Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren’t malicious. They’re specially created websites that pretend to be malicious. The site will replicate the behavior that would happen if a user visited a malicious site or domain.


You can also visit the Microsoft Defender demo scenarios website at demo.wd.microsoft.com to see how other protection features work.

Enable network protection in audit mode

Enable network protection in audit mode to see which IP addresses and domains would have been blocked. You can make sure it doesn’t affect line-of-business apps, or get an idea of how often blocks occur.

  1. Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator
  2. Enter the following cmdlet:

    Set-MpPreference -EnableNetworkProtection AuditMode

Visit a (fake) malicious domain

  1. Open Internet Explorer, Google Chrome, or any other browser of your choice.
  2. Go to https://smartscreentestratings2.net.

    The network connection will be allowed and a test message will be displayed.

    Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.


Network connections can be successful even though a site is blocked by network protection. To learn more, see Network protection and the TCP three-way handshake.

Review network protection events in Windows Event Viewer

To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.

Event ID Provide/Source Description
5007 Windows Defender (Operational) Event when settings are changed
1125 Windows Defender (Operational) Event when a network connection is audited
1126 Windows Defender (Operational) Event when a network connection is blocked

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.