deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 17:57:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
Justin Hall adb1fced13 changede link
2019-03-11 13:48:16 -07:00

5.4 KiB
Raw Blame History

title, description, keywords, search.product, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.localizationpriority, author, ms.author, ms.date
title description keywords search.product ms.pagetype ms.prod ms.mktglfcycl ms.sitesec ms.pagetype ms.localizationpriority author ms.author ms.date
Help prevent ransomware and threats from encrypting and changing files Files in default folders can be protected from being changed by malicious apps. This can help prevent ransomware from encrypting your files. controlled folder access, windows 10, windows defender, ransomware, protect, files, folders eADQiWindows 10XVcnh security w10 manage library security medium andreabichsel v-anbic 11/29/2018

Protect important folders with controlled folder access

Applies to:

Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. Controlled folder access works best with Windows Defender Advanced Threat Protection, which gives you detailed reporting into controlled folder access events and blocks as part of the usual alert investigation scenarios.

All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder.

This is especially useful in helping to protect your documents and information from ransomware that can attempt to encrypt your files and hold them hostage.

A notification will appear on the computer where the app attempted to make changes to a protected folder. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.

The protected folders include common system folders, and you can add additional folders. You can also allow or whitelist apps to give them access to the protected folders.

You can use audit mode to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at demo.wd.microsoft.com to confirm the feature is working and see how it works.

Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019.

Requirements

Controlled folder access requires enabling Windows Defender Antivirus real-time protection.

Review controlled folder access events in the Windows Defender ATP Security Center

Windows Defender ATP provides detailed reporting into events and blocks as part of its alert investigation scenarios.

You can query Windows Defender ATP data by using Advanced hunting. If you're using audit mode, you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled.

Review controlled folder access events in Windows Event Viewer

You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app:

  1. Download the Exploit Guard Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the machine.

  2. Type Event viewer in the Start menu to open the Windows Event Viewer.

  3. On the left panel, under Actions, click Import custom view....

  4. Navigate to where you extracted cfa-events.xml and select it. Alternatively, copy the XML directly.

  5. Click OK.

  6. This will create a custom view that filters to only show the following events related to controlled folder access:

Event ID Description
5007 Event when settings are changed
1124 Audited controlled folder access event
1123 Blocked controlled folder access event

In this section

Topic Description
Evaluate controlled folder access Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created.
Enable controlled folder access Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network
Customize controlled folder access Add additional protected folders, and allow specified apps to access protected folders.