title: Evaluate network protection description: See how network protection works by testing common scenarios that it protects against. ms.service: defender-endpoint ms.localizationpriority: medium audience: ITPro ms.topic: how-to author: limwainstein ms.author: lwainstein ms.reviewer: yongrhee manager: bagol ms.subservice: asr ms.collection:
- m365-security
- tier2
- mde-asr
search.appverid: met150
ms.date: 04/04/2025
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
Network protection helps prevent employees from using any application to access dangerous domains that might host phishing scams, exploits, and other malicious content on the Internet.
This article helps you evaluate network protection by enabling the feature and guiding you to a testing site. The sites in this evaluation article aren't malicious. They're specially created websites that pretend to be malicious. The site replicates the behavior that would happen if a user visited a malicious site or domain.
Enable network protection in audit mode to see which IP addresses and domains might be blocked. You can make sure it doesn't affect line-of-business apps, or get an idea of how often blocks occur.
-
Type powershell in the Start menu, right-click Windows PowerShell and select Run as administrator.
-
Run the following cmdlet:
Set-MpPreference -EnableNetworkProtection AuditMode
-
Open Internet Explorer, Google Chrome, or any other browser of your choice.
-
Go to https://smartscreentestratings2.net.
The network connection is allowed and a test message displays.
:::image type="content" source="media/np-notif.png" alt-text="The connection blockage notification" lightbox="media/np-notif.png":::
Note
Network connections can be successful even though a site is blocked by network protection. To learn more, see Network protection and the TCP three-way handshake.
To review apps that would have been blocked, open Event Viewer and filter for Event ID 1125 in the Microsoft-Windows-Windows Defender/Operational log. The following table lists all network protection events.
| Event ID | Provide/Source | Description |
|---|---|---|
| 5007 | Windows Defender (Operational) | Event when settings are changed |
| 1125 | Windows Defender (Operational) | Event when a network connection is audited |
| 1126 | Windows Defender (Operational) | Event when a network connection is blocked |
If network protection fails to detect, make sure that the following prerequisites are enabled:
-
Microsoft Defender Antivirus is the primary antivirus app (active mode)