Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders. …

  1. LDS Silver badge

    Could Defender stop showing a warning icon...

    .... when I disable its "feature" to send files automatically to MS without my approval? If you show a warning icon when users disable "features" that may send out proprietary and sensitive information, users will start to ignore the icon even when there's a real threat.

    1. gypsythief

      Re: Could Defender stop showing a warning icon...

      Yes, it could. I'm probably 12 hours too late for this post to be seen, but here goes:

      Screenshot 1: https://i.imgur.com/dnIkfvs.png

      Here, I have just turned off Automatic Sample Submission. Notice how the Defender tray icon is showing a warning icon, along with an alert in the main Defender Security Centre window.

      Critically, clicking the "Dismiss" link by the alert does not just dismiss the alert from the Security Center window: it also dismisses the warning icon from the system tray.

      Screenshot 2: https://i.imgur.com/AjHPfxB.png

      Notice how Automatic Sample submission is still set to "Off", yet the tray icon has a happy little green tick icon on it again.

      Aaah, peace!

  2. Kevin Johnston

    Colour me stupid but...

    Intended as a serious question so please be gentle with me.

    I was under the impression that it was common for the attack to use the user's credentials so I don't understand how this could be as secure as you suggest. Does this simply act as an internal firewall based on connecting application?

    1. TechnicalBen Silver badge

      Re: Colour me stupid but...

      I would assume so.

      I have no idea as I'm not Technical... ah, well, sometimes I am. But I would guess, just as clicking "resource monitor" shows the actual program making the file request, this also works on the program level?

      Though as noted above, it may just be one more step in the escalation to control the malware needs, it now needs to hijack another program in addition to credentials.

    2. Anonymous Coward
      Anonymous Coward

      Re: Colour me stupid but...

      It's an application firewall. Doesn't matter what credentials are used, even if you have permission on the files. If the application isn't allowed, it doesn't get access.

      It's like the application sandboxing in, say, Android but for file access only. The application needs permission to access the files; it doesn't matter that the user running the application has access.

    3. Ken Hagan Gold badge

      Re: Colour me stupid but...

      I don't know, but if I were asked to implement such a feature then here's how I'd do it.

      Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add an access control entry (ACE) denying write access to some lowly level of integrity.

      Windows Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)

      The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processes have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.

      Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.
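The subthread above argues about the mechanism; what an administrator actually touches is the configuration surface. The PowerShell below is added here as an example and is not from the article or any commenter. It uses the Defender cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference) to turn Controlled folder access on in audit mode first, protect one local folder and one network share, whitelist a single binary, and read the result back. Every path and the application name are placeholders; run it from an elevated prompt on a 1709 or later build.

```powershell
# Added example: configure Windows Defender Controlled folder access.
# Paths and the application name are placeholders; replace them with your own.
#Requires -RunAsAdministrator

# 1. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged (event ID 1124), so you can find the legitimate
#    apps you must whitelist before switching to Enabled.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders. A set of user profile folders (Documents,
#    Desktop, Pictures, ...) is protected by default and cannot be removed from
#    the list. UNC paths are accepted too, which is what a later post in this
#    thread found when protecting folders on a NAS.
$protected = @(
    'D:\Projects',                 # placeholder local folder
    '\\fileserver\department$'     # placeholder network share
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $protected

# 3. Whitelist an application by its full path. The allow-list is per binary,
#    not per user: a process running as you is still refused if it is neither
#    on this list nor already trusted by Defender.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleVendor\ExampleApp.exe'   # placeholder binary

# 4. Read back the effective configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    Mode        = $pref.EnableControlledFolderAccess   # 0 Disabled, 1 Enabled, 2 AuditMode
    Folders     = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps = $pref.ControlledFolderAccessAllowedApplications
} | Format-List

# 5. Once the audit log shows only things you expect to be refused, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The audit-first ordering is the practical point: the later posts in this thread that switched the feature off after a browser or editor was refused would have seen those refusals as 1124 audit events first, and could have whitelisted the binaries before anything was actually blocked.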

  3. Anonymous Coward
    Anonymous Coward

    chmod go-rw

    With added complexity, 30 years on.

    1. Anonymous Coward
      WTF?

      Re: chmod go-rw

      That's right. The user having to do nothing is far more complex than pulling up a shell and applying a command to obscurely named folders.

      And we wonder why IT people get a bad rep.

      1. Anonymous Coward
        Anonymous Coward

        Re: chmod go-rw

        Sure because 'the user' (nice patronising term there) will know all about the Windows Defender Security Center App won't they? They'll know exactly what arcane switch to flick, what password is needed, and they'll entirely understand why they can no longer save shortcuts on the desktop.

        And we wonder why IT people get a bad rep.

    2. Michael B.

      Re: chmod go-rw

      Not at all. This is stopping applications, that are running under your own privileges, from writing to certain locations that they shouldn't be writing to. In your permissions the malware will still get to write to the user's files.

  4. This post has been deleted by its author

  5. Anonymous Coward
    Anonymous Coward

    Network shares etc?

    Wonder how effective it is at protecting mapped drives? That's what typically hurts businesses the most when they've got a departmental share suddenly encrypted.

    1. Anonymous Coward
      Anonymous Coward

      Re: Network shares etc?

      It's a good point. If you apply it to a server, I presume it would lock out the user access, but interesting to see.

      Backups are all well and good, but not when they have suffered delayed encryption as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: Network shares etc?

        Yeah, and you don't have an entire department sh*tting themselves because one member of staff has been doubly stupid whilst "working from home"

    2. LDS Silver badge

      Re: Network shares etc?

      A file system which allows snapshots is an effective protection against malware encrypting network share files. Enable automatic snapshots every n minutes, and when you spot a ransomware, you can go back in time (after you cleared the infection, of course) faster than having to restore a backup.

      Of course, it would be better to minimize the users having write access to any given share/folder, and maybe use a better way to share documents (i.e. something with auditing and versioning, for example), not easily accessible by a ransomware. A "free-for-all" approach is never sensible.

      1. Mark 110 Silver badge

        Re: Network shares etc?

        I'm wondering if you can just apply the protection to the network drive as you would the local drive on your machine. Will give it a go when I get home later.

        1. Mark 110 Silver badge

          Re: Network shares etc?

          Hmmm - no I won't - haven't had the update yet . . . installing now.

      2. Anonymous Coward
        Anonymous Coward

        Re: Network shares etc?

        "A file systems which allow snapshots is an effective protection against malwares encrypting network shares files."

        Windows already takes snapshots / file version backups. That might work for remote file shares, but most Windows ransomware deletes local snapshots!

        1. LDS Silver badge

          Re: Network shares etc?

          That's why I explicitly said "network share files", where an attacker's access is rather more limited. If the remote file system is also a non-Windows one (i.e. ZFS on a FreeBSD system, for example), it becomes harder for the attacker. It's another layer of protection.

          1. Mark 110 Silver badge

            Re: Network shares etc?

            Finally got the update installed. Bit busy and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.

            It lets me protect folders on my NAS but not apply the setting to the whole NAS. I need to apply it to each folder. But in answer to the original question - yes - you can apply the protection to network locations.

            1. Kiwi Silver badge
              Linux

              Re: Network shares etc?

              Finally got the update installed. Bit busy and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.

              One of the reasons I seldom boot into Windows anymore. It will've decided some driver needs changing, or I've made a drastic hardware change like put the mouse in the wrong USB port (the one I plugged it into last week instead of earlier this week) or some other event that so seriously affects things that it wants a reboot. And when I reboot it takes a few minutes for Windows to shut down (I love showing off 11-15 second shutdowns in Linux with a ton of programs open!) so I wander away, hoping to be back to catch it.

              I found Grub Customizer, which has let me set the Grub time to 5 minutes (I would love a don't automatically boot OS option), so at least I have some hope of intercepting the normal boot-into-Linux and letting Windows start the next stage of its 5xrebootforminorchanges cycle.

              Nice to know that network shares can be protected. Don't suppose the system defaults to protecting stuff though does it?

              1. Mark 110 Silver badge

                Re: Network shares etc?

                Thanks - been meaning to google how to stop Grub doing that to me :-)

  6. thondwe

    OneDrive

    Not sure this works for OneDrive folders yet - pity - guess it'll come in the Xmas Jolly Update...

    1. Mark 110 Silver badge

      Re: OneDrive

      Another one for me to try later. Or are you saying you already tried and failed? Will save me a task if you have.

      1. Mark 110 Silver badge

        Re: OneDrive

        It works for OneDrive. Well, the way I have it set up on this machine anyway. On this machine, to write to OneDrive it writes to a local drive which then syncs to OneDrive. I can apply the setting to the OneDrive folder in Explorer (which in a physical sense is a local folder). So yes, it works (on this machine).

        Need to update my laptop at some point. I don't store all OneDrive files locally on the laptop so that might be different.

  7. lansalot

    Yay!

    That sounds like a great tool for home users to protect themselves!

    https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessallowedapplications

    Ah wait - not available in Windows 10 Home edition??

    1. elgarak1

      Re: Yay!

      I remember how I felt back when all these different Editions came into being and I read that the backup on Home Edition wouldn't work. Yeah, right, our data is worthless, right? Bloody wankers...

      IIRC, about the same time Apple released Time Machine...

    2. Fuzz

      Re: Yay!

      That's a list of group policies. It's not possible to enable the feature using group policy on Windows Home. You have to go into the settings and flick the switch.

    3. This post has been deleted by its author

  8. kckeane

    Thank you!

  9. James 29

    I tried enabling this, then an hour later was dragging a URL from the address bar on Firefox to the desktop (just an odd way of bookmarking I use sometimes) and Defender stopped it in its tracks. Feature now switched back off (or until I can be bothered to reconfigure it)

    1. lansalot

      so..

      Not worth persisting with to protect your actual-data then, just because one thing got blocked?

      1. Kiwi Silver badge
        Boffin

        Re: so..

        Not worth persisting with to protect your actual-data then, just because one thing got blocked?

        A big part of the hate directed at 8/8.1/10, a big part of the reasons given why people resist switching to secure OS's etc etc is that it "breaks their workflow".

        People tend to hate things that make their jobs harder. Many also like a new feature and want to use it, but until they get the time to get it working right they turn it off.

        Sometimes time is worth more than faffing about with MS settings and fighting yet another change to the way Windows works. Also why I use Mate instead of other systems - I like functions Gnome2 had which were removed in 3.

        1. Mark 110 Silver badge

          Re: so..

          Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.

          I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.

          1. Kiwi Silver badge

            Re: so..

            Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.

            Thanks :)

            I switched slowly myself. I started it on some server stuff I was doing, and slowly moved it over. I had some type of terminal program (maybe cygwin) that would let me ssh into the server. I started using it more and more with Ubuntu 8, and IIRC for a while I had the ultimate in dual-boot - 2 computers side-by-side!

            What sold me was the first time I went to use my epson printer/scanner on Linux. Stood up to turn the printer on, sat back at the computer, and there was a prompt saying it was ready. No driver searches, no wait while the OS finds drivers, just done and ready to work.

            Of course, back then computers were a tiny fraction of my normal working life, so I had it easy.

            (Oh, and as I said I still stick with something Gnome2-like because that's what I like - I'm comfortable in KDE and Cinnamon, but the UI on the latest Fedora also made it my shortest-lived VM :) )

            I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.

            Yeah they do waste a LOT of screen real estate! Efficient UI design DOESN'T involve having 3 words and one on/off slider per screen!

  10. js6898

    Turned it on, went to edit a .txt file on my desktop (using notepad), wouldn't let me save the changed .txt file back onto the desktop. Turned it off and then I could save the file.
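Both this post and the Firefox one above describe the feature doing what it is designed to do: the Desktop is one of the folders protected by default, and an application Defender does not already trust is refused when it writes there. Rather than switching the whole thing off, the blocked (or audited) events tell you exactly which binary was refused, and that path can be added to the allow-list. The PowerShell below is added here as an example, not from any commenter. It assumes the Defender operational log name, the event IDs 1123 (blocked) and 1124 (audit mode), and the 'Process Name', 'Path' and 'User' fields of those events as Microsoft documents them; if the parsed columns come back blank on your build, inspect one event's XML and adjust the field names.

```powershell
# Added example: find what Controlled folder access refused, then whitelist
# only the binaries you recognise. Assumes event IDs 1123/1124 and the
# 'Process Name' / 'Path' / 'User' EventData fields of the Defender log.
#Requires -RunAsAdministrator

$log = 'Microsoft-Windows-Windows Defender/Operational'

function Get-CfaEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $log
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mode = if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Mode    = $mode
            Process = $data['Process Name']   # the binary that was refused
            Target  = $data['Path']           # the protected location it wrote to
            User    = $data['User']
        }
    }
}

# Which binaries are being refused, and how often, over the last three days.
$events = Get-CfaEvents -Hours 72
$events | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Whitelist only what you recognise. The allow-list is per executable path, so
# match the full path; do not whitelist explorer.exe, cmd.exe or powershell.exe
# wholesale, since malware can drive those to do its writing for it.
$trusted = $events.Process | Sort-Object -Unique |
    Where-Object { $_ -like 'C:\Program Files*\Mozilla Firefox\firefox.exe' }   # example pattern
if ($trusted) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $trusted
}

# Confirm the allow-list now contains the binary.
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

The same query is how you would spot a real ransomware hit: a single unfamiliar binary generating hundreds of 1123 events against Documents and a mapped share in a few minutes looks nothing like a browser dropping one .url file on the Desktop.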

    1. Anonymous Coward
      Anonymous Coward

      So that's:

      chmod -R a-rwx C:\

      Those clever Redmond folk... whatever will they think of in the next 30 years.

      1. Anonymous Coward
        Anonymous Coward

        "So that's:

        chmod -R a-rwx C:\"

        No it isn't; Windows already has a rather more powerful set of more granular file system ACLs than *Nix ever has.

        This is file system access permissions by application binary, not by user ACL.

        1. Captain Obvious
          FAIL

          Riiiiiiight....

          So when you turn on Deny permissions and users still can get access to it, this is more secure? Have seen this happen SO many times. REGARDLESS of inheritance, if you use deny permission on that group, they should not have access, yet randomly, sometimes they do.

          The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do.

          1. Ken Hagan Gold badge

            Re: Riiiiiiight....

            This is the stuff that Dave Cutler brought to the party, 25 years ago. I've seen various ways of getting the configuration wrong, but I've never seen the configuration not being enforced properly.

            If you are a big fan of the original UNIX model then you can stick to that subset, although UNIX doesn't anymore so perhaps it wasn't quite so great.

          2. Anonymous Coward
            Anonymous Coward

            Re: Riiiiiiight....

            "if you use deny permission on that group, they should not have access, yet randomly, sometimes they do."

            Not on Windows they don't. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid. If users have access then they are not in a group with a deny group.

            1. Kiwi Silver badge
              WTF?

              Re: Riiiiiiight....

              Not on Windows they don't. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid.

              You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?

              I've performed thousands of tests, and found the Windows security model... Actually, no that's not true, I've never found the Windows security model because it does not exist!

              1. Anonymous Coward
                Anonymous Coward

                Re: Riiiiiiight....

                "You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?"

                LOL @ complete lack of understanding of ACLs. To be able to do that you need admin rights, AND the admin account needs to have rights to "take ownership" to the files in question.

                By default if you have admin rights, of course you can change permissions. However you can easily deny even the admin account access to files and folders if you need to. Which is something that the inflexible and more primitive *nix ACL model can't manage for root...

                1. Kiwi Silver badge
                  FAIL

                  Re: Riiiiiiight....

                  "You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?"

                  LOL @ complete lack of understanding of ACLs. To be able to do that you need admin rights, AND the admin account needs to have rights to "take ownership" to the files in question.

                  You're an MS shillsupporter and you challenge others on security?

                  And no, you clearly have a complete lack of understanding of MS's complete lack of security. I'm talking a LIMITED account with no admin rights on a Win7 (and I think I've seen this on 8) where the kids wanted to access something in another account (admin or not), they click the folder, get told they don't have permissions "click here to permanently get permission to access this folder",

                  We're talking home users so the MS craptastic and generally rather broken ACLs don't exactly come into it do they? Default MS settings, to be as insecure as possible and when that's not insecure enough, to automatically and permanently give full access to whoever asks.

          3. Anonymous Coward
            Anonymous Coward

            Re: Riiiiiiight....

            "The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do."

            Windows ACLs are more granular and have more options so it's much easier to achieve exactly what you want than on *Nix. Also it has more advanced features like constrained delegation and discretionary access control that you simply can't do with *Nix without installing complex third party products. You clearly don't know the subject matter very well...

            1. DuncanLarge Bronze badge

              Re: Riiiiiiight....

              "Windows ACLs are more granular "

              UNIX ACL's are just as granular and if part of a windows domain implement the same access as on a windows client. Its just not everyone bothers to use UNIX ACL's.

        2. Kiwi Silver badge
          Linux

          No it isn't; Windows already has a rather more powerful set of more granular file system ACLs than *Nix ever has.

          Yet their "security" still constantly lets minor browser bugs get the OS compromised, things that're impossible on proper secure OS's.

          1. Anonymous Coward
            Anonymous Coward

            "Yet their "security" still constantly lets minor browser bugs get the OS compromised, things that're impossible on proper secure OS's."

            That's been possible plenty of times of most OSs including Linux, IOS and Android - so I'm not sure what you have left to class as a proper secure OS?!

  11. Doctor Syntax Silver badge

    I was wondering how this worked seamlessly without changing the entire file access mechanism. By the time I got this far down the comments the answer is clear. "Seamlessly" doesn't apply. PDQ users will be trained to allow anything that wants to write anywhere to do so.

    1. Kiwi Silver badge
      Pint

      PDQ users will be trained to allow anything that wants to write anywhere to do so.

      Yup. UAC V2.

Biting the hand that feeds IT © 1998–2019