Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | -| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +|**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action. Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes. | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)**
Full URL path blocks can be applied on the domain level and all unencrypted URLs. IP is supported for all three protocols. Only external IPs can be added to the indicator list; indicators cannot be created for internal IPs.
For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | | **[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date | > [!TIP]