Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file). | Microsoft Defender Antivirus with cloud-based protection enabled.
Antimalware client version must be 4.18.1901.x or later.
Devices are running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
The [Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. | | IP addresses and URLs
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain) | Network protection in Defender for Endpoint must be enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Your antimalware client version must be 4.18.1906.x or later.
Your devices must be running Windows 10, version 1709 or later
Custom network indicators must be turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement.
There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge) | -| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | +| Certificates
`.CER` or `.PEM` file extensions are supported.
[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates) |Microsoft Defender Antivirus with cloud-based protection is enabled ([Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Your antimalware client version must be 4.18.1901.x or later.
Your devices must be running one of the following versions of Windows:
- Windows 10, version 1703 or later
- Windows Server 2016
- Windows Server 2019
Your virus and threat protection definitions must be up to date. | A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC. | +