revised tshoot topics

This commit is contained in:
Justin Hall 2019-03-28 12:06:32 -07:00
parent 3b2aa2f77b
commit 33aa5e44de
3 changed files with 24 additions and 51 deletions

@ -47,19 +47,19 @@ You might want to do this to make sure it doesn't affect line-of-business apps o
1. Go to [https://smartscreentestratings2.net](https://smartscreentestratings2.net).
You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked.
The network connection will be allowed and a test message will be displayed.
![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png)
## Review network protection events in Windows Event Viewer
To review which apps would have been blocked, open Event Viewer and filter for Event ID 1125. The following table lists all network protection events.
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows-Defender/Operational log. The following table lists all network protection events.
Event ID | Description
Event ID | Provide/Source | Description
-|-
5007 | Event when settings are changed
1125 | Event when rule fires in audit mode
1126 | Event when rule fires in block mode
5007 | Windows Defender (Operational) | Event when settings are changed
1125 | Windows Defender (Operational) | Event when a network connection is audited
1126 | Windows Defender (Operational) | Event when a network connection is blocked
## Related topics
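Review bot: the table separator row `-|-` still has two columns while the new header `Event ID | Provide/Source | Description` has three, so the table will not render as a table; change the separator to `-|-|-`. Also `Provide/Source` looks like a typo for `Provider/Source`, "connnection" has an extra n, and the screenshot alt text still describes a "Connection blocked" notification while the revised step text says the connection will be allowed and a test message displayed; reconcile one with the other.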

@ -32,7 +32,7 @@ There are four steps to troubleshooting these problems:
3. Add exclusions for the specified rule (for false positives)
3. Submit support logs
## Confirm pre-requisites
## Confirm prerequisites
Attack surface reduction rules will only work on devices with the following conditions:
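Review bot: the step list has two items numbered 3 (`3. Add exclusions for the specified rule (for false positives)` and `3. Submit support logs`); the second should be 4. Renaming the heading from `## Confirm pre-requisites` to `## Confirm prerequisites` also changes its generated anchor, so the `#confirm-pre-requisites` link later in this file needs to become `#confirm-prerequisites`.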
@ -46,27 +46,14 @@ If these pre-requisites have all been met, proceed to the next step to test the
## Use audit mode to test the rule
There are two ways that you can test if the rule is working.
You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm attack surface reduction rules are generally working for pre-configured scenarios and processes on a device, or you can use audit mode, which enables rules for reporting only.
You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only.
Follow these instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly.
If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
Follow the instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with.
>[!TIP]
>While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature.
Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run.
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md). Audit mode allows the rule to report the file or process, but will still allow it to run.
2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed).
3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**.
>[!TIP]
>Audit mode will stop the rule from blocking the file or process.
>
>If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled.
>
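Review bot: the link `[pre-requisites listed above](#confirm-pre-requisites)` points at an anchor that no longer exists once the heading is renamed to "Confirm prerequisites"; update it to `#confirm-prerequisites`. Also "reductio" in step 3 (`[Review the attack surface reductio rule event logs]`) should read "reduction".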
@ -79,26 +66,21 @@ If you've tested the rule with the demo tool and with audit mode, and attack sur
## Add exclusions for a false positive
You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders.
This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us.
To add an exclusion, see the [Customize Attack surface reduction](customize-attack-surface-reduction.md) topic.
To add an exclusion, see [Customize Attack surface reduction](customize-attack-surface-reduction.md).
>[!IMPORTANT]
>You can specify individual files and folders to be excluded, but you cannot specify individual rules.
>
>This means any files or folders that are excluded will be excluded from all ASR rules.
If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us.
## Report a false positive or false negative
Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md).
## Collect diagnostic data for file submissions
When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
When you report a problem with attack surface reduction rules, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
```console
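Review bot: the "Report a false positive or false negative" section still says "for network protection", but this file covers attack surface reduction rules (the paragraph right after it was just changed from "network protection" to "attack surface reduction rules"); apply the same fix to the report sentence. Minor: the IMPORTANT note uses "ASR rules" while the rest of the topic spells out "attack surface reduction rules".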

@ -45,36 +45,27 @@ Network protection will only work on devices with the following conditions:
> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
If prerequisites are met, test the rule in audit mode.
## Use audit mode to test the rule
## Use audit mode
There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode.
You can enable network protection in audit mode and then visit a website that we've created to demo the feature. All website connections will be allowed by network protection but an event will be logged to indicate any connection that would have been blocked if network protection was enabled.
You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions.
>[!TIP]
>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem.
You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run.
1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#group-policy).
1. Set network protection to **Audit mode**.
```powershell
Set-MpPreference -EnableNetworkProtection AuditMode
```
2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**.
>[!IMPORTANT]
>Audit mode will stop network protection from blocking known malicious connections.
>
>If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled.
>
>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
>If network protection is not blocking a connection that you are expecting it should block, enable the feature.
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address.
```powershell
Set-MpPreference -EnableNetworkProtection Enabled
```
## Report a false positive or false negative
Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md).
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md).
## Collect diagnostic data for file submissions
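Review bot: the prerequisite `Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**)` would turn network protection off entirely, which contradicts the goal of confirming the feature works; the intended state is the one the later snippet sets, `Set-MpPreference -EnableNetworkProtection Enabled`. Also "but will still allow the file to run" in the audit mode paragraph is carried over from the attack surface reduction topic and should say the connection is allowed, and the closing `Set-MpPreference -EnableNetworkProtection Enabled` block sits after the paragraph about reporting a specific connection rather than after the sentence "enable the feature" it illustrates; move it up or give it a lead-in sentence.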