Firefox trying to make changes to %userprofile%\Desktop is driving me crazy!
Since a browser is the first to face the threats, how safe is it to add it to the exception list?
I'm worried about worms and other stuff that could hijack the .exe
I disagree - it is perfectly designed, and I'll warrant that a lot of other software could learn from this example.
When you enable it, it is enabled across the board for all software, even stock Windows software. If you want to make an exception, you have to make it manually.
It's way better than starting the software with a default set of exceptions, many of which most people will not use, and thus also provide a possible loophole for malicious software to exploit. You want XYZ program to access restricted folders, you have to explicitly allow it - Micro$oft is not going to make any assumption on what you might want to allow and might want to block.
It's completely simple and effective in that way.
The other thing that some do not realise is that when you whitelist an executable you are whitelisting that application running from that specific location, so if you somehow end up with a rogue application with the same name as the one you have whitelisted, it will throw up an exception message and prevent the application from accessing the data. This assumes that your applications are located correctly in Program Files or Program Files (x86), and owned by TrustedInstaller, and thus cannot be replaced by any lesser process.
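The path-specific allow list described above can be managed and checked with the Defender cmdlets. The following is an added example, not code from the original thread or from Microsoft: it adds one entry, then checks every allowed executable for the properties the post relies on (lives under Program Files, owned by a privileged account, not writable by ordinary users, validly signed). The Firefox install path is an assumption.

```powershell
# Added example (not from the original thread). Assumption: Firefox is
# installed at the default 64-bit location below.
$firefox = 'C:\Program Files\Mozilla Firefox\firefox.exe'

# Current CFA state and allow list.
# EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled (block), 2 = AuditMode
$pref = Get-MpPreference
"CFA state: $($pref.EnableControlledFolderAccess)"
$pref.ControlledFolderAccessAllowedApplications

# Allow one binary by full path. The entry is tied to that path, so a
# same-named executable dropped elsewhere is still blocked.
Add-MpPreference -ControlledFolderAccessAllowedApplications $firefox

# Before trusting an allow-list entry, check that the file it points to
# cannot simply be replaced by an unprivileged process.
function Test-CfaAllowedApp {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # Dangling entries are harmless for CFA but usually mean the app
        # moved, so whatever runs from the new location is unlisted.
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $acl = Get-Acl -LiteralPath $Path
    # Any Allow ACE granting write/modify/full control to a broad group
    # means a low-privilege process could overwrite the allowed binary.
    $userWritable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path           = $Path
        Exists         = $true
        InProgramFiles = ($Path -like "$env:ProgramFiles\*") -or
                         ($Path -like "${env:ProgramFiles(x86)}\*")
        Owner          = $acl.Owner          # expect NT SERVICE\TrustedInstaller or BUILTIN\Administrators
        UserWritable   = [bool]$userWritable # expect False
        Signature      = $sig.Status         # expect Valid
        Signer         = $sig.SignerCertificate.Subject
    }
}

# Re-read the list and audit every entry.
(Get-MpPreference).ControlledFolderAccessAllowedApplications |
    ForEach-Object { Test-CfaAllowedApp -Path $_ } |
    Format-List
```

Run it from an elevated PowerShell. An entry that reports `UserWritable = True` or a signature status other than `Valid` is the case the post warns about: the allow list trusts the path, so whoever can write to that path inherits the exemption.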
Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection
Ransomware can use Office OLE objects to bypass CFA
Jesus says that a ransomware developer could easily bypass Microsoft's CFA anti-ransomware feature by adding simple scripts that bypass CFA via OLE objects inside Office files.
In research published over the weekend, Jesus includes three examples that utilize booby-trapped Office documents (received via spam email) to overwrite the content of other Office documents stored inside CFA folders; password-protect the same files; or copy-paste their content into files located outside the CFA folder, encrypt those, and delete the originals.
While the first example is just destructive, the last two will work as an actual ransom, with victims having to pay the ransomware author for the password/decryption code that unlocks the files.
Jesus displeased with Microsoft
Jesus said he notified Microsoft about the issue he discovered. In a screenshot of the email he received from Microsoft, Jesus said the OS maker didn't classify the issue as a security vulnerability but said it would improve CFA in future releases to address the reported bypass method.
"That really means Microsoft will fix the vulnerability that should be classified as Mitigation bypass without acknowledgment," said Jesus, referring to the fact that he'll get no credit or bug bounty reward for the issue he pointed out.
My CFA is blocking System32 files from making changes to memory, anyone know what that is about?
There is a reason this is disabled by default. I just turned it on and my goodness it blocks every *** thing lol. Turned off permanently.
Had to add chkdsk.exe to the allowed list, otherwise ALL my external drives would fail a disk check like this ...
Microsoft Windows [Version 10.0.16299.371]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Windows\system32>chkdsk /v /f e:
The type of the file system is NTFS.
Volume label is 9.
Stage 1: Examining basic file system structure ...
26624 file records processed.
File verification completed.
0 large file records processed.
0 bad file records processed.
Stage 2: Examining file name linkage ...
51 reparse records processed.
29070 index entries processed.
Index verification completed.
0 unindexed files scanned.
An unspecified error occurred (696e647863686b2e 1f67).
An unspecified error occurred (6e74667363686b2e 170d).
C:\Windows\system32>
For a time, I thought ALL my drives were failing. I even reinstalled the OS, and then I was thinking my motherboard was bad.
THEN I realised it was the CFA setting !!!!
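The chkdsk failure above, and the "System32 files making changes to memory" block mentioned earlier, are the kind of thing the Defender operational log records, so a few lines of PowerShell would have pointed at CFA long before a reinstall. The following is an added example, not code from the original thread or from Microsoft. It assumes the usual Defender event IDs (1123/1124 for blocked/audited folder writes, 1127/1128 for blocked/audited memory or disk-sector writes) and the usual event data field names; if your build differs, the full `Message` is kept so nothing is lost.

```powershell
# Added example (not from the original thread). Assumptions: the event IDs
# and the 'Process Name' / 'Path' / 'User' field names below match your
# Defender build; the Message column is always shown as a fallback.
$log = 'Microsoft-Windows-Windows Defender/Operational'
$ids = 1123, 1124, 1127, 1128

function Get-CfaEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = $log
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id                  # 1127/1128 = memory or disk-sector write
                Process = $data['Process Name']  # assumed field name
                Target  = $data['Path']          # assumed field name
                User    = $data['User']          # assumed field name
                Message = $_.Message
            }
        }
}

# 1. Which executables are being stopped, most frequent first.
Get-CfaEvents -Hours 168 |
    Group-Object Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Raw-volume work such as chkdsk /f is expected to show up as a
#    disk-sector block (1127) rather than a folder write; list those separately.
Get-CfaEvents -Hours 168 | Where-Object Id -in 1127, 1128 |
    Format-Table Time, Process, Target -AutoSize

# 3. Rather than turning CFA off, switch it to audit mode while you tune the
#    list: writes go through, but 1124/1128 events still tell you what
#    would have been blocked.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 4. Allow only the specific blocked binary, by its real path under System32.
Add-MpPreference -ControlledFolderAccessAllowedApplications "$env:SystemRoot\System32\chkdsk.exe"

# 5. Back to enforcement once the audit log is quiet.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Run it elevated. Step 2 is the check that would have explained the "unspecified error" from chkdsk: a 1127 event naming `chkdsk.exe` at the moment the scan failed. Audit mode (step 3) is the middle ground between "blocks every thing" and turning the feature off permanently.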