deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

revised np topics

Browse Source
This commit is contained in:
Justin Hall 2019-03-27 18:05:05 -07:00
parent dc23e68c53
commit d960fcf412
4 changed files with 32 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -6,6 +6,11 @@
"redirect_document_id": true "redirect_document_id": true
}, },
{ {
"source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np",
"redirect_document_id": true
},
{
"source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure", "redirect_url": "/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure",
"redirect_document_id": true "redirect_document_id": true

2
windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
View File

@ -28,8 +28,6 @@ Before attempting this process, ensure you have met all required pre-requisites
- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) - [Troubleshoot attack surface reduction rules](troubleshoot-asr.md)
- [Troubleshoot network protection](troubleshoot-np.md) - [Troubleshoot network protection](troubleshoot-np.md)
1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process: 1. On the endpoint with the issue, obtain the Windows Defender .cab diagnostic file by following this process:
1. Open an administrator-level version of the command prompt: 1. Open an administrator-level version of the command prompt:

45
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: andreabichsel author: andreabichsel
ms.author: v-anbic ms.author: v-anbic
ms.date: 11/16/2018 ms.date: 03/27/2019
--- ---
# Evaluate network protection # Evaluate network protection
@ -22,25 +22,25 @@ ms.date: 11/16/2018
Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. The site in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visted a malicious site or domain.
>[!NOTE]
>The site will replicate the behavior that would happen if a user visted a malicious site or domain. The sites in this evaluation topic are not malicious, they are specially created websites that pretend to be malicious.
>[!TIP] >[!TIP]
>You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to see how other protection features work.
## Enable network protection ## Enable network protection in audit mode
You can enable network protection in audit mode to see which IP addresses and domains would have been blocked if it was enabled.
You might want to do this to make sure it doesn't affect line-of-business apps or to get an idea of how often blocks occur.
1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
2. Enter the following cmdlet: 2. Enter the following cmdlet:
```PowerShell ```PowerShell
Set-MpPreference -EnableNetworkProtection Enabled Set-MpPreference -EnableNetworkProtection AuditMode
``` ```
You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled".
### Visit a (fake) malicious domain ### Visit a (fake) malicious domain
1. Open Internet Explorer, Google Chrome, or any other browser of your choice. 1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
@ -53,17 +53,7 @@ You will get a 403 Forbidden response in the browser, and you will see a notific
## Review network protection events in Windows Event Viewer ## Review network protection events in Windows Event Viewer
You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). To review which apps would have been blocked, open Event Viewer and filter for Event ID 1125. The following table lists all network protection events.
1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
2. On the left panel, under **Actions**, click **Import custom view...**
3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
4. Click **OK**.
5. This will create a custom view that filters to only show the following events related to network protection:
Event ID | Description Event ID | Description
-|- -|-
@ -72,21 +62,6 @@ Event ID | Description
1126 | Event when rule fires in block mode 1126 | Event when rule fires in block mode
## Use audit mode to measure impact
You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use.
To enable audit mode, use the following PowerShell cmdlet:
```PowerShell
Set-MpPreference -EnableNetworkProtection AuditMode
```
>[!TIP]
>If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s).
You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md).
## Related topics ## Related topics
- [Protect your network](network-protection-exploit-guard.md) - [Protect your network](network-protection-exploit-guard.md)

28
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
View File

@ -29,12 +29,12 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e
There are four steps to troubleshooting these problems: There are four steps to troubleshooting these problems:
1. Confirm that you have met all pre-requisites 1. Confirm prerequisites
2. Use audit mode to test the rule 2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives) 3. Add exclusions for the specified rule (for false positives)
3. Submit support logs 3. Submit support logs
## Confirm pre-requisites ## Confirm prerequisites
Network protection will only work on devices with the following conditions: Network protection will only work on devices with the following conditions:
@ -45,7 +45,7 @@ Network protection will only work on devices with the following conditions:
> - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
> - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**). > - Audit mode is not enabled. Use [Group Policy](enable-network-protection.md#group-policy) to set the rule to **Disabled** (value: **0**).
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. If prerequisites are met, test the rule in audit mode.
## Use audit mode to test the rule ## Use audit mode to test the rule
@ -53,8 +53,6 @@ There are two ways that you can test if the feature is working - you can use a d
You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions. You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions.
If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites).
>[!TIP] >[!TIP]
>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. >While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem.
@ -72,21 +70,29 @@ You can also use audit mode and then attempt to visit the site or IP (IPv4) addr
> >
>Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. >Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address.
## Report a false positive or false negative ## Report a false positive or false negative
You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection. Use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a false negative or false positive for network protection. With an E5 subscription, you can also [provide a link to any associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md).
When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). ## Collect diagnostic data for file submissions
You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file: When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
> [!div class="nextstepaction"] 1. Open an elevated command prompt and change to the Windows Defender directory:
> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) ```console
cd c:\program files\windows defender
```
2. Run this command to generate the diagnostic logs:
```console
mpcmdrun -getfiles
```
3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.
## Related topics ## Related topics
- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
- [Network protection](network-protection-exploit-guard.md) - [Network protection](network-protection-exploit-guard.md)
- [Evaluate network protection](evaluate-network-protection.md)
- [Enable network protection](enable-network-protction.md)