Researcher Found Bypasses on Windows Controlled Folder Access Anti-Ransomware Protection

Your Feed is from https://www.safeharboroncyber.com/Blog/
CyberWisdom Safe Harbor Commentary:
This story from bleepingcomputer.com revealed a security researcher has discovered a way to get around the “controlled folder access” feature added to Windows 10 in October 2017, which Microsoft said is a credible counter-raster software defensive measure.
This feature, which is detailed in this Bleeping Computers evaluation, is part of the Windows Defender anti-virus software built into all versions of Windows 10.
Users who update to Windows 10 Fall Creators Update receive a Windows Defender update called Controlled Folder Access (CFA) that allows them to block any changes to the files found in the user-specified directory.
Users must manually approve any application that allows editing of files located in the CFA folder by adding each application’s executable to the whitelist managed by the Allow access to applications through controlled folders option.
Controlled Folder Access – Application Whitelist
However, Yago Jesus, security researcher at SecurityByDefault, a Spanish security researcher, found that Microsoft has automatically whitelisted all Office applications in the list. This means that Office applications can modify files that reside in the CFA folder, whether or not the user likes it.Ransomware can bypass the CFA using Office OLE objects
Jesus said ransomware developers can easily bypass the Microsoft CFA anti-ransomware functionality by bypassing the CFA by adding simple scripts through OLE objects in Office files.
In a research note published over the weekend, Jesus listed three examples of using fraudulent office files (received via spam) to overwrite the contents of other Office files stored in the CFA folder, password-protecting the same files, or copying and pasting Go to a file outside the CFA folder, encrypt it, and delete the original.
Although the first example is only destructive, the last two will be used as actual ransom and the victim will have to pay the ransomware author for the password / decryption code to unlock the file.Jesus is dissatisfied with Microsoft
Jesus said he informed Microsoft of what he found. In an email screenshot from Microsoft that Jesus received from Microsoft, operating system manufacturers did not classify the issue as a security breach, but instead said they would improve the CFA in future releases to address reported bypassing.
“This really means that Microsoft will fix this loophole and should be categorized as mitigating detours without recognition,” Jesus said, referring to the issues he pointed out that he did not get any credit or wrong bounties.
Read more…
Bitdefender Ironically Stopped Working on Safer Internet Day CSS Code Can Be Abused to Collect Sensitive User Data Scammers Use Download Bombs to Freeze Chrome Browsers on Shady Sites InsaneCrypt (desuCrypt) Decrypter Remove the FF Web Surety Adware & Miner Firefox Addon Remove the My PC Mechanic System Optimizer PUP Remove the Color Filter Miner & Adware Firefox Addon Remove Security Tool and SecurityTool (Uninstall Guide) How to remove Antivirus 2009 (Uninstall Instructions) How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller Locky Ransomware Information, Help Guide, and FAQ CryptoLocker Ransomware Information Guide and FAQ CryptorBit and HowDecrypt Information Guide and FAQ CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ How to Rename a Hyper-V Virtual Machine using PowerShell & Hyper-V Manager How to Install Hyper-V in Windows 10 How to Enable CPU Virtualization in Your Computer’s BIOS How to open a Windows 10 Elevated Command Prompt How to start Windows in Safe Mode How to remove a Trojan, Virus, Worm, or other Malware How to show hidden files in Windows 7 How to see hidden files in Windows A security researcher has found a way to bypass the “Controlled Folder Access” feature added in Windows 10 in October 2017, which Microsoft has touted as a reliable anti-ransomware defensive measure. This feature, described in more depth in this Bleeping Computer review, is part of the Windows Defender antivirus built into all versions of Windows 10. Users who updated to the Windows 10 Fall Creators Update received an update for Windows Defender named Controlled Folder Access (CFA) that allows them to block any modifications to files found in user-designated directories. The user must manually approve any app that’s allowed to edit files located in CFA folders by adding each app’s executable to a whitelist managed through the “Allow an app through Controlled folder access” option. But Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list. This means that Office apps can modify files located in a CFA folder, either the user likes it or not. Engaging post, Read More…
thumbnail courtesy of bleepingcomputer.com
If you like to receive more of these curated safe harbor news alerts then subscribe to my mailing list. and come back soon at https://www.safeharboroncyber.com/Blog/ to read further CyberWisdom Safe Harbor Commentaries. Home » Curated SafeHarboronCyber’s CyberWisdom Post
The post Researcher Found Bypasses on Windows Controlled Folder Access Anti-Ransomware Protection appeared first on Safe Harbor on Cyber.