
Controlled access folders with Defender in 1709


With the Fall Creators Update 1709, Microsoft has included an enhanced version of their own Windows Defender product. This apparently has an option to turn on anti-ransomware protection using a feature called "controlled folder access". See this link: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard

Is this a "must have" feature or does Eset Smart Security have its own mechanism to give this degree of enhanced protection?


  • Administrators

This seems to be a simple feature that enables only allowed applications to make modifications to selected folders. The same can be accomplished with a HIPS rule. My understanding is that the feature would not protect folders from ransomware that injects into or is run by allowed applications, such as VB scripts.


Appears the default setting is to deny any access to any controlled folder. [See below Edit] You can add allowed apps but of course if those were hijacked, you could get nailed. If this is true, it should detect any script engine access.

As previously stated, you can easily do the same by creating a HIPS "ask" rule for My Documents, etc. to detect any write or delete access and the more apps you create "allow" rules for, the higher the likelihood of getting nailed by ransomware. For example, malware could deliver ransomware using the explorer.exe shell.

Note:  Win 10 1709 Controlled Folder access only works if Windows Defender is used as your AV.

-EDIT-

All ransomware has to do is inject one of the below noted "safe" apps or run from its shell e.g. explorer.exe:

Quote

!Important

By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets.

Ref.: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard#allow-specifc-apps-to-make-changes-to-controlled-folders

Edited by itman
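
An added example, not part of the thread and not Microsoft's or ESET's code: a PowerShell audit of the Controlled Folder Access settings discussed above, built on the Defender cmdlet `Get-MpPreference` and on `Get-WinEvent`. The `$RiskyHosts` list and the function names are assumptions for illustration, and the sample allow-list is constructed.

```powershell
# Audit Controlled Folder Access (CFA) on Windows 10 1709+ with Defender as the active AV.
# Run from an elevated PowerShell prompt.

# Script hosts and shells that run attacker-supplied code if allow-listed.
# This list is an assumption for illustration; extend it for your environment.
$RiskyHosts = 'wscript.exe','cscript.exe','mshta.exe','powershell.exe',
              'cmd.exe','rundll32.exe','regsvr32.exe','explorer.exe'

function Get-RiskyAllowedApp {
    param([string[]]$AllowedApps)
    # Return allow-list entries whose file name is one of the risky hosts.
    $AllowedApps | Where-Object { $_ -and ($RiskyHosts -contains (Split-Path $_ -Leaf)) }
}

function Get-CfaReport {
    $pref  = Get-MpPreference
    $modes = @{ 0 = 'Disabled'; 1 = 'Enabled (block)'; 2 = 'Audit mode' }
    $mode  = [int]$pref.EnableControlledFolderAccess
    $apps  = $pref.ControlledFolderAccessAllowedApplications
    [pscustomobject]@{
        Mode = if ($modes.ContainsKey($mode)) { $modes[$mode] } else { "Other ($mode)" }
        AddedProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
        # Only user-added entries appear here; apps Windows allows automatically are not listed.
        UserAllowedApps = $apps
        RiskyAllowedApps = @(Get-RiskyAllowedApp -AllowedApps $apps)
    }
}

function Get-CfaEvent {
    param([int]$MaxEvents = 20)
    # 1123 = change blocked by CFA, 1124 = change audited (audit mode).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Constructed sample allow-list: flags the wscript.exe entry without touching the live system.
$sample = 'C:\Program Files\Backup\backup.exe', 'C:\Windows\System32\wscript.exe'
Get-RiskyAllowedApp -AllowedApps $sample

# Live report and recent CFA events on this host.
Get-CfaReport | Format-List
Get-CfaEvent
```

Running CFA in audit mode first and reviewing the 1124 events shows which applications would be blocked before any of them is added to the allow-list.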

Thanks for the comments and advice. However, I expect any AV product that I choose to pay for to provide the best possible protection by default rather than expecting the user to have knowledge and understanding of how to create advanced settings. If Microsoft is deeming some form of access control as important and Eset is not then I need to ask why? I have no wish to start using Defender and am happy to pay for Eset to help keep my family computers safe but I am looking for reassurance that it will do so by default without me or my wife having any specialist knowledge. I don't mind being asked questions when first installing or updating on an interactive basis but I don't expect to have to be proactive in order to feel secure.


13 minutes ago, chrisj said:

If Microsoft is deeming some form of access control as important and Eset is not then I need to ask why? 

Windows Defender ransomware protection is abysmal as noted in AV Lab tests that specifically tested for ransomware protection effectiveness. This is why MS added the controlled folders protection; a typical Band-Aid security approach they are noted for.

Eset has by default anti-ransomware protection as long as LiveGrid is enabled. It is most effective on Win 10 since Eset uses its built-in protections such as AMSI to monitor script execution.


  • Administrators
1 hour ago, chrisj said:

If Microsoft is deeming some form of access control as important and Eset is not then I need to ask why?

Because we don't want to give users a false sense of security by providing a solution that can be relatively easily circumvented and cause issues for some users at the same time. We use several advanced smart techniques to prevent newborn malware from running in the first place.


Many thanks for all the feedback. I don't pretend to understand all the technicalities other than to realise that most users will not delve in any detail into all the complexities of the subject. I started off this thread wanting some assurance that I was doing the right thing in sticking with ESET and not considering the "free" option and I am comfortable that I have achieved that. I fully recognise that no solution can ever give a 100% guarantee and the user must always take some responsibility as to what they do on their computers. It is, however, important that products that are considerably customizable, such as the various flavours of ESET, default to a high degree of security as many users will never venture beyond the default settings, let alone understand some of the configuration options offered.
