Windows Defender ATP ExploitGuard + Safelinks Issue.

Not applicable

Hi all,


ExploitGuard Network Protection, part of ATP, is currently attacking one node for Safelinks.


Specifically When you click a link in outlook that has been rewritten by Safelinks, you'll  get one of three nodes, whichever you happen to be loadbalanced to. If you happen to be loadbalanced to, you will get stopped in your tracks by ExploitGuard.


I cannot find a way to contact Microsoft in a way that would have this looked at and resolved.


Additionally, ExploitGuard does not seem to respect whitelists added for the IP in Windows Defender Security Center, for any IPs, not just this one.


Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection.
Detection time: 2019-03-12T13:04:55.723Z
User: S-1-5-21-*
Process Name: C:\Program Files\Mozilla Firefox\firefox.exe

2 Replies

@Deleted Just chiming in that I've seen identical behaviour in the past with certain EU nodes. After a while, it goes away. Then it's back weeks later without warning. Whack-a-mole!


The only workaround I've found during this condition is to reduce the Network Protection setting to Warn, which is obviously unsatisfactory.

@Rob Hardman 


So, I found the answer finally after arguing with Microsoft Support for a week.


You can report false ExploitGuard Network Protection blocks here:


The tech I spoke with on the phone trying to get this resolved told us there's no way on our end to add exceptions for external sites, only internal. Hopefully they add that feature soon!