Anti-ransomware protection in Fall Creators Update


  1. Posts : 3,453
       #21

    Barman58 said:
    Predesigned whitelists are a serious issue for antiransomware, as any executable can be the bad one, even if it appears to be a totally benign part of the OS or a standard Windows "filler" app.

    The problem with ransomware is that it targets file areas where even a standard user has full control access - spoof a suitable OS tool that is included in a whitelist and you have full access to encrypt all the user files. But if a standard OS tool attempts to access a file area and you as the user have not initiated it, then you at least have something that needs checking immediately (unless you are a click-everything-you-see kind of person, and those are beyond help).
    Yup, but zero-day is still heuristic though..


  2. Posts : 31,666
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #22

    vram said:
    ...but if I whitelist explorer.exe, (and I'm going to have to do that)....
    I'm curious as to why you feel you need to do that. It's never come up as a blocked app for me.

    I've had to whitelist things like soffice.bin (LibreOffice), 7zFM.exe (7-Zip file manager), psp.exe (PaintShop Pro) and from MS, Attrib.exe and RoboCopy.exe (because of the way I use them in my backup batch files) - but I've never needed a general 'pass' for explorer.exe.


  3. Posts : 284
    Windows 10 Pro 64-bit
       #23

    Bree said:
    I'm curious as to why you feel you need to do that. It's never come up as a blocked app for me.

    I've had to whitelist things like soffice.bin (LibreOffice), 7zFM.exe (7-Zip file manager), psp.exe (PaintShop Pro) and from MS, Attrib.exe and RoboCopy.exe (because of the way I use them in my backup batch files) - but I've never needed a general 'pass' for explorer.exe.
    I've been notified on two different machines that explorer.exe was prevented from making changes. I know those PCs are clean. Could've been glitches as those machines were upgraded and not clean installed. Doesn't matter though. Should've never happened.


  4. Posts : 31,666
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #24

    vram said:
    I've been notified on two different machines that explorer.exe was prevented from making changes. ... Should've never happened.
    Odd - It's never happened to me (and my machine's an upgrade, not a clean install). What was your action that triggered this?

    For further investigation it's worth noting that, unlike most other notifications, these Controlled Folder Access events are recorded in the Event Log as Event ID 1123 in...
    Application and Service Logs/Microsoft/Windows/Windows Defender/Operational


  5. Posts : 284
    Windows 10 Pro 64-bit
       #25

    I think I was saving a file on both machines that I witnessed it.


  6. Posts : 80
    Windows 10
       #26

    Upgraded from CU and have had no problems with excessive notifications; so far I've only had 3 or 4.


  7. Posts : 284
    Windows 10 Pro 64-bit
       #27

    I have a fresh loaded machine in front of me. May enable it to test. Not getting my hopes up.


  8. Posts : 175
    Windows 10 Home ver 2004
       #28

    Just upgraded to 1709. Had about 3-4 nags already when saving my files back to C drive (e.g. Notepad file .txt).
    Doesn't let me save it at all? Already turned Protected Folders off. Lasted about an hour.

    Am I missing something?


  9. Posts : 31,666
    10 Home x64 (22H2) (10 Pro on 2nd pc)
       #29

    vram said:
    I think I was saving a file on both machines that I witnessed it.
    It would be the app that was saving the file that was blocked, most likely - not explorer. The text in the notification is abbreviated to fit, so the full path and name of the .exe isn't always readable - it may have just looked like it said 'explorer'. You get the full text in the Event Log though, see my earlier post #24 for where to look.
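
    One way to pull the full, untruncated details of the Event ID 1123 records mentioned in posts #24 and #29, as an added example that is not part of the original thread. The event data field names 'Process Name', 'Path' and 'User' are assumptions about how these records are laid out; the script prints every field name it finds so they can be checked.

```powershell
# Added example: summarise Controlled Folder Access blocks (Event ID 1123)
# from the Windows Defender operational log named in post #24.
# Reading this log may require an elevated PowerShell prompt.
$logName = 'Microsoft-Windows-Windows Defender/Operational'

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1123 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

$seenFields = @{}
$blocks = foreach ($e in $events) {
    # Convert the <EventData><Data Name="...">value</Data> pairs to a lookup table.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) {
        $name = $d.GetAttribute('Name')
        if ($name) {
            $data[$name]       = $d.InnerText
            $seenFields[$name] = $true
        }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        # Assumed field names; compare with the list printed below if these are empty.
        Process = $data['Process Name']   # full path of the blocked executable
        Target  = $data['Path']           # protected location it tried to change
        User    = $data['User']
    }
}

if (-not $blocks) {
    Write-Output "No Event ID 1123 records found in '$logName'."
    return
}

# Field names actually present in the records, for checking the assumptions above.
Write-Output ("Fields present: " + (($seenFields.Keys | Sort-Object) -join ', '))

# Full detail per block, newest first (the toast notification abbreviates this).
$blocks | Sort-Object Time -Descending | Format-List

# Which executables are being blocked, and how often.
$blocks | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

    The grouped table at the end shows at a glance whether the blocked process really was explorer.exe or the application doing the save.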


  10. Posts : 5,478
    2004
       #30

    vram said:
    I think I was saving a file on both machines that I witnessed it.
    You would be nuts to whitelist explorer.exe in any case.

    You may as well whitelist everything as it can replace other objects with different ones of the same name.

    That is why it (and XCOPY and robocopy) are blocked by default.


 
