Have you heard of Controlled Folder Access in Windows 10? If not, have a look at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.
In short, it blocks applications that are not whitelisted from making changes to a protected folder. A protected folder is a folder that Windows Defender monitors; you can add or remove the folders you need. You also need to specify which apps (identified by their executable path) are allowed to make changes to those folders.
Enabling and disabling it is pretty simple (on Windows 10 1803):
Start -> Settings -> Update & security -> Windows Security, then click Open Windows Defender Security Center.
In Windows Defender Security Center, go to Virus & threat protection -> Virus & threat protection settings -> Manage Controlled folder access.
Under Controlled folder access, turn it on or off.
Once it is turned on, you'll have options to manage the protected folders and the application whitelist.
And of course, you can enable/disable it via GPO.
I've been using Controlled Folder Access for a while; the solution is pretty robust and it does what it is supposed to do. So, what I have learned:
1- Create a list of folders to be protected. It may be just the user's profile, but maybe not.
2- Before enabling it, make sure you know what needs to be allowed (enable it in audit mode via GPO/GPEdit: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard).
3- After a while (I'd say at least one week, preferably one month), check Event Viewer to see which apps are trying to read/write, and build a whitelist of the apps that may access the protected folders.
4- Create the GPO to enforce the settings.
Pretty simple, but do I have it enabled on my personal laptop?
Well... I had (like I said before). I've been using it, and today I gave up and had to disable it. The reasons:
1- I have too many apps that try to make changes, including apps I did not know were making changes (e.g. if you open Remote Desktop, it will try to modify Default.rdp under the user's Documents folder, so c:\windows\system32\mstsc.exe needs to be allowed; the same goes for mspaint, winword, itunes, iexplore, firefox, etc., etc., etc.).
2- The number of notifications just drives me crazy. I didn't add all the apps that require writing to my user profile, but when I open some files that I feel should not require access, a notification pops up... and as an admin, I get loads of those notifications.
3- I did not allow msiexec, because I don't want every installation to write stuff to my user profile, but unfortunately some installations roll back if they cannot create a desktop link.
4- You have to manually add each app to the list; the notification does not give you an option to do that.
5- The notification text is too small. When you have an app installed in c:\Program Files\Software Vendor\Software\Executable.exe, the notification shows c:\program files\So....\executable.exe, so I have to open Event Viewer quite often to see the correct path for the application.
6- It is based on the application path, which means that if you change the location of the app, you'll need to allow the new location or change the path. There is no way to control it via certificates or just the .exe file name.
7- The Event Viewer entry is too poor: it has no information about what operation was attempted (e.g. write, delete), nor which file; it only shows the folder. For example:
C:\Windows\explorer.exe has been blocked from modifying %userprofile%\OneDrive – perez.net.br\Documents by Controlled Folder Access.
Detection time: 2018-07-24T09:05:16.418Z
Path: %userprofile%\OneDrive – perez.net.br\Documents
Process Name: C:\Windows\explorer.exe
Signature Version: 1.273.212.0
Engine Version: 1.1.15100.1
Product Version: 4.18.1806.18062
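As an added example (not from the original post), the four-step rollout described above and the Event Viewer entry shown just above can be driven from an elevated PowerShell session instead of the Security Center UI and GPO. It uses the Defender cmdlets Set-MpPreference, Add-MpPreference and Get-WinEvent, which exist on Windows 10 1803+. The folder list, the 30-day window and the single mstsc.exe allow entry are constructed for illustration; the event IDs 1123 (blocked) and 1124 (audited) are the Controlled Folder Access events in the Defender operational log, and the message fields it parses ("Path:" and "Process Name:") are the ones visible in the event text above.

```powershell
# Added example, not the post's own code. Assumes Windows 10 1803+ with Windows Defender
# and an elevated session. Folder list, time window and allow entry are constructed.

# Steps 1 and 2: protect folders and start in audit mode so nothing is blocked yet.
$folders = @("$env:USERPROFILE\Documents", "$env:USERPROFILE\Pictures")
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $folders

# Confirm the current state (Disabled / Enabled / AuditMode is reported as 0 / 1 / 2).
(Get-MpPreference).EnableControlledFolderAccess

# Step 3: after the audit period, read audit (1124) and block (1123) events and turn
# them into a candidate allow list grouped by executable, with the folders each one touched.
function Get-CfaCandidateApps {
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event message carries the fields shown in the post:
            #   "Path: <protected folder>" and "Process Name: <full path to exe>"
            $proc = if ($_.Message -match '(?m)^Process Name:\s*(.+?)\s*$') { $Matches[1] }
            $path = if ($_.Message -match '(?m)^Path:\s*(.+?)\s*$')         { $Matches[1] }
            [pscustomobject]@{
                Process = $proc
                Folder  = $path
                Mode    = if ($_.Id -eq 1124) { 'Audit' } else { 'Block' }
            }
        } |
        Where-Object { $_.Process } |
        Group-Object Process |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Process'; e = { $_.Name } },
                      Count,
                      @{ n = 'Folders'; e = { ($_.Group.Folder | Sort-Object -Unique) -join '; ' } }
}

$candidates = Get-CfaCandidateApps -Days 30
$candidates | Format-Table -AutoSize
# Keep a copy to review; this is the list you decide the whitelist from.
$candidates | Export-Csv "$env:USERPROFILE\cfa-candidates.csv" -NoTypeInformation

# Step 4 (local equivalent of the GPO): allow only the executables you reviewed, then enforce.
# Here only mstsc.exe, the Remote Desktop client mentioned in the post, is allowed.
Add-MpPreference -ControlledFolderAccessAllowedApplications "$env:WINDIR\System32\mstsc.exe"
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Because the allow list is keyed on the full executable path (point 6 above), the Process column from the events is exactly the value Add-MpPreference expects, which avoids retyping the truncated path from the notification (point 5). Re-running Get-CfaCandidateApps after switching to Enabled shows the remaining 1123 block events, so you can see what is still being stopped before deciding whether to extend the whitelist.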
I still have high hopes for this solution, and I hope it will only get better and better.