1.    2 Weeks Ago #1
    Join Date : Aug 2016
    S/E England
    Posts : 4,517
    10 Home x64 (1709) (10 Pro on 2nd pc)

    Odd Defender 'Controlled Folder Access' alert


    Fall Creators Update 1709 introduced a new 'Controlled Folder Access' function in Defender. This is off by default, but I have turned it on to test it. I've had to allow a couple of apps access (VLC was one) but other than that it seem unobtrusive.

    However, very occasionally (and with no apparent pattern, I've even seen it once visiting TenForums) I've seen a very strange alert for Internet Explorer....

    Click image for larger version. 

Name:	Controled folder access blocked - IE.png 
Views:	46 
Size:	68.4 KB 
ID:	161896

    I have two problems with this. First, I don't read Chinese (Japanese, or whatever).
    Second, there appears to be no such folder as %desktopdirectory%

    Click image for larger version. 

Name:	Controled folder - Desktopdirectory.PNG 
Views:	46 
Size:	3.7 KB 
ID:	161897

    Anyone got any idea what this means?
      My ComputersSystem Spec
  2.    2 Weeks Ago #2
    Join Date : Oct 2013
    Newport, South Wales, UK
    Posts : 1,825
    Windows 10 Pro x64 FCU - XP/Vista/Win7/Win8.1 in VM for testing

    The whole concept of Anti ransomware using Controlled Folder Access is always going to be intrusive due to the way that ransomware works - you have to use the "deny everything access to everywhere approach" and then build a personal whitelist over time, ( the "default list concept" is a potential issue as until a user is prompted that, for example, Notepad (which they are not using) is trying to access File x then they may not be aware that they have a rouge Notepad.exe setting ransom locks on files).

    Anyway with your specific message I would first case think of some addon in the browser that has set-up it's own user variable to work with the desktop ( the language looks more Korean to me if that helps (but don't quote me on it))

    Edit

    Not the first time that developers have used their own system variables ... how to point to current user desktop in command line ?
      My ComputerSystem Spec
  3.    2 Weeks Ago #3
    Join Date : Aug 2016
    S/E England
    Posts : 4,517
    10 Home x64 (1709) (10 Pro on 2nd pc)
    Thread Starter

    Quote Originally Posted by Barman58 View Post
    ...with your specific message I would first case think of some addon in the browser that has set-up it's own user variable to work with the desktop ( the language looks more Korean to me if that helps (but don't quote me on it))
    (I can't read Korean either )

    The only addon in my IE is a Skype plugin that pre-dates the upgrade to Win10 - and that is set as 'disabled'. The only other things I have added are a few accelerators (Map with Google, Translate with Google, etc.). As these are just small xml files I can look at their code - nothing there that would explain this.

    The whole concept of Anti ransomware using Controlled Folder Access is always going to be intrusive...
    Yes, that's what I wanted to test. So far it seems the answer is 'not as much as I had feared'. I had to grant MS's own RoboCopy access so it could reset archive attributes on user files (I use it in my backup .bat file) - strangely, the Attrib command get's a 'free pass' when doing the same thing.

    Those few I have had to grant access were allowed to save/modify documents, it was their %appdata% that got blocked. These included VLC and Libre Office.
    Last edited by Bree; 2 Weeks Ago at 13:00.
      My ComputersSystem Spec
  4.    2 Weeks Ago #4
    Join Date : Aug 2016
    S/E England
    Posts : 4,517
    10 Home x64 (1709) (10 Pro on 2nd pc)
    Thread Starter

    Quote Originally Posted by Barman58 View Post
    ( the language looks more Korean to me ...)
    Identified now as Chinese. Tracked down the entry in the Event Viewer then I could search for the symbols online.

    These Controled Folder Access events are recorded as Event ID 1123 in...
    Application and Service Logs/Microsoft/Windows/Windows Defender/Operational

    C:\Program Files\internet explorer\iexplore.exe has been blocked from modifying %desktopdirectory%\䔀鶸翿 by Controlled Folder Access.
    Detection time: 2017-11-03T04:48:48.340Z

    Not the first time that developers have used their own system variables ...
    That too I have now identified by the simple expedient of trying to save to the Desktop from PaintShop Pro (and in the process found another app that I need to grant access to). %desktopdirectory% is indeed Defender's internal variable for my Desktop.

    The only remaining question is why on earth was IE trying to modify something on the Desktop? A scan with AdwCleaner found nothing untoward.
      My ComputersSystem Spec
  5.    2 Weeks Ago #5
    Join Date : Oct 2017
    Texas
    Posts : 104
    Windows 10 Home 64-bit Edition

    The past 3 days now I have been getting that message for Control Folder Access Blocked C\...\ Youcam6_webcam_c... from making changes % userprofile %\ documents.......
      My ComputersSystem Spec
  6.    2 Weeks Ago #6
    Join Date : Aug 2016
    S/E England
    Posts : 4,517
    10 Home x64 (1709) (10 Pro on 2nd pc)
    Thread Starter

    Quote Originally Posted by MrHudson View Post
    The past 3 days now I have been getting that message for Control Folder Access Blocked C\...\ Youcam6_webcam_c... from making changes % userprofile %\ documents.......
    That is to be expected if you turn on Controlled Folder Access and are running third-party software that's not in Defenders 'whitelist' of known trusted apps.

    If you know and trust the app that's being blocked you can add it as an allowed app in Defender's 'Virus & threat protection settings'.

    If you don't recognise the app concerned, then Controlled Folder Access is doing it's job properly
      My ComputersSystem Spec
  7.    2 Weeks Ago #7
    Join Date : Oct 2017
    Texas
    Posts : 104
    Windows 10 Home 64-bit Edition

    Quote Originally Posted by Bree View Post
    That is to be expected if you turn on Controlled Folder Access and are running third-party software that's not in Defenders 'whitelist' of known trusted apps.

    If you know and trust the app that's being blocked you can add it as an allowed app in Defender's 'Virus & threat protection settings'.

    If you don't recognise the app concerned, then Controlled Folder Access is doing it's job properly
    I didn't turn nothing on, Win10 is new to me, I am use to Win7. The fall update was installed on Oct 28th. now the past 3 days access block comes up, started off with Ccleaner %userprofile%\ documents, I uninstalled it and reinstalled. now its Youcam6.
      My ComputersSystem Spec
  8.    2 Weeks Ago #8
    Join Date : Aug 2016
    S/E England
    Posts : 4,517
    10 Home x64 (1709) (10 Pro on 2nd pc)
    Thread Starter

    Quote Originally Posted by MrHudson View Post
    I didn't turn nothing on, Win10 is new to me, I am use to Win7. The fall update was installed on Oct 28th....
    Controlled Folder Access is a new feature in the Fall update. You can turn it off, or leave it on and allow access for the apps you want to use. See this tutorial for more details.

    Controlled folder access makes it easier for you to protect valuable data from malicious apps and threats, such as ransomware.

    Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.
    Change Windows Defender Controlled Folder Access Settings - Windows 10
      My ComputersSystem Spec
  9.    2 Weeks Ago #9
    Join Date : Oct 2017
    Texas
    Posts : 104
    Windows 10 Home 64-bit Edition

    Youcam6 came preinstalled. I was told it was for use to upload videos I make on YouTube.
      My ComputersSystem Spec
  10.    2 Weeks Ago #10
    Join Date : Oct 2013
    Newport, South Wales, UK
    Posts : 1,825
    Windows 10 Pro x64 FCU - XP/Vista/Win7/Win8.1 in VM for testing

    3rd party is anything that does not come as a built-in part of Windows itself - a lot of laptop and other systems add their own preferred cameras, specialist keyboards etc.

    Controlled Folder access is something that has been around for some time (as part of the Bitdefender Suite that I use for one), and it has to be a total block on all software accessing critical areas to be a viable anti-ransomware system.

    The way it works can be quite informative as many programs access files in areas which you would not expect.

    It must also block every attempted access by every application as Malware will often replace known safe applications including those supplied as part of windows.

    This means that if you are performing a task using a windows application and the app is flagged then you can accept and whitelist, but what about when an unknown or unused windows application is flagged - then you have to investigate or get your backups out or maybe even your wallet to recover your system

    It is much better to take the time, as access attempts are flagged, to add them to the Whitelist on your system and also to add any non standard data storage areas to the protected .

    Its better to lose a minute or two as the system learns your system than switch the protection off and lose every piece of personal data you have on the system, which is the risk you take if you do not use the protection available
      My ComputerSystem Spec

 


Similar Threads
Thread Forum
Security System Change Windows Defender Controlled Folder Access Settings - Windows 10
How to Change Windows Defender Controlled Folder Access Settings in Windows 10 Starting with Windows 10 build 16232, Controlled folder access is introduced in Windows Defender Antivirus. Controlled folder access makes it easier for you to...
Tutorials
Controlled folder access problems
I turned on controlled folder access in latest Windows 10 and tested with a few programs I use. I tested by adding Libreoffice calc (c:\program files\libreoffice5\scalc.exe) as an allowed app. However, with controlled folder access on I can't save...
AntiVirus, Firewalls and System Security
Solved Controlled folder access is greyed out
In the new Fall update there is a controlled folder access option. Which I would much like to use. I think it is meant to be on by default, for at least basic protection.. Mine is both off and greyed out so that I can not turn it on. I've read a...
AntiVirus, Firewalls and System Security
Solved About the "Controlled Folder Access" in windows defender...
Although not that important, I noticed that when you open Winders Defender, and then click on Virus and threat protection settings, and then scroll down to controlled folder access,.. It states, " Protect your files and folders from...
AntiVirus, Firewalls and System Security
Solved Defender icon shows alert - How to clear that?
I recently upgraded to the latest version of Windows which is great by the way. I have a question about the Windows Defender. It alerted me that my disk space was low and offered to delete previous versions to free up space. Great did that and it...
AntiVirus, Firewalls and System Security
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 17:23.
Find Us
Twitter Facebook Google+ Ten Forums iOS App Ten Forums Android App



Windows 10 Forums