Q&A Windows 10 has a built-in ransomware block, you just need to enable it

The_King

Level 8
Verified
Aug 2, 2020
393
Found these articles surprising, I was aware of Controlled folder access for years and it seems many windows users were not. Since the Windows OS has the highest amount of Ransomware attacks globally it maybe a good idea to have this protection feature enabled.

Windows 10 comes with its own baked-in antivirus solution called Windows Defender, and it is enabled by default when setting up a new PC. At the very least, that affords you some basic protection against the many malware threats out in the wild. But did you know there is an added optional layer that can keep your pictures, videos, work documents, and other files safe in the event of a ransomware infection? The caveat is that you have to manually enable ransomware protection in Windows 10.

Or more specifically, a feature called 'Controlled folder access.'

A big hat-tip to Forbes for pointing this out, because this is not something I was aware existed. To enable it, type 'Ransomware protection' in the Windows search bar, or take the long way by navigating to Settings > Update & Security, click on Open Windows Security, click on Virus & threat protection, then scroll down and click on Manage ransomware protection.

Are you protected? Windows ransomware protection basics


Unbeknownst to many consumer users of Windows, Microsoft offers built-in ransomware protection as part of Windows Defender, found under Virus & Threat Protection.

RSW 2021.jpg
 
Last edited:

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,448
did you know there is an added optional layer that can keep your pictures, videos, work documents, and other files safe in the event of a ransomware infection
Might seem cherry picking for some, but it's actually very important. Safe, is a incorrect word! The word " safer " is what this extra layer will add to a system/machine. Huge difference because it don't exist any 100% Bullet proof solutions/tweaks etc. Not turn on and using the machine is though pretty safe. 🙃

The OneDrive enable and setup advice I for sure agree with.
 

monkeylove

Level 6
Mar 9, 2014
270
One possible reason why it is turned off by default is because many users may have difficulty figuring out why they're unable to access their documents, etc., and company will be swamped by complaints.

It's also possible that at some point malware developers might be able to develop software that might be similar to those considered safe by the OS and then access protected folders that way.

Given that, the company will have to work harder on its security program to deal with both issues, and more.
 

Spawn

Administrator
Verified
Staff member
Jan 8, 2011
21,053
With me OneDrive is not relevant, I have several TB of lossless music (painstaking ripped over many weeks) & 16 years of Photographs - Multiple external drives is the only backup option & protection against ransomware.
You may still be able to utilise Controlled Folder Access by adding the external drive locations to the Protected folders. The next time you connect the drives, those drives should remain protected.

Have not tested to confirm.

The OneDrive enable and setup advice I for sure agree with.
Unfortunately, OneDrive's Ransomware detection and recovery requires a subscription after the first attempt.
 

nicos181987

Level 1
Jul 25, 2021
9
The "Controlled folder access" feature in Windows 10 (and 11) is useless, because it blocks even Microsoft services and programs. Besides, you have to manually add each folder/program to the exclusion list, but the most annoying part is that Windows doesn't specify precisely which process was blocked.

I hoped that in Windows 11 Microsoft would have improved the feature, but it's not happened.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,081
The "Controlled folder access" feature in Windows 10 (and 11) is useless, because it blocks even Microsoft services and programs. Besides, you have to manually add each folder/program to the exclusion list, but the most annoying part is that Windows doesn't specify precisely which process was blocked.

I hoped that in Windows 11 Microsoft would have improved the feature, but it's not happened.
Controlled folder access is indeed a very annoying feature. I have tried it several times, and I always turn it off in the end, because it is just too aggravating, it blocks too much.
 

nicos181987

Level 1
Jul 25, 2021
9
Controlled folder access is indeed a very annoying feature. I have tried it several times, and I always turn it off in the end, because it is just too aggravating, it blocks too much.

I did the same. And I would be using just Windows Defender plus Heimdal Thor Foresight if controlled access folder would be useful, but it's not.
 
  • Like
Reactions: Nevi and shmu26

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,153
Hahaha... I'm running it under Configure Defender, and today it blocked Windows Update. This is a suckworthy feature.
Are you sure that it blocked the update? I noticed some blocks too some time ago (blocked disk sectors access, Id = 1127), but the update has been installed successfully. CFA can also alert occasionally on some Windows processes (like MoUsoCoreWorker.exe). Generally, I did not notice any negative impact of these blocks. I do not use CFA on my computer, but it is enabled for a long time (over two years) on my family computers without any exclusions and any issues. Despite the blocks, everything works well (including all Windows Updates).

I think that one should take care of the software that can access the disk at a low level (some backup applications, advanced disk cleaners, disk formatting/disk recovery applications, etc.) and simply ignore anything else.

Edit.
CFA can be sometimes irritating, but any security based on restricting access to protected disk sectors will produce similar issues. The issues related to CFA are probably less painful compared to similar anti-ransomware solutions.
 
Last edited:

Telos

Level 21
Verified
Content Creator
Jan 29, 2017
1,080
Are you sure that it blocked the update?
In context...
yzeobyP.png


This really is annoying. And there seems to be no consistency. What worked over the past week, suddenly becomes a problem. For example today I was dinged with excel.exe, and the Macrium Reflect executable... both of which I have been using daily without complaint from WD.

Controlled Folder Access is worse than a car alarm. It badly needs a training mode, or a means to bulk whitelist existing apps. These daily false positive alerts are outrageous when one must stop their activity, and open CD or WD to whitelist the "offender" and then relaunch the intercepted executable.
 
Last edited:

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,153
Controlled Folder Access is worse than a car alarm. It badly needs a training mode, or a means to bulk whitelist existing apps. These daily false positive alerts are outrageous when one must stop their activity, and open CD or WD to whitelist the "offender" and then relaunch the intercepted executable.

There is a general problem with security that restricts access to protected disk sectors.
I would suggest you disable CFA on your machine if it alerts frequently. You can make a disk image with Macrium Reflect and restore protected disc areas (if needed). There is no need to suffer.
I think that Macrium Reflect did something in your system that makes CFA overreactive. CFA is rather silent (for changes in the memory) when one does not use applications that require low-level disk access.(y)

Edit.
You can also relax and use the advice from my previous post. Take the CFA alert as a reminder: "Hey, I am still here to protect you".:)
 
Last edited:

Telos

Level 21
Verified
Content Creator
Jan 29, 2017
1,080
Nobody needs to create an allow exclusion for memory blocks by controlled folders. Memory blocks break nothing.
Well, that's just wonderful to know. So why is it alerting for a non-critical issue? Such is worse than a false positive.

For software that uses low-level disk access, it can be sometimes a problem ...
Ah.... so it is important.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,153
So why is it alerting for a non-critical issue?

Such alerts can be useful for some people (administrators). The CFA is simple and free security - It cannot differentiate between critical and non-critical events. If you are infected, then the usual non-critical event can be critical. But, for most users, the CFA alerts are not useful so one can ignore them.
Anyway, it is much safer to use CFA and ignore alerts, than not using it at all. The exceptions are alerts of applications that can access the disk on the low level and applications that are used to change/save files in the protected folders.

I do not think that CFA will be more convenient soon, so if one is irritated by CFA, then it is better to use something else.
 
Top