Use Windows Defender ATP Controlled Folder Access to protect against malicious edits

Hello everyone,

It’s been a while since my last post, but let’s go wild on a new awesome security feature of the Advanced Threat Protection suite for Windows 10 Enterprise called: “Controlled Folder Access“.

With Petya hitting the world hard earlier this week, while companies were still recovering from the WannaCry malware outbreak, it became clear that we need a more thorough approach to securing our endpoints. It’s absolutely necessary to educate your end users, but you also need to put technical controls in place to aid in protecting them.

Everyone who’s a Windows 10 Insider with build 16232 will have access to a new control that gives end users insight into, and control of, file modifications for their most important files. This control, Controlled Folder Access, allows a user to specify a folder that contains the user’s most important files, and that folder will be instantly protected against unwanted file modifications. This feature is disabled by default. To enable it, first open the Windows Defender Security Center:

Next, click “Virus & Threat Protection” and go to “Virus & Threat Protection Settings”.

Now click the slider to enable the feature. After that, we need to do two things:

  • Select the folders to be protected
  • Select exclusion processes

By enabling Controlled Folder Access, you basically restrict modifications from all-access to user-controlled modifications. The goal is to prevent background processes from altering your files, which is especially interesting against malware trying to corrupt your files. Now imagine you have a background tool that syncs your cloud storage files to a local cache folder: after enabling Controlled Folder Access on that sync folder, you will get a lot of prompts. Fortunately, you can specify an executable that is whitelisted for the protected folder. So let’s configure it. First click the “Protected folders” link in the Controlled Folder Access section and add a folder:

Now go back to the previous page (where you enabled the Controlled Folder Access feature) and click “Allow an app through Controlled folder access”:

Now your files are protected. If you want to test it, just remove the whitelisted application and add a file or folder through your cloud storage web interface. You will get pop-ups such as:

Last but not least: you’ll need to consent to a User Account Control prompt in order to protect folders and whitelist applications, hence users must be local administrators on their computers.
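The same three steps (enable the feature, add a protected folder, whitelist the sync tool) can also be scripted with the Windows Defender PowerShell cmdlets, which is handy for rolling this out to more than one machine. This is an added example, not code from the original post; the folder and sync-tool paths are placeholders, and it assumes the cmdlets behave the same on the build described here as on released Windows 10.

```powershell
# Added example: configure Controlled Folder Access with the Defender PowerShell cmdlets.
# Run from an elevated PowerShell session (same local-administrator requirement as the GUI).
# Both paths below are placeholders for this example, not values from the original post.

$protectedFolder = Join-Path $env:USERPROFILE 'Documents\Important'
$syncTool        = 'C:\Program Files\ExampleSync\ExampleSync.exe'   # hypothetical cloud sync client

# 1. Turn the feature on (it is Disabled by default).
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Add the folder to protect (Add-, not Set-, so existing entries are kept).
Add-MpPreference -ControlledFolderAccessProtectedFolders $protectedFolder

# 3. Whitelist the background process that is allowed to write into protected folders.
Add-MpPreference -ControlledFolderAccessAllowedApplications $syncTool

# Verify the resulting state.
$pref = Get-MpPreference
[pscustomobject]@{
    Enabled          = $pref.EnableControlledFolderAccess        # 1 = Enabled
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
} | Format-List

# Blocked modifications are also recorded in the Defender operational log, so you can
# review them centrally instead of relying on the pop-ups (event ID 1123 = blocked by CFA).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Removing the whitelisted application again (`Remove-MpPreference -ControlledFolderAccessAllowedApplications $syncTool`) reproduces the pop-up test described above, and the 1123 events show which process was blocked from which path.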

Concluding: Controlled Folder Access is a new feature in Windows 10 Insider builds, soon to hit GA, and it will prove to be a valuable addition to Windows’ security stack, mainly focused on limiting the effects of viruses and malware. But it does come with a price: it requires users to be local administrators.
