Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders. …


"controlled folder access"

You mean protection like Defense+ in the free Comodo Firewall has been giving me for the last decade?

(Written by Reg staff)

Re: "controlled folder access"

Defense in depth! :) Anyway, not that many people will want to install anything to do with Comodo on their machines...

C.


Re: "controlled folder access"

"not that many people will want to install anything to do with Comodo on their machines..."

I don't *want* to install anything to do with Microsoft on my machine.


Re: "controlled folder access"

Although Comodo's original firewall was pretty good, nowadays I wouldn't touch them with a 40ft barge pole if they were on fire*

*No, I'm not sure why I mixed those two together either, but these things happen.


Re: "controlled folder access"

Genuinely curious. What's wrong with Comodo? Has been fine for me for years and seems quite powerful. I'm aware they've pretty much stolen Process Explorer, it would seem, with their version that looks shockingly similar. But still been good.

Only issue is GeekBuddy. That should be avoided and I guess we should be pulling them up just for that alone.


Re: "controlled folder access"

Genuinely curious. What's wrong with Comodo?

Maybe some here don't like it because the initial setting up is (was - last time I used Comodo was in 2008 before I went to mainly Linux) a bit annoying. All that thinking!

Not like the Windows firewall, which may or may not be turned on (you can't be sure) and just does its thing, quietly letting anything and everything through protecting you from all them nasties! (at least that's what the marketing dept claim)

I'd also love to hear someone suggest flaws in Comodo, as my memory of it is good and I may end up suggesting it to someone stuck with Windows - would hate to make their machines even less secure!


yet another 'new, shiny' feature that gets a *yawn*

So how much of a pain IS it to set up everything to be "scramble-proof"? And when will the ransomware be smart enough to "un-do all of that"?

I'm guessing that it's NOT password protected with a separate pass-phrase, nor write protected with something that's truly tamper-proof.

And without much review, we only have Microsoft's claims about its features...

/me hope it actually works, but I suspect that maybe it's not worth the hype.


Re: yet another 'new, shiny' feature that gets a *yawn*

It can be disabled with the following PS command:

Set-MpPreference -EnableControlledFolderAccess Disabled

It does need to be run as Administrator, but that's trivial to work around.

It's a false sense of security, if any. Educating users is still the best cure.

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

"It does need to be run as Administrator, but that's trivial to work around."

How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

It is another layer of protection. It won't be foolproof, but it is better than not having it.

One more thing to stop you having to go to your backups. (You do have backups right?)

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

It works better if you realise they missed the log out/log back in the setup help. Didn't check if it applies changed folder lists but it doesn't update your app whitelist without it. Cue much annoyance.

Also if you're using a 'select folder' file dialog it will just silently fail to write. No warning. Be careful.


Re: yet another 'new, shiny' feature that gets a *yawn*

"It does need to be run as Administrator, but that's trivial to work around."

How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button? Or the one that defaults to the "allow" button being selected, which gets "clicked" when the user presses their space button. Which is not very often really, only every 4-5 characters typed or so....

Not knowing how the permissions mechanism works, but my plan to defeat it would be 1) to bombard the user with prompts (making the reason sound safe enough, eg "Mostwonderousfreebackup.exe needs to access your data to protect it, allow (yes/no)?" in the expectation that they'll hit "yes" (what turned UAC into just another Useless Annoying C...) or b) use a trojan that acts much like A.

Now, a versioning system that can detect wholesale changes to user's files and maybe take action (without having a simple yes/no prompt the user can make go away quickly but something that sticks around and explains itself fairly carefully - no I don't know how this can be achieved sorry!), and make sure that the previous copy of the user's files cannot be touched - that would be good. Of course a quick defeat to that is to fill the HDD with stuff so there's no space left.

Maybe the versioning software can send the file that's making the changes back to HQ (and other places, ie competing AV firms) for analysis, and hold its execution till cleared?

Unfortunately any security system that requires the average user to select "no" several times a day is doomed to failure.

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

"You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

Only if they have admin rights. Most corporate users won't. This can't beat a determined idiot with admin rights, but it's a good start....

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

"How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access."

Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups...

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

"Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...


Re: yet another 'new, shiny' feature that gets a *yawn*

"You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

Only if they have admin rights. Most corporate users won't. This can't beat a determined idiot with admin rights, but it's a good start....

I suspect there may be some management issues there as well.. (ie manager demanding certain things be allowed which shouldn't).


Re: yet another 'new, shiny' feature that gets a *yawn*

"Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...

Typically, if you don't let C-level types have their way, they send you on your way.

Anonymous Coward

Re: yet another 'new, shiny' feature that gets a *yawn*

"Typically, if you don't let C-level types have their way, they send you on your way."

And typically companies have processes and policies around admin rights that you get fired for ignoring. I have worked in many many varied companies and NEVER do standard user accounts get admin rights. If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required. Someone in your company isn't managing their users properly and you have a weak security policy and processes.

As I said, good luck with staying in business...


Re: yet another 'new, shiny' feature that gets a *yawn*

And typically companies have processes and policies around admin rights that you get fired for ignoring.

Ah yes, the old "I'll fire THE BOSS because I'm IT and therefore bigger than he is." Hello Jake, never knew you to post AC! :)

If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required.

"What? I don't want to bother with that. My time is important, I don't want to stuff around logging out and back in. Give me permanent admin access or you're fired and I'll get someone in who can do what they're told!". Or words to that effect.

As I said, good luck with staying in business...

Many of these companies still seem to be surviving quite well actually. YOU, however, would be out at best at the next contract renewal if you don't let some of these people get their own way.


Hmmmm

I don't seem to have it, maybe it's because I'm running a different AV and it's disabled?


Re: Hmmmm

I do use Defender and tried to find it using all the link advice I could trace, but could not find the feature. If it should be there I want to have access and be able to exploit or reject any features as I desire without an automatic "it is [whoever] do not bother" response.


Re: Hmmmm

Yes, I read the article, had a look and it's greyed out. Even the normally pretty useless "Microsoft Community" (Where shills meet to defend the mother ship) has this documented. To use this protection you have to rely only on the less safe MS AV. It's the IT equivalent of saying "Take off your condom and use the rhythm method".


Re: Hmmmm

Now I'm really confused. (Well done Microsoft). Is this thing greyed out because I have third party AV software running, as Microsoft's own forums ("community") say. Or because it isn't allowed to work in Home editions. Either way, they're a bunch of dicks.


Cat and Mouse

I say no more.


Re: Cat and Mouse

So your defeatist apathy is a better option? You'd better read "Maus" if you think a world is better with all Cat.

( Yes Godwin invoked by way of a literary reference! )


Re: Cat and Mouse

I have actually had my fill of Holocaust Porn in my life, no longer interested.


What if an unsecured device and a secure one both have the same Dropbox account (other brands of cloud storage are available), what happens when the unsecured one gets ransomware?


The obvious unfortunately. The unsecured one scrambles the files, syncs them to dropbox, from where they get synced back to the secured device. If only the unsecured device could have read-only access to your cloud data...


For some reason...

I always seem to misread Windows 10 Fail creators update.


Re: For some reason...

I always have a sinking feeling when I read about falling creators.

Will they ever land?


Fall Creator's Update

Is that for people who create fall [autumn], or is it just released in the fall and you have to be godlike to get it working properly?


Re: For some reason...

"I always seem to misread Windows 10 Fail creators update."

How is that misreading?


Re: For some reason...

I always have a sinking feeling when I read about falling creators.

Will they ever land?

With luck they'll land somewhere in Red, and I do mean 'red', mond.

Insert lyrics from 'Beautiful Streamer' or 'Blood on the Risers' here. http://home.hiwaay.net/~magro/parasongs.html

Airborne!


"The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders."

Turned this on, went to check email. OUTLOOK.EXE is blocked.

OUTLOOK.EXE??

Another well thought out feature, then!


That, or your outlook.exe lacks the proper signature, and isn't the one on the whitelist. Scan for virii? :)

(My Outlook from Office 2013 had no problems writing to my document folders when saving an email attachment after enabling this).

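As an added example (not code from any commenter, nor Microsoft's own sample), here is the defender-side counterpart to the Set-MpPreference command quoted earlier in the thread and to the blocked-Outlook report above: check the current state, start in audit mode, allowlist a flagged application by path, and read Defender's own event log before switching to blocking. The D:\Projects folder and the Outlook path are assumptions; substitute your own.

```powershell
# Added example, not from the thread: manage Controlled Folder Access (CFA)
# with the Defender cmdlets and review what it logs. Run from an elevated
# PowerShell prompt (Set-MpPreference / Add-MpPreference need admin rights).

$prefs = Get-MpPreference
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
switch ($prefs.EnableControlledFolderAccess) {
    0 { 'CFA is disabled' }
    1 { 'CFA is enabled (blocking writes to protected folders)' }
    2 { 'CFA is in audit mode (logging only, nothing blocked)' }
}

# Step 1: audit mode first. Nothing is blocked, but every write that *would*
# have been blocked is logged, which avoids the "OUTLOOK.EXE is blocked" surprise.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Step 2: protect a folder beyond the default user libraries (assumed path).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Projects'

# Step 3: allowlist an application the audit log shows as flagged, by full path.
# Path below is an assumption; confirm yours with (Get-Process OUTLOOK).Path
# while Outlook is running.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'

# Step 4: review blocked (1123) and audited (1124) CFA events from the last week.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Step 5: once the audit log shows only expected writers, switch to blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Record the resulting lists so changes can be reviewed later.
(Get-MpPreference).ControlledFolderAccessProtectedFolders
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

A write that is silently dropped (as one commenter reports for the folder-picker dialog) still produces a 1123 event, so the event query is the place to look when an application appears to save without error but the file never changes.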

So the next evolution of ransomware

Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. It isn't as if those applications don't always have a lengthy list of patches every month, finding such an attack will be pretty easy.

I don't see this as a long term solution, it is fixing last year's problem while the malware guys are already working on next year's nasties.


See, there, this feature is actually working if it blocks Foutlook.

Anonymous Coward

Another well thought out feature, then!

Even better, you can't turn it off for a folder once it's turned on!

Great for making entire drives read-only


Re: So the next evolution of ransomware

"Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "

You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.

Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.


Re: So the next evolution of ransomware

Whitelisting apps and requiring digital signatures? In other words time to welcome Microsoft to an Apple style walled garden, as apps without the signature will be seen as unsafe and to be avoided.


Re: So the next evolution of ransomware

There's no reason why this can't be made watertight.

Well, I can think of one obvious reason.... ;)


Get Real Everyone

MSFT just wants you to name the important folders to help focus their slurping work for 'the man'


Re: Get Real Everyone

Well, the documents & desktop folders would be the ones for 99.99999% of the Windows using population.

Anonymous Coward

So if this feature is for Defender and Defender is supplied with Windows and Windows 7 is still supported will Microsoft get sued if someone gets ransomware that would have been stopped by something they didn't add to Windows 7 because they are trying to get everyone on Windows 10?

I'm making the assumption this is not being added to Windows 7.


What a crock of shit. Win7 has been out of mainstream support for some time (2 1/2 years).

No new features, no additional service packs, only security fixes.

This is a new feature.

Anonymous Coward

My mistake, it's security essentials for Windows 7 however it's still touted as Defender for Windows 7.

So in your opinion you would not class ransomware protection as a security fix?


"No new features, no additional service packs, only security fixes.

This is a new feature."

So it's nothing to do with security?

Anonymous Coward

A new feature that adds security and fixes a problem that allows ransomware to propagate on a machine.

If the OS was secure then it wouldn't be needed however it is therefore it's a fix to a problem.

Let's say a variant of ransomware infects Windows 7 machines but not Windows 10 due to this "feature", you could argue that Microsoft was negligent in not adding this to Windows 7 leaving users vulnerable as they are obliged to supply security fixes.

You say tomato, I say potato.


"Win7 has been out of mainstream support for some time (2 1/2 years).

No new features, no additional service packs, only security fixes.

This is a new feature."

So you think it will be coming to Windows 8.1 then? Still a year and a half of mainstream support on that!


'Windows Defender' on Win 7 is a useless application which tries and fails to do something about spyware. 'Windows Defender' on Win 8 and later, including Win 10, is an application of quite limited use which attempts to do something about malware in general, including spyware, but which is not the best antimalware app ever made. There are notable differences between Defender on Win 8/8.1 and Defender on Win 10; this feature is merely one more. Defender on Win 8 was built on the bones of Microsoft Security Essentials, for Win 7. They are not the same application. Defender on Win 10 has the same name but is not the same application as Defender on Win 8/8.1. If you want the features of Defender on Win 10, you have to be running Win 10. In other words, no, this won't be backported to Security Essentials on Win 7. And, no, this won't be backported to Defender on Win 8/8.1. Go ahead and sue. You will lose.

Biting the hand that feeds IT © 1998–2017