As ransomware assaults gained steam within the mid-2010s, Microsoft sought to offer Windows customers and admins instruments to guard their PCs from such assaults. With its October 2017 function replace, the corporate added a function referred to as Controlled Folder Access to Windows 10.On paper, Controlled Folder Access seems like an awesome safety for shoppers, dwelling customers, and small companies with restricted assets. As outlined by Microsoft, “Controlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).”Microsoft goes on to say, “Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.”Folders which can be particularly protected embrace:c:Users<username>Documentsc:UsersPublicDocumentsc:Users<username>Picturesc:UsersPublicPicturesc:UsersPublicVideosc:Users<username>Videosc:Users<username>Musicc:UsersPublicMusicc:Users<username>FavoritesUnintended consequencesSo let’s all roll it out, proper? Well, not so quick. Askwoody discussion board consumer Astro46 lately famous that he’s been attempting to make use of Controlled Folder Access, and it’s been inflicting unintended effects in his use. As he associated: I had assumed that quickly I’d work via the varied entry notifications, and all would cool down. Never occurred. I typically discovered myself coping with some inexplicable drawback with a program not functioning accurately, finally tracing to a denied folder entry. This may not be fairly as unhealthy if I had seen a notification when it occurred. But, generally sure, generally no.And, it appeared that applications I had beforehand given entry approval to have been inflicting issues once more. Because this system up to date, and Controlled Folder Access couldn’t perceive that? Frustration and time misplaced received out over the supposed safety.As the PDQ weblog factors out, there might be unintended effects that will block distant administration instruments and different applied sciences. When you may have enabled Controlled Folder Access, what you will note once you set up software program is the interplay between the safety and the installer course of because the installer makes an attempt to achieve entry to sure folders. You might get prompts akin to “Unauthorized changes blocked” or “Softwarename.exe blocked from making changes. Click to see settings.”When utilizing Controlled Folder Access, chances are you’ll want to make use of it in audit mode fairly than totally allow the method. Enabling Controlled Folder Access in full enforcement mode might end in you spending loads of time working down and including exclusions. There are many anecdotal posts about pc customers having to spend hours monitoring down entry and including exclusions. One such poster (a number of years in the past) discovered that he had so as to add what he thought-about to be regular Microsoft functions akin to Notepad and Paint to the exclusion course of. Tracking down problemsUnfortunately, as a result of the consumer interface is minimal, the principle approach managed folder conflicts are found on standalone workstations is through alerts that seem within the system tray when a folder is protected and an utility is making an attempt to entry the placement. Alternatively, you may entry the occasion logs, however earlier than you may evaluate the small print, you need to import an occasion xml file.As famous in Microsoft’s Tech Community weblog, you need to obtain the analysis bundle file and extract cfa-events.xml to your obtain folder. Or you may copy and paste the next traces to a Notepad file and put it aside as cfa-events.xml:<QueryChecklist> <Query Id=”0″ Path=”Microsoft-Windows-Windows Defender/Operational”> <Select Path=”Microsoft-Windows-Windows Defender/Operational”>*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select> <Select Path=”Microsoft-Windows-Windows Defender/WHC”>*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]</Select> </Query></QueryChecklist> Now import this xml file into your occasion viewer so you may extra simply view and type the Controlled Folder Access occasions. Type occasion viewer within the Start menu to open the Windows Event Viewer. On the left panel, below Actions, choose Import customized view. Navigate to the place you extracted cfa-events.xml and choose it. Alternatively, copy the XML straight. Select OK.Next, look within the occasion log for the next occasions:5007 Event when settings are modified1124 Audited managed folder entry occasion1123 Blocked managed folder entry occasionYou’ll wish to give attention to 1124 in case you are in audit mode or 1123 in case you’ve totally enabled the Controlled Folder Access for testing. Once you evaluate the occasion logs, it ought to showcase the extra folders that you could alter to ensure that your functions to totally perform.You might discover that some software program wants entry to extra recordsdata that you simply weren’t anticipating. Therein lies the difficulty with the device. While Microsoft has many functions already authorized, and thus they may work simply fantastic with Controlled Folder Access enabled, different or older functions might not work effectively. It’s typically been shocking to me which recordsdata and folders want no changes and which do require changes.Similar to Attack Surface Reduction Rules, that is a kind of applied sciences that I want had a greater standalone interface for particular person workstations. While companies with Defender for Endpoint can evaluate the problems pretty simply, standalone workstations nonetheless need to depend on messages that pop up within the system tray.Bottom lineIf you depend on Defender on your antivirus wants, take into account evaluating Controlled Folder Access for extra ransomware safety. However, my suggestion is to really consider, not simply deploy it. You’ll wish to allow it in audit mode and take your time reviewing the affect. Depending in your functions, chances are you’ll discover it extra impactful than you suppose.For these with Defender for Endpoint, you may allow Controlled Folder Access as follows: In Microsoft Endpoint Configuration Manager, go to Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard. Select Home after which Create Exploit Guard Policy. Enter a reputation and an outline, choose Controlled folder entry, and choose Next. Choose whether or not to dam or audit modifications, permit different apps, or add different folders, and choose Next.Alternatively, you may handle it with PowerShell, Group Policy, and even registry keys. In a community state of affairs, you may handle the functions you add to the trusted record by utilizing Configuration Manager or Intune. Additional configurations might be carried out from the Microsoft 365 Defender portal.Often, there’s a steadiness between the dangers of assaults and the affect of safety programs on computer systems. Take the time to guage the steadiness and whether or not this has a suitable overhead on your wants.
Copyright © 2022 IDG Communications, Inc.