Windows Defender ATP ExploitGuard + Safelinks Issue.

Deleted

Hi all,


ExploitGuard Network Protection, part of ATP, is currently attacking one node for Safelinks.


Specifically 104.47.50.28. When you click a link in Outlook that has been rewritten by Safelinks, you'll get one of three nodes, whichever you happen to be load-balanced to. If you happen to be load-balanced to 104.47.50.28, you will get stopped in your tracks by ExploitGuard.


I cannot find a way to contact Microsoft in a way that would have this looked at and resolved.


Additionally, ExploitGuard does not seem to respect whitelists added for the IP in Windows Defender Security Center, for any IPs, not just this one.


Your IT administrator has caused Windows Defender Exploit Guard to block a potentially dangerous network connection.
Detection time: 2019-03-12T13:04:55.723Z
User: S-1-5-21-*
Destination: http://nam05.safelinks.protection.outlook.com
Process Name: C:\Program Files\Mozilla Firefox\firefox.exe

2 Replies

@Deleted Just chiming in that I've seen identical behaviour in the past with certain EU nodes. After a while, it goes away. Then it's back weeks later without warning. Whack-a-mole!


The only workaround I've found during this condition is to reduce the Network Protection setting to Warn, which is obviously unsatisfactory.

@Rob Hardman


So, I finally found the answer after arguing with Microsoft Support for a week.


You can report false ExploitGuard Network Protection blocks here:

https://www.microsoft.com/en-us/wdsi/filesubmission/exploitguard/networkprotection


The tech I spoke with on the phone trying to get this resolved told us there's no way on our end to add exceptions for external sites, only internal. Hopefully they add that feature soon!
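One way to triage a block like the one quoted in the original post (which mode Network Protection is in, which Safelinks node this client is currently load-balanced to, and which recent events name a Safelinks destination), plus the audit-mode switch that is the Set-MpPreference equivalent of the Warn workaround in the first reply, as an added PowerShell example. It is not code from any poster or from Microsoft. It assumes an elevated PowerShell session on Windows 10 1709 or later with Defender AV; the log name and event IDs (1125 for audit-mode hits, 1126 for block-mode hits) are the documented ones, the hostname and IP are the ones from the thread, and the two regexes assume the "Destination:" / "Process Name:" message layout quoted above.

```powershell
# Added triage script for the thread above; not Microsoft's code and not from any poster.
# Assumptions: elevated PowerShell on Windows 10 1709+ with Defender AV. Event IDs
# 1125/1126 and the log name are documented; the regexes assume the "Destination: ..."
# and "Process Name: ..." message layout quoted in the original post.

$SafelinksHost = 'nam05.safelinks.protection.outlook.com'   # hostname from the block message
$SuspectIp     = '104.47.50.28'                              # node reported in the thread

function Get-NetworkProtectionMode {
    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $raw = [int](Get-MpPreference).EnableNetworkProtection
    switch ($raw) {
        0       { 'Disabled' }
        1       { 'Enabled (block)' }
        2       { 'AuditMode' }
        default { "Unknown ($raw)" }
    }
}

function Get-SafelinksNodes {
    param([string]$Name = $SafelinksHost)
    # A records only; the CNAME hops in the answer carry no IPAddress property.
    (Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
        Where-Object { $_.IPAddress }).IPAddress
}

function Get-NetworkProtectionEvents {
    param([int]$Days = 7)
    # 1126 = connection blocked (block mode); 1125 = would have been blocked (audit mode).
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Message layout assumed from the text quoted in the thread.
        $dest = if ($_.Message -match 'Destination:\s*(\S+)')  { $Matches[1] }        else { '' }
        $proc = if ($_.Message -match 'Process Name:\s*(.+)')  { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Mode        = if ($_.Id -eq 1126) { 'Block' } else { 'Audit' }
            Destination = $dest
            Process     = $proc
        }
    }
}

# --- run the triage ---
"Network Protection mode : $(Get-NetworkProtectionMode)"
$nodes = Get-SafelinksNodes
"$SafelinksHost resolves to: $($nodes -join ', ')"
if ($nodes -contains $SuspectIp) { "This client is currently on the suspect node $SuspectIp" }

$hits = Get-NetworkProtectionEvents |
    Where-Object { $_.Destination -like '*safelinks.protection.outlook.com*' }
$hits | Format-Table -AutoSize

# Temporary relief while the false positive is open with Microsoft: audit instead of
# block (the same trade-off as the Warn workaround in the reply), then re-enable.
# Set-MpPreference -EnableNetworkProtection AuditMode
# Set-MpPreference -EnableNetworkProtection Enabled
```

The event table is the evidence to attach to the submission at the URL above: it shows whether the hits are 1126 (actual blocks) or 1125 (audit only), the exact destination string, and the process, and the DNS step tells you whether the machine you are testing from is even on the affected node at the moment, which explains the whack-a-mole pattern described in the first reply.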