Is Controlled Folder Access worth trying?

  • Yes

    Votes: 20 69.0%
  • No

    Votes: 9 31.0%
  • Total voters
    29

shmu26

I have used the Controlled Folder Access (aka Windows Defender Antivirus Ransomware Protection) in earlier builds, but turned it off due to being unable to whitelist applications properly.

In the latest Windows 10 May 2020 Update (Version 2004), is it worth re-visiting?
I tried it on 2004 and it worked great. It did not block any legitimate actions, except when I tried to run an HP installer to set up a printer. It's easy enough to turn it off once in a blue moon if you need to do something unusual.
 

SeriousHoax

Quick info on my test results: memory doesn't help but luckily my comments in the summary as in the dynamic test report.
As you can see files were not encrypted in protected folders but some were on desktop...so WD detected this sample too late (some files on desktop were encrypted) but CFA worked and protected files in protected folders.


File encrypted: yes, but not in protected folders (*WD blocked encryption but too late for desktop files)
Final status: System infected-> files encrypted

Dynamic test:
fun.bat- files in protected folders were not encrypted, but on desktop.
The thing is, WD didn't detect that ransomware by signatures or any behavioral module, it only blocked modification of protected folders, which would've happened for any program that's not whitelisted, ransomware or not. Too late would mean that WD eventually detected the ransomware later but couldn't protect some files. So the term "too late for desktop files" is not accurate in this case. If it was a post-infection-based behavioral detection then the term "too late" would've been correct. This is the reason some members had confusion about the outcome of that test.
So, I just cleared that up in my initial comment that "desktop" is not part of protected folders anymore so it's normal for files to be encrypted in desktop or any other folders per se except protected folders.
Controlled Folder Access has to be the dumbest, most broken feature in existence. Been trying it since its first debut years ago and it's just as useless as it was back then. Microsoft claims they use whitelists so that known good programs have access to things but bad don't, yet I still have to find this "whitelist". Since the beginning it was constantly whining over super popular things like Steam accessing game files in Documents. Whining about Paint.NET doing the same. In fact it has been whining over EVERYTHING accessing Documents folders. It was always so god damn annoying I've always disabled it. Guess how much changed in all these years. NONE. It's the same useless annoying garbage it was on day 1.
This is correct that Microsoft says that they whitelist trusted programs but in reality they don't and they should clear this up. Microsoft tries to play safe here because nowadays a lot of malware abuses trusted processes including lolbins to encrypt files and if those files were whitelisted by MS then protected folders would fail. E.g.: if you check F-Secure's result on the hub, you would see quite a few times its protected folders failed to protect files from ransomware because the abused file was trusted by F-Secure. This is the reason some AVs don't even include this protected folders function. There are basically two ways to do this, one is similar to F-Secure, whitelist trusted files and the second one is what Microsoft does, block everything except manually whitelisted. The latter is definitely more annoying but far more secure approach.
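The block-everything-except-manually-whitelisted workflow discussed in this thread, as an added example that is not part of any member's post: run Controlled Folder Access in audit mode first, review what it would have blocked, then allow only the applications you have checked. The application path is a constructed placeholder; the cmdlets are from the built-in Defender PowerShell module.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths marked "placeholder" are constructed, not from the thread.

# 1. Audit mode: record writes CFA would block, without blocking them yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. The thread notes Desktop is not in the protected set; add it explicitly
#    if files kept there should be covered.
Add-MpPreference -ControlledFolderAccessProtectedFolders "$env:USERPROFILE\Desktop"

# 3. After a period of normal use, review what touched protected folders.
#    Event ID 1124 = audited (would have been blocked), 1123 = blocked.
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$cfaEvents |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Allow an application by full path only after reviewing it.
#    Avoid allowing general-purpose interpreters and system binaries:
#    anything that can be driven by a script inherits the write access.
$app = 'C:\Program Files\ExampleApp\example.exe'   # placeholder
if (Test-Path -LiteralPath $app) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $app
} else {
    Write-Warning "Not found, nothing allowed: $app"
}

# 5. Switch from audit to enforcement and print the resulting policy.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List
```

Re-run step 3 after enforcement is on: recurring 1123 events from a known application show what still needs an allow entry, and an event from an unexpected process is worth investigating rather than allowing.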
 