Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta

A below-the-radar security feature in the Windows 10 Fall Creators Update, aka version 1709 released last week, can stop ransomware and other file-scrambling nasties dead. The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders. …

  1. inmypjs Silver badge

    "controlled folder access"

    You mean protection like Defense+ in the free Comodo Firewall has been giving me for the last decade?

    1. diodesign (Written by Reg staff) Silver badge

      Re: "controlled folder access"

      Defense in depth! :) Anyway, not that many people will want to install anything to do with Comodo on their machines...

      C.

      1. inmypjs Silver badge

        Re: "controlled folder access"

        "not that many people will want to install anything to do with Comodo on their machines..."

        I don't *want* to install anything to do with Microsoft on my machine.

      2. steviebuk Silver badge

        Re: "controlled folder access"

        Genuinely curious. What's wrong with Comodo? Has been fine for me for years and seems quite powerful. I'm aware they've pretty much stolen Process Explorer, it would seem, with their version that looks shockingly similar. But still been good.

        Only issue is GeekBuddy. That should be avoided and I guess we should be pulling them up just for that alone.

        1. Kiwi
          Paris Hilton

          Re: "controlled folder access"

          Genuinely curious. What's wrong with Comodo?

          Maybe some here don't like it because the initial setting up is (was - last time I used Comodo was in 2008 before I went to mainly Linux) a bit annoying. All that thinking!

          Not like the Windows firewall, which may or may not be turned on (you can't be sure) and just does its thing, quietly letting anything and everything through, protecting you from all them nasties! (at least that's what the marketing dept claim)

          I'd also love to hear someone suggest flaws in Comodo, as my memory of it is good and I may end up suggesting it to someone stuck with Windows - would hate to make their machines even less secure!

    2. Solarflare

      Re: "controlled folder access"

      Although Comodo's original firewall was pretty good, nowadays I wouldn't touch them with a 40ft barge pole if they were on fire*

      *no, I'm not sure why I mixed those two together either, but these things happen.

  2. bombastic bob Silver badge
    Meh

    yet another 'new, shiny' feature that gets a *yawn*

    so how much of a pain IS it to set up everything to be "scramble-proof"? And when will the ransomware be smart enough to "un-do all of that" ?

    I'm guessing that it's NOT password protected with a separate pass-phrase, nor write protected with something that's truly tamper-proof.

    and without much review, we only have Microsoft's claims about its features...

    /me hope it actually works, but I suspect that maybe it's not worth the hype.

    1. Anonymous Coward
      Facepalm

      Re: yet another 'new, shiny' feature that gets a *yawn*

      It can be disabled with the following PS command:

      Set-MpPreference -EnableControlledFolderAccess Disabled

      It does need to be run as Administrator, but that's trivial to work around.

      It's a false sense of security, if any. Educating users is still the best cure.
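The same cmdlet family turns the feature on and tunes it, which is the side an administrator actually wants. The following is an added example, not code from any poster or from Microsoft's documentation; it assumes an elevated PowerShell prompt on Windows 10 1709 or later with Windows Defender Antivirus active, and every path in it is a constructed placeholder.

```powershell
# Added example: configure Controlled Folder Access (CFA) defensively and
# read back what it has blocked or would have blocked.
# Assumptions: elevated prompt, Windows 10 1709+, Defender AV is the active
# engine (a third-party AV disables CFA). All paths are constructed placeholders.

#Requires -RunAsAdministrator

# 1. Start in audit mode: nothing is blocked, but every write that *would*
#    have been blocked is logged, so the allow list can be built without
#    breaking Outlook, Notepad-on-the-desktop, and friends first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, Desktop, ...).
#    Mapped drives and UNC paths are accepted, one folder at a time.
Add-MpPreference -ControlledFolderAccessProtectedFolders `
    'D:\Finance', '\\nas01\dept-share\reports'

# 3. Allow a trusted application that the audit log showed would be blocked.
#    Keep this list short: anything on it can write to every protected folder.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleCorp\Editor\editor.exe'

# 4. Review the resulting configuration.
$pref = Get-MpPreference
[pscustomobject]@{
    # 0 = Disabled, 1 = Enabled, 2 = AuditMode (later builds add more values)
    Mode             = $pref.EnableControlledFolderAccess
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
}

# 5. Read CFA events from the Defender operational log:
#    1123 = write blocked, 1124 = audited (would have been blocked).
#    The first line of the message names the process and the target path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 6. Once the audit log is quiet for normal work, switch to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

A scheduled query for event 1123 is also the simplest detection of a process that is trying to rewrite protected folders in bulk, whether or not the user dismissed the toast notification.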

      1. Anonymous Coward
        Anonymous Coward

        Re: yet another 'new, shiny' feature that gets a *yawn*

        "It does need to be run as Administrator, but that's trivial to work around."

        How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

        1. Kiwi
          Boffin

          Re: yet another 'new, shiny' feature that gets a *yawn*

          "It does need to be run as Administrator, but that's trivial to work around."

          How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access.

          You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button? Or the one that defaults to the "allow" button being selected, which gets "clicked" when the user presses their space button. Which is not very often really, only every 4-5 characters typed or so....

          Not knowing how the permissions mechanism works, but my plan to defeat it would be a) to bombard the user with prompts (making the reason sound safe enough, e.g. "Mostwonderousfreebackup.exe needs to access your data to protect it, allow (yes/no)?") in the expectation that they'll hit "yes" (what turned UAC into just another Useless Annoying C...), or b) use a trojan that acts much like a).

          Now, a versioning system that can detect wholesale changes to a user's files and maybe take action (without having a simple yes/no prompt the user can make go away quickly, but something that sticks around and explains itself fairly carefully - no, I don't know how this can be achieved, sorry!), and make sure that the previous copy of the user's files cannot be touched - that would be good. Of course a quick defeat to that is to fill the HDD with stuff so there's no space left.

          Maybe the versioning software can send the file that's making the changes back to HQ (and other places, i.e. competing AV firms) for analysis, and hold its execution till cleared?

          Unfortunately any security system that requires the average user to select "no" several times a day is doomed to failure.

          1. Anonymous Coward
            Anonymous Coward

            Re: yet another 'new, shiny' feature that gets a *yawn*

            "You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

            Only if they have admin rights. Most corporate users won't. This can't beat a determined idiot with admin rights, but it's a good start....

            1. Kiwi

              Re: yet another 'new, shiny' feature that gets a *yawn*

              "You mean that thing that's on the screen briefly before the user clicks the "make it go away!" button?"

              Only if they have admin rights. Most corporate users won't. This can't beat a determined idiot with admin rights, but it's a good start....

              I suspect there may be some management issues there as well.. (ie manager demanding certain things be allowed which shouldn't).

        2. Anonymous Coward
          Anonymous Coward

          Re: yet another 'new, shiny' feature that gets a *yawn*

          "How is that trivial to work around? Users on Windows 10 won't have admin access without at least a warning prompt to elevate access."

          Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups...

          1. Anonymous Coward
            Anonymous Coward

            Re: yet another 'new, shiny' feature that gets a *yawn*

            "Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

            You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...

            1. Kiwi

              Re: yet another 'new, shiny' feature that gets a *yawn*

              "Except here the group policy disables UAC as the C-Level kept complaining about the pop-ups..."

              You let USERS have admin rights?! And then disable the safeguards?! Good luck with staying in business...

              Typically, if you don't let C-level types have their way, they send you on your way.

              1. Anonymous Coward
                Anonymous Coward

                Re: yet another 'new, shiny' feature that gets a *yawn*

                "Typically, if you don't let C-level types have their way, they send you on your way."

                And typically companies have processes and policies around admin rights that you get fired for ignoring. I have worked in many many varied companies and NEVER do standard user accounts get admin rights. If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required. Someone in your company isn't managing their users properly and you have a weak security policy and processes.

                As I said, good luck with staying in business...

                1. Kiwi

                  Re: yet another 'new, shiny' feature that gets a *yawn*

                  And typically companies have processes and policies around admin rights that you get fired for ignoring.

                  Ah yes, the old "I'll fire THE BOSS because I'm IT and therefore bigger than he is." Hello Jake, never knew you to post AC! :)

                  If a C-type REALLY needs admin access then it's via a separate admin login with no profile / email etc so that you just use it when admin is actually required.

                  "What? I don't want to bother with that. My time is important, I don't want to stuff around logging out and back in. Give me permanent admin access or you're fired and I'll get someone in who can do what they're told!". Or words to that effect.

                  As I said, good luck with staying in business...

                  Many of these companies still seem to be surviving quite well actually. YOU, however, would be out at best at the next contract renewal if you don't let some of these people get their own way.

      2. Anonymous Coward
        Anonymous Coward

        Re: yet another 'new, shiny' feature that gets a *yawn*

        It is another layer of protection. It won't be foolproof, but it is better than not having it.

        One more thing to stop you having to go to your backups. (You do have backups right?)

    2. Anonymous Coward
      Anonymous Coward

      Re: yet another 'new, shiny' feature that gets a *yawn*

      It works better if you realise they missed the log out/log back in the setup help. Didn't check if it applies changed folder lists but it doesn't update your app whitelist without it. Cue much annoyance.

      Also if you're using a 'select folder' file dialog it will just silently fail to write. No warning. Be careful.

  3. Tezfair
    Unhappy

    Hmmmm

    I don't seem to have it, maybe it's because I'm running a different AV and it's disabled?

    1. Richard Jones 1
      Unhappy

      Re: Hmmmm

      I do use Defender and tried to find it using all the link advice I could trace, but could not find the feature. If it should be there I want to have access and be able to exploit or reject any features as I desire without an automatic "it is [whoever] do not bother" response.

    2. Terry 6 Silver badge

      Re: Hmmmm

      Yes, I read the article, had a look and it's greyed out. Even the normally pretty useless "Microsoft Community" (Where shills meet to defend the mother ship) has this documented. To use this protection you have to rely only on the less safe MS AV. It's the IT equivalent of saying "Take off your condom and use the rhythm method".

      1. Terry 6 Silver badge
        WTF?

        Re: Hmmmm

        Now I'm really confused. (Well done Microsoft). Is this thing greyed out because I have third party AV software running, as Microsoft's own forums ("community") say, or because it isn't allowed to work in Home editions? Either way, they're a bunch of dicks.

  4. harmjschoonhoven
    WTF?

    Cat and Mouse

    I say no more.

    1. FuzzyWuzzys
      Facepalm

      Re: Cat and Mouse

      So your defeatist apathy is a better option? You'd better read "Maus" if you think a world is better with all Cat.

      ( Yes Godwin invoked by way of a literary reference! )

      1. Destroy All Monsters Silver badge

        Re: Cat and Mouse

        I have actually had my fill of Holocaust Porn in my life, no longer interested.

  5. Nifty Silver badge

    What if an unsecured device and a secure one both have the same Dropbox account (other brands of cloud storage are available), what happens when the unsecured one gets ransomware?

    1. Pascal

      The obvious unfortunately. The unsecured one scrambles the files, syncs them to dropbox, from where they get synced back to the secured device. If only the unsecured device could have read-only access to your cloud data...

  6. Tim Brown 1
    Facepalm

    For some reason...

    I always seem to misread Windows 10 Fail creators update.

    1. Chairo
      Angel

      Re: For some reason...

      I always have a sinking feeling when I read about falling creators.

      Will they ever land?

      1. DJSpuddyLizard

        Fall Creator's Update

        Is that for people who create fall [autumn], or is it just released in the fall and you have to be godlike to get it working properly?

      2. WolfFan Silver badge

        Re: For some reason...

        I always have a sinking feeling when I read about falling creators.

        Will they ever land?

        With luck they'll land somewhere in Red, and I do mean 'red', mond.

        Insert lyrics from 'Beautiful Streamer' or 'Blood on the Risers' here. http://home.hiwaay.net/~magro/parasongs.html

        Airborne!

    2. Lord Elpuss Silver badge

      Re: For some reason...

      "I always seem to misread Windows 10 Fail creators update."

      How is that misreading?

  7. Dippywood

    "The controlled folder access mechanism within Windows Defender prevents suspicious applications from changing the contents of selected protected folders."

    Turned this on, went to check email. OUTLOOK.EXE is blocked.

    OUTLOOK.EXE??

    Another well thought out feature, then!

    1. Pascal

      That, or your outlook.exe lacks the proper signature, and isn't the one on the whitelist. Scan for virii? :)

      (My Outlook from Office 2013 had no problems writing to my document folders when saving an email attachment after enabling this).

    2. Anonymous Coward
      Anonymous Coward

      So the next evolution of ransomware

      Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. It isn't as if those applications don't always have a lengthy list of patches every month, finding such an attack will be pretty easy.

      I don't see this as a long term solution, it is fixing last year's problem while the malware guys are already working on next year's nasties.

      1. Ken Hagan Gold badge

        Re: So the next evolution of ransomware

        "Will hijack your browser or Outlook or some other whitelisted application and use it to encrypt your folders. "

        You have posted this in reply to a comment that Outlook wasn't one of the whitelisted apps.

        Presumably the whitelisted apps have to be digitally signed and will lose their white-listing if they import DLLs that aren't also approved. There's no reason why this can't be made watertight. It doesn't look to be using anything that hasn't been part of the Windows kernel for about a decade. Having said that, I will grant you that whether it is actually effective is another matter.

        1. Anonymous Coward
          Anonymous Coward

          Re: So the next evolution of ransomware

          Whitelisting apps and requiring digital signatures? In other words time to welcome Microsoft to an Apple style walled garden, as apps without the signature will be seen as unsafe and to be avoided.

        2. Kiwi
          Trollface

          Re: So the next evolution of ransomware

          There's no reason why this can't be made watertight.

          Well, I can think of one obvious reason.... ;)

    3. Hans 1
      Joke

      See, there, this feature is actually working if it blocks Foutlook.

    4. Anonymous Coward
      Anonymous Coward

      Another well thought out feature, then!

      Even better, you can't turn it off for a folder once it's turned on!

      Great for making entire drives read-only

  8. Anonymous Coward
    Trollface

    Get Real Everyone

    MSFT just wants you to name the important folders to help focus their slurping work for 'the man'

    1. Anonymous Coward
      Anonymous Coward

      Re: Get Real Everyone

      Well, the documents & desktop folders would be the ones for 99.99999% of the Windows using population.

  9. Anonymous Coward
    Anonymous Coward

    So if this feature is for Defender, and Defender is supplied with Windows, and Windows 7 is still supported, will Microsoft get sued if someone gets ransomware that would have been stopped by something they didn't add to Windows 7 because they are trying to get everyone on Windows 10?

    I'm making the assumption this is not being added to Windows 7.

    1. Anonymous Coward
      Anonymous Coward

      What a crock of shit. Win7 has been out of mainstream support for some time (2 1/2 years).

      No new features, no additional service packs, only security fixes.

      This is a new feature.

      1. Anonymous Coward
        Anonymous Coward

        My mistake, it's security essentials for Windows 7 however it's still touted as Defender for Windows 7.

        So in your opinion you would not class ransomware protection as a security fix?

      2. Doctor Syntax Silver badge

        "No new features, no additional service packs, only security fixes.

        This is a new feature."

        So it's nothing to do with security?

        1. Anonymous Coward
          Anonymous Coward

          A new feature that adds security and fixes a problem that allows ransomware to propagate on a machine.

          If the OS was secure then it wouldn't be needed however it is therefore it's a fix to a problem.

          Let's say a variant of ransomware infects Windows 7 machines but not Windows 10 due to this "feature"; you could argue that Microsoft was negligent in not adding this to Windows 7, leaving users vulnerable, as they are obliged to supply security fixes.

          You say tomato, I say potato.

      3. Updraft102

        "Win7 has been out of mainstream support for some time (2 1/2 years).

        No new features, no additional service packs, only security fixes.

        This is a new feature."

        So you think it will be coming to Windows 8.1 then? Still a year and a half of mainstream support on that!

    2. WolfFan Silver badge

      'Windows Defender' on Win 7 is a useless application which tries and fails to do something about spyware. 'Windows Defender' on Win 8 and later, including Win 10, is an application of quite limited use which attempts to do something about malware in general, including spyware, but which is not the best antimalware app ever made. There are notable differences between Defender on Win 8/8.1 and Defender on Win 10; this feature is merely one more. Defender on Win 8 was built on the bones of Microsoft Security Essentials, for Win 7. They are not the same application. Defender on Win 10 has the same name but is not the same application as Defender on Win 8/8.1. If you want the features of Defender on Win 10, you have to be running Win 10. In other words, no, this won't be backported to Security Essentials on Win 7. And, no, this won't be backported to Defender on Win 8/8.1. Go ahead and sue. You will lose.

  10. Anonymous Coward
    Anonymous Coward

    Could Defender stop showing a warning icon...

    .... when I disable its "feature" to send files automatically to MS without my approval? If you show a warning icon when users disable "features" that may send out proprietary and sensitive information, users will start to ignore the icon even when there's a real threat.

    1. gypsythief

      Re: Could Defender stop showing a warning icon...

      Yes, it could. I'm probably 12 hours too late for this post to be seen, but here goes:

      Screenshot 1: https://i.imgur.com/dnIkfvs.png

      Here, I have just turned off Automatic Sample Submission. Notice how the Defender tray icon is showing a warning icon, along with an alert in the main Defender Security Centre window.

      Critically, clicking the "Dismiss" link by the alert does not just dismiss the alert from the Security Center window: it also dismisses the warning icon from the system tray.

      Screenshot 2: https://i.imgur.com/AjHPfxB.png

      Notice how Automatic Sample submission is still set to "Off", yet the tray icon has a happy little green tick icon on it again.

      Aaah, peace!

  11. Kevin Johnston

    Colour me stupid but...

    Intended as a serious question so please be gentle with me.

    I was under the impression that it was common for the attack to use the user's credentials so I don't understand how this could be as secure as you suggest. Does this simply act as an internal firewall based on connecting application?

    1. Anonymous Coward
      Anonymous Coward

      Re: Colour me stupid but...

      I would assume so.

      I have no idea as I'm not Technical... ah, well, sometimes I am. But I would guess, just as clicking "resource monitor" shows the actual program making the file request, this also works on the program level?

      Though as noted above, it may just be one more step in the escalation to control the malware needs, it now needs to hijack another program in addition to credentials.

    2. Anonymous Coward
      Anonymous Coward

      Re: Colour me stupid but...

      It's an application firewall. Doesn't matter what credentials are used, even if you have permission on the files. If the application isn't allowed, it doesn't get access.

      It's like the application sandboxing in, say, Android, but for file access only. The application needs permission to access the files; it doesn't matter that the user running the application has access.

    3. Ken Hagan Gold badge

      Re: Colour me stupid but...

      I don't know, but if I were asked to implement such a feature then here's how I'd do it.

      Windows access control already understands the notion of high, medium and low "integrity". That is, whether a piece of code (rather than the user) is trustworthy. This is how they implement UAC. So, on each of the directories that you want to protect, you add an access control entry (ACE) denying write access to some lowly level of integrity.

      Windows Defender then hooks into the module loader and arranges that each new process has that lowly level of integrity (in its process token) unless it was whitelisted. It also hooks DLL loading so that adding an untrusted DLL to a trusted process changes the integrity level. (Small loophole there: if you've opened a file and then load the library, you probably still have access via that handle. Perhaps someone at MS has written the additional code required to close that loophole.)

      The result is that most processes only have read access to Desktop and Documents (or wherever) but a few whitelisted processes have write access. Enforcement is via the tried and trusted (for 25 years) mechanism of validating access of tokens against lists of ACEs.

      Update: I should probably state explicitly that although the usual situation is for all processes that run "as you" to have "your" credentials, the Windows kernel is quite happy to juggle with different versions of "you" and access control is actually done based on the identity (token) of each process.

  12. Anonymous Coward
    Anonymous Coward

    chmod go-rw

    With added complexity, 30 years on.

    1. Anonymous Coward
      WTF?

      Re: chmod go-rw

      That's right. The user having to do nothing is far more complex than pulling up a shell and applying a command to obscurely named folders.

      And we wonder why IT people get a bad rep.

      1. Anonymous Coward
        Anonymous Coward

        Re: chmod go-rw

        Sure because 'the user' (nice patronising term there) will know all about the Windows Defender Security Center App won't they? They'll know exactly what arcane switch to flick, what password is needed, and they'll entirely understand why they can no longer save shortcuts on the desktop.

        And we wonder why IT people get a bad rep.

    2. Michael B.

      Re: chmod go-rw

      Not at all. This is stopping applications, that are running under your own privileges, from writing to certain locations that they shouldn't be writing to. In your permissions the malware will still get to write to the user's files.

  13. This post has been deleted by its author

  14. Anonymous Coward
    Anonymous Coward

    Network shares etc?

    Wonder how effective it is at protecting mapped drives? That's what typically hurts businesses the most when they've got a departmental share suddenly encrypted.

    1. Anonymous Coward
      Anonymous Coward

      Re: Network shares etc?

      It's a good point. If you apply it to a server, I presume it would lock out the user access, but interesting to see.

      Backups are all well and good, but not when they have suffered delayed encryption as well.

      1. Anonymous Coward
        Anonymous Coward

        Re: Network shares etc?

        Yeah, and you don't have an entire department sh*tting themselves because one member of staff has been doubly stupid whilst "working from home".

    2. Anonymous Coward
      Anonymous Coward

      Re: Network shares etc?

      A file system which allows snapshots is an effective protection against malware encrypting network share files. Enable automatic snapshots every n minutes, and when you spot a ransomware, you can go back in time (after you cleared the infection, of course) faster than having to restore a backup.

      Of course, it would be better to minimize the users having write access to any given share/folder, and maybe use a better way to share documents (e.g. something with auditing and versioning), not easily accessible by a ransomware. A "free-for-all" approach is never sensible.

      1. Mark 110

        Re: Network shares etc?

        I'm wondering if you can just apply the protection to the network drive as you would the local drive on your machine. Will give it a go when I get home later.

        1. Mark 110

          Re: Network shares etc?

          Hmmm - no I won't - haven't had the update yet . . . installing now.

      2. Anonymous Coward
        Anonymous Coward

        Re: Network shares etc?

        "A file system which allows snapshots is an effective protection against malware encrypting network share files."

        Windows already takes snapshots / file version backups. That might work for remote file shares, but most Windows ransomware deletes local snapshots!

        1. Anonymous Coward
          Anonymous Coward

          Re: Network shares etc?

          That's why I explicitly said "network share files", where an attacker's access is rather more limited. If the remote file system is also a non-Windows one (e.g. ZFS on a FreeBSD system), it becomes harder for the attacker. It's another layer of protection.

          1. Mark 110

            Re: Network shares etc?

            Finally got the update installed. Bit busy, and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.

            It lets me protect folders on my NAS but not apply the setting to the whole NAS. I need to apply it to each folder. But in answer to the original question - yes - you can apply the protection to network locations.

            1. Kiwi
              Linux

              Re: Network shares etc?

              Finally got the update installed. Bit busy, and the numerous reboots booting into Linux when I'm not there to tell it not to slowed me down.

              One of the reasons I seldom boot into Windows anymore. It will've decided some driver needs changing, or I've made a drastic hardware change like put the mouse in the wrong USB port (the one I plugged it into last week instead of earlier this week) or some other event that so seriously affects things that it wants a reboot. And when I reboot it takes a few minutes for Windows to shut down (I love showing off 11-15 second shutdowns in Linux with a ton of programs open!) so I wander away, hoping to be back to catch it.

              I found Grub Customizer, which has let me set the Grub time to 5 minutes (I would love a don't-automatically-boot-OS option), so at least I have some hope of intercepting the normal boot-into-Linux and letting Windows start the next stage of its 5xrebootforminorchanges cycle.

              Nice to know that network shares can be protected. Don't suppose the system defaults to protecting stuff though does it?

              1. Mark 110

                Re: Network shares etc?

                Thanks - been meaning to google how to stop Grub doing that to me :-)

  15. thondwe

    OneDrive

    Not sure this works for OneDrive folders yet - pity - guess it'll come in the Xmas Jolly Update...

    1. Mark 110

      Re: OneDrive

      Another one for me to try later. Or are you saying you already tried and failed? Will save me a task if you have.

      1. Mark 110

        Re: OneDrive

        It works for OneDrive. Well, the way I have it set up on this machine anyway. On this machine, to write to OneDrive it writes to a local drive which then syncs to OneDrive. I can apply the setting to the OneDrive folder in Explorer (which in a physical sense is a local folder). So yes, it works (on this machine).

        Need to update my laptop at some point. I don't store all OneDrive files locally on the laptop so that might be different.

  16. lansalot

    Yay!

    That sounds like a great tool for home users to protect themselves!

    https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-controlledfolderaccessallowedapplications

    Ah wait - not available in Windows 10 Home edition??

    1. elgarak1

      Re: Yay!

      I remember how I felt back when all these different Editions came into being and I read that the backup on Home Edition wouldn't work. Yeah, right, our data is worthless, right? Bloody wankers...

      IIRC, about the same time Apple released Time Machine...

    2. Fuzz

      Re: Yay!

      That's a list of group policies. It's not possible to enable the feature using group policy on Windows Home. You have to go into the settings and flick the switch.

    3. This post has been deleted by its author

  17. kckeane

    Thank you!

  18. James 29

    I tried enabling this, then an hour later was dragging a URL from the address bar on Firefox to the desktop (just an odd way of bookmarking I use sometimes) and Defender stopped it in its tracks. Feature now switched back off (or until I can be bothered to reconfigure it).

    1. lansalot

      so..

      Not worth persisting with to protect your actual-data then, just because one thing got blocked?

      1. Kiwi
        Boffin

        Re: so..

        Not worth persisting with to protect your actual-data then, just because one thing got blocked?

        A big part of the hate directed at 8/8.1/10, a big part of the reasons given why people resist switching to secure OS's etc etc is that it "breaks their workflow".

        People tend to hate things that make their jobs harder. Many also like a new feature and want to use it, but until they get the time to get it working right they turn it off.

        Sometimes time is worth more than faffing about with MS settings and fighting yet another change to the way Windows works. Also why I use Mate instead of other systems - I like functions Gnome2 had which were removed in 3.

        1. Mark 110

          Re: so..

          Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.

          I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.

          1. Kiwi

            Re: so..

            Upvoted you cos you talk sense - however one of the reasons I can't make the switch to Linux is it breaks my workflow.

            Thanks :)

            I switched slowly myself. I started it on some server stuff I was doing, and slowly moved it over. I had some type of terminal program (maybe cygwin) that would let me ssh into the server. I started using it more and more with Ubuntu 8, and IIRC for a while I had the ultimate in dual-boot - 2 computers side-by-side!

            What sold me was the first time I went to use my Epson printer/scanner on Linux. Stood up to turn the printer on, sat back at the computer, and there was a prompt saying it was ready. No driver searches, no wait while the OS finds drivers, just done and ready to work.

            Of course, back then computers were a tiny fraction of my normal working life, so I had it easy.

            (Oh, and as I said I still stick with something Gnome2-like because that's what I like - I'm comfortable in KDE and Cinnamon, but the UI on the latest Fedora also made it my shortest-lived VM :) )

            I'm keeping my fingers crossed for no major UI changes in Windows. Just clean up the rough edges still hanging around after the 8 debacle. It's not friendly having both the old XP / 7 interfaces and the new 8/8.1/10 interfaces popping in randomly. The new ones suck pretty hard for anything except basic on/off switches.

            Yeah they do waste a LOT of screen real estate! Efficient UI design DOESN'T involve having 3 words and one on/off slider per screen!

  19. js6898

    Turned it on, went to edit a .txt file on my desktop (using notepad), wouldn't let me save the changed .txt file back onto the desktop. Turned it off and then I could save the file.

    1. Anonymous Coward
      Anonymous Coward

      So that's:

      chmod -R a-rwx C:\

      Those clever Redmond folk... whatever will they think of in the next 30 years.

      1. Anonymous Coward
        Anonymous Coward

        "So that's:

        chmod -R a-rwx C:\"

        No it isn't; Windows already has a rather more powerful set of more granular file system ACLs than *Nix has ever had.

        This is file system access permissions by application binary, not by user ACL.

        1. Captain Obvious
          FAIL

          Riiiiiiight....

          So when you turn on Deny permissions and users still can get access to it, this is more secure? Have seen this happen SO many times. REGARDLESS of inheritance, if you use deny permission on that group, they should not have access, yet randomly, sometimes they do.

          The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do.

          1. Ken Hagan Gold badge

            Re: Riiiiiiight....

            This is the stuff that Dave Cutler brought to the party, 25 years ago. I've seen various ways of getting the configuration wrong, but I've never seen the configuration not being enforced properly.

            If you are a big fan of the original UNIX model then you can stick to that subset, although UNIX doesn't anymore so perhaps it wasn't quite so great.

          2. Anonymous Coward
            Anonymous Coward

            Re: Riiiiiiight....

            "if you use deny permission on that group, they should not have access, yet randomly, sometimes they do."

            Not on Windows they don't.. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid. If users have access then they are not in a group with a deny group.

            1. Kiwi
              WTF?

              Re: Riiiiiiight....

              Not on Windows they don't.. Deny always overrides any access. I have done hundreds of tests as part of a compliance project on various Windows versions and it's rock solid.

              You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?

              I've performed thousands of tests, and found the Windows security model... Actually, no that's not true, I've never found the Windows security model because it does not exist!

              1. Anonymous Coward
                Anonymous Coward

                Re: Riiiiiiight....

                "You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?"

                LOL @ complete lack of understanding of ACLs. To be able to do that you need admin rights, AND the admin account needs to have rights to "take ownership" to the files in question.

                By default if you have admin rights, of course you can change permissions. However you can easily deny even the admin account access to files and folders if you need to. Which is something that the inflexible and more primitive *nix ACL model can't manage for root...

                1. Kiwi
                  FAIL

                  Re: Riiiiiiight....

                  "You call "You do not have permission to access this (file/folder/drive). Click here to permanently get full access rights" 'rock solid'?"

                  LOL @ complete lack of understanding of ACLs. To be able to do that you need admin rights, AND the admin account needs to have rights to "take ownership" to the files in question.

                  You're an MS shillsupporter and you challenge others on security?

                  And no, you clearly have a complete lack of understanding of MS's complete lack of security. I'm talking a LIMITED account with no admin rights on a Win7 (and I think I've seen this on 8) where the kids wanted to access something in another account (admin or not), they click the folder, get told they don't have permissions "click here to permanently get permission to access this folder",

                  We're talking home users so the MS craptastic and generally rather broken ACLs don't exactly come into it do they? Default MS settings, to be as insecure as possible and when that's not insecure enough, to automatically and permanently give full access to whoever asks.

          3. Anonymous Coward
            Anonymous Coward

            Re: Riiiiiiight....

            "The superiority of Unix is the simplicity of the file permissions that do exactly what you tell them to do."

            Windows ACLs are more granular and have more options so it's much easier to achieve exactly what you want than on *Nix. Also it has more advanced features like constrained delegation and discretionary access control that you simply can't do with *Nix without installing complex third party products. You clearly don't know the subject matter very well...

            1. DuncanLarge Silver badge

              Re: Riiiiiiight....

              "Windows ACLs are more granular "

              UNIX ACLs are just as granular and if part of a Windows domain implement the same access as on a Windows client. It's just that not everyone bothers to use UNIX ACLs.

        2. Kiwi
          Linux

          No it isn't; Windows already has a rather more powerful set of more granular file system ACLs than *Nix ever has.

          Yet their "security" still constantly lets minor browser bugs get the OS compromised, things that're impossible on proper secure OS's.

          1. Anonymous Coward
            Anonymous Coward

            "Yet their "security" still constantly lets minor browser bugs get the OS compromised, things that're impossible on proper secure OS's."

            That's been possible plenty of times on most OSes including Linux, iOS and Android - so I'm not sure what you have left to class as a proper secure OS?!

  20. Doctor Syntax Silver badge

    I was wondering how this worked seamlessly without changing the entire file access mechanism. By the time I got this far down the comments the answer is clear. "Seamlessly" doesn't apply. PDQ users will be trained to allow anything that wants to write anywhere to do so.

    1. Kiwi
      Pint

      PDQ users will be trained to allow anything that wants to write anywhere to do so.

      Yup. UAC V2.

  21. This post has been deleted by its author

  22. Anonymous Coward
    Anonymous Coward

    How difficult could it be for Microsoft to implement something that checked if multiple files have been written to in the same folder (perhaps with different extensions) by the same process and block write access until whitelisted? Surely not rocket science?

    That way, all folders would be protected.

    1. Ken Hagan Gold badge

      How difficult could it be for you to see the number of false positives this might throw up?
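The "many files, one folder, one process" heuristic proposed above, written out as an added example (not from the thread or from Microsoft) over a constructed list of write events; process names and paths are made up. It includes the whitelist the commenter mentions and a backup tool whose write pattern is indistinguishable from the bad case, which is the false positive Ken Hagan is pointing at.

```powershell
# Constructed write events: an editor saving one file, an unknown process
# rewriting a Documents folder with a new extension, and a backup tool that
# legitimately writes many files of many types into one folder.
$events = @(
    [pscustomobject]@{ Process = 'notepad.exe'; Path = 'C:\Users\js\Desktop\notes.txt' }
    [pscustomobject]@{ Process = 'unknown.exe'; Path = 'C:\Users\js\Documents\a.docx.locked' }
    [pscustomobject]@{ Process = 'unknown.exe'; Path = 'C:\Users\js\Documents\b.xlsx.locked' }
    [pscustomobject]@{ Process = 'unknown.exe'; Path = 'C:\Users\js\Documents\c.jpg.locked' }
    [pscustomobject]@{ Process = 'unknown.exe'; Path = 'C:\Users\js\Documents\README.hta' }
    [pscustomobject]@{ Process = 'backup.exe';  Path = 'E:\Backup\a.docx' }
    [pscustomobject]@{ Process = 'backup.exe';  Path = 'E:\Backup\b.xlsx' }
    [pscustomobject]@{ Process = 'backup.exe';  Path = 'E:\Backup\c.jpg' }
    [pscustomobject]@{ Process = 'backup.exe';  Path = 'E:\Backup\d.pdf' }
)

function Find-MassWriters {
    param(
        [object[]]$Events,
        [int]$MinFiles = 3,          # distinct files per (process, folder) before we care
        [int]$MinExtensions = 2,     # "perhaps with different extensions"
        [string[]]$Allowed = @()     # process names already whitelisted
    )
    $Events |
        Where-Object { $Allowed -notcontains $_.Process } |
        Group-Object { '{0}|{1}' -f $_.Process, (Split-Path $_.Path -Parent) } |
        ForEach-Object {
            $files = @($_.Group.Path | Sort-Object -Unique)
            $exts  = @($files | ForEach-Object { [System.IO.Path]::GetExtension($_) } | Sort-Object -Unique)
            if ($files.Count -ge $MinFiles -and $exts.Count -ge $MinExtensions) {
                [pscustomobject]@{
                    Process    = $_.Group[0].Process
                    Folder     = Split-Path $_.Group[0].Path -Parent
                    Files      = $files.Count
                    Extensions = $exts -join ','
                }
            }
        }
}

# Without a whitelist both the unknown process and the backup tool trip the rule:
# the write pattern alone does not separate them.
Find-MassWriters -Events $events | Format-Table -AutoSize

# Whitelisting the backup tool removes that false positive; the unknown process
# is still flagged.
Find-MassWriters -Events $events -Allowed 'backup.exe' | Format-Table -AutoSize
```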

  23. MacroRodent

    What apps are trusted?

    So to work, it has to know which applications are allowed to write to the trusted folders. I guess initially only the Microsoft ones, like MS Office. So a macro virus (or successful phishing) targeting Word or Excel can bypass this easily.

    By the way, this sounds like a limited version of Linux AppArmor.

    1. Anonymous Coward
      Anonymous Coward

      Re: What apps are trusted?

      "By the way, this sounds like a limited version of Linux AppArmor."

      No, Linux AppArmor is more like a limited version of Windows AppLocker / Software Restriction Policies.

  24. Craigie

    why selected folders?

    And not entire drives?

    1. Anonymous Coward
      Anonymous Coward

      Re: why selected folders?

      "why selected folders?

      And not entire drives?"

      Selected folders could include say C:\

      1. Craigie

        Re: why selected folders?

        'Selected folders could include say C:\'

        It could, but the defaults are user file locations like 'Documents' and 'Desktop'. Maybe it's a performance killer when applied to the entire filesystem?

        1. Seajay#

          Re: why selected folders?

          I couldn't say about performance (can't check with Home edition) but surely the problem is that almost every program wants to write at least something to disk. So if you protect C: you need to allow every program access and if every program has access, there's no protection at all.

          I suppose one option would be to protect everything except %APPDATA% but that doesn't provide much protection above the standard because almost everything that's not in there or documents needs admin permission anyway (and if you're running as admin, you can just turn off the protection).

        2. Anonymous Coward
          Anonymous Coward

          Re: why selected folders?

          "Maybe it's a performance killer when applied to the entire filesystem?"

          Or maybe if you stick your data where it's supposed to be you don't need to worry about it?

      2. Anonymous Coward
        Anonymous Coward

        Re: why selected folders?

        ""why selected folders?

        And not entire drives?""

        Because then you would have to whitelist a much larger range of binaries which would defeat the whole objective of keeping applications allowed to write to the controlled areas of the disk to a minimum?!

        Not to mention that there shouldn't be any data that you care about outside of the default locations.

        1. Kiwi
          WTF?

          Re: why selected folders?

          Not to mention that there shouldn't be any data that you care about outside of the default locations.

          So.. You shouldn't have backups because e:\backup is not a default location?

          Why should it matter where I stick my data? Or is MS still a bit dumb in the concept of not everyone does everything the same?

  25. Anonymous Coward
    Anonymous Coward

    "Once the feature has been activated, essential directories like the user's documents folder are locked off from any malicious applications that seek to <...snip...> scramble them to destroy them. "

    So MS is locking-out Excel and WinWord from opening files in the Documents folder?

    1. Anonymous Coward
      Anonymous Coward

      5 thumbs-down?

      nobody here has a sense of humor anymore...

  26. Tubz Silver badge
    FAIL

    Doh !

    So I take your advice and activate, first thing to get flagged, Outlook 2016 wanting to update my inbox WTF Microsoft, flagging your shit as suspicious, way to go !

    1. Ken Hagan Gold badge

      Re: Doh !

      Doh? Really?

      Personally I'm delighted that MS didn't just whitelist everything from their own stable. It seems entirely proper that this decision should be made by the end-users (or their admins).

      1. stephanh

        Re: Doh !

        You are delighted that Microsoft is apparently unable to whitelist their own apps?

        Would it not rather suggest that the whitelisting criteria are sufficiently difficult to get right that the number of false positives will be huge, which in turn will cause the vast majority of users to disable this feature?

      2. Kiwi
        Thumb Up

        Re: Doh !

        It seems entirely proper that this decision should be made by the end-users (or their admins).

        While I largely agree, the question has to be asked... The first time a user downloads something from cnet/softpedia/download/etc.com? :)

  27. Anonymous Coward
    Trollface

    Good old MSFT

    "Windows 10 isn't done until Open Office won't run!!"

  28. stephanh
    Windows

    Great feature!

    So my sysadmin turned this on on my computer so I don't need to fear ransomware anymore. Only one snag: this handy little photo editor I downloaded from the interwebs couldn't access my files in Documents anymore. No worries, though, I just created a new folder Documents2 and put all my files there! Am I a computer wiz or what?

    1. Ken Hagan Gold badge

      Re: Great feature!

      No. You are the kind of doofus that the feature is designed to obstruct. A computer wiz would have provided sufficient evidence to their sysadmin that the handy little photo editor was legit and should be added to the whitelist.

      In the meantime, you've created a nice little sandbox called Documents2 and when you next download some ransomware it will only be that sandbox that gets toasted. "Documents" will be fine.

      1. Doctor Syntax Silver badge

        Re: Great feature!

        "No. You are the kind of doofus that the feature is designed to obstruct."

        Whoosh!

  29. anonymous boring coward Silver badge

    "Cybercriminals can’t extort money if they can’t encrypt your files. "

    So if you stop the criminals from committing crimes, you are safe? Astonishing!

  30. JibberJabberBadger

    What about us?

    Bit of a tech newb here, so feel free not to flame me.. is there a version of this for home (non enterprise) users?

    1. Anonymous Coward
      Anonymous Coward

      Re: What about us?

      I believe it's available for home users. You just can't control it via GPOs but have to set it manually.
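Added example, not from the article or any commenter: the Windows Defender PowerShell cmdlets drive the same switch the Settings app flips, so they also work on Home edition where the Group Policy / MDM route discussed earlier in the thread is unavailable, and they cover the whitelisting questions raised about Outlook and the photo editor. The folder and application paths are placeholders, and the commands need an elevated prompt.

```powershell
# 1. Start in audit mode: writes to protected folders are logged rather than
#    blocked, so false positives (Outlook updating its mailbox, Firefox saving
#    a shortcut, a photo editor) surface before anyone loses a workflow.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect a non-default location in addition to the built-in Documents,
#    Desktop, Pictures etc. (placeholder path for the backup drive mentioned above).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'E:\Backup'

# 3. Review what would have been blocked. In the Defender operational log
#    event 1124 is an audited write and 1123 a blocked write; the message
#    names the process and the file it touched.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 4. Allow an application you have reviewed, by full path (placeholder), then
#    switch from auditing to enforcement.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\PhotoEditor\photoeditor.exe'
Set-MpPreference -EnableControlledFolderAccess Enabled

# 5. Confirm the resulting state (EnableControlledFolderAccess: 0 off, 1 on, 2 audit).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```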

  31. MrKrotos

    Ooooooh, seems the turd has another layer of glitter!
