---
title: Troubleshoot problems with Network protection
description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues
keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
---
# Troubleshoot Network protection

**Applies to:**

- Windows 10, version 1709 or higher

**Audience**

- IT administrators
When you use Network protection you may encounter issues, such as:
- Network protection blocks a website that is safe (false positive)
- Network protection fails to block a suspicious or known malicious website (false negative)
There are four steps to troubleshooting these problems:
- Confirm that you have met all pre-requisites
- Use audit mode to test the rule
- Add exclusions for the specified rule (for false positives)
- Submit support logs
## Confirm pre-requisites

Windows Defender Exploit Guard will only work on devices with the following conditions:

> [!div class="checklist"]
- Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. Using any other antivirus app will cause Windows Defender AV to disable itself.
- Real-time protection is enabled.
- Cloud-delivered protection is enabled.
- Audit mode is not enabled. Use Group Policy to set the rule to Disabled (value: 0) as described in the Enable Network protection topic.
If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode.
## Use audit mode to test the rule

There are two ways to test whether the feature is working: you can use a demo website, or you can use audit mode.
You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the evaluate Network protection topic for instructions.
If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the pre-requisites listed above.
> [!TIP]
> While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down the cause of the problem.
You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it had actually blocked the site or the connection to the IP address, but still allows the connection.

1. Enable audit mode for Network protection. Use Group Policy to set the rule to Audit mode as described in the Enable Network protection topic.
2. Perform the connection activity that is causing the issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).
3. Review the Network protection event logs to see whether the feature would have blocked the connection if it had been set to Enabled.
> [!IMPORTANT]
> Audit mode will stop Network protection from blocking known malicious connections.
>
> If Network protection is not blocking a connection that you expect it to block, first check whether audit mode is enabled.
>
> Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed.
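
As an added example that is not part of the original article: a PowerShell helper that checks the pre-requisites listed above, switches Network protection to audit mode with `Set-MpPreference` instead of the Group Policy route the article describes, replays the connection, reads back what would have been blocked, and then restores block mode so audit mode is not left enabled. It assumes the Defender PowerShell module cmdlets and the Network protection event IDs 1125 (audit) and 1126 (block) in the Microsoft-Windows-Windows Defender/Operational log; neither is given on this page, and the test URL is a placeholder to fill in from the evaluate Network protection topic.

```powershell
# Added example, not from the article. Assumes Get-/Set-MpPreference, Get-MpComputerStatus
# and event IDs 1125/1126 (assumption: as documented for the Defender operational log).
# Run from an elevated PowerShell session on the endpoint being tested.

function Test-NetworkProtectionPrerequisites {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $os     = Get-CimInstance Win32_OperatingSystem
    # EnableNetworkProtection: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
    $modes  = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    [pscustomobject]@{
        # Build 16299 is Windows 10 version 1709 (Fall Creators Update)
        OsIs1709OrHigher      = [int]$os.BuildNumber -ge 16299
        EditionIsEnterprise   = $os.Caption -match 'Enterprise'
        # False when another antivirus app caused Windows Defender AV to disable itself
        DefenderAvActive      = $status.AntivirusEnabled
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        # MAPSReporting 0 means cloud-delivered protection is off
        CloudProtection       = $pref.MAPSReporting -ne 0
        NetworkProtectionMode = $modes[[int]$pref.EnableNetworkProtection]
    }
}

function Get-NetworkProtectionEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # 1125 = audit-mode hit (would have blocked), 1126 = block-mode hit
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = if ($_.Id -eq 1125) { 'Audit (would have blocked)' } else { 'Block' }
            Message = $_.Message
        }
    }
}

# Step 1: confirm the pre-requisites before testing the rule
Test-NetworkProtectionPrerequisites | Format-List

# Step 2: enable audit mode, reproduce the connection, then review the event log
$TestUrl = 'https://PLACEHOLDER-demo-site-from-the-evaluate-topic/'   # fill in
Set-MpPreference -EnableNetworkProtection AuditMode
$started = Get-Date
Start-Process $TestUrl
Start-Sleep -Seconds 15
Get-NetworkProtectionEvents -Since $started | Format-Table -AutoSize

# Step 3: audit mode stops real blocking, so return to block mode when done
Set-MpPreference -EnableNetworkProtection Enabled
```

If `Get-NetworkProtectionEvents` returns nothing for a connection you expected to see, re-run `Test-NetworkProtectionPrerequisites` and check `NetworkProtectionMode` before assuming a false negative.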
If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address.
## Report a false positive or false negative
You can use the Windows Defender Security Intelligence web-based submission form to report a problem with Network protection.
When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also provide a link to the associated alert (if there is one).
You can also attach a diagnostic .cab file to your submission if you wish (this is not required). Follow the link below for instructions on how to collect the .cab file:
> [!div class="nextstepaction"]
> Collect and submit diagnostic data for Windows Defender Exploit Guard issues