Anti-ransomware in Windows 10: Windows Defender Exploit Guard-Controlled Folder Access


Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709


Updated Mar. 3rd, 2019.


A few years ago (~3 years), I was in the waiting room for my annual dental check-up.  The receptionist called me over and asked if I could help her with her Windows 7 SP1 machine, where something had popped up.  It turned out that she had unknowingly clicked on a link that carried a ransomware payload…


Did the Windows 7 SP1 machine not have an antivirus?  Yes, it did have a 3rd-party AV installed, but its definitions were out of date.  Take a look at how the modern version of WD AV is able to “Block at First Sight” using Cloud Protection (which uses Machine Learning (ML), Artificial Intelligence (AI), Behavioral Monitoring (BM), and much more).


Long story short, I was able to salvage her Windows 7 SP1 machine thanks to one flaw in the ransomware.  That flaw has since been fixed by the bad actors in modern ransomware, and nowadays ransomware also looks for mapped drives and network shares to maximize the damage of its payload.

Fast forward to October 2017 with the release of Windows 10 1709, and now to October 2018 with Windows Server 2019: we have anti-ransomware functionality built in.

Security Administrators, tired of opportunistic ransomware?
Controlled folder access protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.


Windows Defender Exploit Guard: Controlled Folder Access, do I need Windows Defender Antivirus (WD AV)?

The answer is yes: WD AV must be enabled, with real-time protection turned on, or Controlled Folder Access will not do anything.  If a 3rd-party AV is the primary antivirus and WD AV is in passive mode, CFA is not in effect.


[What is Windows Defender Exploit Guard – Controlled Folder Access?]

Enable controlled folder access

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard
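Here is an added example (my own PowerShell, not code from the original post or from the Microsoft doc linked above) that covers both points in one go: it checks that WD AV real-time protection is on, turns Controlled Folder Access on in audit mode, and adds one extra protected folder and one allowed application.  The folder path and the application path are placeholders; replace them with your own.

```powershell
# Added example, not part of the original post.
# Run from an elevated PowerShell prompt on Windows 10 1709+ / Windows Server 2019.

# 1. CFA depends on WD AV real-time protection; stop here if it is off or in passive mode.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    throw ("Windows Defender Antivirus real-time protection must be on before Controlled " +
           "Folder Access can work (AntivirusEnabled=$($status.AntivirusEnabled), " +
           "RealTimeProtectionEnabled=$($status.RealTimeProtectionEnabled)).")
}

# 2. Start in AuditMode: nothing is blocked, but every would-be block is logged
#    (event ID 1124), so you can find legitimate apps that need an allow entry
#    before you switch to block mode.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. The Windows profile folders (Documents, Pictures, ...) are protected by default.
#    Add any extra data location you care about.  Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance\Ledgers'

# 4. Allow a known-good line-of-business app that legitimately writes into the
#    protected folders.  Placeholder path; use the full path to the executable.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\LedgerApp\ledger.exe'

# 5. Show the resulting configuration.  EnableControlledFolderAccess is shown as
#    a number: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications

# 6. Once the audit events look clean, flip to block mode:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

The same settings can be pushed by Group Policy, Intune or SCCM, and a policy value will win over what you set locally with Set-MpPreference, so check Get-MpPreference after the policy refresh rather than trusting the local command.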



[What does WD Exploit Guard:  Controlled Folder Access block against?]

Ransomware: A declining nuisance or an evolving menace?

https://www.microsoft.com/security/blog/2017/02/14/ransomware-2016-threat-landscape-review/

Ransomware operators are hiding malware deeper in installer packages

https://www.microsoft.com/security/blog/2017/03/15/ransomware-operators-are-hiding-malware-deeper-in-installer-packages/

WannaCrypt ransomware worm targets out-of-date systems

https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/


Windows 10 Creators Update provides next-gen ransomware protection

https://www.microsoft.com/security/blog/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/


New ransomware, old techniques: Petya adds worm capabilities

https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/


Windows 10 platform resilience against the Petya ransomware attack

https://www.microsoft.com/security/blog/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation

https://www.microsoft.com/security/blog/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/

Stopping ransomware where it counts: Protecting your data with Controlled folder access

https://www.microsoft.com/security/blog/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/

Defending against ransomware using system design

https://www.microsoft.com/security/blog/2017/11/06/defending-against-ransomware-using-system-design/

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://www.microsoft.com/security/blog/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/


Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene
https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Ransomware-1H-2017-review-Global-outbreaks-reinforce-the-value/ba-p/117707



[So why Windows Defender Exploit Guard: Controlled Folder Access?]



Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/



[Test / Deploy WD Exploit Guard:  Controlled Folder Access]

Evaluate controlled folder access

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access


Controlled Folder Access - Windows Defender Testground

https://demo.wd.microsoft.com/Page/CFA2


Allow a blocked app in Windows Security

https://support.microsoft.com/en-us/help/4046851/windows-10-allow-blocked-app-windows-security




List of attack surface reduction events, including the WD EG CFA event IDs:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events


Use a custom view in Event Viewer to review the WD EG CFA events:

XML for controlled folder access events

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-controlled-folder-access-events
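If you would rather pull the same events from PowerShell than click through a custom view, here is an added example (my own code, not from the original post or the linked doc).  It reads the Controlled Folder Access events out of the Windows Defender operational log and flattens the event data so the blocked or audited process and the path it touched are easy to read and to group.  The event IDs used (1123 blocked, 1124 audited, 1127 blocked disk-sector write, 1128 audited disk-sector write) and the event-data field names ('Process Name', 'Path', 'Detection User') are what Defender emits on current builds; I am treating them as assumptions here, so check them against the event list linked above and against one raw event on your own machine before relying on them.

```powershell
# Added example, not part of the original post.
# Lists Controlled Folder Access events from the last 7 days.

$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124, 1127, 1128   # assumed CFA event IDs, see lead-in
    StartTime = (Get-Date).AddDays(-7)
}

# -ErrorAction SilentlyContinue: an empty result is "no events found", not a failure.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # The event data fields are named in the event XML; read them by name
    # instead of relying on fixed positions in $e.Properties.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -in 1123, 1127) { $mode = 'Block' } else { $mode = 'Audit' }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Mode    = $mode
        Process = $data['Process Name']     # assumed field name
        Path    = $data['Path']             # assumed field name
        User    = $data['Detection User']   # assumed field name
        Raw     = $data                     # everything else, for inspection
    }
}

# Which processes keep hitting protected folders?  In audit mode this is the list
# to review for allow entries (Add-MpPreference -ControlledFolderAccessAllowedApplications);
# in block mode it is the list to investigate.
$rows | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Newest first, one line per event.
$rows | Sort-Object Time -Descending |
    Format-Table Time, Mode, Process, Path, User -AutoSize
```

If Process comes back empty on your build, dump `$rows[0].Raw` once to see the field names Defender actually used and adjust the three lookups.  Event ID 5007 in the same log records every change to the CFA settings, which is worth watching too, since turning the feature off is exactly what ransomware with admin rights would try first.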

Thanks,

Yong


P.S.  Related blog posts:


Windows 10: Windows Defender (WD) Antivirus (AV)

https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-server-2016-windows-server-2019-antivirus-av/


Windows 10: Windows Defender Exploit Guard-Exploit Protection

https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/


Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules

https://blogs.technet.microsoft.com/yongrhee/2019/02/24/windows-10-windows-defender-exploit-guard-attack-surface-reduction-rules/


Windows 10: Windows Defender Exploit Guard-Network Protection

https://blogs.technet.microsoft.com/yongrhee/2019/02/26/windows-10-windows-defender-exploit-guard-network-protection/

