Anti-ransomware in Windows 10: Windows Defender Exploit Guard-Controlled Folder Access

Applies to:

Windows Server 2019

Windows 10 1809

Windows 10 1803

Windows 10 1709

Updated Mar. 3rd, 2019.

A few years ago (~3 years), I was waiting in the waiting room for my annual dental check-up. The receptionist called me over and asked if I could help her with her Windows 7 SP1 machine where something had popped up. It just happened that she unknowingly clicked on a link that had a ransomware payload…

Did the Windows 7 SP1 machine not have an antivirus? Yes, it did have a 3rd party AV installed, but it didn’t have a ‘new’ definition. Take a look at how the modern version of WD AV is able to “Block at First Sight” using Cloud Protection (which uses Machine Learning (ML), Artificial Intelligence (AI), Behavioral Monitoring (BM), and much more).

Long story short, I was able to salvage her Windows 7 SP1 machine, due to 1 flaw on the ransomware. That 1 flaw on modern ransomwares have been taken care of by the bad personas. And nowadays they (ransomware) look for mapped drives and network shares for maximum payload damage.

Fast forward to Oct of 2017 with the release of Windows 10 1709 and now as Oct of 2018 with Windows Server 2019, we now have an anti-ransomware functionality built-in.

Security Administrators, tired of the opportunistic ransomwares?
Protects sensitive data from ransomware by blocking untrusted processes from accessing your protected folders.

Untitled

Windows Defender Exploit Guard: Controlled Folder Access, do I need Windows Defender Antivirus (WD AV)?

The answer is yes, you need WD AV to be enabled.

[What is Windows Defender Exploit Guard – Controlled Folder Access?]

Enable controlled folder access
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard

[What does WD Exploit Guard: Controlled Folder Access block against?]

Ransomware: A declining nuisance or an evolving menace?
https://www.microsoft.com/security/blog/2017/02/14/ransomware-2016-threat-landscape-review/

Ransomware operators are hiding malware deeper in installer packages
https://www.microsoft.com/security/blog/2017/03/15/ransomware-operators-are-hiding-malware-deeper-in-installer-packages/

WannaCrypt ransomware worm targets out-of-date systems
https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Windows 10 Creators Update provides next-gen ransomware protection
https://www.microsoft.com/security/blog/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/

New ransomware, old techniques: Petya adds worm capabilities
https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/

Windows 10 platform resilience against the Petya ransomware attack
https://www.microsoft.com/security/blog/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/

Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation
https://www.microsoft.com/security/blog/2017/06/30/exploring-the-crypt-analysis-of-the-wannacrypt-ransomware-smb-exploit-propagation/

Stopping ransomware where it counts: Protecting your data with Controlled folder access
https://www.microsoft.com/security/blog/2017/10/23/stopping-ransomware-where-it-counts-protecting-your-data-with-controlled-folder-access/

Defending against ransomware using system design
https://www.microsoft.com/security/blog/2017/11/06/defending-against-ransomware-using-system-design/

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
https://www.microsoft.com/security/blog/2018/01/10/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017/

Ransomware 1H 2017 review: Global outbreaks reinforce the value of security hygiene
https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Ransomware-1H-2017-review-Global-outbreaks-reinforce-the-value/ba-p/117707

[So why Windows Defender Exploit Guard: Controlled Folder Access?]

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware
https://www.microsoft.com/security/blog/2017/10/23/windows-defender-exploit-guard-reduce-the-attack-surface-against-next-generation-malware/

[Test / Deploy WD Exploit Guard: Controlled Folder Access]

Evaluate controlled folder access
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access

Controlled Folder Access - Windows Defender Testground
https://demo.wd.microsoft.com/Page/CFA2

Allow a blocked app in Windows Security
https://support.microsoft.com/en-us/help/4046851/windows-10-allow-blocked-app-windows-security

List of attack surface reduction events such as for WD EG CFA:
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#list-of-attack-surface-reduction-events

Use custom views to review in Event Viewer to review WD EG CFA:

XML for controlled folder access events
/en-us/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard#xml-for-controlled-folder-access-events

Thanks,

Yong

P.S. Related blog posts:

Windows 10: Windows Defender (WD) Antivirus (AV)
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-server-2016-windows-server-2019-antivirus-av/

Windows 10: Windows Defender Exploit Guard-Exploit Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/21/windows-10-windows-defender-exploit-guard-exploit-protection/

Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules
https://blogs.technet.microsoft.com/yongrhee/2019/02/24/windows-10-windows-defender-exploit-guard-attack-surface-reduction-rules/

Windows 10: Windows Defender Exploit Guard-Network Protection
https://blogs.technet.microsoft.com/yongrhee/2019/02/26/windows-10-windows-defender-exploit-guard-network-protection/