Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features). | -| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode. ([Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later.
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | -| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later.
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date. | +|**Files**
Helps prevent suspected malware (or potentially malicious files) from being downloaded from the web. Files can include portable executable (PE) files, such as `.exe` and `.dll` files.
The allow or block function cannot be done on a file if the file's classification exists on the device's cache prior to the allow or block action
Trusted, signed files are treated differently. Defender for Endpoint is optimized to handle malicious files. Trying to block trusted, signed files, can have performance implications.
Typically, file blocks are enforced within a few minutes, but can take upwards of 30 minutes.
**[Create an indicator for a file, such as an executable](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-file)** | Microsoft Defender Antivirus with cloud-based protection enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
[Block or allow feature is turned on](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features) | +| **IP addresses and URLs**
Full URL path blocks can be applied on the domain level and all unencrypted URLs
IP is supported for all three protocols
Only external IPs can be added to the indicator list. Indicators cannot be created for internal IPs. For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge uses [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/network-protection) to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS). For all other processes, web protection scenarios use Network Protection for inspection and enforcement.
There might be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked.
Only single IP addresses are supported (no CIDR blocks or IP ranges)
Encrypted URLs (full path) can only be blocked on first party browsers (Internet Explorer, Edge)
Encrypted URLS (FQDN only) can be blocked outside of first party browsers (Internet Explorer, Edge)
**[Create an indicator for an IP address, URL, or domain](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain)** | Network protection in Defender for Endpoint is enabled in block mode (See [Enable network protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection).)
Antimalware client version: 4.18.1906.x or later
Devices are running Windows 10, version 1709 or later
Custom network indicators are turned on in the Microsoft Defender Security Center (See [Advanced features](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-features).) | +| **Certificates**
`.CER` or `.PEM` file extensions are supported.
A valid leaf certificate is a signing certificate that has a valid certification path and must be chained to the Root Certificate Authority (CA) trusted by Microsoft.
Alternatively, a custom (self-signed) certificate can be used as long as it's trusted by the client (Root CA certificate is installed under the Local Machine Trusted Root Certification Authorities).
The children or parent of the allow/block certificate IOCs are not included in the allow/block IoC functionality, only leaf certificates are supported.
Microsoft signed certificates cannot be blocked.
It can take up to 3 hours to create and remove a certificate IoC.
**[Create an indicator for an application certificate](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/indicator-certificates)** | Microsoft Defender Antivirus with cloud-based protection is enabled (See [Manage cloud-based protection](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus).)
Antimalware client version: 4.18.1901.x or later
Devices are running Windows 10, version 1703 or later; Windows Server 2016; or Windows Server 2019
Virus and threat protection definitions are up to date | > [!TIP] > When you create indicators, you can define them one by one or import multiple items at once. Keep in mind there's a limit of 15,000 indicators you can have in a single tenant. And, you might need to gather certain details first, such as file hash information. Make sure to review the prerequisites before you [create indicators](manage-indicators.md).