Windows 10: Bypassing Controlled Folder Access Anti-Ransomware Protection

[German]In Windows 10 Fall Creators Update (V1709) Microsoft introduced Windows Defender Controlled Folder Access as a protection against ransomware. Now a security researcher has bypassed this protection using OLE. Microsoft does not consider this a vulnerability, but will address it in future versions of Windows-as-a-service.


Windows Defender Controlled Folder Access

Windows Defender in Windows 10 Fall Creators Update (V1709) comes with a new feature, Controlled Folder Access (CFA). It is meant to prevent unauthorized applications (malware, ransomware) from writing to or manipulating files in protected folders. Microsoft introduced Controlled Folder Access in a blog post last October.

[Figure: Windows 10 Controlled Folder Access (Source: Microsoft)]

The feature can be enabled via the Settings app. According to Microsoft, Controlled Folder Access protects the common folders where documents and other important data are stored. A user can add further folders to protect, including folders on other drives, and can also allow trusted apps to access protected folders.

[Figure: Windows 10 Controlled Folder Access settings (Source: Microsoft)]

When enabled, CFA blocks access by unauthorized apps and notifies the user of any attempt to access or modify files in protected folders.
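As an added example (not part of the original post or of Microsoft's material), the following PowerShell shows how an administrator can check how CFA is configured on a machine and pull its recent block and audit events; the Defender cmdlet and the event IDs are standard, but the script assumes an elevated shell on V1709 or later.

```powershell
# Added example: inspect the Controlled Folder Access configuration and list
# recent CFA events. Assumes the Defender module (Get-MpPreference) is present
# and the shell is elevated; written for Windows 10 V1709 or later.

$pref = Get-MpPreference

# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
$stateNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
$state = [int]$pref.EnableControlledFolderAccess
$label = if ($stateNames.ContainsKey($state)) { $stateNames[$state] } else { "Other ($state)" }
"Controlled Folder Access: $label"

# Folders the user added on top of Microsoft's default protected folders.
"Additional protected folders:"
$pref.ControlledFolderAccessProtectedFolders | ForEach-Object { "  $_" }

# Applications the user explicitly allowed to write into protected folders.
# Microsoft's built-in trusted list (which covers the Office executables
# discussed in this post) is not exposed here; only user-added entries appear,
# so review this list for anything that should not be trusted.
"User-allowed applications:"
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object { "  $_" }

# Recent CFA events from the Defender operational log:
# 1123 = write blocked, 1124 = write audited (audit mode only).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

If the log query returns nothing, no blocked or audited write has been recorded yet; an attempt routed through a trusted application, as described in this post, will not produce a 1123 event at all.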


(Source Microsoft)

Bypassing Controlled Folder Access via OLE

Spanish security researcher Yago Jesus, from SecurityByDefault, published this report showing how to bypass Microsoft's Controlled Folder Access (CFA) via OLE. This is possible because the Office executables are included in the whitelist by default, so these programs can make changes in protected folders without restriction. As a result, Office applications can modify files located in a protected folder (and thereby bypass the CFA protection), whether the user likes it or not.

Jesus published three examples of manipulated Office documents (which could be distributed by spam email). They can be used to overwrite the contents of other Office documents stored in protected folders, to password-protect those same files, or to copy their contents into files outside the CFA-protected folders, encrypt them, and delete the originals.

While the first example is purely destructive, the other two work like ransomware: the attacker can demand a ransom payment from the victim in exchange for the password or the encryption key.

It's not a vulnerability, says Microsoft

The security researcher informed Microsoft about the problem he discovered, but is dissatisfied with the manufacturer's reaction. In a screenshot of the email he received from Microsoft, Jesus documents that the operating system vendor did not classify the problem as a security vulnerability. Microsoft intends to improve file protection in future versions to address the reported bypass method.
