A recent update for Windows 1809 must have totally revamped the Protected folders feature.
I just enabled this feature again, and I didn't get any blocks. I couldn't believe my eyes. I checked my settings, I checked that the exclusion list was empty, and I just was not getting the blocks that I always got before.
In fact, it has a new text:
"Most of your apps will be allowed by Controlled folder access without adding them here. Apps determined by Microsoft as friendly are always allowed."
Interesting.
I noticed that three ASR rules:
- "Block JavaScript or VBScript from launching downloaded executable content",
- "Use advanced protection against ransomware",
- "Block executable files from running unless they meet a prevalence, age, or trusted list criteria",
can block most script trojan droppers, so it is hard to download and execute a ransomware payload.
The first blocks attacks via Windows Script Host scripts, the second can mitigate PowerShell scripts.
The last one also works, but nobody knows how exactly.
The exception is when someone has installed MS Office - in that case the attacker can use a script with "Word.Application" or "Excel.Application" objects, which are actually not caught by either ASR rules or Controlled Folder Access.
So the WD anti-ransomware protection = Controlled Folder Access + ASR rules.
Controlled Folder Access alone can protect the user's Desktop and Start menu entries against many kinds of malware (except advanced ransomware) that simply try to copy or replace malicious files there (for example, shortcuts with malicious command lines).
Edit.
For protecting Start menu and Quick Launch entries, some folders have to be added to the protected folders in CFA, for example:
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned
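
The combination described in this thread (Controlled Folder Access, the two extra protected folders, and the three ASR rules) can be applied and checked from an elevated PowerShell session. This is an added example, not part of the original posts. It assumes Microsoft Defender is the active antivirus, that the session runs in the profile of the user being protected (so `$env:APPDATA` stands in for the hard-coded `C:\Users\Admin\AppData\Roaming`), and that the rule GUIDs are the ones listed in Microsoft's ASR rule reference.

```powershell
# Added example: apply the CFA + ASR setup from the thread. Run elevated.
$mode = 'Enabled'   # assumption: use 'AuditMode' to log without blocking

# ASR rule GUIDs from Microsoft's ASR rule reference.
$asrRules = [ordered]@{
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Use advanced protection against ransomware'                                = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'
    'Block executables unless they meet prevalence, age, or trusted list'       = '01443614-CD74-433A-B99E-2ECDC07BFC25'
}

# The two folders named in the post, resolved for the current user profile.
$extraFolders = @(
    Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs'
    Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned'
)

Set-MpPreference -EnableControlledFolderAccess $mode

foreach ($folder in $extraFolders) {
    if (Test-Path -LiteralPath $folder) {
        # Add-MpPreference appends to the list instead of overwriting it.
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

foreach ($rule in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Value `
                     -AttackSurfaceReductionRules_Actions $mode
}

# Verify what Defender actually stored.
$pref    = Get-MpPreference
$ids     = @($pref.AttackSurfaceReductionRules_Ids)
$actions = @($pref.AttackSurfaceReductionRules_Actions)

"CFA state: $($pref.EnableControlledFolderAccess)  (0 = off, 1 = block, 2 = audit)"
'User-added protected folders:'
$pref.ControlledFolderAccessProtectedFolders

foreach ($rule in $asrRules.GetEnumerator()) {
    $state = 'not configured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $rule.Value) { $state = $actions[$i] }  # 1 = block, 2 = audit
    }
    '{0}: {1}' -f $rule.Key, $state
}
```

With `$mode = 'AuditMode'` nothing is blocked; the would-be blocks are written to the Microsoft-Windows-Windows Defender/Operational log (event ID 1122 for ASR, 1124 for Controlled Folder Access).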