Defense Layers: A Case Study

Posted on October 28, 2021 By Michael Kavka No Comments on Defense Layers: A Case Study

Recently, I have been wondering why a site such as mail[.]ru (and its subdomains) is being blocked by Microsoft Exploit Guard’s Network Protection setting and not by Umbrella. Considering that Network Protection does not give an actual block page, and instead a generic Access Denied page, it seemed that the order of things was to blame. I did some experimenting and testing, along with research, to come up with the following conclusions on the order in which something is blocked:

  1. uBlock Origin
  2. Network Protection\Smartscreen from Microsoft
  3. Cisco Umbrella

This seems counterintuitive since Umbrella is a DNS-level service, but from what I have come across, the actual hitting of the Umbrella block page is a man-in-the-middle redirect based on the DNS classification. A true writeup on where in the connection attempt Umbrella’s redirect happens is difficult to find: Cisco says it is a kernel driver redirect based on the DNS, yet looking at when the Umbrella block screen actually appears, it is a bit later in the connection process compared to uBlock Origin and Exploit Guard’s Network Protection setting.

uBlock Origin uses known lists of bad domains as part of its blocking technology, which allows known bad sites to be blocked by it immediately.

Umbrella classification of ggmail.com (blocked by uBlock Origin)

When I went to the above site it was blocked by uBlock Origin, even before Network Protection was able to act, because the site was in its autoblock list. Effective, but easy to get around. uBlock Origin is great for ad blocking, though.

Microsoft Exploit Guard’s Network Protection is another interesting situation. While Cisco’s classifications come from its own Talos group, Microsoft has its own threat intelligence team. This data feeds into items such as Network Protection and SmartScreen (which is part of Edge, if turned on). Using mail[.]ru as our example here, it gets blocked by SmartScreen in Edge and by Network Protection in Chrome/Firefox. In Edge you get the familiar red block screen saying SmartScreen has blocked access to the site. In Chrome and Firefox, you only get an Access Denied page with no other information.

Both of these technologies check and block immediately following the TCP three-way handshake (SYN, SYN-ACK, ACK), based on Microsoft’s threat intelligence. This block happens before any data that could be redirected is transferred (which is where Umbrella’s block page comes in).
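Because Chrome and Firefox show only a bare Access Denied page, the quickest way to confirm that Network Protection (and not Umbrella or uBlock Origin) was the layer that blocked a site is Defender’s own operational log. The following script is an added example, not code from the post or from Microsoft; it assumes Defender Antivirus is the active engine, that the shell is elevated enough to read the Defender log, and that the event message text names the blocked host.

```powershell
# Added example (not from the post). Attributes a bare "Access Denied" in Chrome/Firefox
# to Network Protection by reading the events it writes, so the block is not mistaken
# for an Umbrella block. Assumes Defender AV is active and the shell can read its log.

# 1. Is Network Protection enforcing at all?  0 = Disabled, 1 = Block, 2 = Audit
$mode = (Get-MpPreference).EnableNetworkProtection
$modeName = switch ($mode) { 0 {'Disabled'} 1 {'Block'} 2 {'Audit'} default {"Unknown ($mode)"} }
Write-Host "EnableNetworkProtection = $modeName"

# 2. Network Protection logs event 1126 when it blocks and 1125 when it only audits.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1125, 1126
    StartTime = (Get-Date).AddHours(-24)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Network Protection events in the last 24h: a block seen in the browser came from another layer (uBlock Origin, Umbrella, ...).'
    return
}

# 3. Summarise. The blocked destination appears in the message body; pulling out
#    host-name-shaped tokens avoids depending on the exact field labels of a given
#    Defender build (an assumption: adjust the pattern if your events differ).
$events | ForEach-Object {
    $hosts = [regex]::Matches($_.Message, '\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b', 'IgnoreCase') |
             ForEach-Object Value |
             Where-Object { $_ -notmatch '^[\d.]+$' -and $_ -notmatch '\.(exe|dll)$' } |
             Select-Object -Unique
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Action = if ($_.Id -eq 1126) { 'Blocked' } else { 'Audited' }
        Hosts  = ($hosts -join ', ')
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the site you tested appears here with Action = Blocked, Network Protection won the race; if it is absent and the browser still showed a block, look at uBlock Origin’s logger or the Umbrella reporting console instead.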

Umbrella classification of mail[.]ru (blocked by Exploit Guard Network Protection)

What happens here is that Umbrella’s DNS has classified the site, and Umbrella is ready to send the block page upon connection, but the connection never gets to the redirection point. In the case of mail[.]ru, Umbrella will block the site in Chrome or Firefox if Network Protection is not enabled on the machine, because it is in the custom blocklist that we have. (What does worry me is that every threat intelligence platform on which I can look up mail[.]ru shows it is known to house malware across its series of IP addresses, and that Cisco does not classify it as a malware site is odd to me, but that is something to look into at a later time.) This has been tested on a machine that has Umbrella and does not have Microsoft Exploit Guard Network Protection enabled on it.

As an example of something that Cisco blocked and the others did not, I found someone who went to an obvious typo of gmail.com. It shows the difference in threat intelligence classifications out there: the site is classified as Malware by Cisco but must not be by Microsoft, since Network Protection did not kick in on it.

Umbrella classification of gmai.com (blocked by Umbrella)

The results of all this show how multiple layers of defense can work together and complement each other, and where things are actually being blocked. It also shows that Cisco Umbrella’s block page is independent of its classification: being a redirect, it happens far enough after the three-way handshake (even if only by microseconds) that it does not show when SmartScreen/Network Protection decides a site is malicious.

Microsoft, Security Tags:Network Protection, Smartscreen, uBlock Origin, Umbrella, Web Filtering
