Troubleshoot network protection

Applies to:

When you use network protection, you may encounter issues such as:

  • Network protection blocks a website that is safe (false positive)
  • Network protection fails to block a suspicious or known malicious website (false negative)

There are four steps to troubleshooting these problems:

  1. Confirm prerequisites
  2. Use audit mode to test the rule
  3. Add exclusions for the specified rule (for false positives)
  4. Submit support logs

Confirm prerequisites

Network protection will only work on devices with the following conditions:

Use audit mode

You can enable network protection in audit mode and then visit a website that we've created to demo the feature. In audit mode, network protection allows all website connections but logs an event for any connection that would have been blocked if network protection were enabled.

  1. Set network protection to Audit mode.

    Set-MpPreference -EnableNetworkProtection AuditMode
    
  2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block).

  3. Review the network protection event logs to see if the feature would have blocked the connection if it had been set to Enabled.

    If network protection is not blocking a connection that you expect it to block, enable the feature.

    Set-MpPreference -EnableNetworkProtection Enabled
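
To review the audit-mode result from step 3, the following added example (not part of the original page and not Microsoft's code) reads the current network protection mode and counts audit and block events for the connection you tested. It assumes the events are written to the Microsoft-Windows-Windows Defender/Operational log with event IDs 1125 (audit) and 1126 (block), as listed in Microsoft's Defender documentation; `Get-NetworkProtectionReport` and its parameters are hypothetical names.

```powershell
# Added example (hypothetical helper, not from the original page).
# Assumptions: event IDs 1125 (audit) / 1126 (block) in the Defender operational
# log, and that the event text contains the destination that was tested.
function Get-NetworkProtectionReport {
    param(
        [string]$Match,                               # host or URL fragment you tested
        [datetime]$Since = (Get-Date).AddHours(-1)    # only look at recent events
    )

    # Get-MpPreference reports the mode as 0, 1 or 2.
    $modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
    $modeValue = [int](Get-MpPreference).EnableNetworkProtection
    $mode = if ($modeNames.ContainsKey($modeValue)) { $modeNames[$modeValue] } else { "Unknown ($modeValue)" }

    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { -not $Match -or $_.Message -like "*$Match*" })

    $audit = @($events | Where-Object { $_.Id -eq 1125 })
    $block = @($events | Where-Object { $_.Id -eq 1126 })

    # Map the counts onto the troubleshooting outcomes described above.
    $finding = if ($mode -eq 'Disabled') {
        'Network protection is off; set AuditMode and repeat the connection.'
    } elseif ($block.Count -gt 0) {
        'Connection was blocked. If the site is safe, treat it as a false positive.'
    } elseif ($audit.Count -gt 0) {
        'Connection was allowed but would be blocked in Enabled mode.'
    } else {
        'No matching event. If the site is malicious, treat it as a false negative.'
    }

    [pscustomobject]@{
        Mode       = $mode
        AuditCount = $audit.Count
        BlockCount = $block.Count
        Finding    = $finding
        Events     = $events | Select-Object TimeCreated, Id, Message
    }
}

# Constructed sample call: 'example.test' stands in for the site you tested.
Get-NetworkProtectionReport -Match 'example.test' | Format-List
```

Run it from an elevated PowerShell session right after step 2 so the look-back window covers the test connection.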
    

Report a false positive or false negative

If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, use the Windows Defender Security Intelligence web-based submission form to report a false negative or false positive for network protection. With an E5 subscription, you can also provide a link to any associated alert.

See Address false positives/negatives in Microsoft Defender for Endpoint.

Exclude website from network protection scope

To allow the website that is being blocked (false positive), add its URL to the list of trusted sites. Web resources from this list bypass the network protection check.

Collect diagnostic data for file submissions

When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.

  1. Open an elevated command prompt and change to the Windows Defender directory:

    cd c:\program files\windows defender
    
  2. Run this command to generate the diagnostic logs:

    mpcmdrun -getfiles
    
  3. Attach the file to the submission form. By default, diagnostic logs are saved at C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab.

Resolve connectivity issues with network protection (for E5 customers)

Due to the environment where network protection runs, Microsoft is unable to see your operating system proxy settings. In some cases, network protection clients are unable to reach the cloud service. To resolve connectivity issues with network protection, configure one of the following registry keys so that network protection becomes aware of the proxy configuration:

reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyServer /d "<proxy IP address: Port>" /f

---OR---

reg add "HKLM\Software\Microsoft\Windows Defender" /v ProxyPacUrl /d "<Proxy PAC url>" /f

You can configure the registry key by using PowerShell, Microsoft Endpoint Manager, or Group Policy. Here are some resources to help:

See also