Windows 10: Windows Defender Exploit Guard-Network Protection

Applies to:
Windows Server 2019
Windows 10 1809
Windows 10 1803
Windows 10 1709

Windows Defender (WD) Exploit Guard (EG) – Network Protection (NP) extends the malware and social engineering (e.g. phishing attacks) protection offered by Windows Defender SmartScreen (WD SmartScreen) in the Microsoft Edge browser and Microsoft Internet Explorer to 3rd party browsers such as Google Chrome and Mozilla Firefox, and to other applications. It covers network traffic and connectivity (URL and/or IP address reputation) on your Windows 10 and Windows Server 2019 based systems.

In short, it extends WD SmartScreen to 3rd party apps.

Do I need Windows Defender Antivirus (WD AV) for Windows Defender Exploit Guard: Network Protection?

The answer is yes, you need WD AV to be enabled.

[What is Windows Defender Exploit Guard – Network Protection?]

Protect your network
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard

Windows Defender Exploit Guard
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard

[So why Windows Defender Exploit Guard: Network Protection?]

Tackling phishing with signal-sharing and machine learning
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/19/tackling-phishing-with-signal-sharing-and-machine-learning/

Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers
https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

Building Zero Trust networks with Microsoft 365
https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/

Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses
https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses/

[Test / Deploy WD Exploit Guard: Network Protection]

Enable network protection
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection

Confirm pre-requisites
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np#confirm-pre-requisites
Note: Make sure that you are running the latest:

  1. WD AV Platform update
  2. WD AV Engine update
  3. WD AV definition update

Allow the following URLs through your proxy or firewall:

  1. ars.smartscreen.microsoft.com
  2. unitedstates.smartscreen-prod.microsoft.com
  3. smartscreen-sn3p.smartscreen.microsoft.com

Reference:

Windows Defender Smartscreen reporting and notifications
https://docs.microsoft.com/en-us/windows/privacy/manage-windows-1809-endpoints#windows-defender

Use audit mode to test the rule
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np#use-audit-mode-to-test-the-rule

Testing network protection feature
https://demo.wd.microsoft.com/Page/NP

List of 'attack surface reduction' events such as for WD EG NP:
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events

Use 'custom views' in 'Event Viewer' to review WD EG NP events:

XML for network protection events
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-network-protection-events
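
The checks described above (WD AV state and versions, Network Protection mode, SmartScreen endpoint reachability, recent NP events) in one pass, as an added PowerShell example that is not part of the original post or of Microsoft's documentation. It assumes an elevated session, that the endpoints are reached over TCP 443, and the documented event IDs 1125 (audit), 1126 (block) and 5007 (settings changed).

```powershell
# Added example. Run in an elevated PowerShell session on Windows 10 1709+ / Windows Server 2019.

# 1. Prerequisites: WD AV must be enabled; record platform, engine and definition versions.
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    PlatformVersion    = $status.AMProductVersion
    EngineVersion      = $status.AMEngineVersion
    DefinitionVersion  = $status.AntivirusSignatureVersion
    DefinitionsUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Current Network Protection state: 0 = disabled, 1 = enabled (block), 2 = audit.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit' }
$np = [int](Get-MpPreference).EnableNetworkProtection
"Network Protection mode: $($modes[$np])"
# To start testing in audit mode (logs events, does not block):
#   Set-MpPreference -EnableNetworkProtection AuditMode

# 3. SmartScreen endpoints from the list above. This is a direct TCP test (port 443 is
#    an assumption); if clients go through a proxy, verify the allow rule on the proxy.
$endpoints = 'ars.smartscreen.microsoft.com',
             'unitedstates.smartscreen-prod.microsoft.com',
             'smartscreen-sn3p.smartscreen.microsoft.com'
foreach ($name in $endpoints) {
    $r = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    '{0,-48} TCP/443 reachable: {1}' -f $name, $r.TcpTestSucceeded
}

# 4. Most recent Network Protection events from the Windows Defender operational log.
$filter = @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126, 5007
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

An empty result in step 4 while in audit mode usually means no test traffic has been generated yet; the demo page listed above produces a 1125 event when audit mode is working.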

Report a false positive or false negative
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np#report-a-false-positive-or-false-negative

Thanks,

Yong

P.S. Related blog posts:
Windows 10/Windows Server 2016/Windows Server 2019 Antivirus (AV)
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-server-2016-windows-server-2019-antivirus-av/

Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/

Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
https://blogs.technet.microsoft.com/yongrhee/2019/02/24/windows-10-windows-defender-exploit-guard-attack-surface-reduction-rules/