Windows 10’s Controlled Folder Access Won’t Protect Your Data

What is Controlled Folder Access?

With the release of Windows 10 Fall Creators Update, Microsoft added a new feature called Controlled Folder Access (CFA) to Windows Defender Exploit Guard. This features allows users to control which processes can access certain folders to help protect data from malicious programs, such as ransomware or wipers.

CFA is disabled by default, and can be enabled under the Windows Defender Security Center panel.

How is CFA Vulnerable?

Although Windows 10’s CFA anti-ransomware feature is a good step in the right direction, even a slightly sophisticated attack will easily bypass it.  The Nyotron Security Research Team has discovered at least three ways to do this:  APC Injection, Windows Management Instrumentation (WMI) and Office Macros.

APC Injection

They Nyotron Security Research Team was able to bypass CFA by injecting malicious code into explorer.exe using APC Injection. As Windows Defender doesn’t detect this injection technique, the malicious DLL injected to Explorer can basically do anything to a user’s protected files since it runs under a trusted process.

WMI

One of WMI capabilities is to remove files using the CIM_DataFile object; so, basic ransomware would be able to read the user’s files, encrypt them to a non-protected folder and then, using WMI, remove the original files.

Office Macros

Microsoft Office documents may contain built-in macros which attackers can use to deliver malware to encrypts files.  CFA isn’t able to detect the modification of a large amount of files in a short period of time and prevent it.

If you are interested in a more in-depth analysis of these attacks (with proof-of-concept examples) along with additional CFA bypass methods please read our detailed security report.

 

Ad
Rene Kolga
Rene Kolga is Senior Director of Product and Marketing at Nyotron, the developer of PARANOID, the industry’s first OS-Centric Positive Security solution to strengthen your AV or NGAV protection. By mapping legitimate operating system behavior, PARANOID understands all the normative ways that may lead to damage and is completely agnostic to threats and attack vectors. When an attack attempts to delete, exfiltrate or encrypt files (among other things), PARANOID blocks them in real-time.

No posts to display