A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?
Network protection blocks outbound connections to malicious IP addresses and domains identified by Microsoft threat intelligence, enforcing the block at the network layer through the Windows Filtering Platform (WFP) rather than through a user-installed client.
Why this answer
Option C, Network protection, is correct because it is a Microsoft Defender for Endpoint feature that blocks outbound connections to malicious IP addresses and domains at the network layer, using the Windows Filtering Platform (WFP) to enforce policies without requiring a user-installed client. This ensures the block applies system-wide, even if the device is compromised, as it operates before the TCP/IP stack processes the connection.
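As an added example (not part of the original question or of Microsoft's documentation), the following PowerShell enables Network protection on a device, confirms it is in block mode with the prerequisites the feature depends on, and pulls the events Defender Antivirus writes when Network protection fires. It assumes an elevated session on a Windows device onboarded to Microsoft Defender for Endpoint with Microsoft Defender Antivirus active; the cmdlets, property names and event IDs are the standard Defender ones.

```powershell
# Added example, not from the original page: enable Network protection in block
# mode and verify it on the local device. Assumes an elevated PowerShell session
# on a device onboarded to Microsoft Defender for Endpoint.

# 1. Turn Network protection on in block mode (AuditMode would only log matches).
Set-MpPreference -EnableNetworkProtection Enabled

# 2. Confirm the setting took effect. The value is numeric:
#    0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$state = (Get-MpPreference).EnableNetworkProtection
if ($state -ne 1) {
    throw "Network protection is not in block mode (value: $state)"
}
"Network protection state: $state (1 = block mode)"

# 3. Network protection depends on real-time protection and cloud-delivered
#    protection being on; report both so a silent no-op is caught early.
$status = Get-MpComputerStatus
$maps   = (Get-MpPreference).MAPSReporting   # 0 = off, 1 = basic, 2 = advanced
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"
"Cloud-delivered protection (MAPSReporting): $maps"

# 4. Review Network protection events written by Defender Antivirus.
#    Event ID 1126 = connection blocked, 1125 = would have been blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1125, 1126
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

The event query is the practical check for the exam point above: because the block is enforced by the platform rather than a per-user agent, a blocked connection from any process on the device shows up here regardless of which user started it.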
Exam trap
The trap is confusing Network protection with Web protection: candidates assume Web protection can block IP-based outbound connections, but Web protection only filters HTTP/HTTPS traffic by URL reputation and does not operate at the network layer for arbitrary IP addresses.
How to eliminate wrong answers
Option A is wrong because Attack surface reduction (ASR) rules block specific behaviours on the endpoint (for example, script execution or Office macro abuse), not outbound network connections to a given IP address. Option B is wrong because custom detection rules (built on advanced hunting queries) only raise alerts from telemetry; they do not block network traffic. Option D is wrong because Web protection (web threat protection) blocks malicious URLs and web content based on reputation, not outbound connections to a known malicious IP address at the network layer.