How Microsoft's Controlled Folder Access can help stop ransomware

Part of Windows Defender in recent updates of Windows 10 and Windows Server, Controlled Folder Access can prevent malware from accessing or changing designated files.


Microsoft added a cool, new feature to its Windows client and server products. Controlled Folder Access gives you another way to mitigate the impact of ransomware. Of course, you should enable it only after careful testing and custom configuration, because it will likely block legitimate programs, some of which could be critical to your computer or organization.

Added in the Windows 10 Fall Creators Update (version 1709) in 2017 and now also in Windows Server 2019, Controlled Folder Access is another welcome, built-in (but not enabled by default) Windows security feature that helps prevent ransomware from damaging your files and folders. In a nutshell, it tries to stop "unsafe" applications from modifying protected files and folders, and it can also block unauthorized writes to disk sectors (a separately configurable mode) and to files stored in memory. The default protected locations are the Windows system folders plus the common per-user content folders (Documents, Pictures, Videos, Music, Favorites and Desktop).
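The staged rollout the paragraph above recommends (audit first, then enforce) can be scripted with the Defender PowerShell cmdlets. The following is an added example, not code from the article; the folder and application paths in it are placeholders you would replace with your own, and it assumes an elevated prompt on Windows 10 1709 or later (or Windows Server 2019) with Microsoft Defender Antivirus real-time protection turned on, which Controlled Folder Access depends on.

```powershell
# Added example (not from the article): stage Controlled Folder Access with the
# Defender cmdlets. Run from an elevated PowerShell prompt. Folder and app paths
# below are placeholders, not real deployment values.

#Requires -RunAsAdministrator

# Controlled Folder Access rides on Defender real-time protection; stop early if it is off.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    throw "Defender real-time protection is disabled; Controlled Folder Access cannot work."
}

# 1. Start in audit mode: nothing is blocked, but every write that *would* have been
#    blocked is logged (event ID 1124), so you can find your legitimate apps first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Add folders beyond the defaults (Windows system folders plus the user's Documents,
#    Pictures, Videos, Music, Favorites and Desktop are always covered).
$extraFolders = @('D:\Finance\Ledgers', 'D:\Engineering\Designs')        # placeholder paths
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolders

# 3. Pre-allow an application you already know must write there. Entries are full
#    paths to the executable; keep this list short and review it regularly.
$allowedApps = @('C:\Program Files\ExampleVendor\backup.exe')            # placeholder path
Add-MpPreference -ControlledFolderAccessAllowedApplications $allowedApps

# 4. Review the resulting state. Get-MpPreference lists only the folders and apps you
#    added yourself; the built-in default folders do not appear in this output.
$modeNames = @{
    0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'AuditMode'
    3 = 'BlockDiskModificationOnly'; 4 = 'AuditDiskModificationOnly'
}
$pref = Get-MpPreference
[PSCustomObject]@{
    Mode        = $modeNames[[int]$pref.EnableControlledFolderAccess]
    Folders     = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps = $pref.ControlledFolderAccessAllowedApplications
} | Format-List

# 5. Only after the audit log has been clean for your workload, switch to enforcement:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The same settings can be pushed by Group Policy or Intune for a fleet; the cmdlets are handy for a pilot machine because the change takes effect immediately and is easy to roll back with `Set-MpPreference -EnableControlledFolderAccess Disabled`.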

How does Microsoft define “unfriendly”?

Microsoft says Controlled Folder Access, when enabled, prevents changes to protected files and folders by unauthorized and unfriendly programs. I can’t find technical details of what “unfriendly” means, but friendly applications appear to include the major Microsoft programs and many other major vendor programs.

My best guess is that being a legitimate, popular program signed by a trusted digital certificate is one evaluated trait of a “friendly” program. I’m also not sure which Windows system files and folders are included, but it appears to be at least all the normal areas you would think of (e.g., \Windows, \Windows\System32), and it even includes the user’s desktop. It would be great if Microsoft gave us an easy way to verify what is and isn’t included.

For testing, I downloaded some randomly selected third-party file-manipulating programs, such as AESCrypt. I didn’t run any real ransomware programs, as others have done that type of testing, and I was testing on one of my own computers (and not in a virtual machine). I used KnowBe4's free ransomware simulator program, which simulates over 20 different ransomware techniques. It was definitely not treated as friendly.
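Whether a test program was treated as friendly, and which folders were actually covered, can be read back from the Defender operational event log, which is the closest thing to the verification the previous two paragraphs ask for. The following triage script is an added example, not part of the article or of Microsoft's tooling. It assumes the event IDs Defender uses for Controlled Folder Access (1123 block, 1124 audit, 1127 sector-write block, 1128 sector-write audit) and that the event message carries "Path:" and "Process Name:" lines; the regular expressions are written against that layout and may need adjusting on other builds. Run it from an elevated prompt after a period in audit mode or after a test like the one described above.

```powershell
# Added example (not from the article): triage Controlled Folder Access events so you
# can see what was blocked (1123), what would have been blocked in audit mode (1124),
# and sector-write events (1127/1128), grouped by the offending process. Run elevated.
# Assumption: the event message contains "Path:" and "Process Name:" lines; adjust the
# patterns below if your build formats them differently.

$log   = 'Microsoft-Windows-Windows Defender/Operational'
$ids   = 1123, 1124, 1127, 1128
$since = (Get-Date).AddDays(-7)
$actionNames = @{ 1123 = 'Blocked'; 1124 = 'Audited'; 1127 = 'SectorBlocked'; 1128 = 'SectorAudited' }

$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No Controlled Folder Access events since $since."; return }

# Pull the target path and the writing process out of each event's message text.
$parsed = foreach ($e in $events) {
    $msg  = $e.Message -replace "`r`n", "`n"
    $proc = if ($msg -match 'Process Name:\s*(?<p>[^\n]+)') { $Matches.p.Trim() } else { '<unknown>' }
    $path = if ($msg -match 'Path:\s*(?<f>[^\n]+)')         { $Matches.f.Trim() } else { '<unknown>' }
    [PSCustomObject]@{
        Time    = $e.TimeCreated
        Action  = $actionNames[[int]$e.Id]
        Process = $proc
        Target  = $path
    }
}

# Summary: which executables touched protected locations, how often, and an example target.
$parsed | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Target } } |
    Format-Table -AutoSize

# Decision aid: for each process, show whether it is already on the allow list, what its
# Authenticode status is, and the exact command to allow it if you decide it is legitimate.
# Check the signature (and the vendor) before trusting anything the log shows you.
$allowed = (Get-MpPreference).ControlledFolderAccessAllowedApplications
$procs   = $parsed.Process | Sort-Object -Unique | Where-Object { $_ -ne '<unknown>' }
foreach ($p in $procs) {
    $sig       = if (Test-Path -LiteralPath $p) { (Get-AuthenticodeSignature -FilePath $p).Status } else { 'file-missing' }
    $isAllowed = $allowed -contains $p
    $state     = if ($isAllowed) { 'already-allowed' } else { 'not-allowed' }
    '{0,-16} {1,-14} {2}' -f $state, $sig, $p
    if (-not $isAllowed) {
        "    Add-MpPreference -ControlledFolderAccessAllowedApplications '$p'"
    }
}
```

Reading the `Target` column across a week of audit events also answers the author's question about coverage in practice: every path that appears there is one Controlled Folder Access considers protected, including any default folder that never shows up in `Get-MpPreference`.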
