Advice Request Controlled Folder Access in May 2020 Update?

Please provide comments and solutions that are helpful to the author of this topic.

Is Controlled Folder Access worth trying?

  • Yes

    Votes: 20 66.7%
  • No

    Votes: 10 33.3%

  • Total voters
    30

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.



So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.



So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....

I think that if you are using Microsoft Defender it's a strong part of the overall package and you should enable it.
It did very well against ransomware in the HUB.
 
F

ForgottenSeer 85179

Here's a question: If CFA doesn't block something harmless from opening, I'm not confident it'll block something when it really counts. I made an example: CFA completely blocked Bandicam from recording but didn't block HWINFO64, just throws a message after the fact.



So, is it as strong a case to keep it enabled? It's not as annoying as it was pre-2004 but still has its moments....

You misinterpreted the result. The request from HWINFO64 is blocked, but the program works without/ is only restricted
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415
You misinterpreted the result. The request from HWINFO64 is blocked, but the program works without/ is only restricted
I understand the issue for @plat1098 here.
You are never completely sure what to do.
The program worked fine but is restricted.
Do you need to unblock it for the program to work completely or is it fine this way?
Things like this make me nervous when using CFA.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
So, is it as strong a case to keep it enabled?
Yes. Keep it enabled.

CFA alerts don't distinguish between "block", "audit" or generic notifications. I asked Andy about this. For example, if I make a change to WD settings manually via Powershell, CFA alerts showing explorer protected from powershell.exe. It is poor implementation of the alerts.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
Here is one example form CD thread. It is for ASR rule "Block lsass.exe ...." but the way WD alert functions is similar in CFA. See italicized sentence:


Vasudev said:
View attachment 211065
@Andy Ful Suddenly WD blocks Wise Uninstaller's Uninstall monitor module saying lsass.exe minor risk rule was applied.
You have activated the custom settings or 'Child Protection', with the ASR rule:
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
I do not know for what reason UnMonitor.exe wants to interfere with lsass.exe, it should not.
If you are certain that the application is clean and safe, then it is OK. The alert does not mean that all actions of UnMonitor.exe are blocked, but only access to lsass.exe, so probably you can ignore it. This ASR rule can alert for some other monitoring legal applications, so it is Disabled in ConfigureDefender "Defender high settings''.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Thanks for the replies so far. I want to make it very clear: this is NOT a critique of Microsoft. This is questioning the efficacy of Controlled Folder Access within a given scenario. Can this concept be absorbed and future replies tailored accordingly, please? Thanks! :mad:

The alert from CFA contains the following text:

hwinfocfa.png


What is that block instance supposed to affect in HWINFO? Like I said, to my eyes all sensors were recorded and seemingly functioning in real time. RAM timings were recorded as usual. System Summary, CFA took even longer to alert, but all info was shown in the HWINFO boxes. And that is why I said I may go elsewhere for a reply. The dev of HWINFO has a forum, I'll check it out later.

My point: I thought it was all or nothing when it came to CFA. Here: an alert and the program runs anyway, SEEMINGLY unchecked.
 

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
My point: I thought it was all or nothing when it came to CFA. Here: an alert and the program runs anyway, unchecked.
I have a similar issue when running Aomei Backupper: an alert but the program runs successfully. I have backups that I've used without issue. Andy can explain better than I, but it is poor implementation. AFAIK it is not "all or nothing."
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
What I'm wondering is if CFA is too slow to block for certain programs. Here's an example from personal experience: Some time ago, OSArmor couldn't block legacy Edge from opening if Edge was enabled to run in the background. It would throw an alert as if a block happened but legacy Edge would open unhindered and function perfectly.

So another point I'm making: just because you get an alert, it apparently doesn't mean squat in some cases. Which leads back to my original dilemma; is it worth keeping enabled? I'll need more info and will try to get that elsewhere.

If I'm aware of contingencies like this, I can make better decisions about what to keep or discard on my machine. In OSA's case it was a matter of toggling certain background apps running in the bkgrd to OFF and it's a keeper, then. Here, I'm not so sure.
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,868
What I'm wondering is if CFA is too slow to block for certain programs. Here's an example from personal experience: Some time ago, OSArmor couldn't block legacy Edge from opening if Edge was enabled to run in the background. It would throw an alert as if a block happened but legacy Edge would open unhindered and function perfectly.

So another point I'm making: just because you get an alert, it apparently doesn't mean squat in some cases. Which leads back to my original dilemma; is it worth keeping enabled? I'll need more info and will try to get that elsewhere.

If I'm aware of contingencies like this, I can make better decisions about what to keep or discard on my machine. In OSA's case it was a matter of toggling certain background apps running in the bkgrd to OFF and it's a keeper, then. Here, I'm not so sure.
It's worth keeping it enabled. I don't understand the concept of CFA blocking changes to memory but the main function of CFA is to block apps from modifying files in the protected folders and it does that job well. You should take a closer look at the distinction of notification messages of CFA blocking. In your case of Bandicam, it probably writes its recording into the documents folder so it was blocked from recording. This is related to writing into the folder, not related to making changes to the memory.
Here's an example that I just reproduced. I made Internet Download Manager to save a downloaded files into one of my custom added protected folder and it was blocked immediately from writing into the folder i.e. CFA is working as intended (y)
1.png

P.S. This is an insider build of Windows hence the difference in Windows Security icon and redesigned notification box.
 

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,698
It's worth keeping it enabled. I don't understand the concept of CFA blocking changes to memory but the main function of CFA is to block apps from modifying files in the protected folders and it does that job well. You should take a closer look at the distinction of notification messages of CFA blocking. In your case of Bandicam, it probably writes its recording into the documents folder so it was blocked from recording. This is related to writing into the folder, not related to making changes to the memory.
Excellent explanation, my friend! The "changes to memory" vs. "blocking apps from modifying folders" is the crucial distinction. I don't really understand how CFA is supposed to protect memory.

That appears to be a trivial bypass used to encrypt. Too easy ....
 

ErzCrz

Level 23
Verified
Top Poster
Well-known
Aug 19, 2019
1,222
I probably should use CFA though H_C recommended would to the initial blocking of any rogue file anyway so I'm still on the fence on this one.
 

Gandalf_The_Grey

Level 84
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,415

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top