Network protection helps protect devices from certain Internet-based events by preventing connections to malicious or suspicious sites. Network protection is an attack surface reduction capability that helps prevent people in your organization from accessing domains that are considered dangerous through applications. Examples of dangerous domains are domains that host phishing scams, exploits, and other malicious content on the Internet. Network protection expands the scope of Microsoft Defender SmartScreen to block all outbound HTTP(S) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
Network protection extends the protection in Web protection to the operating system level, and is a core component for Web Content Filtering (WCF). It provides the web protection functionality found in Microsoft Edge to other supported browsers and nonbrowser applications. Network protection also provides visibility and blocking of indicators of compromise (IOCs) when used with Endpoint detection and response. For example, network protection works with your custom indicators that you can use to block specific domains or host names.
Network protection coverage
The following table summarizes network protection areas of coverage.
On Mac and Linux, you must have network protection in block mode for these features to be supported in the Microsoft Edge browser.
On Windows, network protection doesn't monitor Microsoft Edge. For processes other than Microsoft Edge and Internet Explorer, web protection scenarios leverage network protection for inspection and enforcement.
Known issues & limitations
IP is supported for all three protocols (TCP, HTTP, and HTTPS (TLS)).
Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
Encrypted URLs (full path) are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge).
Encrypted URLs (FQDN only) are blocked in non-Microsoft browsers.
URLs loaded via HTTP connection coalescing, such as content loaded by modern CDNs, are only blocked on Microsoft browsers (Internet Explorer, Microsoft Edge), unless the CDN URL itself is added to the indicator list.
Network Protection will block connections on both standard and non-standard ports.
Full URL path blocks are applied for unencrypted URLs.
There might be up to two hours of latency (usually less) between the time when the action is taken and the URL/IP is blocked.
Watch this video to learn how network protection helps reduce the attack surface of your devices from phishing scams, exploits, and other malicious content:
Requirements for network protection
Network protection requires devices running one of the following operating systems:
Network protection is a part of the attack surface reduction group of solutions in Microsoft Defender for Endpoint. Network protection enables the network layer to block URLs and IP addresses. Network protection can block URLs from being accessed by using certain browsers and standard network connections. By default, network protection guards your computers from known malicious URLs using the SmartScreen feed, which blocks malicious URLs in a manner similar to SmartScreen in Microsoft Edge browser. The network protection functionality can be extended to:
Block IP/URL addresses from your own threat intelligence (indicators)
Command and Control (C2) server computers are used by malicious users to send commands to systems previously compromised by malware. C2 attacks typically hide in cloud-based services such as file-sharing and webmail services, enabling the C2 servers to avoid detection by blending in with typical traffic.
C2 servers can be used to initiate commands that can:
Steal data
Control compromised computers in a botnet
Disrupt legitimate applications
Spread malware, such as ransomware
The network protection component of Defender for Endpoint identifies and blocks connections to C2 infrastructures used in human-operated ransomware attacks, using techniques like machine learning and intelligent indicator-of-compromise (IoC) identification.
Network protection: C2 detection and remediation
In its initial form, ransomware is a commodity threat that's preprogrammed and focused on limited, specific outcomes (like encrypting a computer). However, ransomware has evolved into a sophisticated threat that is human-driven, adaptive, and focused on larger scale and more widespread outcomes, like holding an entire organization's assets or data for ransom.
Support for Command and Control servers (C2) is an important part of this ransomware evolution, and it's what enables these attacks to adapt to the environment they target. Breaking the link to the command-and-control infrastructure stops the progression of an attack to its next stage. For more information about C2 detection and remediation, see Detecting and remediating command and control attacks at the network layer.
Network protection: New toast notifications
New mapping
Response category
Sources
phishing
Phishing
SmartScreen
malicious
Malicious
SmartScreen
command and control
C2
SmartScreen
command and control
COCO
SmartScreen
malicious
Untrusted
SmartScreen
by your IT admin
CustomBlockList
by your IT admin
CustomPolicy
Note
customAllowList does not generate notifications on endpoints.
New notifications for network protection determination
New capabilities in network protection use functions in SmartScreen to block phishing activities from malicious command and control sites. When an end user attempts to visit a website in an environment in which network protection is enabled, three scenarios are possible, as outlined in the following table:
Scenario
What happens
The URL has a known good reputation
The user is permitted access without obstruction, and there's no toast notification presented on the endpoint. In effect, the domain or URL is set to Allowed.
The URL has an unknown or uncertain reputation
The user's access is blocked, but with the ability to circumvent (unblock) the block. In effect, the domain or url is set to Audit.
The URL has a known bad (malicious) reputation
The user is prevented from access. In effect, the domain or url is set to Block.
Warn experience
A user visits a website. If the url has an unknown or uncertain reputation, a toast notification presents the user with the following options:
Ok: The toast notification is released (removed), and the attempt to access the site is ended.
Unblock: The user has access to the site for 24 hours; at which point the block is reenabled. The user can continue to use Unblock to access the site until such time that the administrator prohibits (blocks) the site, thus removing the option to Unblock.
Feedback: The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
Note
The images shown in this article for both the warn experience and block experience use "blocked url" as example placeholder text. In a functioning environment, the actual url or domain is listed.
Right-click the Group Policy Object you want to configure, and then select Edit.
In the Group Policy Management Editor go to Computer configuration and then select Administrative templates.
Expand the tree to Windows components > Microsoft Defender Antivirus > Network inspection system.
Double-click Convert warn verdict to block and set the option to Enabled.
Select OK.
Block experience
A user visits a website. If the url has a bad reputation, a toast notification presents the user with the following options:
Ok: The toast notification is released (removed), and the attempt to access the site is ended.
Feedback: The toast notification presents the user with a link to submit a ticket, which the user can use to submit feedback to the administrator in an attempt to justify access to the site.
SmartScreen Unblock
With indicators in Defender for Endpoint, administrators can allow end users to bypass warnings that are generated for some URLs and IPs. Depending on why the URL is blocked, when a SmartScreen block is encountered, it could offer the user the ability to unblock the site for up to 24 hours. In such cases, a Windows Security toast notification appears, permitting the user to select Unblock. In such cases, the URL or IP is unblocked for the specified period of time.
Microsoft Defender for Endpoint administrators can configure SmartScreen Unblock functionality in the Microsoft Defender portal using an allow indicator for IPs, URLs, and domains.
Network protection is enabled per device, which is typically done using your management infrastructure. For supported methods, see Turn on network protection.
Note
Microsoft Defender Antivirus must be in active mode to enable network protection.
You can enable network protection in audit mode or block mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in audit mode, and gather data on what would be blocked. Audit mode logs whenever end users connect to an address or site that would otherwise be blocked by network protection. In order for indicators of compromise (IoC) or Web content filtering (WCF) to work, network protection must be in block mode.
For information about network protection for Linux and macOS see the following articles:
Audit events are in DeviceEvents with an ActionType of ExploitGuardNetworkProtectionAudited. Blocks are shown with an ActionType of ExploitGuardNetworkProtectionBlocked.
Here's an example query for viewing Network Protection events for non-Microsoft browsers:
Kusto
DeviceEvents
|where ActionType in ('ExploitGuardNetworkProtectionAudited','ExploitGuardNetworkProtectionBlocked')
Tip
These entries have data in the AdditionalFields column which gives you great info around the action, if you expand AdditionalFields you can also get the fields: IsAudit, ResponseCategory, and DisplayName.
You can use the resulting list of URLs and IPs to determine what would be blocked if network protection is set to block mode on the device. You can also see which features would block URLs and IPs. Review the list to identify any URLS or IPs that are necessary for your environment. You can then create an allow indicator for those URLs or IP addresses. Allow indicators take precedence over any blocks.
Once you've created an indicator, you can look at resolving the underlying issue as follows:
As this is a per-device setting, if there are devices that cannot move to Block mode you can simply leave them on audit until you can rectify the challenge and you will still receive the auditing events.
For more information about how to enable network protection, see Enable network protection. Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network.
After you've enabled network protection, you might need to configure your network or firewall to allow the connections between your endpoint devices and the web services:
When network protection blocks a connection, a notification is displayed from the Action Center. Your security operations team can customize the notification with your organization's details and contact information. In addition, individual attack surface reduction rules can be enabled and customized to suit certain techniques to monitor.
You can also use audit mode to evaluate how network protection would impact your organization if it were enabled.
Review network protection events in the Microsoft Defender portal
Defender for Endpoint provides detailed reporting into events and blocks as part of its alert investigation scenarios. You can view these details in the Microsoft Defender portal (https://security.microsoft.com) in the alerts queue or by using advanced hunting. If you're using audit mode, you can use advanced hunting to see how network protection settings would affect your environment if they were enabled.
Review network protection events in Windows Event Viewer
You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
This procedure creates a custom view that filters to only show the following events related to network protection:
Event ID
Description
5007
Event when settings are changed
1125
Event when network protection fires in audit mode
1126
Event when network protection fires in block mode
Network protection and the TCP three-way handshake
With network protection, the determination of whether to allow or block access to a site is made after the completion of the three-way handshake via TCP/IP. Thus, when network protection blocks a site, you might see an action type of ConnectionSuccess under DeviceNetworkEvents in the Microsoft Defender portal, even though the site was blocked. DeviceNetworkEvents are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
Here's an example of how that works:
Suppose that a user attempts to access a website on their device. The site happens to be hosted on a dangerous domain, and it should be blocked by network protection.
The three-way handshake via TCP/IP commences. Before it completes, a DeviceNetworkEvents action is logged, and its ActionType is listed as ConnectionSuccess. However, as soon as the three-way handshake process completes, network protection blocks access to the site. All of this happens quickly. A similar process occurs with Microsoft Defender SmartScreen; it's when the three-way handshake completes that a determination is made, and access to a site is either blocked or allowed.
In the Microsoft Defender portal, an alert is listed in the alerts queue. Details of that alert include both DeviceNetworkEvents and AlertEvidence. You can see that the site was blocked, even though you also have a DeviceNetworkEvents item with the ActionType of ConnectionSuccess.
Considerations for Windows virtual desktop running Windows 10 Enterprise Multi-Session
Due to the multi-user nature of Windows 10 Enterprise, keep the following points in mind:
Network protection is a device-wide feature and can't be targeted to specific user sessions.
Web content filtering policies are also device-wide.
If you need to differentiate between user groups, consider creating separate Windows Virtual Desktop host pools and assignments.
Test network protection in audit mode to assess its behavior before rolling out.
Consider resizing your deployment if you have a large number of users or a large number of multi-user sessions.
Alternative option for network protection
For Windows Server 2012 R2 and Windows Server 2016 using the modern unified solution, Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later, used in Windows Virtual Desktop on Azure, network protection for Microsoft Edge can be enabled using the following method:
In some cases, depending on your infrastructure, volume of traffic, and other conditions, Set-MpPreference -AllowDatagramProcessingOnWinServer 1 can have an effect on network performance.
Network protection for Windows Servers
Following is information specific to Windows Servers.
Verify that network protection is enabled
Verify whether network protection is enabled on a local device by using Registry Editor.
Select the Start button in the task bar and type regedit to open Registry Editor.
Select HKEY_LOCAL_MACHINE from the side menu.
Navigate through the nested menus to SOFTWARE > Policies > Microsoft > Windows Defender > Windows Defender Exploit Guard > Network Protection.
(If the key isn't present, navigate to SOFTWARE > Microsoft > Windows Defender > Windows Defender Exploit Guard > Network Protection)
Select EnableNetworkProtection to see the current state of network protection on the device:
For Windows Server 2012 R2 and Windows Server 2016 using the modern unified solution, Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later (used in Windows Virtual Desktop on Azure), enable other registry keys, as follows:
Go to HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows Defender > Windows Defender Exploit Guard > Network Protection.
Configure the following keys:
AllowNetworkProtectionOnWinServer (DWORD) set to 1 (hex)
EnableNetworkProtection (DWORD) set to 1 (hex)
(On Windows Server 2012 R2 and Windows Server 2016 only) AllowNetworkProtectionDownLevel (DWORD) set to 1 (hex)
Note
Depending on your infrastructure, volume of traffic, and other conditions, HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows Defender > NIS > Consumers > IPS - AllowDatagramProcessingOnWinServer (dword) 1 (hex) can have an effect on network performance.
Windows Servers and Windows Multi-session configuration requires PowerShell
For Windows Servers and Windows Multi-session, there are other items that you must enable by using PowerShell cmdlets. For Windows Server 2012 R2 and Windows Server 2016 using the modern unified solution, Windows Server version 1803 or later, and Windows 10 Enterprise Multi-Session 1909 and later, used in Windows Virtual Desktop on Azure, run the following PowerShell commands:
In some cases, depending on your infrastructure, volume of traffic, and other conditions, Set-MpPreference -AllowDatagramProcessingOnWinServer 1 can affect network performance.
Network protection troubleshooting
Due to the environment where network protection runs, the feature might not be able to detect operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve the connectivity problem, configure a static proxy for Microsoft Defender Antivirus.
Note
Before starting troubleshooting, make sure to set the QUIC protocol to disabled in browsers that are used. QUIC protocol is not supported with network protection functionality.
Because Global Secure Access doesn't currently support UDP traffic, UDP traffic to port 443 can't be tunneled. You can disable the QUIC protocol so that Global Secure Access clients fall back to using HTTPS (TCP traffic on port 443). You must make this change if the servers that you're trying to access do support QUIC (for example, through Microsoft Exchange Online). To disable QUIC, you can take one of the following actions:
Disable QUIC in Windows Firewall
The most generic method to disable QUIC is to disable that feature in Windows Firewall. This method affects all applications, including browsers and client apps (such as Microsoft Office). In PowerShell, run the New-NetFirewallRule cmdlet to add a new firewall rule that disables QUIC for all outbound traffic from the device:
You can disable QUIC at the web browser level. However, this method of disabling QUIC means that QUIC continues to work on nonbrowser applications. To disable QUIC in Microsoft Edge or Google Chrome, open the browser, locate the Experimental QUIC protocol setting (#enable-quic flag), and then change the setting to Disabled. The following table shows which URI to enter in the browser's address bar so that you can access that setting.
Browser
URI
Microsoft Edge
edge://flags/#enable-quic
Google Chrome
chrome://flags/#enable-quic
Optimizing network protection performance
Network protection includes performance optimization that allows block mode to asynchronously inspect long-lived connections, which might provide a performance improvement. This optimization can also help with app compatibility problems. This capability is on by default.