Windows 10: Anti-ransomware protection in Fall Creators Update

  1.    24 Nov 2017 #21

    Barman58 said:
    Predesigned whitelists are a serious issue for antiransomware, as any executable can be the bad one, even if it appears to be a totally benign part of the OS or a standard Windows "filler" app.

    The problem with ransomware is that it targets file areas where even a standard user has full control access - Spoof a suitable OS tool that is included in a whitelist and you have full access to encrypt all the user files. But if a standard OS tool attempts to access a file area and you as the user have not initiated it then you at least have something that needs checking immediately (unless you are a "click everything you see" kind of person, and those are beyond help)
    Yup, but zero-day is still heuristic though..


  2. Posts : 6,983
    10 Home x64 (1803) (10 Pro on 2nd pc)
       24 Nov 2017 #22

    vram said:
    ...but if I whitelist explorer.exe, (and I'm going to have to do that)....
    I'm curious as to why you feel you need to do that. It's never come up as a blocked app for me.

    I've had to whitelist things like soffice.bin (LibreOffice), 7zFM.exe (7-Zip file manager), psp.exe (PaintShop Pro) and from MS, Attrib.exe and RoboCopy.exe (because of the way I use them in my backup batch files) - but I've never needed a general 'pass' for explorer.exe.

  3.    24 Nov 2017 #23

    Bree said:
    I'm curious as to why you feel you need to do that. It's never come up as a blocked app for me.

    I've had to whitelist things like soffice.bin (LibreOffice), 7zFM.exe (7-Zip file manager), psp.exe (PaintShop Pro) and from MS, Attrib.exe and RoboCopy.exe (because of the way I use them in my backup batch files) - but I've never needed a general 'pass' for explorer.exe.
    I've been notified on two different machines that explorer.exe was prevented from making changes. I know those PCs are clean. Could've been glitches as those machines were upgraded and not clean installed. Doesn't matter though. Should've never happened.


  4. Posts : 6,983
    10 Home x64 (1803) (10 Pro on 2nd pc)
       24 Nov 2017 #24

    vram said:
    I've been notified on two different machines that explorer.exe was prevented from making changes. ... Should've never happened.
    Odd - It's never happened to me (and my machine's an upgrade, not a clean install). What was your action that triggered this?

    For further investigation it's worth noting that, unlike most other notifications, these Controlled Folder Access events are recorded in the Event Log as Event ID 1123 in...
    Application and Service Logs/Microsoft/Windows/Windows Defender/Operational

  5.    24 Nov 2017 #25

    I think I was saving a file on both machines that I witnessed it.

  6.    24 Nov 2017 #26

    Upgraded from CU and have had no problems with excessive notifications; so far I've only had 3 or 4.

  7.    24 Nov 2017 #27

    I have a fresh loaded machine in front of me. May enable it to test. Not getting my hopes up.


  • Posts : 120
    windows 10 Home ver 1709
       24 Nov 2017 #28

    Just upgraded to 1709. Had about 3-4 nags already when saving my files back to C drive (eg Notepad file .txt).
    Doesn't let me save it at all? Already turned Protected Folders off. Lasted about an hour.

    Am I missing something?


  • Posts : 6,983
    10 Home x64 (1803) (10 Pro on 2nd pc)
       25 Nov 2017 #29

    vram said:
    I think I was saving a file on both machines that I witnessed it.
    It would be the app that was saving the file that was blocked, most likely - not explorer. The text in the notification is abbreviated to fit, so the full path and name of the .exe isn't always readable - it may have just looked like it said 'explorer'. You get the full text in the Event Log though, see my earlier post #24 for where to look.
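
Added example (not part of any post in this thread): a PowerShell query for the Event ID 1123 entries that posts #24 and #29 point to, printing the full path of each blocked executable that the notification text abbreviates. The channel name is the one behind the Event Viewer path quoted in #24; the payload field names 'Process Name', 'Path' and 'User' are assumptions, and the seven-day window is arbitrary.

```powershell
# Channel behind "Windows Defender/Operational" in Event Viewer
$logName = 'Microsoft-Windows-Windows Defender/Operational'
$since   = (Get-Date).AddDays(-7)   # assumption: look back one week

function ConvertTo-EventDataTable {
    # Flatten <EventData><Data Name="...">value</Data></EventData>
    # from one event record into a hashtable keyed by field name.
    param(
        [Parameter(Mandatory)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Record
    )
    $table = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($node in $xml.GetElementsByTagName('Data')) {
        $name = $node.GetAttribute('Name')
        if ($name) { $table[$name] = $node.InnerText }
    }
    return $table
}

try {
    $filter = @{ LogName = $logName; Id = 1123; StartTime = $since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when no event matches the filter
    Write-Warning "No matching events, or log not readable: $($_.Exception.Message)"
    $events = @()
}

$blocked = foreach ($e in $events) {
    $d = ConvertTo-EventDataTable -Record $e
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Process = $d['Process Name']   # assumed field: full path of the blocked .exe
        Target  = $d['Path']           # assumed field: protected path it tried to change
        User    = $d['User']           # assumed field
    }
}

# Chronological detail, then a per-executable count to review before allowing any app
$blocked | Sort-Object Time | Format-Table -AutoSize -Wrap
$blocked | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated PowerShell prompt if the log is not readable as a standard user.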

  •    25 Nov 2017 #30

    vram said:
    I think I was saving a file on both machines that I witnessed it.
    You would be nuts to whitelist explorer.exe in any case.

    You may as well whitelist everything as it can replace other objects with different ones of the same name.

    That is why it (and XCOPY and robocopy) are blocked by default.