Exploit Guard - Network Protection


We've begun pushing the Windows 10 Fall Creators Update in our business environment. We have configured many of the new security features through GPO, including Exploit Guard - Attack Surface Reduction Rules and Exploit Guard - Network Protection.

 

When we were originally testing and evaluating 1709 (a few months ago) the Network Protection feature worked as expected, and Windows would notify us if a site was blocked due to the setting being enabled.  For example, the Network Protection Evaluation page recommends that we visit: https://smartscreentestratings2.net/

 

That should trigger the Network Protection notification in Windows and prevent us from getting to the page; however, that does not seem to work anymore. The page renders without issue, and I never receive a notification that it was blocked. This is making me question whether or not the feature is working at all anymore. A few things that I've checked:

 

  1. The GPO setting "Prevent Users and Apps from Accessing Dangerous Websites" is set to enabled for all computers.
  2. Ran an RSOP on multiple computers to ensure that the setting is being properly applied. It is.
  3. In PowerShell, ran Get-MpPreference to make sure that EnableNetworkProtection has a value = 1.  It does.

Anyone else having the same experience or any idea why the MS test site doesn't evaluate correctly anymore?  


16 Replies

Hi,

Prior to the 'Defender Antimalware Platform Update' in January "C:\Program Files\Windows Defender\wdnsfltr.exe" would be called and make a connection to urs.smartscreen.microsoft.com either directly or via a proxy server (even if a proxy is hardcoded and WPAD/PAC files direct connections to .microsoft.com via the proxy).
This would then invoke 'Network Protection' on a matching FQDN, the connection would be blocked, an event (ID: 1126) recorded in the 'Windows Defender' event log and a notification would alert the user.
Updating Windows 10 with the latest cumulative OS update will still work, but as soon as Defender is updated, the 'Network Protection' service is no longer called and the connection to the blacklisted site is successful.

I've emailed wdcustomer@microsoft.com directly and the feedback link is https://aka.ms/Vxogvt.

Regards,

Steve

Hi Steve,

 

Thanks for submitting this to Microsoft directly. It's a bit difficult to traverse the Feedback Hub for this type of problem. Hopefully you can update this thread if/when you hear something back from MS.

 

Thanks. 

Okay so we have a new platform update version 4.14.17613.18039-0. I've had connections blocked with this platform on 1709 but no notification, on 1803 I've had both blocked connections and notification.

 

That is interesting. I'm running 1709 on all of my computers, and I'm now seeing the same thing. The test site is properly blocked, but I don't receive a notification. I also do not see a corresponding log entry for the event. According to this documentation I should see log entries for the Network Protection events in the Windows Defender -> Operational log; however, nothing is being logged there after the test site is blocked.

 

I guess I will just wait until 1803 is ready for broad distribution.   

I'm also seeing this issue; the test pages are being blocked only by SmartScreen, but Exploit Guard Network Protection doesn't function at all, i.e., there is no blocking and no auditing despite the policy being successfully deployed. I've upvoted the issue in the Feedback Hub and encourage others to do the same.

We've had another platform version released (4.14.17639.18041-0), but the results are the same in 1709 as the last release, so blocks but still no notifications. On the upside, 1803 Enterprise appears to be a well-polished version of 1709. My only problem so far is that event logs set to archive when full actually stop logging, a problem that was fixed in 1709 a few months back; other than that, all is well, so you may be able to move to 1803 sooner than you'd planned.

The last 2 releases of the Defender platform on 1709 have been blocking but not notifying; you can test it in PowerShell with the following:
###Begin

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12
$url = 'https://smartscreentestratings2.net/'
$webClient = New-Object System.Net.WebClient
# $webClient.Proxy = [System.Net.GlobalProxySelection]::GetEmptyWebProxy() #Use to bypass the proxy if needed
$webClient.DownloadString($url)
###End
You will get an SSL/TLS negotiation error when blocked. Add PowerShell(_ise).exe to the Defender exclusions and restart PowerShell, and you'll then get a web response.

I've just found out why it no longer works on my Windows 10 Pro machines, it's now a Windows 10 Enterprise only feature: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/t...

I've just tested it on Pro 1803 (17134.1) and it works, notifications and blocking. 

We have a few PCs, pre and post 1709, that Defender is completely cutting off the network. In one case deleting wdnsfltr.exe and .sys solved it. Nothing in the Defender Event logs about blocking access to the network or a bad site. We are deploying via Group Policy from Server 2016. Win10 Pro clients.

 

DH

What platform versions are the affected clients running?

Win 10 Pro.

 

One was 1709 and the other was 1603.

 

In the case of 1709, we had to delete wdnsfltr while unjoined.

 

In the case of 1603, we took it off the domain, applied 1709, rejoined and network came back. wdnsfltr never started up in this case.

 

DH

What Windows Defender platform version was running at the time of the issues? Look at C:\ProgramData\Microsoft\Windows Defender\Platform\x.xx.x.xxx, for example. The issues we've seen have been a combination of Defender platform and OS version.

Do you still have issues now with platform 4.14.17639.18041-0?

Both clients are at that version now, but part of the troubleshooting for both was to update them to 1709 so not sure what was there before.

 

On checking now on other PCs, some platform folders are empty, some are at 4.12.17007.18022-0, etc etc

 

How do we ensure everyone has current Defender regardless of OS patch level - is there a KB we can quickly push on everyone?

 

Thanks

 

DH

Do the clients without the latest platform version have the latest engine and definitions? Get-MpComputerStatus in PowerShell will show you.
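As an added example (not code from anyone in this thread), the following PowerShell pulls together the checks discussed above: the EnableNetworkProtection mode from Get-MpPreference, the platform/engine/signature versions from Get-MpComputerStatus, the platform folders under ProgramData, and any Network Protection events (1125 audit, 1126 block) in the Windows Defender Operational log. It assumes a Windows 10 client with the Defender PowerShell module, run from an elevated prompt; the function name is mine.

```powershell
# Added example, not from the original thread: summarise Network Protection state,
# Defender platform versions, and recent Network Protection events on this client.
# Assumes Windows 10 with the Defender module; run elevated to read the Operational log.
function Get-NetworkProtectionStatus {
    param([int]$Days = 7)

    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode
    $modeName = switch ([int]$pref.EnableNetworkProtection) {
        0 { 'Disabled' } 1 { 'Enabled' } 2 { 'AuditMode' } default { 'Unknown' }
    }

    # The thread ties behaviour to the Defender platform release; list the
    # platform folders present so they can be compared with AMProductVersion.
    $platformRoot = 'C:\ProgramData\Microsoft\Windows Defender\Platform'
    $platforms = if (Test-Path $platformRoot) {
        (Get-ChildItem -Path $platformRoot -Directory | Sort-Object Name).Name -join ', '
    } else { '(folder not present)' }

    # Event 1126 = Network Protection blocked a connection, 1125 = audit-mode hit.
    # Get-WinEvent reports "no events" as an error, so suppress it and treat as zero.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        NetworkProtectionMode  = $modeName
        PlatformVersion        = $status.AMProductVersion
        EngineVersion          = $status.AMEngineVersion
        SignatureVersion       = $status.AntivirusSignatureVersion
        PlatformFoldersPresent = $platforms
        BlockEvents1126        = @($events | Where-Object Id -eq 1126).Count
        AuditEvents1125        = @($events | Where-Object Id -eq 1125).Count
        LastEventTime          = ($events | Sort-Object TimeCreated -Descending |
                                  Select-Object -First 1).TimeCreated
    }
}

Get-NetworkProtectionStatus -Days 30 | Format-List
```

A mode of Enabled with zero 1126 events after visiting the test URL reproduces the symptom described in this thread (blocking or not, but no event and no toast), and the version fields give you the platform number to quote when comparing clients.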

Fails on PCs where AVG is still running.

 

PCs where AVG is gone have been updated to 1709 and so far have the latest Defender.

 

DH