The new Windows 10 Controlled Folder Access (CFA) feature is a great idea – prevent unknown programs from modifying your files, to stop ransomware in its tracks. It is so good that I forced an early update to Windows 10 Build 1709 (“Fall Creators Update”) on a couple of my home machines and enabled it. Now, I have quickly disabled it, as it is not possible to actually use it in a real environment. It just stops things a bit too hard.
First, the basics. As explained on a Microsoft TechNet blog:
Controlled folder access brings you right back in control of determining what programs can access your data. This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold.
So basically, whitelisting the apps that can write to places like Documents, Desktop, Pictures, etc. This should stop anything malicious dead in its tracks. However, in my short experiment, it also stops valid programs, and does it in such a way that there is no choice but to turn the whole thing off.
The problem is pretty simple. When a program gets stopped, it is very stopped. There is no UAC-style dialog that lets you override the denial at the point of denial. I can see why that improves security.
That means that if you have done some work in a program and want to save it, you only find out that a program is on the disallowed list at the point of save. This puts you in a situation where you essentially have to throw away the work or immediately turn off CFA globally. You cannot create an exception on the fly and retain your work.
Why? In the CFA control panel you can add new programs as exceptions. It is (intentionally???) burdensome, as you have to go find the exact binary of the program that is to be whitelisted (my Windows is in Swedish, but it is easy to map this to Windows in order languages):
First of all, finding a program is a bit tough on the user. It is not something your average user can figure out – even though there is a shortcut. If you open up the Task Manager and bring up the properties for a running program, you can find the path. You cannot copy it, but at least it lets you search in the right folders in the dialog from Windows Defender Security Center.
Second, even if you add a program to the exceptions, this exception does not take effect until the program is restarted. I can see why this would be reasonable from an implementation perspective, but it puts you in a really bad spot when an important program does not let you save your work.
The only way out at this point is to quickly turn off CFA globally. That thankfully lets you actually save your work immediately, and data loss can be avoided. But even turning off CFA requires a very deep dig through the dialogs in Windows.
In summary: the problem with CFA is that if it stops you from saving something in a program, you only find out when you save. Not when you start working. To allow a save, you have to turn off CFA globally, since there is no way to set up the permissions at the point you are stopped. This is not a good user experience in any way.
The behavior for handling exceptions is unlike other firewalls, for example like the Windows network firewall, that lets you change permissions on the fly. I wrongly assumed this would be the case for CFA too, and my wife got rather upset when CFA hit her almost on the first thing she tried. My son got hit by it when he tried to do a save game in a game he was playing off of steam. Hadn’t the global “off” worked I would have had some rather unhappy family members.
What is OK?
It is also a very good question which programs are white listed. In some quick testing, the Office suite got through. But the venerable Snipping Tool in Windows, which is a part of Windows itself, got stopped! Olympus Viewer 3, which I used to import pictures from a camera got stopped. As well as a game run from Steam. There is no way in the GUI to inspect to list to ascertain what might be a problem.
Another thing I noticed is that for some reason, %APPDATA% is not protected by default. Maybe that would just cause too many problems. But there is software that stores really valuable documents there, such as Minecraft save games. It would make sense to protect that too.
Also, if you have an external disk or network location used for backups, it is not included in the CFA default setup. They really should be, as ransomware can be expected to attack such storage as well – and Windows 10 file history definitely knows where those documents are stored. Indeed, a smart ransomware attacking a Windows 10 machine with CFA might instead nuke anything on external drives and hope that is valuable enough. Quite often large bodies of documents are on external disks, especially for professionals producing very large files. You cannot put it all in “Documents” on C:, but rather they are on local disks or networked storage.
I think that CFA is a great idea. But the user interface has to be improved in a few ways to make it work in a home environment (and supposedly also in a commercial production environment). Here is my list, in case anyone would listen.
- Make it easy to allow programs through on the fly.
- List the allowed programs from the GUI to allow a user to make an assessment on how disruptive it will be.
- Warn that a program is not allowed to write when the program starts, not at the point of save.
- Create a tool that looks at installed software on a machine and asks the user if they want particular programs to be allowed through CFA.
- Add more locations to the default, in particular any storage used by Windows backup and any local disks attached over NVMe or SATA (as they are reasonably expected to be part of the working set of the user).