{"id":19516,"date":"2022-07-05T08:30:07","date_gmt":"2022-07-05T16:30:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/07\/05\/news-13249\/"},"modified":"2022-07-05T08:30:07","modified_gmt":"2022-07-05T16:30:07","slug":"news-13249","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/07\/05\/news-13249\/","title":{"rendered":"Think twice before deploying Windows\u2019 Controlled Folder Access"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2014\/04\/caution-sign-116154295-100264796-primary.idge.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley| Date: Tue, 05 Jul 2022 07:29:00 -0700<\/strong><\/p>\n<p>As ransomware attacks gained steam in the mid-2010s, Microsoft sought to give Windows users and admins tools to protect their PCs from such attacks. With its October 2017 feature update, the company added a feature called <a href=\"https:\/\/www.computerworld.com\/article\/3245585\/how-to-protect-windows-10-from-ransomware.html#toc-1\">Controlled Folder Access<\/a> to Windows 10.<\/p>\n<p>On paper, <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/controlled-folders?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">Controlled Folder Access<\/a> sounds like a great protection for consumers, home users, and small businesses with limited resources. As defined by Microsoft, \u201cControlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. 
Supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).\u201d<\/p>\n<p>Microsoft goes on to say, \u201cControlled folder access works by only allowing trusted apps to access protected folders. Protected folders are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, and so on, are included in the list of controlled folders.\u201d<\/p>\n<p>Folders that are specifically protected include:<\/p>\n<p class=\"prettyprint\"><code>c:\\Users\\&lt;username&gt;\\Documents<\/code><br \/><code>c:\\Users\\Public\\Documents<\/code><br \/><code>c:\\Users\\&lt;username&gt;\\Pictures<\/code><br \/><code>c:\\Users\\Public\\Pictures<\/code><br \/><code>c:\\Users\\Public\\Videos<\/code><br \/><code>c:\\Users\\&lt;username&gt;\\Videos<\/code><br \/><code>c:\\Users\\&lt;username&gt;\\Music<\/code><br \/><code>c:\\Users\\Public\\Music<\/code><br \/><code>c:\\Users\\&lt;username&gt;\\Favorites<\/code><\/p>\n<p>So let\u2019s all roll it out, right? Well, not so fast. AskWoody <a href=\"https:\/\/www.askwoody.com\/forums\/topic\/controlled-folder-access-more-trouble-than-it-is-worth\/\" rel=\"noopener nofollow\" target=\"_blank\">forum user Astro46<\/a> recently noted that he\u2019s been trying to use Controlled Folder Access, and it\u2019s been causing side effects in his use. As he related:<\/p>\n<p>As the <a href=\"https:\/\/www.pdq.com\/blog\/controlledfolders\/\" rel=\"noopener nofollow\" target=\"_blank\">PDQ blog<\/a> points out, there can be side effects that may block remote management tools and other technologies. When you have enabled Controlled Folder Access, what you will see when you install software is the interaction between the protection and the installer process as the installer attempts to gain access to certain folders. 
You may get prompts such as \u201cUnauthorized changes blocked\u201d or \u201c<em>Softwarename.exe<\/em> blocked from making changes. Click to see settings.\u201d<\/p>\n<p>When using Controlled Folder Access, you may need to use it in audit mode rather than fully enable the process. Enabling Controlled Folder Access in full enforcement mode may result in you spending a lot of time running down and adding exclusions. There are many anecdotal posts about computer users having to spend hours tracking down access and adding exclusions. <a href=\"https:\/\/www.tenforums.com\/antivirus-firewalls-system-security\/108164-anyone-using-windows-defender-controlled-folder-access.html#post1345295\" rel=\"noopener nofollow\" target=\"_blank\">One such poster<\/a> (several years ago) found that he had to add what he considered to be normal Microsoft applications such as Notepad and Paint to the exclusion process.<\/p>\n<p>Unfortunately, because the user interface is minimal, the main way controlled folder conflicts are discovered on standalone workstations is via alerts that appear in the system tray when a folder is protected and an application is attempting to access the location. Alternatively, you can access the event logs, but before you can review the details, you have to import an event xml file.<\/p>\n<p>As noted in <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/windows-10-controlled-folder-access-event-search\/ba-p\/2326088\" rel=\"noopener nofollow\" target=\"_blank\">Microsoft\u2019s Tech Community blog<\/a>, \u00a0you have to <a href=\"https:\/\/aka.ms\/mp7z2w\" rel=\"noopener nofollow\" target=\"_blank\">download<\/a> the evaluation package file and extract cfa-events.xml to your download folder. 
Or you can copy and paste the following lines to a Notepad file and save it as <em>cfa-events.xml<\/em>:<\/p>\n<p class=\"prettyprint\"><code>&lt;QueryList&gt;<\/code><\/p>\n<p class=\"prettyprint\"><code>\u00a0 &lt;Query Id=\"0\" Path=\"Microsoft-Windows-Windows Defender\/Operational\"&gt;<\/code><\/p>\n<p class=\"prettyprint\"><code>\u00a0\u00a0 &lt;Select Path=\"Microsoft-Windows-Windows Defender\/Operational\"&gt;*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]&lt;\/Select&gt;<\/code><\/p>\n<p class=\"prettyprint\"><code>\u00a0\u00a0 &lt;Select Path=\"Microsoft-Windows-Windows Defender\/WHC\"&gt;*[System[(EventID=1123 or EventID=1124 or EventID=5007)]]&lt;\/Select&gt;<\/code><\/p>\n<p class=\"prettyprint\"><code>\u00a0 &lt;\/Query&gt;<\/code><\/p>\n<p class=\"prettyprint\"><code>&lt;\/QueryList&gt;<\/code><\/p>\n<p>Now import this xml file into your event viewer so you can more easily view and sort the Controlled Folder Access events. Type <strong>event viewer<\/strong> in the Start menu to open the Windows Event Viewer. On the left panel, under Actions, select <em>Import custom view<\/em>. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly. Select <em>OK<\/em>.<\/p>\n<p>Next, look in the event log for the following events:<\/p>\n<p class=\"prettyprint\"><code>5007\u00a0\u00a0\u00a0\u00a0 Event when settings are changed<\/code><\/p>\n<p class=\"prettyprint\"><code>1124\u00a0\u00a0\u00a0\u00a0 Audited controlled folder access event<\/code><\/p>\n<p class=\"prettyprint\"><code>1123\u00a0\u00a0\u00a0\u00a0 Blocked controlled folder access event<\/code><\/p>\n<p>You\u2019ll want to focus on 1124 if you are in audit mode or 1123 if you\u2019ve fully enabled the Controlled Folder Access for testing. 
Once you review the event logs, it should showcase the additional folders that you need to adjust in order for your applications to fully function.<\/p>\n<p>You may find that some software needs access to additional files that you weren\u2019t expecting. Therein lies the issue with the tool. While Microsoft has many applications already approved, and thus they will work just fine with Controlled Folder Access enabled, other or older applications may not work well. It\u2019s often been surprising to me which files and folders need no adjustments and which do require adjustments.<\/p>\n<p>Similar to Attack Surface Reduction Rules, this is one of those technologies that I wish had a better standalone interface for individual workstations. While businesses with Defender for Endpoint can review the issues fairly easily, standalone workstations still have to rely on messages that pop up in the system tray.<\/p>\n<p>If you rely on Defender for your antivirus needs, consider evaluating Controlled Folder Access for additional ransomware protection. However, my recommendation is to truly evaluate, not just deploy it. You\u2019ll want to enable it in audit mode and take your time reviewing the impact. Depending on your applications, you may find it more impactful than you think.<\/p>\n<p>For those with Defender for Endpoint, you can enable Controlled Folder Access as follows: In Microsoft Endpoint Configuration Manager, go to <em>Assets and Compliance &gt; Endpoint Protection &gt; Windows Defender Exploit Guard<\/em>. Select <em>Home<\/em> and then <em>Create Exploit Guard Policy<\/em>. Enter a name and a description, select <em>Controlled folder access<\/em>, and select <em>Next<\/em>. 
Choose whether to block or audit changes, allow other apps, or add other folders, and select <em>Next<\/em>.<\/p>\n<p>Alternatively, you can manage it with PowerShell, Group Policy, and even <a href=\"https:\/\/www.tenforums.com\/tutorials\/113380-how-enable-disable-controlled-folder-access-windows-10-a.html\" rel=\"noopener nofollow\" target=\"_blank\">registry keys<\/a>. In a network scenario, you can manage the applications you add to the trusted list by using Configuration Manager or Intune. Additional configurations can be performed from the Microsoft 365 Defender portal.<\/p>\n<p>Often, there is a balance between the risks of attacks and the impact of security systems on computers. Take the time to evaluate the balance and whether this has an acceptable overhead for your needs.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3665694\/windows-controlled-folder-access-think-twice-before-deploying.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.techhive.com\/images\/article\/2014\/04\/caution-sign-116154295-100264796-primary.idge.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley| Date: Tue, 05 Jul 2022 07:29:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p>As ransomware attacks gained steam in the mid-2010s, Microsoft sought to give Windows users and admins tools to protect their PCs from such attacks. 
With its October 2017 feature update, the company added a feature called <a href=\"https:\/\/www.computerworld.com\/article\/3245585\/how-to-protect-windows-10-from-ransomware.html#toc-1\">Controlled Folder Access<\/a> to Windows 10.<\/p>\n<p>On paper, <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/security\/defender-endpoint\/controlled-folders?view=o365-worldwide\" rel=\"noopener nofollow\" target=\"_blank\">Controlled Folder Access<\/a> sounds like a great protection for consumers, home users, and small businesses with limited resources. As defined by Microsoft, \u201cControlled folder access helps protect your valuable data from malicious apps and threats, such as ransomware. Controlled folder access protects your data by checking apps against a list of known, trusted apps. Supported on Windows Server 2019, Windows Server 2022, Windows 10, and Windows 11 clients, controlled folder access can be turned on using the Windows Security App, Microsoft Endpoint Configuration Manager, or Intune (for managed devices).\u201d<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3665694\/windows-controlled-folder-access-think-twice-before-deploying.html#jump\">To read this article in full, please click 
here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,24580,10525,10761,24583],"class_list":["post-19516","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-small-and-medium-business","tag-windows","tag-windows-10","tag-windows-11"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19516","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19516"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19516\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19516"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19516"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19516"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}