back to article Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders. …

Page:

  1. inmypjs Silver badge

    "controlled folder access"

    You mean protection like Defense+ in the free Comodo Firewall has been giving me for the last decade?

    1. diodesign (Written by Reg staff) Silver badge

      Re: "controlled folder access"

      Defense in depth! :) Anyway, not that many people will want to install anything to do with Comodo on their machines...

      C.

      1. inmypjs Silver badge

        Re: "controlled folder access"

        "not that many people will want to install anything to do with Comodo on their machines..."

        I don't *want* to install anything to do with Microsoft on my machine.

      2. steviebuk Silver badge

        Re: "controlled folder access"

        Genuinely curious. What's wrong with Comodo? Has been fine for me for years and seems quite powerful. I'm aware they've pretty much stolen Process Explorer it would seems with their version that looks shockingly similar. But still been good.

        Only issue is GeekBuddy. That should be avoided and I guess we should be pulling them up just for that alone.

        1. Kiwi Silver badge
          Paris Hilton

          Re: "controlled folder access"

          Genuinely curious. What's wrong with Comodo?

          Maybe some here don't like it because the initial setting up is (was - last time I used Comodo was in 2008 before I went to mainly Linux) a bit annoying. All that thinking!

          Not like the Windows firewall, which may or may not be turned on (you can't be sure) and just does it's thing, quietly letting anything and everything through protecting you from all them nasties! (at least that's what the marketing dept claim)

          I'd also love to hear someone suggest flaws in Comodo, as my memory of it is good and I may end up suggesting it to someone stuck with Windows - would hate to make their machines even less secure!

    2. Solarflare

      Re: "controlled folder access"

      Although Comodo's original firewall was pretty good, nowadays I wouldn't touch them with a 40ft barge poll if they were on fire*

      *no, i'm not sure why I mixed those two together either, but these things happen.

  2. bombastic bob Silver badge
    Meh

    yet another 'new, shiny' feature that gets a *yawn*

    so how much of a pain IS it to set up everything to be "scramble-proof"? And when will the ransomware be smart enough to "un-do all of that" ?

    I'm guessing that it's NOT password protected with a separate pass-phrase, nor write protected with something that's truly tamper-proof.

    and without much review, we only have Microsoft's claims about its features...

    /me hope it actually works, but I suspect that maybe it's not worth the hype.

    1. Anonymous Coward
      Facepalm

      Re: yet another 'new, shiny' feature that gets a *yawn*

      It can be disabled with the following PS command:

      Set-MpPreference -EnableControlledFolderAccess Disabled

      It does need to be ran as Administrator, but that's trivial to work around.

      It's a false sense of security, if any. Educating users is still the best cure.

      1. Anonymous Coward
        Anonymous Coward

        Re: yet another 'new, shiny' feature that gets a *yawn*

        "It does need to be ran as Administrator, but that's trivial to work around."

        How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

        1. Kiwi Silver badge
          Boffin

          Re: yet another 'new, shiny' feature that gets a *yawn*

          "It does need to be ran as Administrator, but that's trivial to work around."

          How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

          You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button? Or the one that defaults to the "allow" button being selected, which gets "clicked" when the user presses their space button. Which is not very often really, only every 4-5 characters typed or so....

          Not knowing how the permissions mechanism works, but my plan to defeat it would be 1) to bombard the user with prompts (making the reason sound safe enough, eg "Mostwonderousfreebackup.exe needs to access your data to protect it, allow (yes/no)?" in the expectation that they'll hit "yes" (what turned UAC into just another Useless Annoying C...) or b) use a trojan that acts much like A.

          Now, a versioning system that can detect wholesale changes to user's files and maybe take action (without having a simple yes/no prompt the user can make go away quickly but something that sticks around and explains itself fairly carefully - no I don't know how this can be achieved sorry!) , and make sure that the previous copy of the user's files cannot be touched - that would be good. Of course a quick defeat to that is to fill the HDD with stuff so there's no space left.

          Maybe the versioning software can send the file that's making the changes back to HQ (and other places, ie competing AV firms) for analysis, and hold it's execution till cleared?

          Unfortunately any security system that requires the average user to select "no" several times a day is doomed to failure.

          1. Anonymous Coward
            Anonymous Coward

            Re: yet another 'new, shiny' feature that gets a *yawn*

            "You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

            Only if they have admin rights. Most corporate users wont. This cant beat a determined idiot with admin rights, but it's a good start....

            1. Kiwi Silver badge

              Re: yet another 'new, shiny' feature that gets a *yawn*

              "You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

              Only if they have admin rights. Most corporate users wont. This cant beat a determined idiot with admin rights, but it's a good start....

              I suspect there may be some management issues there as well.. (ie manager demanding certain things be allowed which shouldn't).

        2. Anonymous Coward
          Anonymous Coward

          Re: yet another 'new, shiny' feature that gets a *yawn*

          "How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access."

          Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups...

          1. Anonymous Coward
            Anonymous Coward

            Re: yet another 'new, shiny' feature that gets a *yawn*

            "Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

            You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...

            1. Kiwi Silver badge

              Re: yet another 'new, shiny' feature that gets a *yawn*

              "Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

              You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...

              Typically, if you don't let C-level types have their way, they send you on your way.

              1. Anonymous Coward
                Anonymous Coward

                Re: yet another 'new, shiny' feature that gets a *yawn*

                "Typically, if you don't let C-level types have their way, they send you on your way."

                And typically companies have processes and policies around admin rights that you get fired for ignoring. I have worked in many many varied companies and NEVER do standard user accounts get admin rights. If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required. Someone in your company isn't managing their users properly and you have a weak security policy and processes.

                As I said, good luck with staying in business...

                1. Kiwi Silver badge

                  Re: yet another 'new, shiny' feature that gets a *yawn*

                  And typically companies have processes and policies around admin rights that you get fired for ignoring.

                  Ah yes, the old "I'll fire THE BOSS because I'm IT and therefore bigger than he is. Hello Jake, never knew you to post AC! :)

                  If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required.

                  "What? I don't want to bother with that. My time is important, I don't want to stuff around logging out and back in. Give me permanent admin access or you're fired and I'll get someone in who can do what they're told!". Or words to that effect.

                  As I said, good luck with staying in business...

                  Many of these companies still seem to be surviving quite well actually. YOU, however, would be out at best at the next contract renewal if you don't let some of these people get their own way.

      2. Anonymous Coward
        Anonymous Coward

        Re: yet another 'new, shiny' feature that gets a *yawn*

        It is another layer of protection. It won't be foolproof, but it is better than not having it.

        One more thing to stop you having to go to your backups. (You do have backups right?)

    2. Anonymous Coward
      Anonymous Coward

      Re: yet another 'new, shiny' feature that gets a *yawn*

      It works better if you realise they missed the log out/log back in the setup help. Didn't check if it applies changed folder lists but it doesn't update your app whitelist without it. Cue much annoyance.

      Also if you're using a 'select folder' file dialog it will just silently fail to write. No warning. Be careful.

  3. Tezfair
    Unhappy

    Hmmmm

    I don't seem to have it, maybe it's because im running a different AV and it's disabled?

    1. Richard Jones 1
      Unhappy

      Re: Hmmmm

      I do use Defender and tried to find it using all the link advice I could trace, but could not find the feature. If it should be there I want to have access and be able to exploit or reject any features as I desire without an automatic "it is [whoever] do not bother" response.

    2. Terry 6 Silver badge

      Re: Hmmmm

      Yes, I read the article, had a look and it's greyed out. Even the normally pretty useless "Microsoft Community" (Where shills meet to defend the mother ship) has this documented. To use this protection you have to rely only on the less safe MS AV. It's the IT equivalent of saying "Take off your condom and use the rhythm method".

      1. Terry 6 Silver badge
        WTF?

        Re: Hmmmm

        Now I'm really confused. (Well done Microsoft). Is this thing greyed out because I have third party AV software running, as Microsoft's own forums ("community") say. Or because it isn't allowed to work in Home editions. Either way, they're a bunch of dicks.

  4. harmjschoonhoven
    WTF?

    Cat and Mouse

    I say no more.

    1. FuzzyWuzzys Silver badge
      Facepalm

      Re: Cat and Mouse

      So your defeatist apathy is a better option? You'd better read "Maus" if you think a world is better with all Cat.

      ( Yes Godwin invoked by way of a literary reference! )

      1. Destroy All Monsters Silver badge

        Re: Cat and Mouse

        I have actually had my fill of Holocaust Porn in my life, no longer interested.

  5. Nifty

    What if an unsecured device and a secure one both have the same Dropbox account (other brands I'd cloud storage are available), what happens when the unsecured one gets ransomware?

    1. Pascal

      The obvious unfortunately. The unsecured one scrambles the files, syncs them to dropbox, from where they get synced back to the secured device. If only the unsecured device could have read-only access to your cloud data...

  6. Tim Brown 1
    Facepalm

    For some reason...

    I always seem to misread Windows 10 Fail creators update.

    1. Chairo
      Angel

      Re: For some reason...

      I always have a sinking feeling when I read about falling creators.

      Will they ever land?

      1. DJSpuddyLizard

        Fall Creator's Update

        Is that for people who create fall [autumn], or is it just released in the fall and you have to be godlike to get it working properly?

      2. WolfFan Silver badge

        Re: For some reason...

        I always have a sinking feeling when I read about falling creators.

        Will they ever land?

        With luck they'll land somewhere in Red, and I do mean 'red', mond.

        Insert lyrics from 'Beautiful Streamer' or 'Blood on the Risers' here. http://home.hiwaay.net/~magro/parasongs.html

        Airborne!

    2. Lord Elpuss Silver badge

      Re: For some reason...

      ”I always seem to misread Windows 10 Fail creators update.“

      How is that misreading?

  7. Dippywood

    "The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders."

    Turned this on, went to check email. OUTLOOK.EXE is blocked.

    OUTLOOK.EXE??

    Another well thought out feature, then!

    1. Pascal

      That, or your outlook.exe lacks the proper signature, and isn't the one on the whitelist. Scan for virii? :)

      (My Outlook from Office 2013 had no problems writing to my document folders when saving an email attachment after enabling this).

    2. DougS Silver badge

      So the next evolution of ransomware

      Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. It isn't as if those applications don't always have a lengthy list of patches every month, finding such an attack will be pretty easy.

      I don't see this as a long term solution, it is fixing last year's problem while the malware guys are already working on next year's nasties.

      1. Ken Hagan Gold badge

        Re: So the next evolution of ransomware

        "Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "

        You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.

        Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.

        1. DougS Silver badge

          Re: So the next evolution of ransomware

          Whitelisting apps and requiring digital signatures? In other words time to welcome Microsoft to an Apple style walled garden, as apps without the signature will be seen as unsafe and to be avoided.

        2. Kiwi Silver badge
          Trollface

          Re: So the next evolution of ransomware

          There's no reason why this can't be made watertight.

          Well, I can think of one obvious reason.... ;)

    3. Hans 1 Silver badge
      Joke

      See, there, this feature is actually working if it blocks Foutlook.

    4. Anonymous Coward
      Anonymous Coward

      Another well thought out feature, then!

      Even better, you can't turn it off for a folder once it's turned on!

      Great for making entire drives read-only

  8. J J Carter Silver badge
    Trollface

    Get Real Everyone

    MSFT just wants you to name the important folders to help focus their slurping work for 'the man'

    1. Anonymous Coward
      Anonymous Coward

      Re: Get Real Everyone

      Well, the documents & desktop folders would be the ones for 99.99999% of the Windows using population.

  9. Anonymous Coward
    Anonymous Coward

    So if this feature is for Defender and Defender is supplied with Windows and Windows 7 is still supported will Microsoft get sued if someone gets ransomware that would have been stopped by something they didn't add to Windows 7 because they are trying to get everyone on Windows 10?

    I'm making the assumption this is not being added to Windows 7.

    1. Anonymous Coward
      Anonymous Coward

      What a crock of shit. Win7 has been out of mainstream support for sometime (2 1/2 years).

      No new features, no additional service packs, only security fixes.

      This is a new feature.

      1. Anonymous Coward
        Anonymous Coward

        My mistake, it's security essentials for Windows 7 however it's still touted as Defender for Windows 7.

        So in your opinion you would not class ransomware protection as a security fix?

      2. Doctor Syntax Silver badge

        "No new features, no additional service packs, only security fixes.

        This is a new feature."

        So it's nothing to do with security?

        1. Anonymous Coward
          Anonymous Coward

          A new feature that adds security and fixes a problem that allows ransomware to propagate on a machine.

          If the OS was secure then it wouldn't be needed however it is therefore it's a fix to a problem.

          Lets say a variant of ransomware infects Windows 7 machines but not Windows 10 due to this "feature", you could argue that Microsoft was negligent in not adding this to Windows 7 leaving users vulnerable as they are obliged to supply security fixes.

          You say tomato, I say potato.

      3. Updraft102 Silver badge

        "Win7 has been out of mainstream support for sometime (2 1/2 years).

        No new features, no additional service packs, only security fixes.

        This is a new feature."

        So you think it will be coming to Windows 8.1 then? Still a year and a half of mainstream support on that!

    2. WolfFan Silver badge

      'Windows Defender' on Win 7 is a useless application which tries and fails to do something about spyware. 'Windows Defender' on Win 8 and later, including Win 10, is an application of quite limited use which attempts to do something about malware in general, including spyware, but which is not the best antimalware app ever made. There are notable differences between Defender on Win 8/8.1 and Defender on Win 10; this feature is merely one more. Defender on Win 8 was built on the bones of Microsoft Security Essentials, for Win 7. They are not the same application. Defender on Win 10 has the same name but is not the same application as Defender on Win 8/8.1. If you want the features of Defender on Win 10, you have to be running Win 10. In other words, no, this won't be backported to Security Essentials on Win 7. And, no, this won't be backported to Defender on Win 8/8.1. Go ahead and sue. You will lose.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019