Odd Defender 'Controlled Folder Access' alert


  1. Posts : 31,611
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #1


    Fall Creators Update 1709 introduced a new 'Controlled Folder Access' function in Defender. This is off by default, but I have turned it on to test it. I've had to allow a couple of apps access (VLC was one) but other than that it seems unobtrusive.

    However, very occasionally (and with no apparent pattern, I've even seen it once visiting TenForums) I've seen a very strange alert for Internet Explorer....

    [Image: controled-folder-access-blocked-ie.png]

    I have two problems with this. First, I don't read Chinese (Japanese, or whatever).
    Second, there appears to be no such folder as %desktopdirectory%

    [Image: controled-folder-desktopdirectory.png]

    Anyone got any idea what this means?


  2. Posts : 4,201
    Windows 10 Pro x64 Latest RP
       #2

    The whole concept of Anti ransomware using Controlled Folder Access is always going to be intrusive due to the way that ransomware works - you have to use the "deny everything access to everywhere approach" and then build a personal whitelist over time (the "default list concept" is a potential issue as until a user is prompted that, for example, Notepad (which they are not using) is trying to access File x then they may not be aware that they have a rogue Notepad.exe setting ransom locks on files).

    Anyway with your specific message I would first case think of some addon in the browser that has set up its own user variable to work with the desktop (the language looks more Korean to me if that helps (but don't quote me on it))

    Edit

    Not the first time that developers have used their own system variables ... how to point to current user desktop in command line ?


  3. Posts : 31,611
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #3

    Barman58 said:
    ...with your specific message I would first case think of some addon in the browser that has set up its own user variable to work with the desktop (the language looks more Korean to me if that helps (but don't quote me on it))
    (I can't read Korean either :))

    The only addon in my IE is a Skype plugin that pre-dates the upgrade to Win10 - and that is set as 'disabled'. The only other things I have added are a few accelerators (Map with Google, Translate with Google, etc.). As these are just small xml files I can look at their code - nothing there that would explain this.

    The whole concept of Anti ransomware using Controlled Folder Access is always going to be intrusive...
    Yes, that's what I wanted to test. So far it seems the answer is 'not as much as I had feared'. I had to grant MS's own RoboCopy access so it could reset archive attributes on user files (I use it in my backup .bat file) - strangely, the Attrib command gets a 'free pass' when doing the same thing.

    Those few I have had to grant access were allowed to save/modify documents, it was their %appdata% that got blocked. These included VLC and Libre Office.
    Last edited by Bree; 03 Nov 2017 at 13:00.


  4. Posts : 31,611
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #4

    Barman58 said:
    ( the language looks more Korean to me ...)
    Identified now as Chinese. Tracked down the entry in the Event Viewer then I could search for the symbols online.

    These Controlled Folder Access events are recorded as Event ID 1123 in...
    Application and Service Logs/Microsoft/Windows/Windows Defender/Operational

    C:\Program Files\internet explorer\iexplore.exe has been blocked from modifying %desktopdirectory%\䔀鶸翿 by Controlled Folder Access.
    Detection time: 2017-11-03T04:48:48.340Z

    Not the first time that developers have used their own system variables ...
    That too I have now identified by the simple expedient of trying to save to the Desktop from PaintShop Pro (and in the process found another app that I need to grant access to). %desktopdirectory% is indeed Defender's internal variable for my Desktop.

    The only remaining question is why on earth was IE trying to modify something on the Desktop? A scan with AdwCleaner found nothing untoward.
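
Added example (not part of any post in this thread): a PowerShell script that reads the Event ID 1123 entries described in post #4 and groups them by blocked app and target, so each app can be reviewed before it is allowed. It assumes the message wording quoted in that post; `ConvertFrom-CfaMessage` and the sample event are constructed for illustration.

```powershell
# Added example, not from the thread: summarise Controlled Folder Access blocks.
$LogName = 'Microsoft-Windows-Windows Defender/Operational'

# Message shape as quoted in post #4. Assumption: other Windows builds or
# display languages may word the message differently; those fall through.
$Pattern = '(?<App>\S.*?) has been blocked from modifying (?<Target>.+?) by Controlled Folder Access\.'

function ConvertFrom-CfaMessage {
    param([string]$Message, [datetime]$TimeCreated)
    if ($Message -match $Pattern) {
        [pscustomobject]@{ Time = $TimeCreated; App = $Matches.App.Trim(); Target = $Matches.Target.Trim() }
    } else {
        # Keep unparsed events visible instead of silently dropping them.
        [pscustomobject]@{ Time = $TimeCreated; App = '(unparsed)'; Target = ($Message -split "`n")[0] }
    }
}

# Constructed sample based on the event text in post #4; used only when the
# live log cannot be read (no events, no access, or a non-Windows host).
$Sample = [pscustomobject]@{
    TimeCreated = [datetime]'2017-11-03T04:48:48.340Z'
    Message     = 'C:\Program Files\internet explorer\iexplore.exe has been blocked from modifying %desktopdirectory%\<garbled> by Controlled Folder Access.'
}

try {
    $Events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1123 } -ErrorAction Stop)
} catch {
    $Events = @($Sample)
}

# One row per (app, target) pair, most frequent first.
$Events |
    ForEach-Object { ConvertFrom-CfaMessage -Message $_.Message -TimeCreated $_.TimeCreated } |
    Group-Object App, Target |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'App';      e = { $_.Group[0].App } },
        @{ n = 'Target';   e = { $_.Group[0].Target } },
        @{ n = 'LastSeen'; e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } }

# After verifying a blocked app is legitimate, it can be allowed from an
# elevated prompt (the path below is a placeholder):
# Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\path\to\trusted.exe'
```

An app that appears in the summary and is not recognised is a reason to investigate the binary, not to allow it.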


  5. Posts : 376
    Windows 10 Home 64-bit Edition
       #5

    The past 3 days now I have been getting that message for Control Folder Access Blocked C\...\ Youcam6_webcam_c... from making changes % userprofile %\ documents.......


  6. Posts : 31,611
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #6

    MrHudson said:
    The past 3 days now I have been getting that message for Control Folder Access Blocked C\...\ Youcam6_webcam_c... from making changes % userprofile %\ documents.......
    That is to be expected if you turn on Controlled Folder Access and are running third-party software that's not in Defender's 'whitelist' of known trusted apps.

    If you know and trust the app that's being blocked you can add it as an allowed app in Defender's 'Virus & threat protection settings'.

    If you don't recognise the app concerned, then Controlled Folder Access is doing its job properly :)


  7. Posts : 376
    Windows 10 Home 64-bit Edition
       #7

    Bree said:
    That is to be expected if you turn on Controlled Folder Access and are running third-party software that's not in Defender's 'whitelist' of known trusted apps.

    If you know and trust the app that's being blocked you can add it as an allowed app in Defender's 'Virus & threat protection settings'.

    If you don't recognise the app concerned, then Controlled Folder Access is doing its job properly :)
    I didn't turn nothing on, Win10 is new to me, I am used to Win7. The fall update was installed on Oct 28th. Now the past 3 days access block comes up, started off with Ccleaner %userprofile%\ documents, I uninstalled it and reinstalled. Now it's Youcam6.


  8. Posts : 31,611
    10 Home x64 (22H2) (10 Pro on 2nd pc)
    Thread Starter
       #8

    MrHudson said:
    I didn't turn nothing on, Win10 is new to me, I am used to Win7. The fall update was installed on Oct 28th....
    Controlled Folder Access is a new feature in the Fall update. You can turn it off, or leave it on and allow access for the apps you want to use. See this tutorial for more details.

    Controlled folder access makes it easier for you to protect valuable data from malicious apps and threats, such as ransomware.

    Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.
    Change Windows Defender Controlled Folder Access Settings - Windows 10


  9. Posts : 376
    Windows 10 Home 64-bit Edition
       #9

    Youcam6 came preinstalled. I was told it was for use to upload videos I make on YouTube.


  10. Posts : 4,201
    Windows 10 Pro x64 Latest RP
       #10

    3rd party is anything that does not come as a built-in part of Windows itself - a lot of laptop and other systems add their own preferred cameras, specialist keyboards etc.

    Controlled Folder access is something that has been around for some time (as part of the Bitdefender Suite that I use for one), and it has to be a total block on all software accessing critical areas to be a viable anti-ransomware system.

    The way it works can be quite informative as many programs access files in areas which you would not expect.

    It must also block every attempted access by every application as Malware will often replace known safe applications including those supplied as part of windows.

    This means that if you are performing a task using a windows application and the app is flagged then you can accept and whitelist, but what about when an unknown or unused windows application is flagged - then you have to investigate or get your backups out or maybe even your wallet to recover your system

    It is much better to take the time, as access attempts are flagged, to add them to the Whitelist on your system and also to add any non standard data storage areas to the protected .

    It's better to lose a minute or two as the system learns your system than switch the protection off and lose every piece of personal data you have on the system, which is the risk you take if you do not use the protection available.


 
