Configure and validate Microsoft Defender Antivirus network connections
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
- Microsoft Defender Antivirus
RSS feed: Get notified when this page is updated by copying and pasting the following URL into your feed reader:
To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, your security team must configure your network to allow connections between your endpoints and certain Microsoft servers. This article lists connections that must be allowed for using the firewall rules. It also provides instructions for validating your connection. Configuring your protection properly will ensure you receive the best value from your cloud-delivered protection services.
This article contains information about configuring network connections only for Microsoft Defender Antivirus. If you are using Microsoft Defender for Endpoint (which includes Microsoft Defender Antivirus), see Configure device proxy and Internet connectivity settings for Defender for Endpoint.
Allow connections to the Microsoft Defender Antivirus cloud service
The Microsoft Defender Antivirus cloud service provides fast, and strong protection for your endpoints. It's optional to enable the cloud-delivered protection service. Microsoft Defender Antivirus cloud service is recommended, because it provides important protection against malware on your endpoints and network. For more information, see Enable cloud-delivered protection for enabling service with Intune, Microsoft Endpoint Configuration Manager, Group Policy, PowerShell cmdlets, or individual clients in the Windows Security app.
After you've enabled the service, you need to configure your network or firewall to allow connections between network and your endpoints. Because your protection is a cloud service, computers must have access to the internet and reach the Microsoft cloud services. Don't exclude the URL
*.blob.core.windows.net from any kind of network inspection.
The Microsoft Defender Antivirus cloud service delivers updated protection to your network and endpoints. The cloud service should not be considered as only protection for your files that are stored in the cloud; instead, the cloud service uses distributed resources and machine learning to deliver protection for your endpoints at a faster rate than the traditional Security intelligence updates.
Services and URLs
The table in this section lists services and their associated website addresses (URLs).
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL
*.blob.core.windows.net). The URLs in the following table use port 443 for communication.
|Service and description||URL|
|Microsoft Defender Antivirus cloud-delivered protection service is referred as Microsoft Active Protection Service (MAPS).
Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.
|Microsoft Update Service (MU) and Windows Update Service (WU)
These services will allow security intelligence and product updates.
For more information, see Connection endpoints for Windows Update
|Security intelligence updates Alternate Download Location (ADL)
This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).
|Malware submission storage
This is an upload location for files submitted to Microsoft via the Submission form or automatic sample submission.
|Certificate Revocation List (CRL)
Windows use this list while creating the SSL connection to MAPS for updating the CRL.
Microsoft Defender Antivirus uses the Symbol Store to restore certain critical files during the remediation flows.
|Universal GDPR Client
Windows use this client to send the client diagnostic data.
Microsoft Defender Antivirus uses General Data Protection Regulation for product quality, and monitoring purposes.
|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints:
Validate connections between your network and the cloud
After allowing the URLs listed, test whether you're connected to the Microsoft Defender Antivirus cloud service. Test the URLs are correctly reporting and receiving information to ensure you're fully protected.
Use the cmdline tool to validate cloud-delivered protection
Use the following argument with the Microsoft Defender Antivirus command-line utility (
mpcmdrun.exe) to verify that your network can communicate with the Microsoft Defender Antivirus cloud service:
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -ValidateMapsConnection
Open Command Prompt as an administrator. Right-click the item in the Start menu, click Run as administrator and click Yes at the permissions prompt. This command will only work on Windows 10, version 1703 or higher, or Windows 11.
For more information, see Manage Microsoft Defender Antivirus with the mpcmdrun.exe commandline tool.
Attempt to download a fake malware file from Microsoft
You can download a sample file that Microsoft Defender Antivirus will detect and block if you're properly connected to the cloud. Visit https://aka.ms/ioavtest1 to download the file.
The downloaded file is not exactly malware. It's a fake file designed to test if you're properly connected to the cloud.
If you're properly connected, you'll see a warning Microsoft Defender Antivirus notification.
If you're using Microsoft Edge, you'll also see a notification message:
A similar message occurs if you're using Internet Explorer:
View the fake malware detection in your Windows Security app
On your task bar, select the Shield icon, open the Windows Security app. Or, search the Start for Security.
Select Virus & threat protection, and then select Protection history.
Under the Quarantined threats section, select See full history to see the detected fake malware.
Versions of Windows 10 before version 1703 have a different user interface. See Microsoft Defender Antivirus in the Windows Security app.
The Windows event log will also show Windows Defender client event ID 1116.
If you're looking for Antivirus related information for other platforms, see:
- Set preferences for Microsoft Defender for Endpoint on macOS
- Microsoft Defender for Endpoint on Mac
- macOS Antivirus policy settings for Microsoft Defender Antivirus for Intune
- Set preferences for Microsoft Defender for Endpoint on Linux
- Microsoft Defender for Endpoint on Linux
- Configure Defender for Endpoint on Android features
- Configure Microsoft Defender for Endpoint on iOS features
Submit and view feedback for