the result. 

clipboard_image_0.png

haven't tried the case you described but will try out as well and let you know the results .

 

 

 

 

 

 

@Thomas Höhner 

We are working to support this case as well.

Please read through the following documentation section.
Full URL path blocks can be applied on the domain level and all unencrypted URLs.

 

@Efrat Kliger - Hi having the same issue, URL indicators look correct but blocking stopped working in IE/Chrome and only intermittently blocks in Edge.  Have raised a support request w/MS. If anyone has insight on root cause would appreciate feedback  

@Scott650

Hi Scott,

I assume you're talking about the https related deep links, which are not blocked by CI as "expected" - from my understanding this is currently by design, as mdatp does not act as "man in the middle" breaking up the encrypted channel between the browser and the related webserver. Thus the only way to block https related URLs is to configure the related CI for the domain in general:

working : https://www.google.com

not working: https://www.google.com/whatever-deep-link

@Thomas Höhner 

Hi,

     Simply marked Zoom as unsanctioned in MCAS, worked for ~3 week and the just stopped.

Allowed the integration between MCAS and Defender ATP to automatically create the indicator.

@Scott650 Hi - determined that someone unlinked a GPO that enforced network protection.  The reason Edge worked was due to smartscreen. The Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection=1  did not exist.

 

that was our root cause - hope this helps others

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/enable-ne...

@Alex Verboon Hi, appreciate if you can share to me how it will work with chrome browser? What extension do I need to install? Thanks

@jgumba08 

The windows network protection service applies to the entire OS. If you tag a domain/url/ip for a block in IoC then this would be blocked for the entire OS and any browser including Chrome so there is no additional add-in. 

You will need to ensure that you have network protection turned on which you can read about here: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/network-p...


@Jamesd749 network protection is turned on already. 

jgumba08_0-1601895843701.png