
Controlled Folder Access


Controlled Folder Access

#135202

Postby mc2fool » April 27th, 2018, 5:30 pm

I'm wondering about the experiences of folks who have turned on Controlled Folder Access.

It sounds like a good idea but from what I've read there do seem to be some problems with it, the major one being that when it stops the program you're running writing a file to a controlled folder, your only options (assuming you did indeed want it to write that file there) are to either write the file somewhere else or turn off CFA altogether. There's no UAC or firewall style popup to let you say "let it through", and adding the program to the exception list doesn't have any effect on the current running invocation of the program.

Writing the file elsewhere, exiting the program, copying the file to where you originally wanted it, and adding the program to the exception list for the next time is clearly a faff, albeit not too bad for a simple case of, say, an editor that just edits and writes a single file. However, I was wondering how much grief it could cause for much more complex programs (e.g. installers), so, having Win 10 Pro I decided that I'd turn on CFA in "audit only" mode, under which it doesn't prevent anything but sticks an entry in the system logs whenever it would have prevented a write, had it been turned on fully.

I've left it that way for a few weeks and the following is the list of programs it would have blocked. Some are surprising (I haven't changed the allowed list at all).

C:\Perl64\bin\ perl.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ AcroRd32.exe
C:\Program Files (x86)\Adobe\Adobe Bridge\ Bridge.exe
C:\Program Files (x86)\Adobe\Adobe Help Center\ ahc.exe
C:\Program Files (x86)\Adobe\Adobe Photoshop CS2\ Photoshop.exe
C:\Program Files (x86)\Aimersoft\Video Converter Ultimate\ VideoConverterUltimate.exe
C:\Program Files (x86)\BUFFALO\NASNAVI\ nassche.exe
C:\Program Files (x86)\Common Files\Adobe\Updater\ AdobeUpdater.exe
C:\Program Files (x86)\CyberLink\Power2Go10\ IsoViewer10.exe
C:\Program Files (x86)\ImgBurn\ ImgBurn.exe
C:\Program Files (x86)\KeePass Password Safe 2\ KeePass.exe
C:\Program Files (x86)\MICROS~1\Office\ FRONTPG.EXE
C:\Program Files (x86)\Microsoft Office\Office\ EXCEL.EXE
C:\Program Files (x86)\Microsoft Office\Office\ FRONTPG.EXE
C:\Program Files (x86)\PerlEdit\ pe.exe
C:\Program Files (x86)\VideoLAN\VLC\ vlc.exe
C:\Program Files\Google\Drive\ googledrivesync.exe
C:\Program Files\Macrium\Reflect\ reflectbin.exe
C:\Program Files\PDFCreator\ PDFCreator.exe
C:\Program Files\Waterfox\ waterfox.exe
C:\Users\<me>\AppData\Local\Programs\Sync\ sync-taskbar.exe
C:\Users\<me>\AppData\Local\Programs\Sync\ sync-worker.exe
C:\Users\<me>\AppData\Local\Temp\ _iu14D2N.tmp *
C:\Users\<me>\AppData\Local\Temp\is-6MLPT.tmp\ aimer-video-ultimate_full523.tmp *
C:\Users\<me>\Downloads\ aimer-video-ultimate_setup_full523.exe *
C:\Windows\ explorer.exe !?!?! Uh!
C:\Windows\System32\ browser_broker.exe
C:\Windows\System32\ cmd.exe
C:\Windows\System32\ CompMgmtLauncher.exe
C:\Windows\System32\ mmc.exe
C:\Windows\System32\ msiexec.exe
C:\Windows\SysWOW64\ msiexec.exe


Now, the event logs only specify the folder the program was blocked writing to, not the file, and I don't know what I was doing at the time of each. The * ones I recognise as part of an install and I wonder what the effects would have been if CFA had been turned on in full.

Explorer.exe is really surprising, it was blocked writing to %userprofile%\Desktop and there is only one log entry for it.

Cmd.exe, while understandable, is a real nuisance as I have .bat jobs that copy various files around at system startup for various reasons that I don't really want to put elsewhere, so not sure what I'd do about that.


Re: Controlled Folder Access

#135368

Postby syrio » April 28th, 2018, 5:58 pm

I turned it on, as it seemed like a good idea, but it ended up being a pain, and I turned it off shortly after. I wouldn't recommend that anyone try turning it on in its current form.

The article you link to is spot on in its criticisms.

I might have stuck with it if the UI had been better. If it had clearly displayed which program had been blocked from writing and then allowed me to click on the warning to add the program to the exceptions list.

Good idea, but poor implementation. A shame, because it would be a good idea to limit the spread of ransomware, but the average user isn't really going to be able to cope with it.


Re: Controlled Folder Access

#135792

Postby Infrasonic » April 30th, 2018, 3:09 pm

I've been using it since launch without any major issues, I think I've manually whitelisted two third party app exclusions since then.
I don't tend to run loads of third party apps though, mostly it's stock W10, so that may affect the outcome.


Re: Controlled Folder Access

#135794

Postby Breelander » April 30th, 2018, 3:34 pm

Infrasonic wrote:I've been using it since launch without any major issues, I think I've manually whitelisted two third party app exclusions since then...


Me too, though my whitelist is up to about eight apps now. The main blocks are on saving to the user's folder or saving the 'recently opened' jumplists to your AppData. Took a couple of weeks to whitelist all I used, after which it keeps out of my way.

The Notification area tells you exactly which executable was blocked, so you know what needs to be whitelisted. If you miss the notification it's also recorded in the Event Log. Open Event Viewer, look in:

Application and Service Logs > Microsoft > Windows > Windows Defender > Operational.

It's recorded as Event ID 1123. You can use the 'Filter current log...' in the Actions pane on the right to find it quickly.


Re: Controlled Folder Access

#135826

Postby Infrasonic » April 30th, 2018, 5:44 pm

Breelander wrote:
Infrasonic wrote:I've been using it since launch without any major issues, I think I've manually whitelisted two third party app exclusions since then...


Me too, though my whitelist is up to about eight apps now. The main blocks are on saving to the user's folder or saving the 'recently opened' jumplists to your AppData. Took a couple of weeks to whitelist all I used, after which it keeps out of my way.

The Notification area tells you exactly which executable was blocked, so you know what needs to be whitelisted. If you miss the notification it's also recorded in the Event Log. Open Event Viewer, look in:

Application and Service Logs > Microsoft > Windows > Windows Defender > Operational.

It's recorded as Event ID 1123. You can use the 'Filter current log...' in the Actions pane on the right to find it quickly.


I went back and checked, it was actually only one 1123 alert (x3) for Dropbox.exe back on February 09/10th this year.

It may just be the volume of 'local' writes that is the difference, I was already set up not to do many in the first place (because of the existing ransomware issue), whereas a higher user will probably trigger the folder protection more often.

I was reading last week about a third party app that has been designed for making W10 controlled folder whitelisting admin far easier to manage, but I can't remember where I saw it.


Re: Controlled Folder Access

#135837

Postby Itsallaguess » April 30th, 2018, 6:27 pm

Infrasonic wrote:
I was reading last week about a third party app that has been designed for making W10 controlled folder whitelisting admin far easier to manage, but I can't remember where I saw it.


There's a PowerShell script available that will parse the event log for ID:1123 events and offer a little interactive tool where you can then enable some of the programs -

Allow all blocked apps to Controlled folder access (interactively) using PowerShell

Redditor /u/gschizas has come up with a neat little PowerShell script which parses the event log (entries with ID: 1123 which is the “Blocked Controlled folder access” event) to gather the list of apps blocked by Windows Defender’s Controlled folder access. The script then offers to whitelist all or selected programs from the listing.

http://www.winhelponline.com/blog/use-c ... -defender/

(The top half discusses the Controlled Folder Access functionality itself, and then further down gives instructions on the use of PowerShell either on an individual basis, or using the above tool.)

Cheers,

Itsallaguess
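
The event-log lookup and parsing step discussed in the posts above, as an added example (not the /u/gschizas script and not code from this thread): it groups Controlled Folder Access events by program and folder so each entry can be reviewed before anything is whitelisted. It assumes the events expose `Process Name` and `Path` data fields and that Event ID 1124 is the audit-mode counterpart of 1123; the function names and the sample events are constructed for illustration.

```powershell
# Added example (not the script from the linked article).
# Event ID 1123 = write blocked; 1124 = audit mode, write would have been blocked.
# Assumption: each event's EventData has 'Process Name' and 'Path' fields.
function Get-CfaSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $doc  = [xml]$x
        $data = @{}
        foreach ($d in $doc.GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $id = [int]$doc.GetElementsByTagName('EventID')[0].InnerText
        [pscustomobject]@{
            Mode    = if ($id -eq 1123) { 'Blocked' } else { 'Audit' }
            Process = $data['Process Name']
            Folder  = $data['Path']
        }
    }
    # One row per program/folder/mode, most frequent first.
    $rows | Group-Object Process, Folder, Mode |
        Sort-Object Count -Descending |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{ Count = $_.Count; Mode = $first.Mode
                               Process = $first.Process; Folder = $first.Folder }
        }
}

# Constructed sample events (trimmed to the fields used), so this runs offline.
function New-SampleEvent([int]$Id, [string]$Process, [string]$Folder) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>$Id</EventID></System><EventData>" +
    "<Data Name='Process Name'>$Process</Data><Data Name='Path'>$Folder</Data>" +
    "</EventData></Event>"
}
$sample = @(
    New-SampleEvent 1124 'C:\Windows\System32\cmd.exe' '%userprofile%\Documents'
    New-SampleEvent 1124 'C:\Windows\System32\cmd.exe' '%userprofile%\Documents'
    New-SampleEvent 1124 'C:\Windows\explorer.exe'     '%userprofile%\Desktop'
)
Get-CfaSummary -EventXml $sample | Format-Table -AutoSize

# On a live machine, feed the real log instead:
# $live = Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
# } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
# if ($live) { Get-CfaSummary -EventXml $live | Format-Table -AutoSize }
```

Entries that survive review can then be allowed one at a time with `Add-MpPreference -ControlledFolderAccessAllowedApplications <path>`.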


Re: Controlled Folder Access

#136317

Postby Infrasonic » May 2nd, 2018, 1:46 pm

There's a detailed tutorial and discussion / solutions thread on this over at Windows Ten Forums...https://www.tenforums.com/tutorials/878 ... -10-a.html


Re: Controlled Folder Access

#136346

Postby mc2fool » May 2nd, 2018, 3:19 pm

Infrasonic wrote:I've been using it since launch without any major issues, I think I've manually whitelisted two third party app exclusions since then.
I don't tend to run loads of third party apps though, mostly it's stock W10, so that may affect the outcome.

The last seven on my "audited" list are stock W10, and some of the others are programs you'd expect to be pre-whitelisted (e.g. Acrobat Reader).

I suspect I'd be getting a lot more blocks if I added the cloud-synced folders where I do most of my work to the protected folders list. And I'm still not sure what to do about .bat jobs ... adding cmd.exe to the whitelist seems a less than optimal idea. It'd be good if one could whitelist only specific .bat files.


Re: Controlled Folder Access

#136385

Postby Breelander » May 2nd, 2018, 4:53 pm

mc2fool wrote:... adding cmd.exe to the whitelist seems a less than optimal idea....

...and unnecessary...
... It'd be good if one could whitelist only specific .bat files.


It's not the .bat files as such, it's the commands they use - and then only if they try to change things in a protected folder. My 'homebrew' backup batch file does that, it changes the archive attribute on the user files as it backs them up. I've whitelisted RoboCopy.exe and attrib.exe to allow it to work as before.


Re: Controlled Folder Access

#136394

Postby mc2fool » May 2nd, 2018, 5:16 pm

Breelander wrote:
mc2fool wrote:... adding cmd.exe to the whitelist seems a less than optimal idea....

...and unnecessary...

You'll note that cmd.exe is what is in my "audit blocked" list...

... It'd be good if one could whitelist only specific .bat files.

It's not the .bat files as such, it's the commands they use ... I've whitelisted RoboCopy.exe and attrib.exe to allow it to work as before.

And the commands in my .bat files are ones implemented by cmd.exe itself, which is why that's what appears in the list :-). But it's a point, I could always replace the cmd.exe commands with equivalents that run separate programs, e.g. xcopy for copy, etc.

Of course, that does open things up for a malicious .bat file (or other dos invocation) to xcopy (or RoboCopy) stuff around, so it really would be best if one could whitelist those only when invoked from specific sources...


Re: Controlled Folder Access

#138779

Postby Infrasonic » May 13th, 2018, 12:46 pm

Since the latest W10 update (1803) I've had to whitelist five more .exe', one of which is taskhostw.exe which is Windows/system32.


Re: Controlled Folder Access

#140764

Postby Infrasonic » May 23rd, 2018, 1:10 pm

Whitelisted C:\Windows\System32\svchost.exe this morning.


Re: Controlled Folder Access

#140777

Postby colboy » May 23rd, 2018, 1:51 pm

Also been asked to whitelist several programs including svchost after the latest win10 update. Most of these programs worked OK with controlled folders before. svchost is a windows exe and win10 has a problem with it?


Re: Controlled Folder Access

#140780

Postby Infrasonic » May 23rd, 2018, 2:04 pm

colboy wrote:Also been asked to whitelist several programs including svchost after the latest win10 update. Most of these programs worked OK with controlled folders before. svchost is a windows exe and win10 has a problem with it?


Maybe MS are just ar*e covering by making us whitelist these .exe'. If you get an infection via that route you can't blame them...
Personally I'd much prefer it if there was a 'one off' option for manually allowing on a case by case basis, that way if something unexpected tries to write you can refuse and then review, allowing it next time if happy that it was legit.

Global whitelisting leaves you open to an exploit via the whitelist...


Re: Controlled Folder Access

#152148

Postby production100 » July 13th, 2018, 11:20 am

I tried to use it to protect all drives except the C drive on the basis that I hold all of my data on other drives and if the C drive is corrupted I can restore it from a backup held on one of the protected drives.

It is still causing me 'unauthorised changes blocked' messages as it protects the memory from various windows files, such as taskhostw.exe - a standard windows programme. There is no way to turn off the protection of the desktop and memory, which I do not want.

All in all not a good implementation - in fact typical of Microsoft - basically a good idea implemented without being properly tested. A bit like windows 10 in fact... Let the users do the testing and fix the issues when they feel like it; if they feel like it.

Chris


Re: Controlled Folder Access

#152150

Postby Infrasonic » July 13th, 2018, 11:26 am

It is still causing me 'unauthorised changes blocked' messages as it protects the memory from various windows files, such as taskhostw.exe - a standard windows programme. There is no way to turn off the protection of the desktop and memory, which I do not want.


Whitelist it if you want to in Defender, I have.


Re: Controlled Folder Access

#152202

Postby Breelander » July 13th, 2018, 2:59 pm

Infrasonic wrote:
It is still causing me 'unauthorised changes blocked' messages as it protects the memory from various windows files, such as taskhostw.exe - a standard windows programme. There is no way to turn off the protection of the desktop and memory, which I do not want.


Whitelist it if you want to in Defender, I have.


While I have seen the memory notification a few times, I haven't actually seen it preventing the task concerned from working as intended. I haven't bothered to whitelist any of them if it's just changes to memory that's being blocked, they seem to work normally despite that. I only need to whitelist an exe if it is a folder access notification.


Re: Controlled Folder Access

#166216

Postby Infrasonic » September 14th, 2018, 8:29 am



Re: Controlled Folder Access

#166247

Postby Breelander » September 14th, 2018, 10:21 am

Infrasonic wrote:At last...


I was rather puzzled by your link - then realised you probably meant to link to this post https://www.tenforums.com/tutorials/878 ... ost1460694

As you say, it's about time!


Re: Controlled Folder Access

#166261

Postby Infrasonic » September 14th, 2018, 11:05 am

Breelander wrote:
Infrasonic wrote:At last...


I was rather puzzled by your link - then realised you probably meant to link to this post https://www.tenforums.com/tutorials/878 ... ost1460694

As you say, it's about time!


Both links take me to the same post, which is the one I intended. Weird...

