Say goodbye to ransomware with Windows 10 Fall Creators Update

[trparky]

Yes, ransomware will be a thing of the past with Windows 10 Fall Creators Update thanks to something called "Controlled Folder Access" in Windows Defender.

Windows 10 will hide your important files from ransomware soon | The Verge

Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It’s designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders.

“Controlled folder access monitors the changes that apps make to files in certain protected folders,” explains Dona Sarkar, head of Microsoft’s Windows Insiders program. “If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt.”

The new controlled folder feature is designed to protect against viruses and ransomware from locking machines out of certain folders. Ransomware has hit the headlines recently as WannaCry and Petya wreak havoc on older Windows machines worldwide. Microsoft is also including exploit protection into its Windows Defender software in Windows 10, which should help prevent viruses and malware from exploiting vulnerabilities in the first place.

These are protections for your files against ransomware at the kernel and Windows Defender level. Rest easy, your files are safe.

About damn time Microsoft!

 

[Halo3Addict]

Didn't the recent attacks encrypt the MBR? Not sure how this is supposed to stop that, but it's a nice addition I guess.

 

[Ahhzz]

I wonder if that would help against the new notPetya, which takes aim at the bios level...

"
NotPetya encrypts the Master File Table (MFT) on compromised PCs before discarding this key, other experts point out.

"‪#Petya‬ actually deletes its own MFT encryption key, making decryption virtually impossible, even for the author. ‪#NotRansomware‬," said Rik Ferguson, VP of security research at Trend Micro."

Didn't the recent attacks encrypt the MBR? Not sure how this is supposed to stop that, but it's a nice addition I guess.

beat me to it , went to verify my recall.

 

[Papahyooie]

Yet again, looks like more security theater.

 

[Solaris17]

Yes, ransomware will be a thing of the past with Windows 10 Fall Creators Update thanks to something called "Controlled Folder Access" in Windows Defender.

Windows 10 will hide your important files from ransomware soon | The Verge



These are protections for your files against ransomware at the kernel and Windows Defender level. Rest easy, your files are safe.

About damn time Microsoft!

lol

 

[trparky]

I'm about to load it myself in a VM and actually test it out. I have a test program written in VB.NET and once installed I'm going to find out if this unknown program will be able to touch said files.

 

[dorsetknob]

Yet again, looks like more security theater.

And the Vw and malware Boys are Stocking up on pop corn Ready for "Act 2"

 

[Laki89]

About damn time Microsoft!

Microsoft do that for years
Just this time uses radical methods

 

[Ebo]

Its just a matter of time until the purbs find out a way to get pass that.

 

[Solaris17]

Its just a matter of time until the purbs find out a way to get pass that.

Cat and Mouse. you got it. Security is best practiced in layers (depth) not a one off solution implemented into windows defender or any other utility.

Your door lock is only as good as the frame.

 

[dorsetknob]

Your door lock is only as good as the frame.

And the lock is only good if the locksmith can be Trusted ( and wilkileaks dont get hold and blab the info from you know/suspect who).

 

[Ahhzz]

And the lock is only good if the locksmith can be Trusted ( and wilkileaks dont get hold and blab the info from you know/suspect who).

And that's a completely naive hope to have. The security segments of our government have proven again and again that they believe in a NOBUS policy, which is ridiculous.

 

[dorsetknob]

And that's a completely naive hope to have

You think i trust Them !!!
Oh my god that's Funny "You must have overdosed on popcorn"
You need the" Hughy cure"

 

[RejZoR]

So, we'll be forced to use Defender to get this functionality. No thanks.

 

[qubit]

They'll find a way round it. There's no magic bullet for security. If it can be accessed it can be hacked.

 

[trparky]

I wrote a test program in C# with the following code...

        private void btnOverwrite_Click(object sender, EventArgs e)
        {
            openFileDialog1.Title = "Choose a file to be overwritten";

            if (openFileDialog1.ShowDialog() == DialogResult.OK) {
                try {
                    System.IO.StreamWriter streamWriter = new System.IO.StreamWriter(openFileDialog1.FileName, false);
                    streamWriter.Write("I have been overwritten! HAHAHA!");
                    streamWriter.Close();

                    MessageBox.Show(this, "File \"" + openFileDialog1.FileName + "\" has been overwritten!");
                }
                catch (Exception ex) {
                    MessageBox.Show(this, ex.Message + "\n" + openFileDialog1.FileName);
                }
            }
        }

        private void btnDeleteFile_Click(object sender, EventArgs e)
        {
            openFileDialog1.Title = "Choose a file to be deleted";

            if (openFileDialog1.ShowDialog() == DialogResult.OK) {
                try {
                    System.IO.File.Delete(openFileDialog1.FileName);
                    MessageBox.Show(this, "File \"" + openFileDialog1.FileName + "\" has been deleted!");
                }
                catch (Exception ex) {
                    MessageBox.Show(this, ex.Message + "\n" + openFileDialog1.FileName);
                }
            }
        }

It's rather simple in its code but it does what I need for the situation. This is the result...



Windows prevented it because my program is not a "trusted" program so access to that folder is denied. Since this is in the beta phase things aren't going to work perfectly (you need to whitelist programs to allow access) but I figure that eventually this feature will allow trusted programs from known vendors or digitally signed programs to be automatically whitelisted.

 

[EarthDog]

Meh, this is likely still easy to get through... but hey, one more door is one more door.

 

[trparky]

but hey, one more door is one more door.

Well isn't that good? With the way that ransomware has become such a problem one more way to prevent this kind of attack is more than welcome.

 

[rtwjunkie]

So, we'll be forced to use Defender to get this functionality. No thanks.

Come on, man! If the idiots at MS can figure out how to make Defender protect against this, don't you think the pros who actually work antimalware companies for a living can do it too?

 

[trparky]

I'm surprised that no one else has thought about this kind of protection. It seems like such an easy idea, at least on the surface. I'm sure that injecting kernel code to prevent this kind of access is probably a lot harder.

 

[DeathtoGnomes]

I can see this as a way for m$ to prevent users from disabling the bloatware, like Cortana and OneDrive, from actually being disabled or deleted. Imagine having your personal files remotely locked with and nothing you can do about it, ever.

 

[R-T-B]

Meh, this won't protect against anything that reads/writes to the filesystem using it's own userspace driver, but nice gesture I guess.

I can see this as a way for m$ to prevent users from disabling the bloatware, like Cortana and OneDrive, from actually being disabled or deleted. Imagine having your personal files remotely locked with and nothing you can do about it, ever.

AFAIK, it's not encrypting your data. It's basically enhanced filesystem permissions. You could just boot linux in this instance and get your files...

 

[trparky]

If the blocking system is being implemented at the kernel level even a userspace driver would be blocked (at least in theory) since everything has to go through the kernel and the NTFS file system driver.

 

[R-T-B]

If the blocking system is being implemented at the kernel level even a userspace driver would be blocked (at least in theory) since everything has to go through the kernel and the NTFS file system driver.

Nope. Not everything has to go through the NTFS filesystem driver. How do you think FAT32 or similar operates?

Raw writes to the disk are allowed in windows. They have to be. Otherwise partitioning tools and the like would never work. All one needs to do is take one of the freely available open source NTFS drivers and walla, access. I specifically specified userspace as the kernel would treat it as an application, and grant it access to the raw disk.

 

[Vya Domus]

A necessary action , but don't say goodbye to ransomewere yet. Nothing will ever fix lack of common sense by the user. And that shit is what opens up all of these opportunities for malware in the first place most of the times , not obscure security holes , which will exist as well no matter what as long as you have a certain degree of freedom with what software can do.