---
title: See how controlled folder access can help protect files from being changed by malicious apps
description: Use a custom tool to see how Controlled folder access works in Windows 10.
keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try
search.product: eADQiWindows 10XVcnh
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 10/02/2018
---
# Evaluate controlled folder access
Applies to:
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Controlled folder access is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
It is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.
This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.
> Note
>
> This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main Controlled folder access topic.
> Tip
>
> You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.
## Use the demo tool to see how controlled folder access works
Use the ExploitGuard CFA File Creator tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders.
The tool is part of the Windows Defender Exploit Guard evaluation package:
This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders.
You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders.
- Type powershell in the Start menu.
- Right-click Windows PowerShell, click Run as administrator and click Yes or enter admin credentials at the prompt.
- Enter the following in the PowerShell window to enable Controlled folder access:

  ```powershell
  Set-MpPreference -EnableControlledFolderAccess Enabled
  ```

- Open the Exploit Guard Evaluation Package and copy the file ExploitGuard CFA File Creator.exe to a location on your PC that is easy to access (such as your desktop).
- Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click More details and then Run anyway.
- You'll be asked to specify a name and location for the file. You can choose anything you wish to test.
- A notification will appear, indicating that the tool was prevented from creating the file, as in the following example:
## Review controlled folder access events in Windows Event Viewer

You can also review the Windows event log to see the events that were created when using the tool. You can use the custom view below or locate them manually.
- Type Event viewer in the Start menu to open the Windows Event Viewer.
- On the left panel, under Actions, click Import custom view...
- Navigate to the Exploit Guard Evaluation Package, and select the file cfa-events.xml. Alternatively, copy the XML directly.
- Click OK.
- This will create a custom view that filters to only show the following events related to Controlled folder access:
Event ID | Description |
---|---|
5007 | Event when settings are changed |
1124 | Audited controlled folder access event |
1123 | Blocked controlled folder access event |
1127 | Blocked controlled folder access sector write block event |
1128 | Audited controlled folder access sector write block event |
## Use audit mode to measure impact
You can enable the controlled folder access feature in audit mode. This lets you see a record of what would have happened if you had enabled the setting.
You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
To enable audit mode, use the following PowerShell cmdlet:

```powershell
Set-MpPreference -EnableControlledFolderAccess AuditMode
```

> Tip
>
> If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main controlled folder access topic.
For further details on how audit mode works, and when you might want to use it, see the audit Windows Defender Exploit Guard topic.
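The following script is an added example, not part of this topic or the evaluation package. It puts controlled folder access into audit mode and then summarizes the event IDs from the table above over an evaluation period, so you can see how many file modification attempts would have been blocked. It assumes Windows Defender Antivirus is active and logs to the standard `Microsoft-Windows-Windows Defender/Operational` channel; the `Get-CfaStatus` and `Get-CfaEventSummary` function names are the example's own.

```powershell
# Added example: measure the impact of controlled folder access in audit mode.
# Run from an elevated PowerShell window (Set-MpPreference requires admin).

# Event IDs and descriptions as listed in the table above.
$CfaEvents = @{
    5007 = 'Settings changed'
    1124 = 'Audited controlled folder access'
    1123 = 'Blocked controlled folder access'
    1127 = 'Blocked sector write'
    1128 = 'Audited sector write'
}

function Get-CfaStatus {
    # EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    $mode = (Get-MpPreference).EnableControlledFolderAccess
    switch ($mode) {
        0       { 'Disabled' }
        1       { 'Enabled' }
        2       { 'AuditMode' }
        default { "Other ($mode)" }
    }
}

function Get-CfaEventSummary {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @($CfaEvents.Keys)
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            EventId     = [int]$_.Name
            Description = $CfaEvents[[int]$_.Name]
            Count       = $_.Count
            First       = ($sorted | Select-Object -First 1).TimeCreated
            Last        = ($sorted | Select-Object -Last 1).TimeCreated
        }
    } | Sort-Object EventId
}

# Switch to audit mode, confirm the mode, then report the last 7 days.
Set-MpPreference -EnableControlledFolderAccess AuditMode
"Controlled folder access mode: $(Get-CfaStatus)"
Get-CfaEventSummary -Days 7 | Format-Table -AutoSize
# Audited events (1124, 1128) are the ones that would have been blocks
# had the feature been enabled instead of audited.
```

Leave audit mode running for the evaluation period you care about and re-run `Get-CfaEventSummary` at the end; a high 1124 count from a line-of-business app is the signal that it needs to be allowed before you switch to Enabled.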
## Customize protected folders and apps
During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files.
See Protect important folders with controlled folder access for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP.
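As an added example for an evaluation (not code from this topic or the product documentation), the script below protects an extra folder, allows one line-of-business app, verifies the resulting configuration, and can undo both changes afterwards. The folder and app paths are placeholders, and the `Add-`, `Test-` and `Remove-CfaEvaluationConfig` function names are the example's own; the `Add-MpPreference`, `Get-MpPreference` and `Remove-MpPreference` cmdlets and their parameters are the real Windows Defender cmdlets.

```powershell
# Added example: extend the evaluation with a custom protected folder and an
# allowed app, then verify and clean up. Run from an elevated PowerShell window.

$ProtectedFolder = 'C:\EvalData'                       # placeholder folder
$AllowedApp      = 'C:\Program Files\LobApp\lob.exe'   # placeholder app path

function Add-CfaEvaluationConfig {
    param([string]$Folder, [string]$App)
    if (-not (Test-Path $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    # Add-MpPreference appends to the existing lists; Set-MpPreference with the
    # same parameters would replace whatever is already configured.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    Add-MpPreference -ControlledFolderAccessAllowedApplications $App
}

function Test-CfaEvaluationConfig {
    param([string]$Folder, [string]$App)
    $pref = Get-MpPreference
    [pscustomobject]@{
        Mode            = $pref.EnableControlledFolderAccess   # 1 = Enabled, 2 = AuditMode
        FolderProtected = [bool]($pref.ControlledFolderAccessProtectedFolders -contains $Folder)
        AppAllowed      = [bool]($pref.ControlledFolderAccessAllowedApplications -contains $App)
    }
}

function Remove-CfaEvaluationConfig {
    param([string]$Folder, [string]$App)
    # Only entries you added can be removed; the default user profile folders
    # (Documents, Pictures, and so on) stay protected.
    Remove-MpPreference -ControlledFolderAccessProtectedFolders $Folder
    Remove-MpPreference -ControlledFolderAccessAllowedApplications $App
}

Add-CfaEvaluationConfig -Folder $ProtectedFolder -App $AllowedApp
Test-CfaEvaluationConfig -Folder $ProtectedFolder -App $AllowedApp
# When the evaluation is over:
# Remove-CfaEvaluationConfig -Folder $ProtectedFolder -App $AllowedApp
```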