Hello everybody! In this video, I’m going to tell you about Controlled folder access: why we need it, how it works, how to enable it and how to set up certain folders for protection.
Controlled folder access is a function of Windows Defender meant to protect user files from encryption by ransomware.
According to Microsoft, any executable file is examined by the Windows Defender antivirus engine to determine whether the application is dangerous or safe.
If an application is rated as malware, it cannot modify any files in the protected folders.
Why we need this function
This function protects personal folders such as Documents, Pictures, Music, Videos and Desktop from unwanted modification.
As a rule, any program installed on your computer can modify files in these folders.
If you enable this function, only the programs recognized as trusted will be able to make any changes.
How to enable this function
To enable it, go to Settings / Update & Security / Windows Defender / Windows Defender Security Center / Virus & threat protection.
In the window that opens, go to “Virus & threat protection settings,” make sure that “Real-time protection” is on, and then enable “Controlled folder access.”
When you do that, two new tabs will appear: “Protected folders” and “Allow an app through Controlled folder access.”
By default, the protected folders list includes the Documents, Pictures, Videos, Music, Desktop, and Favorites folders.
You can’t change the default list of directories, but you can add a new folder path manually by clicking on the plus icon.
In the other tab, “Allow an app through Controlled folder access,” you can add to the whitelist an application that was blocked by Windows Defender as untrusted.
To do it, click the “Add an allowed app” button and choose the path to the program’s executable file.
If you encounter an “access denied” error when a program tries to access such folders, you will have to add it to this list, that’s all.
Group policies
In Windows 10, you can configure this function with group policies.
This is only possible on a Pro version, as it doesn’t work in Windows Home.
To do it, enter “gpedit.msc” into the search field and run it.
In the window that opens, go to Computer Configuration / Administrative Templates / Windows Components / Windows Defender / Windows Defender Exploit Guard / Controlled Folder Access.
Open Controlled Folder Access and enable it here.
In the options, you can select the Block option so that untrusted apps won’t be able to modify or delete files in protected folders, for example, Documents.
Another option is Audit Mode: apps usually seen as untrusted will still be able to modify or delete files in protected folders.
However, each such event will be recorded in the Windows event log.
If you choose Disabled, all apps will be able to modify or delete files in protected folders.
You can also configure trusted apps and protected folders.
PowerShell
You can also enable and configure Controlled folder access using PowerShell. To run it, right-click the Start menu and select Windows PowerShell (Administrator).
Alternatively, enter “PowerShell” in the search field and run it while holding down Ctrl + Shift to start it as Administrator.
To turn the function on, enter the following command:
Set-MpPreference -EnableControlledFolderAccess Enabled
There are three options for this function: Enabled, Disabled or AuditMode.
To add a folder to the protected list, enter the command:
Add-MpPreference -ControlledFolderAccessProtectedFolders "<the folder to be protected>"
For example:
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\Dmitry\Downloads"
To add an application to the whitelist, use this command:
Add-MpPreference -ControlledFolderAccessAllowedApplications "<full path to the executable of the app to be whitelisted>"
For example:
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files (x86)\Adobe\Adobe Audition CC 2017\Adobe Audition CC.exe"
Controlled folder access events
In the event log, Windows records any changes to the settings as well as every event triggered under the AuditMode and Block options.
By following the logs, you can monitor all changes made to protected folders and spot any suspicious activity.
Type Event Viewer in the Start menu to open the Windows Event Viewer.
In the “Custom Views” tab you can create your own views.
You can also download a ready-made file with view settings and import it.
To view Controlled folder access events, download the archive “Exploit Guard Evaluation Package” from the official Microsoft website; you can find the link in the description.
Extract the file cfa-events.xml to your Desktop: this is the file containing the view settings for Controlled folder access.
On the left panel, under Actions, click Import custom view, specify the path to the file on the Desktop, click Open and OK.
After that, the Controlled folder access view will open.
You can visit the Microsoft website to read about the meanings of all event IDs.
Find the link in the description.
In my case, event ID 5007 means that the settings were changed.
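The following script is an added example, not part of the video, that ties the PowerShell section and the event-log section together: it rolls Controlled folder access out in AuditMode first, registers protected folders and allowed applications, reads back the effective settings with Get-MpPreference, and then queries the Defender operational log for the related events. Event ID 5007 (settings changed) is the one mentioned above; IDs 1123 (blocked write) and 1124 (audited write) come from Microsoft’s Controlled folder access documentation, not from the video. The folder and executable paths are assumed placeholders. Run it from an elevated PowerShell.

```powershell
# Added example (not from the video): staged rollout of Controlled folder access
# with PowerShell, then a read-back of the effective settings and the matching
# Defender events. Requires an elevated PowerShell. Paths below are assumed
# placeholders; replace them with your own.

$protectedFolders = @(
    "$env:USERPROFILE\Downloads",   # assumed: an extra folder beyond the defaults
    'D:\Projects'                   # assumed: a second data location
)
$allowedApps = @(
    'C:\Program Files\ExampleVendor\Editor.exe'   # assumed placeholder path
)

# 1. Start in AuditMode: nothing is blocked, but every write an untrusted app
#    makes to a protected folder is logged (event ID 1124), so legitimate
#    programs that need to be allowed can be found before switching to Block.
Set-MpPreference -EnableControlledFolderAccess AuditMode

foreach ($folder in $protectedFolders) {
    if (Test-Path -LiteralPath $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    } else {
        Write-Warning "Skipping missing folder: $folder"
    }
}

foreach ($app in $allowedApps) {
    if (Test-Path -LiteralPath $app) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing executable: $app"
    }
}

# 2. Read back what Defender actually applied. EnableControlledFolderAccess is
#    numeric here: 0 = Disabled, 1 = Enabled (Block), 2 = AuditMode.
$pref      = Get-MpPreference
$modeNames = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'AuditMode' }
[pscustomobject]@{
    Mode             = $modeNames[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# 3. Pull the Controlled folder access events from the Defender operational log.
#    1123 = blocked write, 1124 = audited write (AuditMode), 5007 = settings changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue

$events |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 4. Once the 1124 events show only applications you expect, switch to Block:
#    Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running the audit pass for a few days before switching to Enabled is the practical way to avoid the “access denied” errors described earlier: each 1124 event names the process that would have been blocked, so the allowed-applications list can be built from real activity rather than guesswork, and any 1124 entry for a program you do not recognise is worth investigating before it is ever whitelisted.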
That is all for now.
Hit the Like button and subscribe to our channel.
Leave comments to ask questions.
Thank you for watching.