• Win10 Fall Creators Update “Controlled folder access” anti-ransomware feature is live

    #140121

    Catalin Cimpanu at Bleepingcomputer details the way to turn the feature on. I haven’t played with it yet, but Kevin Beaumont (@GossiTheDog) reports th
    [See the full post at: Win10 Fall Creators Update “Controlled folder access” anti-ransomware feature is live]

    • #140162

      I use Vipre anti-virus software.  The protected folders option under windows defender security center/virus threat protection/virus threat protection settings is greyed out.  no way to turn it on that I can find.  any suggestions?

      • #140182

        Chances are you need to be an administrator to be able to make the changes within the Windows Defender Security Center. Otherwise, it could be that Vipre made some changes within your system that caused the option to be greyed out for you.

        One way around that would be to use the Group Policy Management Console to make the change to enable the folder protection. That method could be how Vipre made the change in the first place, aside from, maybe, a registry edit of some kind.

        However, to be able to use Group Policy Management Console/Editor, I believe you need to be an administrator on the computer AND you need to be running Windows 10 Pro or Enterprise. I don’t think the Group Policy manager/editor is available on the other editions of Windows 10.

        I invite any of the MVPs to correct my statement above if any of it is wrong, for which I offer my sincerest apologies in advance.

        • #140185

          Group Policy editor is not available to Home versions.

          1 user thanked author for this post.
      • #140268

        It’s not clear in the documentation, but, just as for the rest of the new WDEG (Windows Defender Exploit Guard), this feature requires that Windows Defender be your primary active/real time protection. See this thread here on AskWoody for more information:

        https://askwoody.com/forums/topic/enable-attack-surface-reduction-in-win10-1709/

        Also see this Microsoft page for requirements and restrictions on this and the rest of the new feature set introduced in WDEG on Win 1709:

        https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard

        The basic four new risk mitigation/blocking features on WDEG should be available for free to anyone running Windows 10 1709 Home, Pro, ENT and EDU editions – assuming you are using WD as your AV solution.

        There are additional features for large organization management with more robust security mitigations available in addition to these four in the upcoming (still not for sale) ATP suite:  a corporate edition of Windows Defender.

        https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection

        Note that in Home, the only method to turn some of these features on is via PowerShell.  There is no native UI . . . yet.  For Pro and up admins can use the ATP console on Azure, Local or Domain GP or PowerShell to manage all the new features and settings.

        An aside:  Vipre promised a similar feature some time ago in their Premium Business offering, but I have not seen that it has been released yet.  Not relevant to us anymore, as that version failed too many of our critical tests for a stable network.

        Our business has been using Vipre across multiple clients for many years now, but we are phasing it out over the next two years. Windows Defender has become our most interesting prospective replacement because of its increased risk reduction features in Windows Pro/Ent 1709.

        The reason we are moving away from Vipre?  We do not want their so-called Premium edition, and the basic AV edition is going away.  As of this October, you could still renew — for one last time — any existing business site account already on basic, but all new sites are being forced to the kitchen sink edition.  Additionally my ThreatTrack (Vipre) sales rep stated that all future renewals after the end of this year will be moved to the Premium edition.

         

        ~ Group "Weekend" ~

        2 users thanked author for this post.
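
The PowerShell route mentioned in the post above, sketched as an added example (not part of the original post or of Microsoft's documentation): it checks the Windows 10 1709 and Windows Defender real-time protection prerequisites, then turns on Controlled folder access, audit mode by default. The folder and application paths are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). Folder and application paths are hypothetical.
param(
    [ValidateSet('Enabled', 'AuditMode', 'Disabled')]
    [string]$Mode = 'AuditMode',
    [string[]]$ExtraFolders = @('D:\Projects'),              # hypothetical
    [string[]]$AllowedApps  = @('C:\Tools\backup-agent.exe') # hypothetical
)
# Controlled folder access arrived with Windows 10 1709 (build 16299).
$build = [System.Environment]::OSVersion.Version.Build
if ($build -lt 16299) { throw "Build $build predates Windows 10 1709." }

# The feature needs Windows Defender as the active real-time AV. With a
# third-party AV registered, the Defender service is usually stopped and
# this query fails or reports real-time protection as off.
try {
    $status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    throw "Windows Defender is not running (third-party AV active?): $_"
}
if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
    throw 'Defender real-time protection is off; Controlled folder access will not work.'
}

# AuditMode logs what would have been blocked without blocking it.
Set-MpPreference -EnableControlledFolderAccess $Mode

# Protect folders beyond the built-in defaults.
foreach ($folder in $ExtraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else { Write-Warning "Skipping missing folder: $folder" }
}
# Allow specific trusted programs to write to protected folders.
foreach ($app in $AllowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else { Write-Warning "Skipping missing application: $app" }
}
# Show the resulting state (0 = Disabled, 1 = Enabled, 2 = AuditMode).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders, ControlledFolderAccessAllowedApplications

# Event 1123 = blocked, 1124 = would have been blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

Running in audit mode first and reviewing the 1124 events shows which legitimate programs would need an allow-list entry before switching `-Mode` to `Enabled`.
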
    • #140184

      “Protect your files and folders from unauthorized changed by unfriendly applications.”

      I couldn’t help but chuckle at that typo. Y’know, I’ve always thought of Microsoft as being a perfectionist company, since during my time with XP, Vista, and Windows 7 I have never spotted a single typo in any of their products. Shows you how quality control really has gone down the drain for these guys.

    • #140193

      Without my having looked this particular feature over at all yet, I’ll make a couple of comments…

      It saddens me to see vendors concentrating ever more on “what to do after malware gets into your system” while neglecting “how to keep it from ever getting in”.

      Consider the costs of “protecting” your files from access by “unfriendly applications”.

      Beyond the obvious additional resources spent checking every access (remember, you paid extra for a faster computer)…

      Who says what’s unfriendly and what’s not? Is there a list of “friendly” applications? If so, who manages it? Maybe your old standard Win32 application could be deemed “unfriendly”… It would be unfriendly to those wishing to make money selling you new software from the Microsoft store, right?

      Will legitimate things you want to do to your files be blocked in the future? What is your time, to be spent working around such blocks, worth? Will you be able to do as good a job after having been distracted with such workarounds?

      When the measures purportedly in place to “protect your security” add up to reduced functionality / reduced usability, question whether those measures really do you any good, and especially question the assumed conditions making those measures “necessary”.

      -Noel

      4 users thanked author for this post.
      • #140229

        Apparently, you must not have any employees. You may do well at prevention, but a lot of users don’t. I say if it actually works, it’s a welcome addition.

        • #140322

          The concern is not about employees but control of the system. Who is deciding what programs get these access privileges is an important point. For a business, I would think being able to set a white list of what can even be installed and blocking everything else is a good idea for a business. Any program not on the white list cannot be installed or access the hard drive. But is the list curated internally or is it curated by MS or someone else?

      • #140287

        I wonder if it will just be like UAC on Steroids lol.

        1 user thanked author for this post.
      • #140364

        I agree on the principle of prevention, but I welcome efforts like this one from MS; that feature is the only one on the 14 “best of” list that someone posted elsewhere on this site that I would really be interested in with regard to the Fall Creators Update. Do all you can to prevent malware from getting on the PC, but don’t put all the eggs in that one basket either; have a plan B in case there is an exploit of some sort that gets past plan A. Since MS has no power to engineer a smarter user, they’re limiting the damage he can do. Anti-lock brakes are a great thing, but it doesn’t mean that cars don’t need airbags. If the prevention systems fail (and everything fails some of the time), the mitigation systems are the next line of defense.

        In this case, MS seems to be providing what its users are asking for, kind of.  People are complaining about the upcoming cancellation of EMET, so MS is moving some of the features into Windows 10 itself.  That isn’t a perfect solution to the problem, since even if they moved ALL of the functionality of EMET into 10, the majority of Windows users (those who do not use 10) aren’t helped at all by that, which is by design of course.  If you drill deep enough, you can always find some cynicism in every decision MS makes, but it’s still a nice change to see them trying to use carrot rather than stick to get people into 10.  Of course, that carrot is behind a minefield, several fences with concertina wire, and a moat with alligators in it, but at least it shows they know it’s a possibility.

        Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
        XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
        Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

        2 users thanked author for this post.
        • #140371

          A good plan B involves backup. Do you have your network and computer systems working all night? If not, why not?

          To no one in particular here…

          When I read about stuff like this “Controlled folder access” I imagine a system becoming so burdened with defensive measures that nothing productive can be done with it. I have seen systems actually taken to such extremes. On a related note, not long ago I was looking at a Win 10 v1709 system with 120 processes running – just to support an idle desktop.

          Hey, perfect computer security would be to unplug everything entirely, right? No malware would ever run. Easy peasy.

          Ever hear the phrase, “the operation was a success but the patient died”?

          Employees can and should be educated about security, and other means exist that do a great deal to keep malware out.

          If someone has employees who are downloading infected games etc. from Torrent or wherever and infecting their work systems, is that a technical problem or a management problem?

          In all fairness I can’t say that Microsoft is completely neglecting to try to keep malware out; they have created things like SmartScreen, though it’s unnecessarily cloud-integrated and the temptation is very great for them to corrupt it for their own benefit (ever have SmartScreen block a legitimate application you’re trying to sell?), not to mention use the data about what web sites you visit to market things to you. They of course want everyone to believe the only safe place to get software is – you guessed it – the Microsoft Store.

          Please don’t get me started on the efficacy of the abomination known as UAC.

          Trying to protect a system from itself is quite often just as ridiculous as it sounds.

          -Noel

    • #140200

      What exactly do you mean by “first generation — with caveats” Woody?

      M$ certainly isn’t the first to provide this “feature”, I’ve been using folder protection against ransomware provided in Trend Micro’s Internet Security software for over a year.

    • #140240

      I use Vipre anti-virus software. The protected folders option under windows defender security center/virus threat protection/virus threat protection settings is greyed out. no way to turn it on that I can find. any suggestions?

      went into group policy editor.  surprise, surprise, surprise.  it’s only available on windows server v10 1709.   why not for every version???

      john

      John W Zerkel

    • #140353

      went into group policy editor.  surprise, surprise, surprise.  it’s only available on windows server v10 1709.   why not for every version???

      Maybe because protected folders feature is only in v10 1709 ? 🙂

    • #140372
    • #140413

      A cursory reading of the W10 Defender changes in the W10 FCU leaves me wondering if the apparent integration and possible loss of control over the Windows firewall put third party antivirus/malware software providers at a disadvantage. Most third party software provides its own firewall and would ‘turn off’ or take control of the Windows firewall once installed. I assume I am missing something in all of these changes but, does anyone think there might be an issue presented for the third party security software?

      • #140423

        Many of the third party Security Suites now turn off the Windows Firewall and Windows Defender. If this is no longer possible it certainly will be an issue for third party software.

        I wonder if it will raise the question of monopoly, particularly with the Europeans, as did IE and Media Player. The only way I can see them getting around that would be the User as a Thin Client and the OS actually running in virtual machines on the MS servers. I think that is where MS is heading – you will have the equivalent of a dumb terminal and access everything in the MS Cloud.
