Today we will discuss another new security feature released in Windows 10 Fall Update 1709, which is controlled access to the folder. This feature was introduced primarily as a step to try to stop or contain ransomware attacks on end clients by protecting specific folders from unauthorized access by malicious applications or processes.
This protection is in real time and will instantly block such malicious activity and give you an immediate warning message in your desktop notifications.
When you enable the controlled access feature to the folder, it will protect specific folders by default such as your desktop, documents, favorites, images and videos. However, you can add any other folder to protect yourself.
If you received a notification that an application was blocked, you have access to one of your protected folders. You can allow this application if you know its use and you are sure that it is a legitimate commercial application.
How to enable Controlled Folder Access:
This protection is in real time and will instantly block such malicious activity and give you an immediate warning message in your desktop notifications.
When you enable the controlled access feature to the folder, it will protect specific folders by default such as your desktop, documents, favorites, images and videos. However, you can add any other folder to protect yourself.
If you received a notification that an application was blocked, you have access to one of your protected folders. You can allow this application if you know its use and you are sure that it is a legitimate commercial application.
How to enable Controlled Folder Access:
- From the Windows Defender Security Center - Virus and Threat Protection settings (Check below screen shots)
- After Clicking on the Virus and Threat Protection Settings - scroll down to the Controlled Folder access and enable it.
- Click on Protected folders to give you list for current default protected folders or click Allow an app through Controlled folder access to allow legitimate app that might not be known to Microsoft and is getting blocked.
Configuring Group Policy to enable Controlled Folder Access:
- You can use powershell as usual to enable controlled folder access and for enterprise users group policy can be implemented by editing the Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Defender Antivirus - Windows Defender Exploit Guard - Controlled Folder Access
- Please remember to extend your AD Group policy templates with the new 1709 templates as mentioned in part 1 of this series.
- To enable it you need to edit the "Configure Controlled Folder Access" settings as shown below, either to enable it or keep in Audit mode (Changes to protected folder will be allowed but audited which means you can view these changes in the Event logs)
- The other two settings is to add another protected folder other than the default ones and to allow specific app to access the protected folder.
How to view Controlled Folder Access Events:
- Download the Exploit Guard Evaluation Package (Zip folder that need to be extracted)
- Open Event Viewer - Action - Import Custom View
- Open the downloaded Evaluation Package and pick cfa-events.xml
- Confirm the selection and add it to the custom view
- It will appear under the Event Viewer custom view as shown below
- Upon checking some logs, i noticed that the Controlled folder access blocked Adobe to make a change on a file on my desktop and here comes the value of the Audit mode. Adobe is a legitimate application and i have PDF files that need to be edited on the desktop. If Audit mode was set, the change/edit will be done however i will be notified in the logs to later on add Adobe as approved app to the list of apps in the controlled folder Access.
Controlled Folder Access (CFA) is another useful tool introduced in Windows 10 1709 tackling mainly Ransomware problems. Hope you enjoyed this post and see on the next feature.
For more information on the first blog post please check the below Link
0 Comments
