Windows 10: Anti-ransomware protection in Fall Creators Update

I’m a little surprised MS didn’t whitelist their own exes. Kind of stupid TBO.

There is always going to be a bit of annoyance when using protection of this type but it’s needlessly intrusive when it’s bugging users to grant access for applications that it should know are safe.

IMO, they need to tweak this feature with regularly updated app whitelist definitions. Anything not whitelisted is treated as unknown, requiring permission by the user. Not perfect, but would ease a lot of pain.

Guess it’ll be another couple of years before they get this new feature out of beta. There is no way I’m activating this or recommending it’s use to anyone I help.

 

I've been using it for over a month now. The initial rush of apps I've had to whitelist took a couple of weeks before it dropped to zero. Since then it has been completely unobtrusive. I'm leaving it turned on.

 

That’s good. Unfortunately I don’t have time to deal with that. Not myself, but for the people that will undoubtedly nag me about it.

 

That is why it is turned off by default - for people like you. You would get nagged. Not much but you would. You don't have time and would moan about the change.

I use the maywarebytes anti-ransomware. It was a bore for about a day to get it working smoothly but now it does.

If you don't use one (and don't bother making non-connected backups) then all you can do is hope for the best and not complain later.

If you make backups (and all the people who nag you do) it doesn't matter really either way. You/they can just restore.

 

LOL... Yup...'nuff said

BTW.. I had a similar issue with BD Free with over-zealous detection based on listing rather than heuristics - made me switch

 

Predesigned whitelists are a serious issue for antiransomware, as any executable can be the bad one, even if it appears to be a totally benign part of the OS or a standard windows "filler" app.

The problem with ransomware is that it targets file areas where even a standard user has full control access - Spoof a suitable OS tool that is included in a whitelist and you have full access to encrypt all the user files. But if a standard OS tool attempts to access a file area and you as the user has not initiated it then you at least have something that needs checking immediately, ( unless you a click everything you see kind of person, and those are beyond help )

 

I understand what you're saying but if I whitelist explorer.exe, (and I'm going to have to do that) then the protection of this feature for this app is null and void for that exe, anyway.

Its the same deal with many other apps the user is obviously going to whitelist as time goes on.

Best you can do is make sure the definitions for whitelisted exes are properly hashed with digital sigs. Incorrect Hash or missing sig triggers user prompt.

 

Yup, but zero-day is still heuristic though..

 

I'm curious as to why you feel you need to do that. It's never come up as a blocked app for me.

I've had to whitelist things like soffice.bin (LibreOffice), 7zFM.exe (7-Zip file manager), psp.exe (PaintShop Pro) and from MS, Attib.exe and RoboCopy.exe (because of the way I use them in my backup batch files) - but I've never needed a general 'pass' for explorer.exe.

 

I've been notified on two different machines that explorer.exe was prevented from making changes. I know those PCs are clean. Could've been glitches as those machines were upgraded and not clean installed. Doesn't matter though. Should've never happened.

 

Odd - It's never happened to me (and my machine's an upgrade, not a clean install). What was your action that triggered this?

For further investigation it's worth noting that, unlike most other notifications, these Controlled Folder Access events are recorded in the Event Log as Event ID 1123 in...
Application and Service Logs/Microsoft/Windows/Windows Defender/Operational

 

I think I was saving a file on both machines that I witnessed it.

 

Upgraded from CU and have had no problems with excessive notifications; so far I've only had 3 or 4.

 

I have a fresh loaded machine in front of me. May enable it to test. Not getting my hopes up.

 

Just upgraded to 1709. Had about 3-4 nags already when saving my files back to C drive (eg Notepad file .txt).
Doesn't let me save it at all? Already turned Protected Folders off. Lasted about an hour.

Am I missing something?