Controlled Folder Access for the Win!
Our founder and CEO, Brian Markus, recently wrote up an encounter he had with Windows Defender. It turns out that controlled folder access works great, and with a little research, you can see exactly what it’s doing and why.
Windows Defender helps protect data from malicious apps and threats such as ransomware. One of the layers of defense, Controlled Folder Access, checks programs against a list of known, approved apps and prevents unapproved programs from affecting folder contents.
While there is a bit of a learning curve associated with Microsoft Defender’s Controlled Folder Access protection capabilities, it is an impressive tool that has been able to stop everything we’ve thrown at it so far.
As mentioned, the solution works from an approved application list. The list is initially empty, which means that no program can update or modify the contents of protected folders, not even everyday applications like Microsoft Word. Every application that needs write access must be added to the approved application list as part of the setup/install process, or it will not be able to change files in protected folders. We recommend communicating this requirement very clearly before enabling Controlled Folder Access, as the error messages are not very descriptive and may leave end users confused or believing that something is wrong with their computer.
For example, after I personally enabled Controlled Folder Access, I attempted to edit and save a file with VS Code and kept receiving a strange error.
The good news for administrators is that the logging is very clean, and by looking in the right place it is possible to see exactly what is going on and why.
Here’s how it works.
Open the Event Viewer and navigate to the following area:
Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational
In my logs, I found the following entry which clearly stated the reason that my program was blocked.
C:\Program Files\Microsoft VS Code\Code.exe has been blocked from modifying C:\XXXX\XXXX folder by Controlled Folder Access.
Detection time: XXXX-XX-XXTXX:XX:XX.XXXX
Process Name: C:\Program Files\Microsoft VS Code\Code.exe
Security intelligence Version: 1.367.96.0
Engine Version: 1.1.19200.6
Product Version: 4.18.2203.5
With the path and application name in hand, I navigated to the Virus & Threat Protection screen, so that I could add VS Code to the allowed applications list.
I selected Ransomware protection and Manage ransomware protection, then Allow an app through Controlled Folder Access.
Finally, I selected + Add an allowed app. The system offered options to select from “Recently blocked apps” or “Browse all apps”.
I selected VS Code from the recently blocked apps, clicked the + next to it, and voila – I was able to continue my work.
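The same two steps, reading the block entries out of the Defender Operational log and adding the blocked executable to the allowed list, can be done from PowerShell. This is an added example, not code from the original post; it assumes an elevated session with the built-in Defender cmdlets (Get-MpPreference, Add-MpPreference) and that event ID 1123 is the "blocked from modifying ... by Controlled Folder Access" record quoted above.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session with Microsoft Defender Antivirus; event ID 1123 is assumed to be the
# Controlled Folder Access block record shown in the Event Viewer entry above.

function Get-CfaBlockEvent {
    param([int]$MaxEvents = 50)

    $filter = @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1123
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The entry quoted in the post carries a "Process Name:" line; pull
            # the path out so it can be fed straight into the allow list.
            $process = if ($_.Message -match '(?m)^\s*Process Name:\s*(.+?)\s*$') { $Matches[1] }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ProcessName = $process
                Message     = $_.Message
            }
        }
}

function Add-CfaAllowedApp {
    param([Parameter(Mandatory)][string]$Path)

    # Everything an allowed executable does to protected folders is trusted,
    # so refuse anything that is not an existing file at the exact path.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Not an existing file: $Path"
    }
    $allowed = (Get-MpPreference).ControlledFolderAccessAllowedApplications
    if ($allowed -contains $Path) {
        Write-Host "$Path is already on the allowed list"
        return
    }
    Add-MpPreference -ControlledFolderAccessAllowedApplications $Path
}

# Confirm CFA is on (1 = Enabled, 2 = Audit mode), list recent blocks, then
# allow the editor from the post's example (constructed usage; adjust the path).
(Get-MpPreference).EnableControlledFolderAccess
Get-CfaBlockEvent | Select-Object TimeCreated, ProcessName
Add-CfaAllowedApp -Path 'C:\Program Files\Microsoft VS Code\Code.exe'
```

Running Get-CfaBlockEvent on a schedule also gives a quick way to spot unexpected executables hitting protected folders before anyone asks why their save failed.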