- How to change the PowerShell prompt - Wed, Mar 22 2023
- Trim characters from strings in PowerShell - Tue, Mar 14 2023
- Set Chrome, Firefox and Edge as default mail client (mailto handlers) - Mon, Mar 6 2023
Microsoft's Exploit Guard (not to be confused with exploit protection) comprises several techniques to defend against phishing attacks and malware. These include controlled folder access, attack surface reduction, and network protection.
The latter is a close cousin of SmartScreen, which can also prevent access to malicious websites or at least warn against them. However, this feature is limited to Microsoft's web browser.
System-wide blocking of malicious sites
Network protection, on the other hand, operates as a filter driver at the kernel level and therefore affects all applications on the entire network stack. To assess the reputation of a domain or IP address, it uses the same Intelligent Security Graph as SmartScreen.
Like SmartScreen, network protection can be operated in two ways. In monitoring mode, it is limited to warning users of potential threats and logging such events. Alternatively, the feature can be configured to block connections to potentially malicious hosts.
Configure network protection
The protection mechanism is not enabled by default and cannot be configured from the Settings app or any other local GUI. To use it, the following requirements must be met:
- Windows 10/11 (Pro or Enterprise), Windows Server 1803 or later
- Defender Antivirus real-time protection and cloud-based protection must be enabled
- Clients must be able to contact .smartscreen.microsoft.com and .smartscreen-prod.microsoft.com
Network protection requires real time protection and cloud based protection to be enabled
PowerShell
The only way to interactively configure network protection is through PowerShell. The Get-MpPreference cmdlet can be used to view the current status of the feature:
Get-MpPreference | Select *NetworkProtection* | Format-List
Available network protection settings
The output of the command contains four settings. Network protection can be switched on via EnableNetwork Protection, optionally with the values Enabled or AuditMode:
Set-MpPreference -EnableNetworkProtection Enabled
With AllowNetworkProtectionOnWinServer, you can allow the feature to be activated on a Windows Server. By default, this is not possible, so you first have to execute the following:
Set-MpPreference -AllowNetworkProtectionOnWinServer $true
Network protection sends anonymized performance data about the monitored connections to Microsoft. You can prevent this using the following:
Set-MpPreference -DisableNetworkProtectionPerfTelemetry $true
The setting AllowNetworkProtectionDownLevel was used to enable network protection for versions of Windows 10 older than 1709. However, this is now obsolete.
Group Policy
Group Policy offers two settings under Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Network Protection:
- Prevent users and apps from accessing dangerous websites
- This setting controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server
Enable network protection via group policies select mode
If you enable the first, then you can choose between monitoring and blocking mode. The second is the counterpart of the AllowNetworkProtectionOnWinServer property in PowerShell, described above.
Summary
Network protection is another mechanism in Exploit Guard. It extends protection against malicious websites and dubious domains known from SmartScreen from the web browser to all applications.
Subscribe to 4sysops newsletter!
By default, the feature is disabled and can be configured in several ways. In addition to PowerShell and the group policies discussed here, Intune and SCCM can also be used.
