"controlled folder access"
You mean protection like Defense+ in the free Comodo Firewall has been giving me for the last decade?
A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders. …
Genuinely curious. What's wrong with Comodo? Has been fine for me for years and seems quite powerful. I'm aware they've pretty much stolen Process Explorer, it would seem, with their version that looks shockingly similar. But still been good.
Only issue is GeekBuddy. That should be avoided and I guess we should be pulling them up just for that alone.
Genuinely curious. What's wrong with Comodo?
Maybe some here don't like it because the initial setting up is (was - last time I used Comodo was in 2008 before I went to mainly Linux) a bit annoying. All that thinking!
Not like the Windows firewall, which may or may not be turned on (you can't be sure) and just does its thing, quietly letting anything and everything through, protecting you from all them nasties! (at least that's what the marketing dept claim)
I'd also love to hear someone suggest flaws in Comodo, as my memory of it is good and I may end up suggesting it to someone stuck with Windows - would hate to make their machines even less secure!
So how much of a pain IS it to set up everything to be "scramble-proof"? And when will the ransomware be smart enough to "un-do all of that"?
I'm guessing that it's NOT password protected with a separate pass-phrase, nor write protected with something that's truly tamper-proof.
and without much review, we only have Microsoft's claims about its features...
/me hope it actually works, but I suspect that maybe it's not worth the hype.
It can be disabled with the following PS command:
Set-MpPreference -EnableControlledFolderAccess Disabled
It does need to be run as Administrator, but that's trivial to work around.
It's a false sense of security, if any. Educating users is still the best cure.
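As an added example (not part of the original thread), the same Defender cmdlet family as the Set-MpPreference line above can be used from the other side: check the state, run the feature in audit mode first, add folders and allowed apps, and pull the events a defender watches for. Folder and application paths are constructed placeholders.

```powershell
# Added example: managing Controlled Folder Access with the Defender cmdlets.
# Run from an elevated PowerShell on Windows 10 1709 or later.
# All paths below are constructed placeholders.

# 1. Current state. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications

# 2. Start in audit mode: nothing is blocked yet, but every write that *would*
#    have been blocked is logged, so you learn which apps need whitelisting
#    before users hit the silent failure described later in the thread.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect folders beyond the defaults. The thread reports that network
#    locations can be added one folder at a time, so a UNC path is included.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'E:\Backup', '\\nas\documents'

# 4. Allow an application by full path. The thread notes the whitelist only
#    took effect for the poster after signing out and back in.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleEditor\editor.exe'

# 5. Switch to enforcement once the audit events are clean.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Events worth collecting from the Defender operational log:
#    1123 = write blocked, 1124 = write audited (audit mode),
#    5007 = a Defender setting changed (this is what the
#    'Set-MpPreference -EnableControlledFolderAccess Disabled' run looks like).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Forwarding event 5007 to a central log is the practical answer to "it can be disabled": the disable itself becomes an alert.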
"It does need to be run as Administrator, but that's trivial to work around."
How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.
You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button? Or the one that defaults to the "allow" button being selected, which gets "clicked" when the user presses their space button. Which is not very often really, only every 4-5 characters typed or so....
Not knowing how the permissions mechanism works, but my plan to defeat it would be a) to bombard the user with prompts (making the reason sound safe enough, e.g. "Mostwonderousfreebackup.exe needs to access your data to protect it, allow (yes/no)?") in the expectation that they'll hit "yes" (what turned UAC into just another Useless Annoying C...) or b) use a trojan that acts much like a).
Now, a versioning system that can detect wholesale changes to user's files and maybe take action (without having a simple yes/no prompt the user can make go away quickly but something that sticks around and explains itself fairly carefully - no I don't know how this can be achieved sorry!) , and make sure that the previous copy of the user's files cannot be touched - that would be good. Of course a quick defeat to that is to fill the HDD with stuff so there's no space left.
Maybe the versioning software can send the file that's making the changes back to HQ (and other places, i.e. competing AV firms) for analysis, and hold its execution till cleared?
Unfortunately any security system that requires the average user to select "no" several times a day is doomed to failure.
"You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"
Only if they have admin rights. Most corporate users won't. This can't beat a determined idiot with admin rights, but it's a good start....
I suspect there may be some management issues there as well.. (ie manager demanding certain things be allowed which shouldn't).
"Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."
You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...
Typically, if you don't let C-level types have their way, they send you on your way.
"Typically, if you don't let C-level types have their way, they send you on your way."
And typically companies have processes and policies around admin rights that you get fired for ignoring. I have worked in many many varied companies and NEVER do standard user accounts get admin rights. If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required. Someone in your company isn't managing their users properly and you have a weak security policy and processes.
As I said, good luck with staying in business...
And typically companies have processes and policies around admin rights that you get fired for ignoring.
Ah yes, the old "I'll fire THE BOSS because I'm IT and therefore bigger than he is." Hello Jake, never knew you to post AC! :)
If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required.
"What? I don't want to bother with that. My time is important, I don't want to stuff around logging out and back in. Give me permanent admin access or you're fired and I'll get someone in who can do what they're told!". Or words to that effect.
As I said, good luck with staying in business...
Many of these companies still seem to be surviving quite well actually. YOU, however, would be out at best at the next contract renewal if you don't let some of these people get their own way.
It works better if you realise they missed the log out/log back in the setup help. Didn't check if it applies changed folder lists but it doesn't update your app whitelist without it. Cue much annoyance.
Also if you're using a 'select folder' file dialog it will just silently fail to write. No warning. Be careful.
Yes, I read the article, had a look and it's greyed out. Even the normally pretty useless "Microsoft Community" (Where shills meet to defend the mother ship) has this documented. To use this protection you have to rely only on the less safe MS AV. It's the IT equivalent of saying "Take off your condom and use the rhythm method".
I always have a sinking feeling when I read about falling creators.
Will they ever land?
With luck they'll land somewhere in Red, and I do mean 'red', mond.
Insert lyrics from 'Beautiful Streamer' or 'Blood on the Risers' here. http://home.hiwaay.net/~magro/parasongs.html
Airborne!
Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. It isn't as if those applications don't always have a lengthy list of patches every month, finding such an attack will be pretty easy.
I don't see this as a long term solution, it is fixing last year's problem while the malware guys are already working on next year's nasties.
"Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "
You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.
Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.
So if this feature is for Defender and Defender is supplied with Windows and Windows 7 is still supported will Microsoft get sued if someone gets ransomware that would have been stopped by something they didn't add to Windows 7 because they are trying to get everyone on Windows 10?
I'm making the assumption this is not being added to Windows 7.
A new feature that adds security and fixes a problem that allows ransomware to propagate on a machine.
If the OS was secure then it wouldn't be needed however it is therefore it's a fix to a problem.
Let's say a variant of ransomware infects Windows 7 machines but not Windows 10 due to this "feature"; you could argue that Microsoft was negligent in not adding this to Windows 7, leaving users vulnerable, as they are obliged to supply security fixes.
You say tomato, I say potato.
'Windows Defender' on Win 7 is a useless application which tries and fails to do something about spyware. 'Windows Defender' on Win 8 and later, including Win 10, is an application of quite limited use which attempts to do something about malware in general, including spyware, but which is not the best antimalware app ever made. There are notable differences between Defender on Win 8/8.1 and Defender on Win 10; this feature is merely one more. Defender on Win 8 was built on the bones of Microsoft Security Essentials, for Win 7. They are not the same application. Defender on Win 10 has the same name but is not the same application as Defender on Win 8/8.1. If you want the features of Defender on Win 10, you have to be running Win 10. In other words, no, this won't be backported to Security Essentials on Win 7. And, no, this won't be backported to Defender on Win 8/8.1. Go ahead and sue. You will lose.
.... when I disable its "feature" to send files automatically to MS without my approval? If you show a warning icon when users disable "features" that may send out proprietary and sensitive information, users will start to ignore the icon even when there's a real threat.
Yes, it could. I'm probably 12 hours too late for this post to be seen, but here goes:
Screenshot 1: https://i.imgur.com/dnIkfvs.png
Here, I have just turned off Automatic Sample Submission. Notice how the Defender tray icon is showing a warning icon, along with an alert in the main Defender Security Centre window.
Critically, clicking the "Dismiss" link by the alert does not just dismiss the alert from the Security Center window: it also dismisses the warning icon from the system tray.
Screenshot 2: https://i.imgur.com/AjHPfxB.png
Notice how Automatic Sample submission is still set to "Off", yet the tray icon has a happy little green tick icon on it again.
Aaah, peace!
Intended as a serious question so please be gentle with me.
I was under the impression that it was common for the attack to use the user's credentials so I don't understand how this could be as secure as you suggest. Does this simply act as an internal firewall based on connecting application?
I would assume so.
I have no idea as I'm not Technical... ah, well, sometimes I am. But I would guess, just as clicking "resource monitor" shows the actual program making the file request, this also works on the program level?
Though as noted above, it may just be one more step in the escalation to control the malware needs, it now needs to hijack another program in addition to credentials.
It's an application firewall. Doesn't matter what credentials are used, even if you have permission on the files. If the application isn't allowed, it doesn't get access.
It's like the application sandboxing in, say, Android but for file access only. The application needs permission to access the files; doesn't matter that the user running the application has access.
I don't know, but if I were asked to implement such a feature then here's how I'd do it.
Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add an access control entry (ACE) denying write access to some lowly level of integrity.
Windows Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)
The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processes have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.
Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.
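The post above is explicitly a guess at an implementation, so, as an added example that is neither the thread's own material nor a description of how Controlled Folder Access actually works, this shows just the integrity-label half of that guess with built-in tools: a folder labelled High refuses writes from ordinary Medium-integrity processes, while an elevated (High) process, the stand-in for a "whitelisted" one, still writes. The folder path and file names are constructed.

```powershell
# Added demo of Windows mandatory integrity labels (the mechanism the post above
# speculates about). This is NOT Controlled Folder Access. Run this elevated;
# then repeat the Test-WriteAccess call from a normal, non-elevated prompt.
$folder = 'C:\IntegrityDemo'   # constructed demo path
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Label the folder High. The default label policy is No-Write-Up (NW), so any
# process running at Medium or Low integrity is denied write access regardless
# of the user's ordinary ACL rights. (OI)(CI) makes children inherit the label.
# A process may only set a label at or below its own level, hence "elevated".
icacls $folder /setintegritylevel '(OI)(CI)H' | Out-Null

# Show the label that was applied:
#   Mandatory Label\High Mandatory Level:(OI)(CI)(NW)
icacls $folder

# Integrity level of the current process, straight from its token.
# Elevated prompt -> "High Mandatory Level"; normal prompt -> "Medium Mandatory Level".
function Get-CurrentIntegrityLevel {
    (whoami /groups | Select-String 'Mandatory Level').Line.Trim()
}

# Try to create a file in the labelled folder; $true on success, $false on denial.
function Test-WriteAccess {
    param([string]$Path)
    try {
        $file = Join-Path $Path ("probe-{0}.txt" -f $PID)
        Set-Content -Path $file -Value 'probe' -ErrorAction Stop
        Remove-Item $file -ErrorAction SilentlyContinue
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false   # "Access to the path is denied": No-Write-Up did its job
    }
}

Get-CurrentIntegrityLevel
Test-WriteAccess -Path $folder     # elevated: True; non-elevated: False

# Clean-up when done (elevated): drop the label back to Medium and remove the folder.
# icacls $folder /setintegritylevel '(OI)(CI)M'; Remove-Item $folder -Recurse
```

Note the same limitation the post points out: the label is checked when a handle is opened, so a handle obtained before a process dropped in integrity keeps whatever access it was granted.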
Sure because 'the user' (nice patronising term there) will know all about the Windows Defender Security Center App won't they? They'll know exactly what arcane switch to flick, what password is needed, and they'll entirely understand why they can no longer save shortcuts on the desktop.
And we wonder why IT people get a bad rep.
A file system which allows snapshots is an effective protection against malware encrypting network share files. Enable automatic snapshots every n minutes, and when you spot ransomware, you can go back in time (after you've cleared the infection, of course) faster than having to restore a backup.
Of course, it would be better to minimize the users having write access to any given share/folder, and maybe use a better way to share documents (i.e. something with auditing and versioning, for example), not easily accessible by a ransomware. A "free-for-all" approach is never sensible.
That's why I explicitly said "network share files", where an attacker's access is rather more limited. If the remote file system is also a non-Windows one (i.e. ZFS on a FreeBSD system, for example), it becomes harder for the attacker. It's another layer of protection.
Finally got the update installed. Bit busy, and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.
It lets me protect folders on my NAS but not apply the setting to the whole NAS. I need to apply it to each folder. But in answer to the original question - yes - you can apply the protection to network locations.
Finally got the update installed. Bit busy, and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.
One of the reasons I seldom boot into Windows anymore. It will've decided some driver needs changing, or I've made a drastic hardware change like put the mouse in the wrong USB port (the one I plugged it into last week instead of earlier this week) or some other event that so seriously affects things that it wants a reboot. And when I reboot it takes a few minutes for Windows to shut down (I love showing off 11-15 second shutdowns in Linux with a ton of programs open!) so I wander away, hoping to be back to catch it.
I found Grub Customizer, which has let me set the Grub time to 5 minutes (I would love a "don't automatically boot OS" option), so at least I have some hope of intercepting the normal boot-into-Linux and letting Windows start the next stage of its 5xrebootforminorchanges cycle.
Nice to know that network shares can be protected. Don't suppose the system defaults to protecting stuff though does it?
It works for OneDrive. Well, the way I have it set up on this machine anyway. On this machine, to write to OneDrive it writes to a local drive which then syncs to OneDrive. I can apply the setting to the OneDrive folder in Explorer (which in a physical sense is a local folder). So yes, it works (on this machine).
Need to update my laptop at some point. I don't store all OneDrive files locally on the laptop so that might be different.
Not worth persisting with to protect your actual-data then, just because one thing got blocked?
A big part of the hate directed at 8/8.1/10, a big part of the reasons given why people resist switching to secure OS's etc etc is that it "breaks their workflow".
People tend to hate things that make their jobs harder. Many also like a new feature and want to use it, but until they get the time to get it working right they turn it off.
Sometimes time is worth more than faffing about with MS settings and fighting yet another change to the way Windows works. Also why I use Mate instead of other systems - I like functions Gnome2 had which were removed in 3.
Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.
I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.
Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.
Thanks :)
I switched slowly myself. I started it on some server stuff I was doing, and slowly moved it over. I had some type of terminal program (maybe Cygwin) that would let me ssh into the server. I started using it more and more with Ubuntu 8, and IIRC for a while I had the ultimate in dual-boot - 2 computers side-by-side!
What sold me was the first time I went to use my Epson printer/scanner on Linux. Stood up to turn the printer on, sat back at the computer, and there was a prompt saying it was ready. No driver searches, no wait while the OS finds drivers, just done and ready to work.
Of course, back then computers were a tiny fraction of my normal working life, so I had it easy.
(Oh, and as I said I still stick with something Gnome2-like because that's what I like - I'm comfortable in KDE and Cinnamon, but the UI on the latest Fedora also made it my shortest-lived VM :) )
I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.
Yeah they do waste a LOT of screen real estate! Efficient UI design DOESN'T involve having 3 words and one on/off slider per screen!
So when you turn on Deny permissions and users still can get access to it, this is more secure? Have seen this happen SO many times. REGARDLESS of inheritance, if you use deny permission on that group, they should not have access, yet randomly, sometimes they do.
The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do.
This is the stuff that Dave Cutler brought to the party, 25 years ago. I've seen various ways of getting the configuration wrong, but I've never seen the configuration not being enforced properly.
If you are a big fan of the original UNIX model then you can stick to that subset, although UNIX doesn't anymore so perhaps it wasn't quite so great.
"if you use deny permission on that group, they should not have access, yet randomly, sometimes they do."
Not on Windows they don't. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid. If users have access then they are not in a group with a deny entry.
Not on Windows they don't. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid.
You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?
I've performed thousands of tests, and found the Windows security model... Actually, no, that's not true, I've never found the Windows security model because it does not exist!
"You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?"
LOL @ complete lack of understanding of ACLs. To be able to do that you need admin rights, AND the admin account needs to have rights to "take ownership" to the files in question.
By default, if you have admin rights, of course you can change permissions. However, you can easily deny even the admin account access to files and folders if you need to. Which is something that the inflexible and more primitive *nix ACL model can't manage for root...
You're an MS shillsupporter and you challenge others on security?
And no, you clearly have a complete lack of understanding of MS's complete lack of security. I'm talking a LIMITED account with no admin rights on a Win7 (and I think I've seen this on 8) where the kids wanted to access something in another account (admin or not), they click the folder, get told they don't have permissions "click here to permanently get permission to access this folder",
We're talking home users, so the MS craptastic and generally rather broken ACLs don't exactly come into it, do they? Default MS settings: to be as insecure as possible, and when that's not insecure enough, to automatically and permanently give full access to whoever asks.
"The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do."
Windows ACLs are more granular and have more options, so it's much easier to achieve exactly what you want than on *nix. Also it has more advanced features like constrained delegation and discretionary access control that you simply can't do with *nix without installing complex third-party products. You clearly don't know the subject matter very well...
How difficult could it be for Microsoft to implement something that checked if multiple files have been written to in the same folder (perhaps with different extensions) by the same process and block write access until whitelisted? Surely not rocket science?
That way, all folders would be protected.
So to work, it has to know which applications are allowed to write to the trusted folders. I guess initially only the Microsoft ones, like MS Office. So a macro virus (or successful phishing) targeting Word or Excel can bypass this easily.
By the way, this sounds like a limited version of Linux AppArmor.
I couldn't say about performance (can't check with Home edition) but surely the problem is that almost every program wants to write at least something to disk. So if you protect C: you need to allow every program access and if every program has access, there's no protection at all.
I suppose one option would be to protect everything except %APPDATA% but that doesn't provide much protection above the standard because almost everything that's not in there or documents needs admin permission anyway (and if you're running as admin, you can just turn off the protection).
"Why selected folders? And not entire drives?"
Because then you would have to white list a much larger range of binaries which would defeat the whole objective of keeping applications allowed to write to the controlled areas of the disk to a minimum?!
Not to mention that there shouldn't be any data that you care about outside of the default locations.
Not to mention that there shouldn't be any data that you care about outside of the default locations.
So.. You shouldn't have backups because e:\backup is not a default location?
Why should it matter where I stick my data? Or is MS still a bit dumb in the concept of not everyone does everything the same?
You are delighted that Microsoft is apparently unable to whitelist their own apps?
Would it not rather suggest that the whitelisting criteria are sufficiently difficult to get right that the number of false positives will be huge, which in turn will cause the vast majority of users to disable this feature?
So my sysadmin turned this on on my computer so I don't need to fear ransomware anymore. Only one snag: this handy little photo editor I downloaded from the interwebs couldn't access my files in Documents anymore. No worries, though, I just created a new folder Documents2 and put all my files there! Am I a computer wiz or what?
No. You are the kind of doofus that the feature is designed to obstruct. A computer wiz would have provided sufficient evidence to their sysadmin that the handy little photo editor was legit and should be added to the whitelist.
In the meantime, you've created a nice little sandbox called Documents2 and when you next download some ransomware it will only be that sandbox that gets toasted. "Documents" will be fine.