Is Controlled Folder Access worth trying?

  • Yes: 20 votes (69.0%)
  • No: 9 votes (31.0%)
  • Total voters: 29

plat1098

Level 21
Verified
Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.


So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
plat1098 said:
Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.

So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....
I think that if you are using Microsoft Defender it's a strong part of the overall package and you should enable it.
It did very well against ransomware in the HUB.
 

security123

Level 24
Verified
plat1098 said:
Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.

So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....
You misinterpreted the result. The request from HWINFO64 is blocked, but the program works without it / is only restricted.
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
security123 said:
You misinterpreted the result. The request from HWINFO64 is blocked, but the program works without it / is only restricted.
I understand the issue for @plat1098 here.
You are never completely sure what to do.
The program worked fine but is restricted.
Do you need to unblock it for the program to work completely or is it fine this way?
Things like this make me nervous when using CFA.
 

oldschool

Level 55
Verified
Here is one example from the CD thread. It is for the ASR rule "Block lsass.exe ...." but the way the WD alert functions is similar in CFA. See the italicized sentence:


Vasudev said:
@Andy Ful Suddenly WD blocks Wise Uninstaller's Uninstall monitor module saying lsass.exe minor risk rule was applied.
You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other monitoring legal applications, so it is Disabled in ConfigureDefender "Defender high settings".
 

plat1098

Level 21
Verified
Thanks for the replies so far. I want to make it very clear: this is NOT a critique of Microsoft. This is questioning the efficacy of Controlled Folder Access within a given scenario. Can this concept be absorbed and future replies tailored accordingly, please? Thanks! :mad:

The alert from CFA contains the following text:

[screenshot: hwinfocfa.png]


What is that block instance supposed to affect in HWINFO? Like I said, to my eyes all sensors were recorded and seemingly functioning in real time. RAM timings were recorded as usual. For System Summary, CFA took even longer to alert, but all info was shown in the HWINFO boxes. And that is why I said I may go elsewhere for a reply. The dev of HWINFO has a forum, I'll check it out later.

My point: I thought it was all or nothing when it came to CFA. Here: an alert and the program runs anyway, SEEMINGLY unchecked.
 

oldschool

Level 55
Verified
plat1098 said:
My point: I thought it was all or nothing when it came to CFA. Here: an alert and the program runs anyway, unchecked.
I have a similar issue when running Aomei Backupper: an alert but the program runs successfully. I have backups that I've used without issue. Andy can explain better than I, but it is poor implementation. AFAIK it is not "all or nothing."
 

plat1098

Level 21
Verified
What I'm wondering is if CFA is too slow to block for certain programs. Here's an example from personal experience: Some time ago, OSArmor couldn't block legacy Edge from opening if Edge was enabled to run in the background. It would throw an alert as if a block happened but legacy Edge would open unhindered and function perfectly.

So another point I'm making: just because you get an alert, it apparently doesn't mean squat in some cases. Which leads back to my original dilemma; is it worth keeping enabled? I'll need more info and will try to get that elsewhere.

If I'm aware of contingencies like this, I can make better decisions about what to keep or discard on my machine. In OSA's case it was a matter of toggling certain apps running in the background to OFF, and it's a keeper, then. Here, I'm not so sure.
 

SeriousHoax

Level 29
Verified
Malware Tester
plat1098 said:
What I'm wondering is if CFA is too slow to block for certain programs. Here's an example from personal experience: Some time ago, OSArmor couldn't block legacy Edge from opening if Edge was enabled to run in the background. It would throw an alert as if a block happened but legacy Edge would open unhindered and function perfectly.

So another point I'm making: just because you get an alert, it apparently doesn't mean squat in some cases. Which leads back to my original dilemma; is it worth keeping enabled? I'll need more info and will try to get that elsewhere.

If I'm aware of contingencies like this, I can make better decisions about what to keep or discard on my machine. In OSA's case it was a matter of toggling certain apps running in the background to OFF, and it's a keeper, then. Here, I'm not so sure.
It's worth keeping it enabled. I don't understand the concept of CFA blocking changes to memory but the main function of CFA is to block apps from modifying files in the protected folders and it does that job well. You should take a closer look at the distinction of notification messages of CFA blocking. In your case of Bandicam, it probably writes its recording into the documents folder so it was blocked from recording. This is related to writing into the folder, not related to making changes to the memory.
Here's an example that I just reproduced. I made Internet Download Manager save a downloaded file into one of my custom-added protected folders and it was blocked immediately from writing into the folder, i.e. CFA is working as intended (y)
[screenshot: 1.png]

P.S. This is an insider build of Windows, hence the difference in Windows Security icon and redesigned notification box.
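The question running through this thread (the HWINFO64 alert, the Wise Uninstaller lsass.exe alert quoted by oldschool, and the Bandicam vs. IDM cases above) is the same one: when Defender shows an alert but the program keeps running, what exactly was blocked? Defender records this per operation in its operational event log, not per program: event 1123 names one process and one target path for a Controlled Folder Access block (1124 in audit mode), and 1121/1122 do the same for an ASR rule, with the rule GUID attached. Reading those fields tells you whether a single write to Documents was refused or whether the app's core function was stopped. The PowerShell below is an added example, not code from anyone in this thread or from Microsoft; it shows the CFA mode, the custom protected folders and allowed apps, the configured action for the lsass.exe ASR rule, and decodes recent block/audit events. The HWiNFO64 path in the final comment is a placeholder, not a path given in the thread, and the EventData field names (`Process Name`, `Path`, `ID`, `User`) are read from the event XML as Defender writes them for these event IDs.

```powershell
# Added example: inspect Controlled Folder Access / ASR state and decode the
# per-operation block events behind the alerts discussed in this thread.
# Not code from the thread or from Microsoft. Run in an elevated PowerShell
# on Windows 10/11 with Microsoft Defender Antivirus as the active AV.
#
# Event IDs in Microsoft-Windows-Windows Defender/Operational:
#   1123 CFA blocked a write    1124 CFA audit-only
#   1121 ASR rule blocked       1122 ASR rule audit-only

$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'
# Microsoft's rule GUID for "Block credential stealing from the Windows local
# security authority subsystem (lsass.exe)".
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Get-CfaState {
    $p = Get-MpPreference
    $modes = @{
        0 = 'Disabled'
        1 = 'Enabled (block)'
        2 = 'AuditMode'
        3 = 'BlockDiskModificationOnly'
        4 = 'AuditDiskModificationOnly'
    }
    [pscustomobject]@{
        CfaMode = $modes[[int]$p.EnableControlledFolderAccess]
        # Only folders you added yourself; Documents, Pictures, etc. are protected implicitly.
        CustomProtectedFolders = @($p.ControlledFolderAccessProtectedFolders)
        AllowedApps            = @($p.ControlledFolderAccessAllowedApplications)
    }
}

function Get-LsassRuleAction {
    # Configured action for the lsass ASR rule (the rule behind the quoted Wise Uninstaller alert).
    $p = Get-MpPreference
    $actions = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 5 = 'NotConfigured'; 6 = 'Warn' }
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassRuleId) {
            return $actions[[int]$p.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
    return 'NotConfigured'
}

function Get-DefenderBlockEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $DefenderLog
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt = $_
        # Read the named EventData fields from the XML instead of scraping the message text.
        $xml = [xml]$evt.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $kind = switch ($evt.Id) {
            1121 { 'ASR block' }
            1122 { 'ASR audit' }
            1123 { 'CFA block' }
            1124 { 'CFA audit' }
        }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            Kind    = $kind
            Process = $d['Process Name']  # the app whose single operation was blocked
            Target  = $d['Path']          # file/folder it tried to write (CFA) or the target it touched (ASR)
            RuleId  = $d['ID']            # ASR rule GUID; empty for CFA events
            User    = $d['User']
        }
    }
}

function Add-CfaAllowedApp {
    # Use only after deciding the program is trustworthy: this permits ALL of that
    # executable's writes into protected folders, not just the one that was blocked.
    param([Parameter(Mandatory)][string]$ExePath)
    Add-MpPreference -ControlledFolderAccessAllowedApplications $ExePath
}

# Usage
Get-CfaState | Format-List
"lsass ASR rule action: $(Get-LsassRuleAction)"
Get-DefenderBlockEvents -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize
# Placeholder path (assumed, not from the thread); adjust to the installed binary:
# Add-CfaAllowedApp -ExePath 'C:\Program Files\HWiNFO64\HWiNFO64.EXE'
```

If the `Target` column for a 1123 event points at a file under Documents while the app's main output lives elsewhere (a log, a settings export, a screenshot), the block cost you that one write and nothing else, which is the situation security123 and Andy Ful describe. If `Target` is the file the program exists to produce, as with a recorder or downloader saving into a protected folder, the block stopped the job and you either change the output folder or allow the executable. Either way, decide from the event, not from whether the window stayed open.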
 

upnorth

Moderator
Verified
Staff member
Malware Hunter

oldschool

Level 55
Verified
SeriousHoax said:
It's worth keeping it enabled. I don't understand the concept of CFA blocking changes to memory but the main function of CFA is to block apps from modifying files in the protected folders and it does that job well. You should take a closer look at the distinction of notification messages of CFA blocking. In your case of Bandicam, it probably writes its recording into the documents folder so it was blocked from recording. This is related to writing into the folder, not related to making changes to the memory.
Excellent explanation, my friend! The "changes to memory" vs. "blocking apps from modifying folders" is the crucial distinction. I don't really understand how CFA is supposed to protect memory.

That appears to be a trivial bypass used to encrypt. Too easy ....
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator