Troubleshoot network protection

Applies to:

• Microsoft Defender XDR
• Microsoft Defender for Endpoint Plan 2
• Microsoft Defender for Business
• Microsoft Defender for Endpoint Plan 1

This article provides troubleshooting information for network protection, in cases, such as:

• Network protection blocks a website that is safe (false positive)
• Network protection fails to block a suspicious or known malicious website (false negative)

There are four steps to troubleshooting these problems:

1. Confirm prerequisites
2. Use audit mode to test the rule
3. Add exclusions for the specified rule (for false positives)
4. Submit support logs

Confirm prerequisites

Network protection works on devices with the following conditions:

• Endpoints are running Windows 10 Pro or Enterprise edition, version 1709 or higher.

• Endpoints are using Microsoft Defender Antivirus as the sole antivirus protection app. See what happens when you're using a non-Microsoft antivirus solution.
• Real-time protection is enabled.
• Behavior Monitoring is enabled.
• Cloud-delivered protection is enabled.
• Cloud Protection network connectivity is functional.
• Audit mode isn't enabled. Use Group Policy to set the rule to Disabled (value: 0).

Use audit mode

You can enable network protection in audit mode and then visit a website designed to demo the feature. All website connections are allowed by network protection but an event is logged to indicate any connection that would be blocked if network protection were enabled.

1. Set network protection to Audit mode.

   Set-MpPreference -EnableNetworkProtection AuditMode
   

2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).

3. Review the network protection event logs to see if the feature would block the connection if it were set to Enabled.

   If network protection isn't blocking a connection that you're expecting it should block, enable the feature.

   Set-MpPreference -EnableNetworkProtection Enabled
   

Report a false positive or false negative

If you've tested the feature with the demo site and with audit mode, and network protection is working on preconfigured scenarios, but isn't working as expected for a specific connection, use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With an E5 subscription, you can also provide a link to any associated alert.

See Address false positives/negatives in Microsoft Defender for Endpoint.

Add exclusions

The current exclusion options are:

1. Setting up a custom allow indicator.

2. Using IP exclusions: Add-MpPreference -ExclusionIpAddress 192.168.1.1.

3. Excluding an entire process. For more information, see Microsoft Defender Antivirus exclusions.

Network Performance issues

In certain circumstances, a network protections component might contribute to slow network connections to Domain Controllers and/or Exchange servers. You might also notice Event ID 5783 NETLOGON errors.

To attempt to solve these issues, change Network Protection from 'block mode' to either 'audit mode' or 'disabled'. If your network issues are fixed, follow the next steps to find out which component in Network Protection is contributing to the behavior.

Disable the following components in order and test your network connectivity performance after disabling each one:

1. Disable Datagram Processing on Windows Server
2. Disable Network Protection Perf Telemetry
3. Disable FTP parsing
4. Disable SSH parsing
5. Disable RDP parsing
6. Disable HTTP parsing
7. Disable SMTP parsing
8. Disable DNS over TCP parsing
9. Disable DNS parsing
10. Disable inbound connection filtering
11. Disable TLS parsing

If your network performance issues persist after following these troubleshooting steps, then they're probably not related to network protection and you should look for other causes of your network performance issues.

Collect diagnostic data for file submissions

When you report a problem with network protection, you're asked to collect and submit diagnostic data for Microsoft support and engineering teams to help troubleshoot issues.

1. Open an elevated command prompt and change to the Windows Defender directory:

   cd c:\program files\windows defender
   

2. Run this command to generate the diagnostic logs:

   mpcmdrun -getfiles
   

3. Attach the file to the submission form. By default, diagnostic logs are saved at C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

Resolve connectivity issues with network protection (for E5 customers)

Due to the environment where network protection runs, Microsoft is unable to see your operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve connectivity issues with network protection, configure one of the following registry keys so that network protection becomes aware of the proxy configuration:

Set-MpPreference -ProxyServer <proxy IP address: Port>

---OR---

Set-MpPreference -ProxyPacUrl <Proxy PAC url>

You can configure the registry key by using PowerShell, Microsoft Configuration Manager, or Group Policy. Here are some resources to help:

• Working with Registry Keys
• Configure custom client settings for Endpoint Protection
• Use Group Policy settings to manage Endpoint Protection

See also

• Network protection
• Network protection and the TCP three-way handshake
• Evaluate network protection
• Enable network protection
• Address false positives/negatives in Defender for Endpoint

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.