Microsoft describes the new Windows 10 feature ‘Controlled folder access in Windows Defender Antivirus’ in the article ‘Announcing Windows 10 Insider Preview Build 16232 for PC + Build 15228 for Mobile’. The article specifically mentions ransomware as one of the threats against which it is likely to be effective.
The article states that ‘Controlled folder access monitors the changes that apps make to files in certain protected folders. If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.’
It’s not clear what criteria are used to blacklist an application: as I read it, it may simply use Windows Defender’s scanning engine to determine the status of an app. I guess I’ll wait for more information before deciding how much additional protection this really provides.
Whether this security feature will be enough to stop ransomware remains to be seen, especially if ransomware can get a whitelisted application to bypass the protection and offer a way in.
I wasn’t really thinking of this in terms of whitelisting until I read that, but the feature does, in fact, allow the user to add protected locations apart from the default folders, and also to ‘Allow an app through Controlled folder access’, which opens the door to social engineering as well as subversion of apps, but then that’s a persistent issue with whitelisting applications.