How Microsoft's Controlled Folder Access can help stop ransomware

Part of Windows Defender in recent updates of Windows 10 and Windows Server, Controlled Folder Access can prevent malware from accessing or changing designated files.


Microsoft added a useful new feature to its Windows client and server products. Controlled Folder Access gives you another way to mitigate the impact of ransomware. Enable it only after careful testing and custom configuration, because it will likely block legitimate programs, some of which could be critical to your computer or organization.

Added in the Windows 10 Fall Creators Update (version 1709) in 2017 and included in Windows Server 2019, Controlled Folder Access is another welcome, built-in (but not enabled by default) Windows security feature that helps prevent ransomware from damaging your files and folders. It also blocks unauthorized writes to disk sectors and to protected files held in memory. In a nutshell, Controlled Folder Access tries to prevent “unsafe” applications from modifying protected files, folders and in-memory copies of those files. The default protected folders include Windows system files and the built-in, common default document and content folders.

How does Microsoft define “unfriendly”?

Microsoft says Controlled Folder Access, when enabled, prevents changes to protected files and folders by unauthorized and unfriendly programs. I can’t find technical details of what “unfriendly” means, but friendly applications appear to include the major Microsoft programs and many other major vendor programs.

My best guess is that being signed by a trusted digital certificate is one trait evaluated for legitimate, popular “friendly” programs. I’m also not sure which Windows system files and folders are included, but it appears to be at least all the normal areas you would think of (e.g., \Windows, \Windows\System32), and it even includes the user’s desktop. It would be great if Microsoft gave us an easy way to verify what is and isn’t included.

For testing, I downloaded some randomly selected third-party file manipulating programs, such as AESCrypt. I didn’t run any real ransomware programs, as others have done that type of testing, and I was testing on one of my own computers (and not in a virtual machine). I used KnowBe4's free ransomware simulator program, which simulates over 20 different ransomware techniques. It was definitely not treated as friendly.

(Disclaimer: I work at KnowBe4.)

How to manually enable and configure Windows Controlled Folder Access

You can enable Windows Controlled Folder Access using group policy (Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access), PowerShell (Set-MpPreference -EnableControlledFolderAccess Enabled), or a participating mobile device management (MDM) configuration service provider such as Microsoft Intune. The steps below use the GUI.

Open the Windows Defender Security Center and then choose the “Virus & threat protection” option.


Select "Virus & threat protection" from Windows Defender Security Center

Then choose the “Ransomware protection” option at the bottom.


Select "Ransomware protection"

Click on the “Off” option under “Controlled folder access” to enable and turn it on. Answer “Yes” to any resulting user account control prompt.


Toggle on Controlled folder access from the Ransomware protection screen

Note: If the Controlled folder access option does not appear, you might not have applied the necessary updates or your Windows computer’s security might be under the control of your company’s administrators (using group policy or another installed anti-malware program).

Warning: If you disable Windows Defender’s real-time protection, it also disables Controlled Folder Access.

Once you’ve enabled Controlled Folder Access, click on the “Protected folders” option to select which folders you do or don’t want to include. If enabled for the first time or left unmodified since enabling, it will be pre-populated with common Windows content storage folders, which you cannot delete from the list. You can add more local or remote folders (such as OneDrive).


Pre-populated protected folders

When Controlled Folder Access is enabled via the GUI, it enables all protection features for folders, files, memory and disk sectors. When using group policy, you can enable or disable disk sector protection independently of the other features, or enable audit-only mode.

Note: The list of protected folders does not include all folders that Controlled Folder Access protects. It does not include any of the default, built-in Windows system folders (however that is defined). Protected memory areas definitely aren’t defined, but my guess is that the only memory areas protected are those containing copies of the files of protected folders.

Click “Add a protected folder” to add more folders to the list.

Be aware that legitimate but unauthorized applications can be blocked from modifying files, or even memory areas, during what you think are normal installs and operations. You might get a warning that something was blocked, but the program will often report that the install or operation completed successfully without indicating that one of its actions was blocked. Do not trust a blocked install or operation as having completed 100 percent. If it is a legitimate program you want to trust, add it as an allowed app and repeat the install or operation. Not doing so can leave that operation in an incomplete, possibly critical state.

To define which applications may access the protected folders, click the “Allow an app through Controlled folder access” option. The list is empty at first, even though Microsoft clearly has many programs it already trusts and allows.


Click on "Allow an app through Controlled folder access"

Now click on the “Add an allowed app” option to allow applications to access the controlled folders.


Click on "Add an allowed app"

Browse and select a new application to allow. If you have the most recent Windows 10 update, you can tell Windows to add the most recently blocked application. As best as I can tell, the programs you manually add are identified by file path only. The allow list does not support other common whitelisting options such as digital signatures or trusted certificates.

When you add a new authorized app, the GUI console looks like the figure below.


Console showing allowed apps that were added

Once Controlled Folder Access is enabled, if you go back to the option under Windows Defender, the GUI will have changed to be similar to the below example, which indicates it is already enabled.


Controlled Folder Access screen after you enable it
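The same configuration can be scripted with the Defender PowerShell module, which is how you would roll it out beyond a single machine. The script below is an added example (it is not code from the original article or from Microsoft) and assumes an elevated PowerShell session on Windows 10 1709 or later, or Windows Server 2019, with Microsoft Defender Antivirus real-time protection on. The folder and application paths are placeholders; the allow list matches by full path, so the script checks that each path exists before adding it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): configure Controlled Folder Access
# with Set-MpPreference / Add-MpPreference instead of the Security Center GUI.
# Folder and application paths below are illustrative placeholders.

# 1. Start in audit mode: would-be blocks are logged but nothing is actually blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the built-in defaults (local paths or mapped drives).
$extraFolders = @(
    'D:\Projects',                                   # placeholder
    (Join-Path $env:USERPROFILE 'OneDrive')          # OneDrive root, if present
) | Where-Object { Test-Path $_ }
if ($extraFolders) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolders
}

# 3. Allow specific programs. Entries are full file paths; there is no signer-based option.
$allowedApps = @(
    'C:\Program Files\ExampleVendor\backup.exe'      # hypothetical path
)
foreach ($app in $allowedApps) {
    if (Test-Path $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping '$app': path not found (CFA allow-list entries match by path)"
    }
}

# 4. Show the effective state. EnableControlledFolderAccess is reported as a number.
$pref = Get-MpPreference
$state = switch ([int]$pref.EnableControlledFolderAccess) {
    0 { 'Disabled' }
    1 { 'Enabled (block)' }
    2 { 'AuditMode' }
    3 { 'BlockDiskModificationOnly' }
    4 { 'AuditDiskModificationOnly' }
    default { "Unknown ($_)" }
}
[pscustomobject]@{
    # CFA does nothing while real-time protection is disabled.
    RealTimeProtectionOn   = -not $pref.DisableRealtimeMonitoring
    ControlledFolderAccess = $state
    # Only user-added folders are listed here; the built-in defaults do not appear.
    ProtectedFolders       = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApplications    = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# 5. After a clean audit period (check the event log for ID 1124), enforce blocking:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
```

Leaving the machine in audit mode until the event log has been reviewed is the important part: switching straight to Enabled on a fleet is how you discover, via helpdesk tickets, which vendor updaters write to Documents.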

Windows Defender notifications and event logs

Attempts by programs to modify (or add) files in protected folders can produce both desktop notifications and event log entries. Below is an example of the message Windows displays when an unauthorized application tries to modify files in a protected folder.


Windows Defender notification of unauthorized changes to folder

The following example indicates that an unauthorized program tried to manipulate files stored in memory from a protected folder.


Windows Defender notification of unauthorized changes to memory

These desktop notifications do not include much detail, and omit some of the bare essentials you would need to troubleshoot the event. Luckily, more detail appears in the Windows event log under the Microsoft-Windows-Windows Defender/Operational log, especially Event ID 1123 (blocked changes to protected folders and files) and Event ID 1127 (which appeared for the memory-block notification in my testing; Microsoft’s documentation lists 1127 as the blocked disk-sector write event). Examples are shown below.


Examples of Windows Defender event logs

If you enable Controlled Folder Access, aggressively monitor these event logs, as you might find a legitimate program blocked that you were not previously aware of. In my case, multiple legitimate Dell maintenance programs included and enabled by default by Dell were blocked. I had seen the console messages, but they were displayed along with the messages I expected to see with my other testing and were lost in the noise. Had I not checked my event logs, I probably would have missed the false-positive blocks and not have known legitimate programs were being blocked.

When you add a new authorized application, it generates an Event ID 5007 event under the Windows Defender source, as shown below:


Event ID for new authorized app

Note: The Old value field will always be blank regardless of whether a previous additional authorized application was or wasn’t added. You can’t rely on it to determine what applications were or were not previously added.

Tip: If you are worried about too many false-positive blocks of legitimate applications, enable Controlled Folder Access in “audit mode” first to test. In audit mode nothing is blocked; attempts that would have been blocked are logged as Event ID 1124 instead of 1123, so you can build the allow list from the log before enforcing. You can configure audit mode using group policy as shown in the figure below.


Windows Defender audit mode 
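Because the blocks are easy to lose among other notifications, it is worth pulling the events out of the log and grouping them by process. The script below is an added example (not from the original article or from Microsoft) that summarizes the last seven days of Controlled Folder Access events, in both audit and block mode, and lists the configuration-change events so a disabled CFA is visible too. It assumes an elevated session, Microsoft’s documented CFA event IDs (1123/1124 for folder and file events, 1127/1128 for disk-sector events, 5007 for setting changes), and the EventData field names “Process Name”, “Path”, “Old Value” and “New Value” as they appear in the event XML.

```powershell
# Added example (not from the original article): summarize Controlled Folder Access
# events from the Defender operational log so blocked or audited programs stand out.
# Assumes an elevated session and the EventData field names named in the lead-in.

$cfaEventKinds = @{
    1123 = 'Blocked change to protected folder/file'
    1124 = 'Audited change to protected folder/file (audit mode)'
    1127 = 'Blocked disk sector write'
    1128 = 'Audited disk sector write (audit mode)'
    5007 = 'Defender configuration changed'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$cfaEventKinds.Keys
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host 'No Controlled Folder Access events in the last 7 days.'
} else {
    $rows = foreach ($e in $events) {
        # Read named fields from the event XML; the rendered Message text is locale-dependent.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Kind    = $cfaEventKinds[[int]$e.Id]
            Process = $data['Process Name']
            Target  = $data['Path']
            # For 5007 only the new value is useful: "Old Value" is blank for
            # allowed-app additions, so it cannot be used to reconstruct history.
            Change  = if ($e.Id -eq 5007) { $data['New Value'] } else { $null }
        }
    }

    # Blocked/audited processes, most frequent first: candidates for the allow list.
    # Verify each one is legitimate before adding it.
    $rows | Where-Object { $_.Id -in 1123, 1124, 1127, 1128 } |
        Group-Object Process | Sort-Object Count -Descending |
        Select-Object Count, Name,
            @{ n = 'Targets'; e = { ($_.Group.Target | Sort-Object -Unique) -join '; ' } } |
        Format-Table -AutoSize -Wrap

    # Configuration changes: someone (or some malware) turning CFA off shows up here.
    $rows | Where-Object Id -eq 5007 | Select-Object Time, Change | Format-Table -AutoSize -Wrap

    # To allow a verified false positive, add its full path:
    #   Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Path\To\legit.exe'
}
```

Run this on the test machines at the end of the audit period and again shortly after switching to enforcement; the second run is what catches the updaters and maintenance agents (the Dell tools mentioned above are a typical case) that only write to protected folders on a schedule.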

Cautionary Controlled Folder Access tales

You should understand several issues before enabling Controlled Folder Access, beyond it accidentally blocking legitimate programs from working as intended. These include:

Silent blocking

I did read of an issue where Controlled Folder Access blocked unauthorized access to a Windows system folder without warning the user that it had done so. I tried to emulate the scenario without having the exact testing facts, and Windows always indicated that a change was blocked. Sometimes the block was not done by Controlled Folder Access but by another Windows security mechanism, such as file virtualization. Be aware that testing by other people indicates this symptom.

Ransomware is not terminated

Windows Controlled Folder Access does not terminate unauthorized programs. It just blocks the attempt of the program in real-time against listed protected folders. The program may still be active, and if ransomware, may still even try to lock your computer and display the normal ransom screen. It’s far from ideal, but Controlled Folder Access is not designed to be a full anti-malware solution.

Your anti-malware program, whatever it is, is still the first line of defense against ransomware executing at all. Better still, avoid putting that defense to the test: don’t get tricked into running a Trojan file, and keep your system fully patched.

Many ways to get around Controlled Folder Access

Controlled Folder Access can be bypassed, including by the methods mentioned in this article, but that shouldn’t take away from the additional, free protection it gives a Windows user trying to mitigate the threat of ransomware.

Controlled Folder Access is a welcome Windows feature, and it is yet another control that can help fight ransomware. It should not be implemented without careful testing and monitoring to ensure that critical legitimate programs are not blocked. Also, as we know, no amount of technical controls alone can defeat ransomware, any other malware, or hackers. You must always implement defense in depth, including training your end users so they are not tricked into running ransomware in the first place, but Windows Controlled Folder Access is another arrow in the quiver.

Copyright © 2018 IDG Communications, Inc.
