Windows 10 Gets Anti-Ransomware Feature

John Lister

Microsoft is adding a new feature to Windows 10 that could make it harder for ransomware to lock up files. It could be useful, but is certainly not a complete defense.

The feature, called "Controlled Folder Access," is part of the Windows Defender security tool and is already being tested by users who've volunteered for advanced access to Windows 10 updates.

The idea is that specific folders can be protected so that only approved applications can create, alter or delete files in them. That covers encrypting the files, which is the key tactic ransomware uses to try to force the computer's owner to pay up.

User Must Approve Apps

It looks like Microsoft is going for a "whitelisting" approach, which means that applications will be blocked by default and only those the user has specifically approved will be able to make changes to the folder. Some common, trusted applications will be whitelisted automatically. If an application not on the list tries to make a change, Windows will not only block it from doing so, but will display an on-screen warning to the user.

By default, the most commonly used folders in Windows, such as Documents and Desktop, will be protected. Users will be able to manually add other folders to be protected.

People in the testing program need to actively switch on the feature. It's not yet confirmed if this will be the case when the update goes to general users, though it sounds like a feature that would usually be on by default.
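As an added example (not from the article, and not Microsoft's own documentation), here is how an administrator would switch the feature on, add a protected folder and an approved application, and then review what it logged, using the Windows Defender PowerShell cmdlets; the folder and application paths are placeholders.

```powershell
# Added example: manage Controlled Folder Access with the Windows Defender cmdlets.
# Assumes an elevated PowerShell session on a Windows 10 build that ships the feature.
# The folder and application paths below are placeholders, not values from the article.

# 1. Check the current state. Values: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"

# 2. Start in audit mode: would-be blocks are logged but nothing is stopped yet.
#    This reveals which legitimate programs write to the protected folders before
#    enforcement, which is how to avoid the prompt fatigue the article worries about.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Add a folder beyond the defaults (Documents, Desktop, etc.) to the protected set.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'

# 4. Allow one specific application to modify protected folders. Keep this list short:
#    an allowed program that can be driven by a macro or an exploit is exactly the
#    loophole the article describes, so do not allow general-purpose hosts such as
#    Office applications or script interpreters just to silence a warning.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleBackup\backup.exe'

# 5. Review what was audited (Event ID 1124) or, once enforced, blocked (Event ID 1123).
#    Both are written to the Windows Defender operational event log.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The event message identifies the process that attempted the write and the path.
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Message = ($e.Message -split "`n")[0]
    }
}

# 6. Once the audit log shows only expected programs, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Run the audit step for a few days of normal use before enforcing, because every unexpected process in the 1124 events is either a program to approve or an activity to investigate.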

Legit Applications Could Be Loophole

The tactic won't stop all ransomware. One limitation is that malware could exploit vulnerabilities in approved applications, for example by running macros in Microsoft Word, so that a trusted program does the damage on its behalf. It also won't protect against recent attacks that target the Master File Table (MFT), which is effectively the index of a computer's hard drive and is necessary for it to work properly. (Source: arstechnica.com)

Controlled Folder Access is one of several security updates being tested for both Windows and the Microsoft Edge browser. The other updates are largely about making sure that if a security flaw is exploited, any damage can be contained and thus cause minimal problems. (Source: windows.com)

What's Your Opinion?

Does Controlled File Access sound like a welcome idea to you? Would you be happy to set up the choice of protected folders and approved apps? Or is there a risk the feature would be too disruptive as happened with User Access Control in Windows Vista?


Comments

Dennis Faas

When Windows Vista debuted User Access Control (UAC), it was a real pain to get past all those prompts asking "Are you sure you want to run this?" Since then, however, Windows has improved quite a bit and many of the prompts (often related to system tasks) don't appear as much - I think it has to do with digitally signed programs (which work through certificates) being the reason.

Controlled File Access sounds like a good idea - but it will likely take some tweaking, and surely will be a bit of a pain set up at first. But, once it's set up, it should work without much interaction.

jamies

A key entry in the article is
"It also won't protect against recent attacks that target the Master File Table (MFT),"
So the only safe systems management is to have a backup facility that has multiple (historic) versions of media that is only re-attached to the system when it can be deleted.

Now I recently noticed that Easeus TODO is supposed to do backups to OneDrive.
However - the 1TB of OneDrive that I got with my Office subscription runs at under 4GB a day - so to back up a 150GB OS partition - say 50 days to upload the files using the Microsoft facility and (with my 6GB a day incremental update, maybe 2 days for each daily incremental update).
I asked Easeus support if the backup process used its own facility that would work faster than the MS interface - and the response was basically "try it yourself".
OK - I do have the 1TB - but those without the subscription will not be able to try the process themselves without spending (maybe 100) for the storage volume needed for a backup and then committing their system to maybe being at 90% usage for several days, or maybe many weeks.

So, currently, I cannot recommend Easeus TODO as a backup to cloud facility.
Although that technique is a possible way of dealing with crypto-malware.

So - back to Microsoft's offerings and proposal . . .
Yup - 1 star and using system resources

I have been advocating for many years that Microsoft should provide some protection for users against malware.
Their current built-in backup (System Image) and File History are both open to simple go-to-the-folder exploits, and File-History cannot even be relied on to backup all files from the specified folders.

In my view there is a serious opening in the current Windows design in that there are not enough user levels within the Windows OS.
----------
There should be an Install level ID that also manages updates to the OS and backups.
The files and folders it controls and manages should only be changeable by process IDs with that level of authority - and it should be a requirement that that level of access be only acquirable by a user at startup time.
Not the first user login for this startup - no access allowed.
So - no browser process or user-initiated .exe .scr .co. etc process can provide any access to that ID's protected folders and files - and those should be in a separate fenced-off area of the drive, and maybe also control separate areas of other drives that can be used for the storage of backups.

Sounds like a heavy load on developers - but - there is now the System partition and UEFI - so why not a Windows Partition as well
---------
Then there should be the current install-Admin level (maybe designated system admin) needed to make changes to the facilities that can be considered part of the users' working environment as well as
Add normal 'Admin' level users and manage any file/folder ownership changes that are not being done by the file/folder owners.
That would also be required to install any facility that would be considered a system management utility - including password managers.
BUT NOT able to go online except to individually authorised from the installing-id level.
---------
Then the current admin authorised users - able to manage normal users and install applications that work with user data files BUT are not allowed to change the OS level files and processes.
---------
And - then the not 'privileged' user - browsers, emails and games & office type activities including downloads etc. but NOT installs
---------
So at least 4 levels of access
1 Does OS install and maintenance need boot to get to be one of that levels user
2 Does maintenance of NOT-the-OS facilities and user level install creation removal maintenance.
3 Does Apps installs and configuration & able to act as a user (4)
4 The user's working environment
---------
That would mean that normal work users 4 & 3 would not have access to the OS and its files.
And the special logon for level 1 would mean that there would NOT be a means for level 1,2 or 3 to install or run any process without the person at the keyboard being aware of the system being changed.

Yes - restarts to the level 1 process would be an annoyance - but much of what MS is sending as updates are not the sort of thing that would need that - other than what would be run as a scheduled - at startup task
Get fixes - with the user allowed to defer that process as many user session restarts as they can be bothered to re-state defer.
Get updates - & features - with the user allowed to defer that process for up to a week, for as many weeks as they want.
Get severe security level problem fixes and malware profiles fixes - defer at logon for up to 4 hours

With the user allowed to request the system proceed with any of the deferred sets at any later time in the day's work.

So - the user has control of the system maintenance - but has to regularly assert that control.

The system has control of the OS and excludes the general 'system user' level users from that.

The senior level user (3) can perform the tasks that affect the system user level but not the OS level.

-------------

Basically run the level 3 & 4 in the equivalent of a virtual system.

-------------

ecash

Wouldn't it be nice...
IF programs STAYED in their OWN dirs??
And a background task that WATCHES for any interactions between or jumping INTO another program's DIR.
But even in the old days, Windows LET/ALLOWED the interaction of programs..
Reading isn't a problem.. IT'S the copy back to the same dir.
It's merging programs that REALLY don't need to merge. Reading DATA from another section is nothing if you wish to ADD it to another file, as it's NOT using the same names and jumping OUT of its OWN DIR..

Any action of EXECUTABLE CODE should be locked up and scanned and held in 1 location..
Which has been a problem I have had since MS let Windows execute HTML and PPS from inside EMAIL..
If you want it to execute, LOCK IT UP, let Windows scan it and THEN run it.. any time it TRIES to gather info/data/... from your system, it would be shut down.

threeball

In my estimation most InfoPackets subscribers are damned if they do, damned if they don't. I am glad my security already blocks r/ware, so I won't immediately have to decide whether to participate in this.

Dennis Faas

Don't be fooled by security programs that claim to block ransomware. It may block a small portion that it can recognize (and only if it recognizes it), but it won't detect exploits in the operating system that allow remote code execution which then allow for infection to occur. Please note the difference. No security program can save you 100% of the time.

threeball

You are totally correct Dennis, I did not mean to imply I trust either Avast Internet or MBAM Premium to block all r/ware, though 1 of them does stop them from reposting their page; I then exit after turning the modem off and block the site trying to infect me in Avast site-block. Thanks for your input, it is well respected by me. Travis