Advice Request Controlled Folder Access in May 2020 Update?


Is Controlled Folder Access worth trying?

  • Yes: 20 votes (66.7%)
  • No: 10 votes (33.3%)

  Total voters: 30

Gandalf_The_Grey

Much appreciated. (y)
First one I could find from @Solarquest :
Product: Windows Defender, folder control, default settings + Emsisoft Browser security
Static (On-demand scan): 1 /2
Dynamic (On execution): 1*/1
Total: 2*/2
SUD: all samples missed on static
File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted
 

oldschool

Yes, didn't you quote my post with that test link, or are you talking/thinking about something else? :unsure:

Also again, I'm getting confused. Simple Powershell command?
Abused PowerShell command from the test link:

[Attachment: VirtualBox_Defender Lab_21_06_2020_21_46_08.png]

(MISS) Encryption started

[Attachments: VirtualBox_Defender Lab_21_06_2020_21_46_57.png, VirtualBox_Defender Lab_21_06_2020_21_47_45.png, VirtualBox_Defender Lab_21_06_2020_21_49_24.png]
 

Gandalf_The_Grey

oldschool said: Abused PowerShell command from the test link:
[Attachment: VirtualBox_Defender Lab_21_06_2020_21_46_08.png]
(MISS) Encryption started
[Attachments: VirtualBox_Defender Lab_21_06_2020_21_46_57.png, VirtualBox_Defender Lab_21_06_2020_21_47_45.png, VirtualBox_Defender Lab_21_06_2020_21_49_24.png]

I don't think CFA was used here, only ConfigureDefender on high settings (means CFA off).
Another option can be adding PowerShell protection in the form of Simple Windows Hardening, Hard_Configurator, SysHardener or VoodooShield.
 

blackice

Quoted from post #42 @Gandalf_The-Grey clipped from the findings of Solarquest: "too late for desktop files)
Final status: System infected-> files encrypted "

Thanks very much, this told me all I needed to know. (y)
Didn’t Windows 7 teach us not to store files on the desktop? 🤪 I’ve always hated a cluttered desktop.
 

Gandalf_The_Grey

Quoted from post #42 @Gandalf_The-Grey clipped from the findings of Solarquest: "too late for desktop files)
Final status: System infected-> files encrypted "

Thanks very much, this told me all I needed to know. (y)
You're so very welcome, but I would take another part to quote: yes, but not in protected folders :D
 

SeriousHoax

"too late for desktop files
Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
 

Gandalf_The_Grey

Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
We need a more recent test on version 2004...
 

blackice

Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
Probably removed due to the volume of warnings people got.
 

plat


Let's see what the developer says, if anything. If someone thinks of additional questions or better-phrased ones, let me know and I'll add them to the post.

Might be a very simple explanation, but frankly, when it comes to ransomware, there should be no grey areas.
 

Andy Ful

CFA can protect against two different actions:
  1. Modifications or removing files from the protected folders.
  2. Writing directly to disk sectors.
https://getadmx.com/?Category=Windo...lledFolderAccess_EnableControlledFolderAccess

There is a possibility to apply the policy to allow actions of point 1 and block only actions from point 2. So the info about changes in memory is not related to RAM but to disk memory (disk sectors).
 

plat

Well, the HWINFO developer responded to my post and what ended up happening was I allowed HWINFO64 thru as a Trusted App. What I didn't know was that there was a "hidden" protected folder called Device\CdRom0 that HWINFO64 tried to access.

This info is obtained from Protection History and you can allow the app in question to be whitelisted directly from there in "Controlled folder access settings."

As usual, another mysterious thing courtesy of Microsoft. 😣 For crying out loud. :rolleyes: But I'm keeping it enabled for now, just need to be aware of off-the-wall things like this. :D
 

Solarquest

Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.

Quick info on my test results: memory doesn't help but luckily my comments in the summary as in the dynamic test report.
As you can see files were not encrypted in protected folders but some were on desktop...so WD detected this sample too late (some files on desktop were encrypted) but CFA worked and protected files in protected folders.


File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted

Dynamic test:
fun.bat- files in protected folders were not encrypted, but on desktop.
 

ForgottenSeer 85179

Quick info on my test results: memory doesn't help but luckily my comments in the summary as in the dynamic test report.
As you can see files were not encrypted in protected folders but some were on desktop...so WD detected this sample too late (some files on desktop were encrypted) but CFA worked and protected files in protected folders.


File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted

Dynamic test:
fun.bat- files in protected folders were not encrypted, but on desktop.
Did you add desktop to protected folder? It's no longer protected by default
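The points raised above (Andy Ful's two CFA block modes, plat's need to allow HWiNFO64, and the Desktop no longer being protected by default) can all be checked and adjusted from PowerShell. The following is an added example, not code from anyone in the thread; the HWiNFO64 install path is an assumption, and the Defender event IDs are those Microsoft documents for Controlled folder access.

```powershell
# Added example (not from the thread): inspect and tune Controlled Folder Access
# with the built-in Defender cmdlets. Run from an elevated PowerShell on
# Windows 10 2004 or later with Microsoft Defender Antivirus active.

# 1. Show the current CFA mode and the extra protected/allowed lists.
#    Desktop is not in the default protected set (see the thread), so
#    files there are only covered if you add the folder yourself.
$pref = Get-MpPreference
"CFA mode         : $($pref.EnableControlledFolderAccess)"  # 0=Disabled 1=Enabled 2=AuditMode 3=BlockDiskModificationOnly 4=AuditDiskModificationOnly
"Extra protected  : $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed apps     : $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Add the current user's Desktop to the protected folders.
$desktop = [Environment]::GetFolderPath('Desktop')
Add-MpPreference -ControlledFolderAccessProtectedFolders $desktop

# 3. Turn CFA fully on: blocks both untrusted changes to protected folders
#    and direct writes to disk sectors (Andy Ful's points 1 and 2).
Set-MpPreference -EnableControlledFolderAccess Enabled
# Alternative described in the thread: allow folder changes, block only
# raw disk-sector writes:
# Set-MpPreference -EnableControlledFolderAccess BlockDiskModificationOnly

# 4. Allow a known-good tool by full path instead of turning CFA off
#    (plat's HWiNFO64 case). Path is an assumption; adjust to your install.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\HWiNFO64\HWiNFO64.EXE'

# 5. Review what CFA blocked or audited. Defender operational log IDs:
#    1123 = blocked folder access, 1124 = audited folder access,
#    1127 = blocked disk-sector write, 1128 = audited disk-sector write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127, 1128
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Running step 5 after a test like Solarquest's shows whether a "missed" encryption on the Desktop was a CFA miss or simply an unprotected folder: a 1123 event for the protected folders alongside no event for the Desktop means CFA did its job within its configured scope.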
 

RejZoR

Controlled Folder Access has to be the dumbest, most broken feature in existence. Been trying it since its first debut years ago and it's just as useless as it was back then. Microsoft claims they use whitelists so that known good programs have access to things but bad don't, yet I still have to find this "whitelist". Since the beginning it was constantly whining over super popular things like Steam accessing game files in Documents. Whining about Paint.NET doing the same. In fact it has been whining over EVERYTHING accessing Documents folders. It was always so god damn annoying I've always disabled it. Guess how much changed in all these years. NONE. It's the same useless annoying garbage it was on day 1.

If you want good ransomware protection with this method, then use avast!. At least their "controlled folder access" actually uses whitelist and you'll actually rarely see it annoy you over things. So far only FileOptimizer raised a dialog. Nothing else. Like NOTHING ELSE. And now they are even giving Ransomware Shield to free users.

I just can't understand how Microsoft of all companies can't put their ##### together properly. I'd suggest anyone to use this feature to keep their files safer, but not when it's this broken and this annoying. Now I know why it's disabled by default. Whereas avast!'s Ransomware Shield I can easily recommend anyone using by default. It's that seamless.
 
