Advice Request Windows 10 has a built-in ransomware block, you just need to enable it

[codswollip]

If you do need it, then you create an allow exclusion.

Hardly earth shaking. But when you have to do this every day, for everyday usage, it is less than helpful. For over 20 years, I've never has CFA protection, and have not been affected by its absence.

It's much like a malfunctioning doorbell that must you attend to, only to find your porch empty. Surely you are familiar with the term "cry wolf"... Well, that is what we have here. Poorly implemented protection. Should a real alert ever arise, the auto-response will be to whitelist it.

Even the basic protection DanB's fine program provides, offers a whitelist scan for user approval. Surely Microsoft could make a protective tool useful.

When I first got the wuauclt alert, my reaction was WTH is that? After googling around, it seemed innocuous, though essential, and I made an exception... a complete waste of time, and an interruption of video editing I was engaged. I can't imagine how "joe average user" will even understand all the false flags that CFA throws.

Good for you that you find immense satisfaction in this "feature"... I'me just a few days from disabling this "protection".

 

[Andy Ful]

..
It's much like a malfunctioning doorbell that must you attend to, only to find your porch empty. Surely you are familiar with the term "cry wolf"... Well, that is what we have here. Poorly implemented protection. Should a real alert ever arise, the auto-response will be to whitelist it.
..

Please remember that on many computers CFA does not work like on yours. For example, I never saw CFA blocks for wuauclt.exe and generally, CFA is very silent on my family computers. This is also probably true for computers that do not use 3rd party disk tools and several applications that can have write access to protected folders. It is not true that CFA is a "cry wolf" or it is a poorly implemented protection. The truth is that it is by design simple protection which will not be useful for many people. The CFA alert is more like a shop bell than a security camera monitoring system. The sound of the bell does not mean that someone is going to rob the shop. Many shops still use shop bells, but it is nonsense to use them in supermarkets.

 

[plat]

There are also mainstream users here like me who would like something more user-friendly and smarter. Why must we users do everything--starting with whitelisting? CFA needs some machine-learning/AI to become a more useful utility.

I don't use it because it's annoying. Plain and simple.

 

[Andy Ful]

CFA needs some machine-learning/AI to become a more useful utility.

The machine-learning/AI is already implemented in Defender. It covers also ransomware detection and it can be extended by using ASR rules. It will be hard to extend the ML/AI approach to CFA. The ML/AI approach is based on blacklisting and CFA is based on whitelisting. These are complementary solutions. The CFA is only an addition to already existent security.
CFA cannot be made smarter in the usual way by learning in the cloud. This would decrease its protection. It is probably possible to use a kind of local AI that could learn/remember the normal activity on the computer from the unusual/suspicious one. But, this is a solution for next-generation computers (maybe).

 

[plat]

CFA cannot be made smarter in the usual way by learning in the cloud. This would decrease its protection.

How so? I'm curious, Andy Ful. We want and need this security feature but paradoxically, it's user-unfriendly. So we do without or turn to other programs.

Microsoft with its trillion-plus bucks can't throw a few of those bucks at the Defender engineers? It's like your car has this proprietary GPS system that steers you in the wrong direction 1 out of every three times. You really want this feature but it comes with too much of a burden. So you either go without or spend time and money getting an alternative.

It's a waste. How many Windows users actually enable CFA for the long term? It's rhetorical, of course, but I kinda would like to know.

 

[monkeylove]

That's why it's disabled by default. Use something else until they make it better.

 

[Andy Ful]

How so? I'm curious, Andy Ful. We want and need this security feature but paradoxically, it's user-unfriendly. So we do without or turn to other programs.

Microsoft with its trillion-plus bucks can't throw a few of those bucks at the Defender engineers? It's like your car has this proprietary GPS system that steers you in the wrong direction 1 out of every three times. You really want this feature but it comes with too much of a burden. So you either go without or spend time and money getting an alternative.

All that you have written is also true for using seatbelts in cars. CFA or Whitelisting is like using seatbelts. The seatbelts are with us for many years and they are still inconvenient (Why????!!!!).
The situation with seatbelts is even worse, because using them is forced (in many countries) by traffic regulations.
So, let's try answering a more urgent question "why car producents do not try to improve the seatbelts?"
This problem of seatbelts was solved many years ago in science fiction (force field).

It's a waste. How many Windows users actually enable CFA for the long term? It's rhetorical, of course, but I kinda would like to know.

How many users had used seatbelts before using them was forced by regulations? Not many.
I think that most people do not enable CFA for similar reasons. I would also say, that not using CFA is not as a bad idea as not using seatbelts.

Using local AI/ML (or other methods) to finetune CFA would be similar to using intelligent force field seatbelts.
If I correctly remember there are some commercial security solutions on the market (Nyotron Paranoid) that can be adjusted locally (not AI/ML) to remember (and whitelist) the "NORMAL" behaviors and activities of legal users on the particular computer or network. Other activities/behaviors (even non-malicious) in this particular environment are blocked.

 

[Andy Ful]

The malware detection based on signatures/heuristics/ML/AI is very good but it is also limited by design. It requires "Big data" and relies on malicious/anomalous content. The problem is that malware evolves and can successfully mimic the legal/benign content. Nowadays the malicious behavior follows often from the context. The context cannot be properly recognized in the cloud via limited telemetry and privacy restrictions. Such malware can be better prevented by whitelisting methods applied locally.
The stronger prevention follows from the whitelisting which is strongly adjusted to the particular computer. This creates diversity which is a big problem for malware, similarly to the diversity of immune systems of different species (goldfish will not die from COVID infection). That is why something like Nyotron Paranoid can be very efficient protection.

Edit.
In the Home environment, the whitelisting methods can be important for children, happy clickers, and casual users. Normally, the anti-ransomware protection based on signatures/heuristics/ML/AI is enough for most users. It is true that some users will be infected anyway, but chances for that are very low (probably similar to chances of death in a car accident).

 

[Andy Ful]

Yes. It is impossible to find some information about MoUsoCoreWorker blocks. Microsoft simply does not know how to help users or does not care about them. If one would like to ask for help about CFA or ASR on the answers.microsoft.com website, then I can say that the advisors know very little about these advanced settings. One of the advisors even thought that applying Defender's settings via PowerShell is a kind of hacking.

Except for the MT forum, any useful practical information about ASR rules can be found only in a few articles, for example:

Microsoft Defender Attack Surface Reduction Recommendations

Palantir’s Infosec team shares their tips and best practices

medium.com

I did not found any useful practical article about CFA problems. One can find more practical tips on this thread (or some other MT threads) than after spending many hours with Google. Even several Microsoft documents wrongly describe the events related to CFA (Id=1127 is often skipped).

 

[oldschool]

It does not even generate an alert in the Windows Defender GUI. ... The block event only appears in Windows events log. Nothing broken and therefore I do not care about the block and go about my merry way.

This is how I use it after realizing how CFA works. If it's not broken, don't fix it! People complain without understanding or intuiting how it works.

 

[The_King]

For those using OneDrive, be aware of the following option, making files online only. It was enabled by default on my system and
means that certain files will not be available on your system if you do not have internet access! This can be a big problem for some users.
I have this option disabled now. Instructions on how to disable and more info in the link below.

Save space with OneDrive​

With OneDrive Files On-Demand, you can:

• Save space on your device by making files online only
• Set files and folders to be always available locally on your device
• See important information about files, such as whether they are shared
• See thumbnails of over 300 different file types even if you don’t have the required application installed to open it

Your files will have these statuses in File Explorer:

Save disk space with OneDrive Files On-Demand for Windows - Microsoft Support

Learn how to use OneDrive Files On-Demand to sync your OneDrive files and save disk space in Windows 10.

support.microsoft.com

 

[codswollip]

Controlled Folder Access...INTRUDER ALERT INTRUDER ALERT INTRUDER ALERT

 

[Andy Ful]

Controlled Folder Access...INTRUDER ALERT INTRUDER ALERT INTRUDER ALERT

It is strange because no one ever reported such behavior. ConfigureDefender currently does not directly do anything in %userprofile%. The older version did write the Defender Security Log, but in %Userprofile%\Appdata\Local\Temp. This alert is suspicious.

1. Is your ConfigureDefender digitally signed? What version do you use?
2. What did you do in ConfigureDefender just before this alert?
3. Did you add any exclusion related to the Favorites folder just before the alert?
4. Could you post the info related to this event from ConfigureDefender Security Log?

Thank you.

 

[Andy Ful]

I suspect that some external process (Windows native or some application) can inject the code into ConfigureDefender, and next this code writes something into your Favorites folder. This can be a link to ConfigureDefender or something else. You can inspect your Favorites folder to see what happened.
By the way, you probably noticed that CFA works in Audit mode?

 

[codswollip]

1. Is your ConfigureDefender digitally signed? What version do you use?
2. What did you do in ConfigureDefender just before this alert?
3. Did you add any exclusion related to the Favorites folder just before the alert?
4. Could you post the info related to this event from ConfigureDefender Security Log?

1. How would I do that? Under "Properties/Details"

2. I have no way of knowing. I grew tired of the alerts and changed CFA to "Audit". It was only when I went in to see what new alerts had accumulated that I saw this.

3. No. I was in Audit mode.

4. That screen clip was from CD Security log. Here's the entire section:

Spoiler

 

[Andy Ful]

1. How would I do that? Under "Properties/Details"

https://www.ghacks.net/2018/04/16/how-to-verify-digital-signatures-programs-in-windows/

If the file is digitally signed (Open Source Developer, Andrzej Pluta) then it is OK.
For some unknown reason, your system triggers many unusual Defender alerts.

 

[codswollip]

If the file is digitally signed (Open Source Developer, Andrzej Pluta) then it is OK.

CFA has a field day with all my SyMenu portable packages. Yesterday Thunderbird got dinged, and CFA hates rclone due to a false positive alert that ws propagated courtesy of FBI.

 

[codswollip]

So I'm wondering... I use O&O ShutUp10. Could it be interfering here? Is the WinOS calling home to the mothership for app approval, and then complaining in the absence of a response?

 

[Andy Ful]

So I'm wondering... I use O&O ShutUp10. Could it be interfering here? Is the OS calling home to the mothership for app approval?

It is possible that in some situations Defender can misinterpret the change of CFA settings from ON to Audit. The Favorites folder is not protected in Audit mode (only alerts are shown) and maybe Defender thinks that ConfigureDefender is responsible. It seems that some other applications or some special Windows settings have to be involved, because I have never heard about such behavior. I could not also reproduce this issue on my computers.

 

[codswollip]

@Andy Ful Is it possible to get a pop-up window option for this rule which allows the user to make an exception on a case-by-case basis? Thanks.