Is Controlled Folder Access worth trying?

  • Yes

    Votes: 20 69.0%
  • No

    Votes: 9 31.0%
  • Total voters
    29

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
Much appreciated. (y)
First one I could find from @Solarquest:
Product: Windows Defender, folder control, default settings + Emsisoft Browser security
Static (On-demand scan): 1/2
Dynamic (On execution): 1*/1
Total: 2*/2
SUD: all samples missed on static
File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted
 

SeriousHoax

Level 29
Verified
Malware Tester
"too late for desktop files"
Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
 

Gandalf_The_Grey

Level 34
Verified
Trusted
Content Creator
> Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
We need a more recent test on version 2004...
 

blackice

Level 27
Verified
> Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
Probably removed due to the volume of warnings people got.
 

plat1098

Level 21
Verified

Let's see what the developer says, if anything. If someone thinks of additional questions or better-phrased ones, let me know and I'll add it to the post.

Might be a very simple explanation, but frankly, when it comes to ransomware, there should be no grey areas.
 

Andy Ful

Level 62
Verified
Trusted
Content Creator
CFA can protect against two different actions:
  1. Modifications or removing files from the protected folders.
  2. Writing directly to disk sectors.
https://getadmx.com/?Category=Windo...lledFolderAccess_EnableControlledFolderAccess

There is a possibility to apply the policy to allow actions of point 1 and block only actions from point 2. So the info about changes in memory is not related to RAM but to disk memory (disk sectors).
 

plat1098

Level 21
Verified
Well, the HWINFO developer responded to my post and what ended up happening was I allowed HWINFO64 thru as a Trusted App. What I didn't know was that there was a "hidden" protected folder called Device\CdRom0 that HWINFO64 tried to access.

This info is obtained from Protection History and you can allow the app in question to be whitelisted directly from there in "Controlled folder access settings."

As usual, another mysterious thing courtesy of Microsoft. 😣 For crying out loud. :rolleyes: But I'm keeping it enabled for now, just need to be aware of off-the-wall things like this. :D
 

Solarquest

Moderator
Verified
Staff member
Malware Hunter
> Btw, are you referring to this point mainly? In that case, CFA used to have the desktop as protected folders in the past but they removed it from default protected folders almost a year ago at least. I think Solarquest didn't notice that desktop isn't included in the protected folders anymore so he wrote "too late for desktop files". While in reality CFA actually did its job and protected files in the protected folders.
Quick info on my test results: memory doesn't help but luckily my comments in the summary as in the dynamic test report.
As you can see files were not encrypted in protected folders but some were on desktop...so WD detected this sample too late (some files on desktop were encrypted) but CFA worked and protected files in protected folders.


File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted

Dynamic test:
fun.bat- files in protected folders were not encrypted, but on desktop.
 

security123

Level 23
Verified
> Quick info on my test results: memory doesn't help but luckily my comments in the summary as in the dynamic test report.
> As you can see files were not encrypted in protected folders but some were on desktop...so WD detected this sample too late (some files on desktop were encrypted) but CFA worked and protected files in protected folders.
>
> File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
> Final status: System infected-> files encrypted
>
> Dynamic test:
> fun.bat- files in protected folders were not encrypted, but on desktop.
Did you add desktop to protected folder? It's no longer protected by default
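
The points raised in this thread (the two CFA actions and policy modes, the Desktop not being a default protected folder, and apps allowed through CFA) can be checked on a given machine with the Defender PowerShell cmdlets. This is an added example, not posted by any thread participant; it only reads settings and assumes an elevated PowerShell session on Windows 10/11 with Microsoft Defender active.

```powershell
# Added example: read-only audit of Controlled Folder Access (CFA) on this PC.
# Assumes an elevated PowerShell session with the built-in Defender module.

# Values of EnableControlledFolderAccess as reported by Get-MpPreference.
$modeNames = @{
    0 = 'Disabled'
    1 = 'Enabled (protected-folder changes and disk sector writes blocked)'
    2 = 'AuditMode (both actions logged only)'
    3 = 'BlockDiskModificationOnly (sector writes blocked, folder changes allowed)'
    4 = 'AuditDiskModificationOnly (sector writes logged only)'
}

$pref = Get-MpPreference
$mode = [int]$pref.EnableControlledFolderAccess
"CFA mode          : $($modeNames[$mode])"

# This property lists folders added on top of the built-in defaults.
$added = @($pref.ControlledFolderAccessProtectedFolders | Where-Object { $_ })
"Added folders     : $(if ($added) { $added -join '; ' } else { '(none)' })"

# Is the current user's Desktop covered by an added folder (or a parent of it)?
$desktop = [Environment]::GetFolderPath('Desktop').TrimEnd('\') + '\'
$covered = $added | Where-Object {
    $desktop.StartsWith($_.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
}
"Desktop protected : $([bool]$covered)"
# To add it (this changes configuration, so it is left commented out):
# Add-MpPreference -ControlledFolderAccessProtectedFolders ([Environment]::GetFolderPath('Desktop'))

# Applications allowed through CFA, e.g. a tool allowed from Protection History.
$apps = @($pref.ControlledFolderAccessAllowedApplications | Where-Object { $_ })
"Allowed apps      : $(if ($apps) { $apps -join '; ' } else { '(none)' })"

# Recent CFA events: 1123 = blocked, 1124 = audited,
# 1127 = blocked sector write, 1128 = audited sector write.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127, 1128
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message
```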
 

RejZoR

Level 14
Verified
Controlled Folder Access has to be the dumbest, most broken feature in existence. Been trying it since its first debut years ago and it's just as useless as it was back then. Microsoft claims they use whitelists so that known good programs have access to things but bad don't, yet I still have to find this "whitelist". Since the beginning it was constantly whining over super popular things like Steam accessing game files in Documents. Whining about Paint.NET doing the same. In fact it has been whining over EVERYTHING accessing Documents folders. It was always so god damn annoying I've always disabled it. Guess how much changed in all these years. NONE. It's the same useless annoying garbage it was on day 1.

If you want good ransomware protection with this method, then use avast!. At least their "controlled folder access" actually uses whitelist and you'll actually rarely see it annoy you over things. So far only FileOptimizer raised a dialog. Nothing else. Like NOTHING ELSE. And now they are even giving Ransomware Shield to free users.

I just can't understand how Microsoft of all companies can't put their together properly. I'd suggest anyone to use this feature to keep their files safer, but not when it's this broken and this annoying. Now I know why it's disabled by default. Where avast!'s Ransomware Shield I can easily recommend anyone using it by default. It's that seamless.
 