Is the Windows 10 controlled folder access anti-ransomware feature any good?

With last week’s release of Windows 10 Fall Creators Update, users get a new feature aimed at stopping ransomware from encrypting their most important files.

It’s called controlled folder access, and is part of Windows Defender Exploit Guard, a new set of host intrusion prevention defenses that walks in the footsteps of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).

How does controlled folder access work?

Controlled folder access locks down folders, allowing only authorized (whitelisted) apps to access and modify files.

By default, it protects common folders where important data are stored – folders like Documents, Pictures, Movies, and Desktop. Those can’t be removed from the list of protected folders, but other folders can be added to it, including folders on other drives, network shares and mapped drives.

“You can also allow apps that you trust to access protected folders, so if you’re using unique or custom programs, your productivity is not affected,” Microsoft explained.

If, on the other hand, an unauthorized app tries to make a change to the files in those folder, it will be stopped and the user will get a notification about the attempt:

Windows 10 anti-ransomware

How to enable controlled folder access?

The easiest way for tech-unsavvy home users to switch it on is through the Windows Defender Security Center app, under the “Virus & threat protection” menu. They must click on the “Virus & threat protection settings”, and flip the switch to “On”. They can immediately add new folders to the protected folders list and whitelist apps.

Windows 10 anti-ransomware

“In enterprise environments, controlled folder access can also be enabled and managed using Group Policy, PowerShell, or configuration service providers for mobile device management,” Microsoft pointed out.

“The controlled folder access feature seamlessly integrates with Windows Defender Advanced Threat Protection. Every time controlled folder access blocks an attempt to make changes to protected folders, an alert is generated on Windows Defender ATP. This notifies security operations personnel to take quick response actions, including quarantining affected machines or blocking the unauthorized app from running on other machines.”

The endpoint alerts can be customized, so administrators can make them include instructions for end users on what to do next, e.g. immediately get in touch with the company’s help desk via email, phone or IM. More information on the whole process can be found here.

By the way, for controlled folder access to work, real-time protection in Windows Defender Antivirus must be enabled.

Does it actually work?

According to Bleeping Computer, it really does.

“Ultimately, while CFA is a great tool to protect folders from unwanted access, it won’t kill ransomware that access those folders. This means, that unprotected folders will still be encrypted, ransom notes will be displayed, and other unwanted behavior may occur,” they added.

Others have also tested and confirmed it’s efficacy.

Don't miss