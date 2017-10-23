
Windows Security

Windows 10's 'Controlled Folder Access' Anti-Ransomware Feature Is Now Live (bleepingcomputer.com) 60

Posted by msmash from the take-note dept.
A reader shares a BleepingComputer report: With the release of Windows 10 Fall Creators Update last week, the "Controlled Folder Access" that Microsoft touted in June is now live for millions of users. As the name hints, the Controlled Folder Access feature allows users to control who can access certain folders. The feature works on a "block everything by default" philosophy, which means that on a theoretical level, it would be able to prevent ransomware when it tries to access and encrypt files stored in those folders. The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.


  • Isn't this just like having a home directory where others aren't allowed write access to your files?

    I can't help but wonder why it took Windows 2 decades to correct the default umask on user files.

    • Re:Um... Isn't this just default Linux permissions (Score:4, Informative)

      by JcMorin ( 930466 ) on Monday October 23, 2017 @11:30AM (#55417699)
      The new feature is not permission by users but permission by an application running. The virus, most of the time, runs under your own credentials.
      • So the user will be asked a number of times (probably once per appli / folder) if they agree to allow that appli to access that folder, then when they see the fake "Adobe something wants to access your folder" they will be used to automatically Yes it.

        • Re: (Score:2)

          by ljw1004 ( 764174 )

          So the user will be asked a number of times (probably once per appli / folder) if they agree to allow that appli to access that folder, then when they see the fake "Adobe something wants to access your folder" they will be used to automatically Yes it.

          No. RTFA. They will see an error dialog that says "Access is denied. Use File>SaveAs to save under a different location or name." The only way to enable it is (1) opt in via the control panel, (2) choose apps via the control panel.

      • That sounds a lot more sensible: Windows NT has had ACLs (much richer than the default UNIX model and similarly expressive to NFSv4 / POSIX ACLs) since day one, but the ACLs have been per user, not per (user, program) pair. The NT kernel supports this kind of ACL policy, but it's never been exposed via the UI (Chromium uses it for sandboxing, constraining different binaries to different parts of the FS).

        It's very useful if it's paired with a sensible default policy and a sensible UI. You can implement

    • The file permissions on Windows filesystems are far more granular and not just based on an xxx field of bitmaps like on vintage OSes like Unix.

      What I would like to see for the defanging of ransomware is a way to permanently disable filesystem encryption unless it is re-enabled by a very-restricted-access tool, i.e. filesystem encryption can be permanently disabled on a system and re-enabling it requires a local admin account running in Safe Mode to re-enable plus answer a prompt at reboot.

      Encryption and sim

      • permanently disable filesystem encryption

        Just because the Windows libraries are a convenient way to encrypt, they're just the low-hanging fruit. If this became difficult to use, they'd just use another library to encrypt the file contents. Malware can easily include this if needed.

      • The file permissions on Windows filesystems are far more granular and not just based on an xxx field of bitmaps like on vintage OSes like Unix.

        Non-vintage Unixes don't rely exclusively on an xxx field bitmap either.

        Modern unix filesystems do support ACL for more complex access control.
        Modern features like SELinux and AppArmor also help having application-level control.

        What I would like to see for the defanging of ransomware is a way to permanently disable filesystem encryption unless it is re-enabled by a very-restricted-access tool

        And how would that prevent ransomware from implementing its own encryption?
        (e.g.: moving all data it can manage to get access to into a huge password-encrypted .ZIP file?)

    • No, it's not the same. Windows already has proper permissions for user directories since Windows NT. The issue is that ransomware runs under the same uid as yourself, so if you can access your own file, then the ransomware program can access those same files. This new feature makes it so that even if the uid has access, you can specify ADDITIONAL restrictions, like which exe is permitted to do so. So some ransomware.exe, even with your uid, will be unable to make changes.

      There is no such ability in Linu

      • Re: (Score:2)

        by amorsen ( 7485 )

        There is no such ability in Linux or *nix, since ACLs are solely based on uid and not the name of the executable with your uid.

        Yes there is. There are even two in Linux, SELinux and AppArmor.

        However, there is no easy-to-use GUI to administer it per-user, which means that you rely on the way-too-permissive default policy for most programs. This could have been done years ago technically, since SELinux and AppArmor are both quite old, but no one had the right idea apparently.

    • Nope. By the sound of things, this is more akin to the sandboxing feature present in apps sold via the Mac App Store. The apps are running under your permissions, just as they always have, but they now need to request and be granted permission to access new folders. Basically, just as mobile OSes require that an app request and receive permission before it can use the camera, the mic, or your location, Windows is, from what the summary sounds like, now requiring that apps request permission to access specif

    • Re: (Score:2)

      by guruevi ( 827432 )

      In Windows, everything runs under your user's account and almost everything else runs as root. This is similar to setting the noexec flag on the user's home partition, something that has also existed a long time.

  • First exploit will take that feature, lock out USER from doing anything, and pop up a ransomware screen.

  • Not sure... (Score:3)

    by djbckr ( 673156 ) on Monday October 23, 2017 @11:29AM (#55417689)
    How does this work? If "you" somehow allow access to the ransom-ware by clicking something you shouldn't, and the folder is owned by "you" - does this help? And if you are being asked for access to something "you" own on a regular basis, does this actually work?
    • It appears to whitelist applications that can modify files in the designated folders. Hopefully it is smart enough that renaming the virus to notepad.exe won't let it in...

      • If there's whitelists, there will have to be ways to put new applications on the whitelists. (I would have a great deal of difficulty if I couldn't run vim on all text files, for example, but it's not something most people want on their Windows machines.) That looks like one additional button to get the user to click on.

        So, I inherently distrust it.

    • This is more similar to something like SELinux and AppArmor.

      e.g.: some attachments that you clicked on in your e-mail client, even if run as your credentials, should NOT have a valid reason to write anywhere on your folders (and attachments should not be run to begin with).

      e.g.: any sub-process launched by the browser should only exclusively have the rights to write into the cache and download folder, and not anything else, even if they still inherit your session (even if the sub processes aren't changing

    • I'm periodically asked "Do you want to run ransomware.exe?" to which I happily answer "yes". Then a daily crontab does "rm -rf ~/.wine"

  • simple, decade old solution (Score:5, Interesting)

    by Anonymous Coward on Monday October 23, 2017 @11:38AM (#55417751)

    On VMS you could never overwrite a file. File system would by default always keep all the previous versions of it. Ransomware action like that would just result in having additional, encrypted, versions of your files.

    • You can bet that if Microsoft tries to actually seriously implement a log-structured (e.g.: actually decided to use UDF beyond optical and portable flash media) or copy-on-write filesystem (e.g.: ZFS and BTRFS on NT kernels) that supports version control, they'll botch it and there will be an exploit found making the older copies also editable by a non-admin user (the ransomware could purge the older copies and only leave the encrypted version).

    • On VMS you could never overwrite a file. File system would by default always keep all the previous versions of it. Ransomware action like that would just result in having additional, encrypted, versions of your files.

      That should be true of macOS's "versioned" files, too. Although it appears to be an Application-Specific feature, rather than an OS-wide thing, although reportedly, there is wide Application support for it.

      http://osxdaily.com/2015/06/16... [osxdaily.com]

  • Fundamentally if I can do something using my user level privilege, any code I execute can do it. These ransomware exploit a flaw in security and create a local process. Depending on the vulnerability it runs with root or user level privilege. So it should be able to do everything I do, including removing protection for some folders. In fact now it does not have to scan the whole computer to find valuable files. It needs to only look at protected folders.

    So how does this work?

    • Re: (Score:2)

      by vux984 ( 928602 )

      "So how does this work?"

      I would guess it uses UAC elevation to grant permission to the app to the protected folder.

  • I mean command line tools. Do you have to give permission to everything, like copy.exe?
    • Presumably, the OS would be smart enough to whitelist its own executables automatically, so you'd only be setting up third-party apps that need to access your protected directories (My_Docs or whatever; if you try and protect your whole hard-drive then all that extra setup is on you.)

  • In my opinion, it would have been a heck of a lot more useful for Microsoft to roll out a versioning file system. That would have provided more value to customers and ended up being way more useful in every way vs piling on new access control regimes and expecting people to use it for real this time.

    Would be interesting to hear what if anything prevents an attacker from modifying search path environment variables or user registry or CLI parameters to convince software to load custom add-on haxor.dll's and then laun

  • Seriously, most of that kind of malware runs as *YOU*. If you have full access to it, it will be able to encrypt the files. Am I missing something?

    • Protection relies on what application is allowed to access what folder (plus, of course, the user ACLs to the files)

  • Why should apps have access to all folders by default and then (only now) there is a feature to restrict certain folders? Why should most apps access anything except their own data? Android/iOS/OSX/Web have been like this forever, what is taking so long for Windows?

    • Logical indeed. But other apps should be written that way. I'm not sure if this is always true on Windows. Don't see why Mac OS X is better. Files in /Users/username are also accessible by every app.

  • >The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.

    This is ridiculous in the extreme. Anyone fearful of losing their files for any reason should be backing them up on a regular basis! So perhaps this new feature prevents files being encrypted in a ransomware attack, but what if the disk fails? Or any number of other issues?

    Come on people, get a clue!

    • One of the problems with backups is many people keep their backup drive connected, either directly or over a LAN. Ransomware can encrypt those files, too.
  • Blocked from access by all programs by default? So I go to photoshop and hit open and the open file dialog box is blocked from accessing any folder anywhere in my user directory? That's helpful. Is that really how this works or is this more like "nothing can get past the UAC" type of BS?
  • It's just a way to have you mark your interesting files to steal from you. Just like deleting a comment
  • No, I didn't read the article, but why should I when this sounds really dumb? Why not protect the entire drive instead of protecting parts of it!? If you have a method for the former, why not do it for the latter and leave it at that? Also how is this fundamentally different than the access/security settings for files and subdirectories that have existed in NTFS for decades?
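
Several comments above describe the feature as an allowlist of applications permitted to modify designated folders. The PowerShell audit below is an added example, not part of the thread or the BleepingComputer report; it assumes the Windows Defender cmdlet `Get-MpPreference` is available (Fall Creators Update or later) and, as its own heuristic, flags allowlisted executables that sit under the user's profile, temp or Public folders, since a process running as that user can replace them.

```powershell
# Added example: read-only audit of the local Controlled Folder Access settings.
# Nothing here changes configuration; it only reports what is set.
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit only' }
$pref  = Get-MpPreference

$mode  = [int]$pref.EnableControlledFolderAccess
$label = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { "Other ($mode)" }
"Controlled Folder Access: $label"

# Folders added by the user or by policy, on top of the built-in defaults.
"Additional protected folders:"
@($pref.ControlledFolderAccessProtectedFolders) |
    Where-Object { $_ } | ForEach-Object { "  $_" }

# Assumption of this example: these roots are writable by a standard user,
# so an allowlisted binary stored beneath them can be swapped without elevation.
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:PUBLIC) | Where-Object { $_ }

$allowed = @($pref.ControlledFolderAccessAllowedApplications) | Where-Object { $_ }

$report = foreach ($app in $allowed) {
    $exists = Test-Path -LiteralPath $app -PathType Leaf
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $app).Status } else { 'n/a' }
    $weak   = [bool]($userWritable | Where-Object {
        $app.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    })
    [pscustomobject]@{
        Application    = $app
        Exists         = $exists      # stale entries point at files that are gone
        Signature      = $sig         # 'Valid' means an intact Authenticode signature
        InUserWritable = $weak
    }
}

"Allowed applications: $(@($report).Count)"
$report | Sort-Object InUserWritable -Descending | Format-Table -AutoSize

# Entries worth a second look: missing, not validly signed, or user-writable.
$report | Where-Object {
    -not $_.Exists -or $_.Signature -ne 'Valid' -or $_.InUserWritable
} | ForEach-Object { "REVIEW: $($_.Application)" }
```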
