Commit 1fdb9ee

committed
Update network-protection.md
1 parent 8479560 commit 1fdb9ee

1 file changed

+3
-3
lines changed

defender-endpoint/network-protection.md

Lines changed: 3 additions & 3 deletions
@@ -303,7 +303,7 @@ This procedure creates a custom view that filters to only show the following eve
303303

304304
## Network protection and the TCP three-way handshake
305305

306-
With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when a site is blocked by network protection, you might see an action type of `ConnectionSuccess` under [`DeviceNetworkEvents`](/defender-xdr/advanced-hunting-devicenetworkevents-table) in the Microsoft Defender portal, even though the site was blocked. `DeviceNetworkEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
306+
With network protection, the determination of whether to allow or block access to a site is made after the completion of the [three-way handshake via TCP/IP](/troubleshoot/windows-server/networking/three-way-handshake-via-tcpip). Thus, when network protection blocks a site, you might see an action type of `ConnectionSuccess` under [`DeviceNetworkEvents`](/defender-xdr/advanced-hunting-devicenetworkevents-table) in the Microsoft Defender portal, even though the site was blocked. `DeviceNetworkEvents` are reported from the TCP layer, and not from network protection. After the three-way handshake has completed, access to the site is allowed or blocked by network protection.
307307

308308
Here's an example of how that works:
309309
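
Review bot: The rewritten paragraph at line 306 tells readers that `ConnectionSuccess` can appear for a blocked site and that `DeviceNetworkEvents` is not reported by network protection, but it never says where the block decision itself is recorded; a one-clause pointer to that source would let an analyst confirm a block instead of inferring it. On style, only the second sentence was moved to active voice: the closing sentence still reads "access to the site is allowed or blocked by network protection", which could become "network protection then allows or blocks access to the site". "`DeviceNetworkEvents` are reported" also treats a table name as a plural; "`DeviceNetworkEvents` entries are reported" reads more cleanly.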

@@ -355,15 +355,15 @@ Verify whether network protection is enabled on a local device by using Registry
355355
1. Select **HKEY_LOCAL_MACHINE** from the side menu.
356356
1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** > **Windows defender** > **Windows Defender Exploit Guard** > **Network Protection**.
357357

358-
(If the key is not present, navigate to **SOFTWARE** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**)
358+
(If the key isn't present, navigate to **SOFTWARE** > **Microsoft** > **Windows Defender** > **Windows Defender Exploit Guard** > **Network Protection**)
359359

360360
4. Select **EnableNetworkProtection** to see the current state of network protection on the device:
361361

362362
- 0 = Off
363363
- 1 = On (enabled)
364364
- 2 = Audit mode
365365

366-
For additional information, see: [Turn on network protection](enable-network-protection.md)
366+
For more information, see [Turn on network protection](enable-network-protection.md).
367367

368368
#### Network protection suggestion
369369
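
Review bot: The fallback path on line 358 spells the key "**Windows Defender**", while the primary path on line 356 directly above still reads "**Windows defender**"; since this change already touches the neighbouring line, align the casing on 356 so both paths match what readers see in Registry Editor. The parenthetical on 358 also ends without a period inside the closing parenthesis, unlike the "For more information" sentence fixed at line 366. Separately, the step on line 360 is hard-numbered `4.` while the steps above it use `1.`, so confirm the list still renders with continuous numbering around the unnumbered parenthetical.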
