Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Windows Security

Windows 10's 'Controlled Folder Access' Anti-Ransomware Feature Is Now Live (bleepingcomputer.com) 157

A reader shares a BleepingComputer report: With the release of Windows 10 Fall Creators Update last week, the "Controlled Folder Access" that Microsoft touted in June is now live for millions of users. As the name hints, the Controlled Folder Access feature allows users to control who can access certain folders. The feature works on a "block everything by default" philosophy, which means that on a theoretical level, it would be able to prevent ransomware when it tries to access and encrypt files stored in those folders. The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.
This discussion has been archived. No new comments can be posted.

Windows 10's 'Controlled Folder Access' Anti-Ransomware Feature Is Now Live

Comments Filter:
  • First Exploit (Score:5, Interesting)

    by Calydor ( 739835 ) on Monday October 23, 2017 @10:28AM (#55417685)

    First exploit will take that feature, lock out USER from doing anything, and pop up a ransomware screen.

    • by rtb61 ( 674572 )

      Technically locking out the user is not a design exploit but a design feature. With M$ as the main administrator user of any windows 10 installation (as the owner you are no longer the administrator just the pretend one), will use it to upload and store programs which they claim for convenience you can instantly access when you pay for them or just to be even more helpfull they can lock you out when you stop paying rent on your own hardware. This is not a security feature for you, this is a control feature

  • Not sure... (Score:4, Interesting)

    by djbckr ( 673156 ) on Monday October 23, 2017 @10:29AM (#55417689)
    How does this work? If "you" somehow allow access to the ransom-ware by clicking something you shouldn't, and the folder is owned by "you" - does this help? And if you are being asked for access to something "you" own on a regular basis, does this actually work?
    • It appears to whitelist applications that can modify files in the designated folders. Hopefully it is smart enough that renaming the virus to notepad.exe won't let it in...
      • If there's whitelists, there will have to be ways to put new applications on the whitelists. (I would have a great deal of difficulty if I couldn't run vim on all text files, for example, but it's not something most people want on their Windows machines.) That looks like one additional button to get the user to click on.

        So, I inherently distrust it.

        • by tepples ( 727027 )

          If there's whitelists, there will have to be ways to put new applications on the whitelists.

          Of course there is. An application's developer pays Microsoft a recurring fee for services that include reviewing each version of the application and hosting the application and its updates in Microsoft's repository.

          (Source: Any article describing Windows 10 S)

    • This is more similar to something like SELinux and AppArmor.

      e.g.: some attachments that you clicked on in your e-mail client, even if run as your credentials, should NOT have a valid reason to write anywhere on your folders (and attachements should not be run to begin with).

      e.g.: any sub-process launched by the browser should only exclusively have the rights to write into the cache and download folder, and not anything else, even if they still inherit your session (even if the sub processes aren't changing

    • I'm periodically asked "Do you want to run ransomware.exe?" to which I happily answer "yes". Then a daily crontab does "rm -rf ~/.wine"
      • by amorsen ( 7485 )

        You trust wine as a sandbox? That is... courageous.

        • by tepples ( 727027 )

          I don't trust Wine as a sandbox, given that the entire file system is mounted by default under Z:. It's a bit easier to trust running untrusted executables in a separate user account.

    • Which user owns a folder is irrelevant on an application level permission. You could run the application as administrator and it wouldn't make a difference. Defender will prevent the *process* from writing to the folder unless it's white listed.

      E.g. You may want MS Word and Libre Office Writer to access your folder called "word documents", and absolutely no other application. That won't stop you copying, pasting, moving, etc. But it will stop totallynotransomware-actuallynakedbritney.jpg.scr.exe from access

  • by Anonymous Coward on Monday October 23, 2017 @10:38AM (#55417751)

    On VMS you could never overwrite a file. File system would by default always keep all the previous versions of it. Ransomware action like that would just result in having additional, encrypted, versions of your files.

    • by Anonymous Coward

      Actually VMS did let you overwrite the file.

      You just had to specify which version to overwrite.

      And if the directory had a version limit of 1, then it happened automatically.

    • You can bet that if Microsoft tries to actually seriously implement a log-structured (e.g.: actually decided to use UDF beyond optical and portable flash media) or copy-on-write filesystem (e.g.: ZFS and BTRFS on NT kernels) that supports version control, they'll botch it and there will be an exploit found making the older copies also editable by a non-admin user (the ransomware could purge the older copies and only leave the encrypted version).

    • On VMS you could never overwrite a file. File system would by default always keep all the previous versions of it. Ransomware action like that would just result in having additional, encrypted, versions of your files.

      That should be true of macOS's "versioned" files, too. Although it appears to be an Application-Specific feature, rather than an OS-wide thing, although reportedly, there is wide Application support for it.

      http://osxdaily.com/2015/06/16... [osxdaily.com]

    • Your simple decade old solution would crash the system when it runs out of HDD space. Volume Shadow copy has been available for Windows for a decade too, but it doesn't solve the problem and is not better than a backup (actually in some scenarios it is worse).

    • Nope. By default it kept 50 versions.

      I vaguely recall names like : [ADE.Aerodynamics.CFD]flow2d.for;31

    • that solution works but your devouring storage space. For a little while high capacity hard drives were making that moot, but lately Users are getting low capacity SSDs now meaning we're back to square one and space is at a premium again. I have a working folder that's managed to grow to 4 gigs over the years full of text files, database backups, documents and the like. And my dev VMs start at 4 gigs and go up.
    • by EvilSS ( 557649 )

      On VMS you could never overwrite a file. File system would by default always keep all the previous versions of it. Ransomware action like that would just result in having additional, encrypted, versions of your files.

      Windows has a similar feature however it's not infinite, it only keeps a finite copy of previous versions. That's why most ransomware does multiple write operations to push the unencrypted version out of the previous versions cache.

  • Fundamentally if I can do something using my user level privilege, any code I execute can do it. These ransomware exploit a flaw in security and create a local process. Depending on the vulnerability it runs with root or user level privilege. So it should be able to do everything I do, including removing protection for some folders. In fact now it does not have to scan the whole computer to find valuable files. It needs to only look at protected folders.

    So how does this work?

    • by vux984 ( 928602 )

      "So how does this work?"

      I would guess it uses UAC elevation to grant permission to the app to the protected folder.

  • I mean command line tools. Do you have to give permission to everything, like copy.exe?
    • Presumably, the OS would be smart enough to whitelist it's own executables automatically, so you'd only be setting up third-party apps that need to access your protected directories (My_Docs or whatever; if you try and protect your whole hard-drive then all that extra setup is on you.)
    • Who the heck uses copy.exe?

      Most normal users will access their documents with a limit of: explorer.exe, word.exe, excel.exe, powerpoint.exe, and some image editor. That covers 90% of users out there.

  • My opinion would have been a heck of a lot more useful for Microsoft to roll out a versioning file system. That would have provided more value to customers and end up being way more useful in every way vs piling on new access control regimes and expecting people to use it for real this time.

    Would be interesting to hear what if anything prevents an attacker from modifying search path environment variables or user registry or CLI parameters to convince software to load custom add-on haxor.dll's and then laun

    • by EvilSS ( 557649 )
      Microsoft has a versioning tool: Shadow copy. It can keep previous versions of files. The problem is that malware authors know this, so they will open/write/close the file over and over to flush the clean copies out of the previous versions cache.
    • My opinion would have been a heck of a lot more useful for Microsoft to roll out a versioning file system.

      They did that with Windows XP SP2. However it would be far from useful for every change to increase the amount of disk space used.

      NTFS + Volume Shadow Copy, ZFS, btrfs, they all have one thing in common here, I disable the versioning on all of them. Backups are for backups, clouds are for clouds, git is for versioning, snapshotting / versioning filesystems are for wasting diskspace as quickly as humanly possible.

      • git is for versioning

        Then what is for versioning of large non-textual files, such as large GIMP, Photoshop, or Audacity projects? Git isn't really built to handle big binaries. And what is for protecting your private Git repositories from unauthorized modification by ransomware?

      • They did that with Windows XP SP2. However it would be far from useful for every change to increase the amount of disk space used.

        From what I understand there is a static change count limit rendering shadow copy worthless for prevention of ransomware.

        It would be necessary to configure minimum time and granularity guarantees when you setup a folder. One might say I want to be able to go back to previous state at any point in time over the past year, month, week... whatever and I want to keep at least one change every hour, day, week..etc allowing incremental deltas to be progressively eliminated to reduce cost.

        Once configured feature

        • What's the going rate for a 6TB drive these days?

          Quoting $ ignores the problem of data management. Apple's time machine is an easy solution, but every other implementation of versioning filesystem is a management nightmare for users and that nightmare gets larger as sizes increase.

          I believe it would have been more productive had Microsoft given users the tools and let them decide for themselves rather than piling on yet another set of access controls and expecting them to be used for real this time.

          Do you not realise that access controls and versioning are two different things that just happen to overlap in a small area? Are you also saying that since you're using ZFS snapshotting that AppArmor and SELinux are pointless?

  • Seriously, most of that kind of malware runs as *YOU*. If you have full access to it, it will be able to encrypt the files. Am I missing something?

    • Protection relies on what application is allowed to access what folder (plus, of course, the user ACLs to the files)
    • by EvilSS ( 557649 )

      Seriously, most of that kind of malware runs as *YOU*. If you have full access to it, it will be able to encrypt the files. Am I missing something?

      Yes, you are missing quite a lot actually.

  • Why should apps have access to all folders by default and then (only now) there is a feature to restrict certain folders? Why should most apps access anything except their own data? Android/iOS/OSX/Web have been like this forever, what is taking so long for Windows?

    • by tepples ( 727027 )

      Why should most apps access anything except their own data?

      If I save a document in LibreOffice Writer, and I want to preview it in Word Viewer or send it to someone in my mail user agent, what procedure would you recommend to grant Word Viewer or my mail user agent access to it?

      • by iamacat ( 583406 )

        System file open dialog or UI drag and drop will have no problem opening the file and granting a temporary permission to access it. Or LibreOffice can call an API to share a file with user's choice of an app. That's how it works everywhere.

        • by tepples ( 727027 )

          Have fun dragging and dropping all the source code files from your text editor to your build tool every time.

  • >The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.

    This is ridiculous in the extreme. Anyone fearful of losing their files for any reason should be backing them up on a regular basis! So perhaps this new feature prevents files being encrypted in a ransomware attack, but what if the disk fails? Or any number of other issues?

    Come on people, get a clue!

    • One of the problems with backups is many people keep their backup drive connected, either directly or over a LAN. Ransomware can encrypt those files, too.
  • Blocked from access by all programs by default? So I go to photoshop and hit open and the open file dialog box is blocked from accessing any folder anywhere in my user directory? That's helpful. Is that really how this works or is this more like "nothing can get past the UAC" type of BS?
    • Yes, it's very helpful. Think of it when your phone says 'Program X would like to access your photos/camera/location services/microphone/address book/whatever.'

      It's ACL by program, rather than by login.

  • Its just a way to have you mark your interesting files to steal from you. Just like deleting a comment
  • No, I didn't read the article, but why should I when this sounds really dumb? Why not protect the entire drive instead of protecting parts of it!? If you have a method for the former, why not do it for the latter and leave it at that? Also how is this fundamentally different than the access/security settings for files and subdirectories that have existed in NTFS for decades?
    • by amorsen ( 7485 )

      Because the vast majority of files on most PCs are completely standard system or program files that no one really cares about getting encrypted. Fixing them is just a reinstall away, and the traditional ACL's are likely to prevent the wrong kind of access anyway.

      The only stuff that's worth protecting is precisely the photo album and the documents folder and the genealogy database and similar. The system does not know which programs should be touching each directory, only the user knows. With Controlled Fold

  • Either I don't understand how it works or it can be circumvented by gaining the SYSTEM level privileges (and most Windows users say "yes" to all UAC warnings so getting the said privileges is not that difficult).
    • UAC warnings are pretty much non-existent in Windows 10. Everything requires manually setting permissions through a control panel. There's no more simply "click yes to screw yourself" button.

      As for privileges, this isn't about ACLs on the filesystem. Think of it like a virus scanner. The virus scanner doesn't care if you try to execute something as Administrator, it still gets in there first. Only rather than looking for viruses in this case it looks at which process is trying to access the disk and blocks

  • Because "humans" will end up saying "yes" to about everything.
    Free game.
    Free browser.
    Similar named application.
    There is no way to aid "idiots" who do not keep at least one backup of their relevant data.

  • ... instead of filesystem locations (or in addition to)
    A ransomware needs to read and write tons files rapidly to be "effective".That's usually how people get first signals:"my pc get very slow"

  • Truly, they are an industry pioneer.

  • Windows/system32/drivers/etc/hosts it's hit or miss each time I go looking for it. The ETC directory doesn't show half of the time.

To do two things at once is to do neither. -- Publilius Syrus

Working...