Windows 10's 'Controlled Folder Access' Anti-Ransomware Feature Is Now Live

A reader shares a BleepingComputer report: With the release of Windows 10 Fall Creators Update last week, the "Controlled Folder Access" that Microsoft touted in June is now live for millions of users. As the name hints, the Controlled Folder Access feature allows users to control who can access certain folders. The feature works on a "block everything by default" philosophy, which means that on a theoretical level, it would be able to prevent ransomware when it tries to access and encrypt files stored in those folders. The benefits of using Controlled Folder Access for your home and work computers are tangible for anyone that's fearful of losing crucial files to a ransomware infection.

Re:Um... Isn't this just default Linux permissions

[JcMorin]

The new feature is not permission by users but permission by an application running. The virus, most of the time, run under your own credentials.

Re:Um... Isn't this just default Linux permissions

[TheRaven64]

That sounds a lot more sensible: Windows NT has had ACLs (much richer than the default UNIX model and similarly expressive to NFSv4 / POSIX ACLs) since day one, but the ACLs have been per user, not per (user, program) pair. The NT kernel supports this kind of ACL policy, but it's never been exposed via the UI (Chromium uses it for sandboxing, constraining different binaries to different parts of the FS).

It's very useful if it's paired with a sensible default policy and a sensible UI. You can implement the same thing with the TrustedBSD MAC framework or SELinux, and macOS / iOS implement their sandboxing policies in exactly this way. macOS, in particular, provides a 'powerbox' model, where the standard open and save dialogs are owned by the system and implicitly grant the application permissions to the files / directories that the user selects as part of a dynamic policy. This means that well-behaved applications never need to ask for explicit privilege elevation. The problem is, well-behaved applications are generally not the ones that you most want to sandbox...

Re:Um... Isn't this just default Linux permissions

Users will be used to automatically say "yes" when they're trying to accomplish something (open a PDF that they just downloaded) and the prompt makes sense ("do you want to grant PDFreader access to folder Downloads?). It doesn't follow that users will therefore say "yes" to a request not related to what they're trying to accomplish.

Re:Um... Isn't this just default Linux permissions

[amorsen]

There is no such ability in Linux or *nix, since ACLs are solely based on uid and not the name of the executable with your uid.

Yes there is. There are even two in Linux, SELinux and AppArmor.

However, there is no easy-to-use GUI to administer it per-user, which means that you rely on the way-too-permissive default policy for most programs. This could have been done years ago technically, since SELinux and AppArmor are both quite old, but no one had the right idea apparently.

Re:Um... Isn't this just default Linux permissions

[thegarbz]

So the user will be asked a number of times (probably once per appli / folder) if they agree to allow that appli to access that folder, then when they see the fake "Adobe something wants to access your folder" they will be used to automatically Yes it.

You know Windows 10 did away with pretty much all of that, which is why Chrome can't even set itself as a default browser anymore and instead serves up instructions for the user to change it via control panel.

There is no more "simple yes".