As ransomware attacks gained prominence in the mid-2010s, Microsoft sought to give Windows users and administrators tools to protect their PCs from such attacks. With its October 2017 feature update, the company added a feature to Windows 10 called Controlled Folder Access.
On paper, Controlled Record Access sounds like a great protection for consumers, home users, and small businesses with limited resources. As defined by Microsoft, “Controlled folder access helps protect your valuable data from malicious applications and threats like ransomware. Controlled folder access protects your data by checking applications against a list of known and approved applications. Controlled folder access is supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients and can be enabled using the Windows Security app, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).
Microsoft continues: “Controlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. In general, frequently used folders, e.g. for documents, pictures, downloads, etc., are included in the list of watched folders.
Protected submitted files:
So let’s all use it, shall we? Well, not so fast. Forum user Askwoody Astro46 recently noted that he was trying to use Controlled Folder Access and encountered side effects when using it. As he told:
I had assumed that I would soon be working on the various access notifications and everything would calm down. never happened I’ve often faced an inexplicable problem where a program wouldn’t work properly, ultimately resulting in a folder being denied access. It might not be so bad if I saw a notification when it happened. But sometimes yes, sometimes no.
And it seemed that the programs I had previously granted access to were causing new problems. Because the program was updated and Controlled Folder Access couldn’t find out? Frustration and wasted time triumphed over supposed security.
As the PDQ blog points out, there can be side effects that can block remote management tools and other technologies. If you have controlled folder access enabled, you will see the interaction between the protection and the installation process during software installation when the installer attempts to access specific folders. You may get prompts like “Unauthorized changes blocked” or “softwarename.exe cannot make any changes. Click here to view settings.
If you’re using Controlled Folder Access, you might need to use it in audit mode instead of enabling the process entirely. Enabling controlled folder access in full enforcement mode can waste a lot of time and add exclusions. There are many anecdotal posts about computer users having to spend hours researching access and adding exclusions. One such poster (a few years ago) noted that he needed to add to the process of elimination what he saw as regular Microsoft apps like Notepad and Paint.
Unfortunately, since the user interface is minimal, controlled folder conflicts are mainly detected on standalone desktops through alerts that appear in the taskbar when a folder is protected and an application tries to access the location. You can also access event logs, but before you can view the details you must import an event XML file.
As mentioned in Microsoft’s Tech Community Blog, you need to download the test package file and extract cfa-events.xml to your downloads folder. Or you can copy and paste the following lines into a Notepad file and save as cfa-events.xml:
Now import this XML file into your event viewer so that you can more easily view and sort controlled folder access events. cone Event Viewer in the Start menu to open the Windows Event Viewer. Selected under Actions in the left pane Import a custom view. Navigate to where you extracted cfa-events.xml and select it. You can also copy the XML directly. Choose OK.
Next, check the event log for the following events:
5007 Event when settings are changed
1124 Audited controlled folder access event
1123 Blocked controlled folder access event
You need to focus on 1124 if you’re in audit mode, or 1123 if you’ve fully enabled Controlled Folder Access for testing. After reviewing the event logs, you should see any additional records that you need to customize to make your apps work.
You may find that some software requires access to additional files that you are not expecting. Here lies the problem with the tool. Although many apps have already been approved by Microsoft and therefore work perfectly with Controlled Folder Access enabled, other apps or older apps may not work properly. It has often surprised me which files and folders don’t need customizations and become customizations.
Similar to the attack surface reduction rules, this is one of those technologies where I would have a better standalone interface for individual workstations. While organizations can use Defender for Endpoint to investigate issues with relative ease, standalone desktops still have to rely on notifications displayed in the system tray.
at the end of the line
If you rely on Defender for your antivirus needs, consider controlled folder access for additional ransomware protection. However, my recommendation is to really rate it, not just pass it. You should activate it in surveillance mode and take your time to check the effects. Depending on your uses, you may find it more powerful than you think.
For those who have Defender for Endpoint, you can enable controlled folder access as follows: In Microsoft Endpoint Configuration Manager, allow Assets and Compliance > Endpoint Protection > Windows Defender Exploit Guard. Choose a house so what Create an exploit prevention policy. Enter name and description, select Controlled access to filesand select Next. Choose whether to block or audit changes, allow other apps, or add more folders, then choose Next.
Alternatively, you can manage it with PowerShell, Group Policy, and even registry keys. In a network scenario, you can use Configuration Manager or Intune to manage the apps that you add to the trusted list. Additional configurations can be made through the Microsoft 365 Defender portal.
There is often a balance between the risk of attack and the impact of security systems on computers. Take the time to assess the balance and determine if it has an acceptable overhead for your needs.
Copyright © 2022 IDG Communications, Inc.