Question

Q: Network protection, a feature in Windows Defender Exploit Guard, doesn't work right

Hi folks,

I've been wondering if there is anyone who can enable and evaluate the "network protection" function, which is one of a few features in Windows Defender Exploit Guard.

============

# You can find more about Exploit Guard here

https://docs.microsoft.com/ja-jp/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard?ocid=wd-av-demo-np-bottom

============

Following the link below, I enabled network protection using PowerShell and tried accessing the test URL written in the page, using both Chrome and PowerShell, hoping those accesses would be blocked, but nothing was blocked and I could access the test URL with no issue in both scenarios (Chrome/PowerShell).

============

# testing network protection feature

https://demo.wd.microsoft.com/Page/NP

============

I would like to know if this is some bug in Exploit Guard or if I misconfigured something.

Please let me know if anyone can confirm that network protection works well, which means it blocks access to the test URL or any malicious URL when using Chrome or Firefox, or any browser other than IE/Edge.

If network protection doesn't work right, then it cannot block access from malware inside your PC, including downloaders/infostealers, to malicious URLs like C&C or malware distribution sites.

Only blocking access to those malicious URLs via Edge/IE is obviously not enough considering the current threat landscape, where a malicious file attached to mail is the most widely used attack vector.

==============

# Following is my test log for this feature using powerShell, just for your reference.

PS C:\> [System.Environment]::OSVersion
Platform ServicePack Version      VersionString                    
-------- ----------- -------      -------------                    
 Win32NT             10.0.16299.0 Microsoft Windows NT 10.0.16299.0
PS C:\> 
PS C:\> 
PS C:\> 
PS C:\> 
PS C:\> (Get-MpPreference).EnableNetworkProtection
1

PS C:\> 
PS C:\> 
PS C:\> (New-Object System.Net.WebClient).DownloadString("https://smartscreentestratings2.net/")
<!DOCTYPE html>
<html lang="en">
<head>
    <title>SmartScreen Test</title>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <link href="/resources/style/style.css" type="text/css" rel="stylesheet" />
</head>
<body>
 
<h1>SmartScreen Test</h1>
<p>This is a test page for SmartScreen.</p>
</body>
</html>

==============

Thank you for your support.   
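
A diagnostic sketch for the test described in the question, added here as an example and not part of the original post. It assumes the prerequisite settings (real-time and cloud-delivered protection) and the event IDs (1125, 1126, 5007) given in Microsoft's Network Protection documentation, and reuses the test URL from the log above.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Event IDs and prerequisite settings are assumptions taken from Microsoft's
# Network Protection documentation, not from the posts on this page.

$testUrl = 'https://smartscreentestratings2.net/'   # test URL used in the question
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$start   = Get-Date

$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# EnableNetworkProtection is stored as a number; translate it to a mode name.
$mode = switch ([int]$pref.EnableNetworkProtection) {
    0       { 'Disabled' }
    1       { 'Enabled (block)' }
    2       { 'Audit only' }
    default { 'Unknown' }
}

# 1. Configuration the feature depends on.
[pscustomobject]@{
    NetworkProtection  = $mode
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    CloudProtection    = ([int]$pref.MAPSReporting -ne 0)   # 0 = cloud-delivered protection off
    EngineVersion      = $status.AMEngineVersion
} | Format-List

# 2. Repeat the request from the question and record what actually happened.
try {
    $r = Invoke-WebRequest -Uri $testUrl -UseBasicParsing -TimeoutSec 20
    "Request succeeded (HTTP $($r.StatusCode)): not blocked"
} catch {
    "Request failed: $($_.Exception.Message)"
}

# 3. Look for Network Protection events logged since the script started.
#    1125 = fired in audit mode, 1126 = fired in block mode, 5007 = settings changed.
Start-Sleep -Seconds 5   # give the event log a moment to catch up
$events = Get-WinEvent -FilterHashtable @{
    LogName = $logName; Id = 1125, 1126, 5007; StartTime = $start
} -ErrorAction SilentlyContinue

if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No Network Protection events logged for this request.'
}
```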




You might note the MS article you referenced is targeted to “Enterprise Security Administrators.”

 

Since this is a consumer specific forum you may prefer to seek advice from the Socialtechnet or MSDN Forums.

 

See https://answers.microsoft.com/en-us/feedback/forum/fdbk_commsite-feedback_other/answers-socialmsdn-socialtechnet-forums-whats-the/6ed0e7c4-00e0-4d8f-81e1-04fbcaea6231

MVP Consumer Security 2014-2016
Windows Insider MVP 2016-2018


6 people were helped by this reply


I wasn’t able to get the "expected results" on either Google Chrome or Firefox, using the Windows Defender Testground website:

https://demo.wd.microsoft.com/Page/NP

So I subsequently dropped Network Protection from my list of next-gen features that could be activated in order to upgrade Defender’s real-time protection:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/windows-defender-detection-rate/09e71b77-e9d3-418f-9746-cd529235ed14

There does appear to be a “technical difficulty” with this feature – so you might want to upvote these reports, or maybe file one of your own:

https://aka.ms/Xfw6kd

https://aka.ms/Rvy67b

https://aka.ms/Nxnl66

There’s a reasonable chance that these reports will eventually be put into a “collection”, and that the issue will subsequently be addressed.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np

GreginMich


1 person was helped by this reply


In case it still isn’t clear; the Windows IT Pro Center documentation gets cited in discussions of the Windows Defender Exploit Guard features because it’s the most comprehensive documentation for all of these next-gen features, including the Network Protection feature. That shouldn’t be taken to imply that any of these technologies are limited to enterprise environments, or that the topic is limited to security administrators. If you’re looking for the simplified documentation, it's right here:

https://www.tenforums.com/tutorials/98100-enable-windows-defender-exploit-guard-network-protection-windows-10-a.html

And yes, I can personally guarantee that no Enterprise Security Administrator would ever be caught dead downloading Brink’s Enable_Windows_Defender_Network_Protection.reg file. That file is for Windows 10 Home users who are afraid of the PowerShell command line.

GreginMich


3 people were helped by this reply


No, they'd be better off to leave such enterprise security features to those with the resources and support offerings that provide them with the access required to fix such problems when they occur.

Mucking around in portions of Windows 10 not supported for consumer users isn't something that should even be discussed in these forums, other than to say quite clearly, only a fool would do that!

Rob


5 people were helped by this reply


I'm fully sharing the opinion of Rob Koch.

I see that a moderator in the meantime deleted the so very arrogant and condescending phrase in the second post of GreginMich...

I'm not a friend of ridiculing the normal, not so tech-savvy average help seekers/consumers. 

The Microsoft Community is after all a forum designed for and mostly visited by consumers who need help with their basic every day computer problems. For normal users who just want to turn on their computer and use it without running into deeply technical problems.

Julia

May 4, 2018: I won't participate anymore in MC. Enough is enough.


1 person was helped by this reply


No, they'd be better off to leave such enterprise security features to those with the resources and support offerings that provide them with the access required to fix such problems when they occur.

Mucking around in portions of Windows 10 not supported for consumer users isn't something that should even be discussed in these forums, other than to say quite clearly, only a fool would do that!

Rob

But as I've just shown, Network Protection actually is supported for "consumer" users, although it isn't functional at the moment. So it should be clear to any impartial observer that this is just empty abuse – thinly veiled in a shroud of misinformation. This is not an "enterprise security feature" simply because its use isn't limited to the Enterprise edition of Windows 10; this is a Windows 10 security feature, available on any Windows edition via the Defender Module for PowerShell. So this is really just a continuation of your old argument that things like the Windows Task Scheduler should be avoided because they’re too technical for “normal” users to absorb, and will only confuse our hapless audience. That argument has no merit, and it only prevents Windows 10 Home users from taking advantage of the settings and features that have been provided for Windows Defender in the Windows 10 Home operating system.

Of course there's a valid reason to be respectful of PowerShell's potential for harm, and Shellophobia, which is a fear of PowerShell scripts, is unquestionably a rational fear. But the Defender Module itself is just a configuration interface for Windows Defender, and there aren't any script monsters lurking in its shadows. The worst that can happen is that you’ll run into a setting that renders a Windows Defender feature dysfunctional. For example, if you change the -ScanParameters setting to the value for a Full Scan (2), you’ll thereby convert the Automatic Maintenance scan to a Full Scan, which would cause it to fail on some systems. But of course that’s a moot point, since the Automatic Maintenance scan has been dysfunctional for years now due to an unidentified issue. I’ve tried to vet the Defender Module settings as I’ve introduced them here in the forum, and I’ve reported some of the bugs with them to the Feedback Hub. But I haven’t reported them all simply because it’s so discouraging to see my reports just pile up there on the shelf without any response. The only warning that I would issue with respect to the Defender Module is that there’s a bug that prevents us from resetting the default value of 0 once we've changed a Default Action setting, which might cause problems.

Other than that, the worst that can happen is that a specific feature just won’t work, as seems to be the case here with the Network Protection feature. Of course I removed this feature from my list as soon as I realized that the issue might be with the feature itself, rather than with the target page. But testing this feature certainly doesn't pose any danger, since the Defender Module is simply a settings and features interface. And in the Home Edition of Windows 10, it's the only settings and features interface that we have:

https://docs.microsoft.com/en-us/powershell/module/defender/?view=win10-ps

I didn’t pick this command line configuration interface, and in fact I complained about its complexity directly to a member of the Windows Defender Team – but this is the interface that we’ve been given, and it is a rich and powerful one. So why on earth would anyone in the Microsoft Virus and Malware forum even suggest that the Windows Defender Module should be off limits to Windows 10 Home users? If you review the third-party documentation for Windows Defender (actually read it, that is) you’ll see that the literature makes constant reference to the Defender Module cmdlets. So if things are put in the proper perspective, I think it’s clear that your efforts to discourage the use of Defender's PowerShell interface in this forum really amount to nothing more than an unfair profiling of our viewers.

We actually have lots of technically-oriented viewers in our audience, and more than a few of the questions here can only be answered properly by referring to the Defender Module cmdlets. Now I certainly wouldn’t hesitate to send these questions off to the Windows IT Pro Center forum if I thought that would help. But I’ve been working in that forum lately, and I personally wouldn’t recommend it to anyone because it's in a very unhealthy state, and some of the answers there for questions relating to Windows Defender are just totally absurd, e.g.:

https://social.technet.microsoft.com/Forums/en-US/8fcc9dbb-427f-4ede-bdf4-2b459514b1a6/comparison-between-exploit-protection-and-attack-surface-reduction?forum=win10itprosecurity

So I would have to answer this question myself in the TechNet forum if it was reposted there, and we'd just be missing the opportunity to educate the larger audience that we have here. Anyway, there’s quite obviously an issue with either the Network Protection testing site, or with the Network Protection feature itself, if you'll please excuse me for returning to the topic at hand.

GreginMich


3 people were helped by this reply


I'm fully sharing the opinion of Rob Koch.

I see that a moderator in the meantime deleted the so very arrogant and condescending phrase in the second post of GreginMich...

I'm not a friend of ridiculing the normal, not so tech-savvy average help seekers/consumers. 

The Microsoft Community is after all a forum designed for and mostly visited by consumers who need help with their basic every day computer problems. For normal users who just want to turn on their computer and use it without running into deeply technical problems.

Julia

What got deleted from my post was meant to be humorous, although it did have a valid point to make: Informing people that it would behoove them to acquaint themselves with the Windows Defender advanced configuration interface is just offering them sound advice, despite any claims to the contrary, and it really shouldn’t be misconstrued as malicious or “foolish”. I’ve devoted lots of hours (that I didn’t really have to spare) to educating people about the protection enhancements and analytical tools available in the Windows Defender Module for PowerShell, since this is the only configuration option available for Windows Defender in the Windows 10 Home Edition (it doesn’t include the Group Policy Editor).

I’ve devoted myself to educating viewers on the technicalities of the advanced configuration interface for the same reason that I’ve made all of my other contributions in this forum – out of a concern for the welfare of our viewers. I’ve honestly never ridiculed anyone for their lack of technical expertise, or been accused of that in all the years that I’ve worked in the Microsoft forums. So I find it very odd that my efforts to educate people are suddenly being construed as malicious. Unfortunately, there’s nothing simple about Windows 10, and nothing simple about Windows Defender Antivirus, and nothing simple about the malware threats that we have to deal with every day – and that means that we often need to address these issues on a technical level. So the Windows Defender advanced configuration interface will actually have an increasing importance for Windows 10 Home users as time goes by and new features and settings are added.

GreginMich


1 person was helped by this reply


@ Greginmich

 

I believe your post in question included the following. “That file is for the Windows Home Users who are afraid of the PowerShell Command Line and Windows 10 Home Users who are afraid of the Power Shell Command Line would really be better off to eat more Wheaties and man up.”

 

How do you find the above comment being read by folks who just want their computer to work right and come to the forum because suddenly they encountered problems to be “humorous?”  

 

I admit that I’ve always admired and I still am impressed with your knowledge and expertise.  As you stressed in your post "you" have made numerous posts and comments that are helpful to many computer users.  Of course some users don't understand what you're talking about - I recall one making that assertion in a recent response to one of your posts by making an obvious "humorous" comment saying it would have been better if you posted in English.

 

But let's not digress - your attempt at "humor" if you can call it that really fell flat with me. It reminded me of some of the tweets that come out of Washington, D.C.

 

If my wife and daughters and granddaughter visited the forum because of computer problems I’ll bet they wouldn’t appreciate being told to “man up."

 

I wonder if a consumer like my 91 year old widowed mother who still uses a computer as best she can would find your comment that she should "man up" to be humorous. 

 

As far as I know this forum is for consumers (male and female and young and old and of varying socioeconomic background) who have various computer knowledge and abilities. Of course logically most of those who are highly technically astute when it comes to computers would likely have no need to even post in a consumer forum.  

 

So why should anyone on this forum tell (in jest or otherwise) another computer user to "man up?" 

 

Regards...

 

MVP Consumer Security 2014-2016
Windows Insider MVP 2016-2018


1 person was helped by this reply


Because Command-line Phobia will prevent any user from having access to the fastest, safest, and most powerful Windows Defender user interface for the Windows 10 Home environment. Of course I’m clearly not insisting on its use, but I am recommending it. For example, a user would otherwise have to download and merge a REG file in order to turn on Windows Defender Exploit Guard's Network Protection feature, with a potential for several mishaps along the way. But this only takes about 30 seconds with PowerShell – and involves virtually no risk at all.

man up

To deal with something in a more brave, stoic, or masculine way than one has done so hitherto. (Usually used imperatively.) It's just a tiny scratch! You need to man up and quit crying about it. You need to man up and tell your boss that you expect a raise for all the hard work you do!

https://idioms.thefreedictionary.com/man+up

As in “overcome your fear of things that shouldn’t be feared”. Are you sure that I actually forgot to enclose the term in quotation marks, as I would normally do to indicate that I’m quoting a slang expression? There’s really no accounting for my dry sense of humor, or for my scurrilous efforts to raise the forum to a higher level of discourse. But it’s pretty sad that encouraging users to overcome their fear of the command line interface, or of technical things in general, is now deemed offensive here in the Microsoft Virus and Malware forum. Given the current state of the TechNet forum, I don’t think providing the lowest possible level of technical discourse should be the goal in this forum – but I am perfectly willing to dumb down my replies in order to conform to the community standard, and will do so without hesitation just as soon as the request is made by someone with duly constituted authority.

GreginMich


1 person was helped by this reply


Because Command-line Phobia will prevent any user from having access to the fastest, and most powerful Windows Defender user interface for Windows 10 Home Edition. I’m clearly not insisting on its use, but I am recommending it. For example, a user would otherwise have to download and merge a REG file in order to turn on Windows Defender Exploit Guard Network Protection, with a potential for several mishaps along the way. But this only takes about 30 seconds with PowerShell – and involves virtually no risk at all.

man up

To deal with something in a more brave, stoic, or masculine way than one has done so hitherto. (Usually used imperatively.) It's just a tiny scratch! You need to man up and quit crying about it. You need to man up and tell your boss that you expect a raise for all the hard work you do!

https://idioms.thefreedictionary.com/man+up

As in “overcome your fear of things that shouldn’t be feared”. There’s really no accounting for my dry sense of humor, or for my scurrilous efforts to raise the forum to a higher level of discourse. But it’s pretty sad that encouraging users to overcome their fear of the command line interface, or of technical things in general, is now deemed offensive here in the Microsoft Virus and Malware forum. Given the current state of the TechNet forum, I don’t think providing the lowest possible level of technical information should be the goal in this forum – but I am certainly willing to dumb down my replies in order to conform to the community standard, and will do so without hesitation just as soon as the request is made by someone with duly constituted authority.

GreginMich   

You missed the point totally.

You don't need to "dumb down" any of your technical answers.  

But I consider your "man up" comments to be condescending at the very least.  But if you think it's okay to talk down to folks on this forum then by all means you should do so.

Why don't you send a PM to a Forum Owner and file a complaint on me, say whatever you want to say and get whatever guidance you think you need?

I'll not be contacting the Forum Owners - they can contact me if they want to do so.

Regards...

MVP Consumer Security 2014-2016
Windows Insider MVP 2016-2018


3 people were helped by this reply



 
Question Info

Views: 846 Last updated: July 11, 2018 Applies to: