hey_yo_

Windows 10 (Build 16232) will try to combat ransomware by locking up your data


Posted · Original PosterOP

Sources: Ars Technica and Microsoft

 

So yeah, it took them a global ransomware pandemic before becoming serious about it. But hey at least they're working on it.

Quote

The long-standing approach that operating systems have used to protect files is a mix of file ownership and permissions. On multi-user systems, this is broadly effective: it stops one user from reading or altering files owned by other users of the same system. The long-standing approach is also reasonably effective at protecting the operating system itself from users. But the rise of ransomware has changed the threats to data. The risk with ransomware comes not with another user changing all your files (by encrypting them); rather, the danger is that a program operating under a given user's identity will modify all the data files accessible to that user identity.

 

In other words, if you can read and write your own documents, so can any ransomware that you run.

 

Microsoft's attempt to combat this is called "Controlled folder access," and it's part of Windows Defender. With Controlled folder access, certain directories can be designated as being "protected," with certain locations, such as Documents, being compulsorily protected. Protected folders can only be accessed by apps on a whitelist; in theory, any attempt to access a Protected folder will be blocked by Defender. To reduce the maintenance overhead, certain applications will be whitelisted automatically. Microsoft doesn't exactly specify which applications, but we imagine that apps from the Store would automatically be allowed access, for example.


Judging from the looks of it, this is something similar to what Bitdefender did with their anti-ransomware module.

[screenshot: Bitdefender anti-ransomware module]

*screenshot is not mine

 

It's nice that Microsoft is finally upping their game when it comes to security. I assume that this feature will be turned off once the user installs a third-party AV. All that is nice, but what about ransomware that doesn't only encrypt my personal files, the nasty ones that encrypt the master boot record like the notorious Petya ransomware? I don't want to dismiss what Microsoft is doing, but it seems it will only protect my personal files from unwanted encryption and not the master boot record? I guess all things will be revealed when third parties start testing it. I would love the idea of not paying anymore for third-party AV and just sticking to the out-of-the-box protection, but I'll believe it when I see it. Right now, I'll stick to what works well [here & here].

 

I think this ransomware pandemic is a nice reminder to everyone, especially to the computer anti-vaxxers, that while Windows Updates are obtrusive and annoying, they're essential and might save your business, since most of the ransomware attacks are on PCs that aren't up to date with their patches.
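The protected-folder and allow-list mechanism the Ars quote describes can be driven from the Windows Defender PowerShell module. The following is an added example, not code from the thread or from Microsoft's article; the folder and application paths are placeholders, and it assumes an elevated session on a Windows 10 build that ships the Controlled folder access cmdlet parameters.

```powershell
# Added example (not from the thread): roll out Controlled folder access
# in audit mode first, build the allow list from what audit mode logs,
# then switch to enforcement. Requires an elevated (admin) session;
# Set-MpPreference / Add-MpPreference fail without it, which is also why
# a non-elevated process cannot simply add itself to the allow list.
#Requires -RunAsAdministrator

# 1. Audit mode: nothing is blocked, but every access that *would* be
#    blocked is logged, so legitimate apps surface before enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the built-in set (Documents, Pictures, ...).
#    Placeholder paths; substitute your own.
$extraFolders = @('D:\Work\Contracts', 'D:\Photos')
foreach ($folder in $extraFolders) {
    if (Test-Path -LiteralPath $folder -PathType Container) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

# 3. Allow one specific executable that needs write access (placeholder).
#    Use the exact binary path; allowing a whole directory, or a general
#    interpreter such as powershell.exe, would defeat the control.
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleApp\ExampleApp.exe'

# 4. Review the Defender operational log after a trial period:
#    event 1124 = audited (would have been blocked), 1123 = blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# 5. Once the allow list covers the audited apps, enforce blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Show the resulting configuration for verification.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications
```

Steps 1 to 4 belong to the trial period and step 5 to the cut-over; running them back to back only makes sense on a test machine.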


oh look.. whitelisting



 

1 minute ago, DXMember said:

oh look.. whitelisting

Racist



2 minutes ago, djdwosk97 said:

Racist

well, I'm sorry but blacklisting clearly doesn't work



 

7 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Wat? I think you haven't read this properly. They're basically making file access lists. 

8 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Sort of, except Windows isn't locking up your data to where you can't have access to it anymore. It's protecting it.



 

 

2 minutes ago, SCHISCHKA said:

ok so what are you saying about blacks not working?

all I'm saying is that whitelisting is the only way to be protected and get rid of malware



 

2 minutes ago, kerradeph said:

Wat? I think you haven't read this properly. They're basically making file access lists. 

 

2 minutes ago, sof006 said:

Sort of, except Windows isn't locking up your data to where you can't have access to it anymore. It's protecting it.

I'll go on a limb and say you guys don't see small letters well. 



10 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Microsoft have been in the game longer than you think. After getting stung by the OneDrive ransomware a few years ago, I still have to pay monthly fees to have access to my data.

 

2 minutes ago, Bouzoo said:

 

I'll go on a limb and say you guys don't see small letters well. 

no


It's a start. Hopefully they also manage to protect the MBR and other Windows files from unauthorized change.



Quote

Protected folders can only be accessed by apps on a whitelist

Quote

To reduce the maintenance overhead, certain applications will be whitelisted automatically. 

and there you go again ... how long until there will be viruses and ransomware capable of whitelisting themselves automagically?

 

nice try ... but it won't hold up for long. It's just another round of cat & mouse.


What's wrong with setting the group policy in such a way that it stops executable files or applications that run malicious macros or other malicious code from operating out of the worst offending folders in Windows, which include the "Windows temp" and the "AppData temp" folders, or creating a policy that any software running out of these folders has to destroy the data in that folder when the application closes? Then add the protections mentioned to the remainder of the system...

For that matter, why do we even have those folders? What's the point of them? If the apps run by Windows were run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then, if at the end of the session with that application you want to save your stuff, you get presented with an option of "Commit or Discard changes" as you close. Then you as the end user can control what is written to the Windows environment.

Alternatively, run Windows in a sandbox environment and have documents etc. in their own partitioned section of the OS. Surely some of these ideas would be a lot more protective than just adding a few whitelisted applications to a list.

I mean, how hard can it be to write a PowerShell script that will allow the addition of an item/app into the whitelist, one that executes itself on the triggering of malware, a wiper, or ransomware?

This list business isn't going to save anyone, thanks to the Linux-like powers of PowerShell.


 

36 minutes ago, hey_yo_ said:

All that is nice, but what about ransomware that doesn't only encrypt my personal files, the nasty ones that encrypt the master boot record like the notorious Petya ransomware?

It is called UEFI with SecureBoot. It also blocks rootkits.

If you have an old PC with the age-old BIOS, time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.

41 minutes ago, hey_yo_ said:

So yeah, it took them a global ransomware pandemic before becoming serious about it. But hey at least they're working on it.

That's how it works for most things. Like disease for example. 



 

3 minutes ago, GoodBytes said:

It is called UEFI with SecureBoot. It also blocks rootkits.

If you have an old PC with the age-old BIOS, time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.

I don't think SecureBoot does what you think it does, or you don't know what Petya does.

SecureBoot does not prevent Petya.

Posted · Original PosterOP

 

11 minutes ago, KenjiUmino said:

and there you go again ... how long until there will be viruses and ransomware capable of whitelisting themselves automagically?

 

nice try ... but it won't hold up for long. It's just another round of cat & mouse.

This approach of Microsoft's isn't particularly new. They did something similar with Windows Vista, called User Account Control.

[screenshot: User Account Control prompt]

 

But malware authors found a way to get around it, especially by doing drive-by download attacks, watering hole attacks, or simply distributing malware (e.g. worms) on a flash drive that is being passed around by college students. I'm not going to dismiss this approach of Microsoft's just yet, but I'm not ditching my third-party AV until I see evidence that the new Windows Defender is as effective as the top-rated AVs.

3 minutes ago, GoodBytes said:

It is called UEFI with SecureBoot. It also blocks rootkits.

If you have an old PC with the age-old BIOS, time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.

Correct me if I'm wrong on this, but from what I understand of Secure Boot, it will only block execution of malware upon boot, like preventing a malware-infested flash drive from interfering with the boot process. But from what I understand, most ransomware attacks are executed when the OS is already loaded and the user is logged in. Petya, from what I know at the moment, will encrypt not the user's files but the master boot record when the user is already logged in. So yeah, Secure Boot only protects against rootkits but not ransomware.

 

13 minutes ago, Metal_Kitty said:

For that matter, why do we even have those folders? What's the point of them? If the apps run by Windows were run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then, if at the end of the session with that application you want to save your stuff, you get presented with an option of "Commit or Discard changes" as you close. Then you as the end user can control what is written to the Windows environment.

Not all applications, especially Win32 apps, run in a restricted sandbox environment.

 

4 minutes ago, Metal_Kitty said:

What's wrong with setting the group policy in such a way that it stops executable files or applications that run malicious macros or other malicious code from operating out of the worst offending folders in Windows, which include the "Windows temp" and the "AppData temp" folders, or creating a policy that any software running out of these folders has to destroy the data in that folder when the application closes? Then add the protections mentioned to the remainder of the system...

How do you know that the program is malicious? Is TrueCrypt malicious?

 

Quote

For that matter, why do we even have those folders? What's the point of them? If the apps run by Windows were run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then, if at the end of the session with that application you want to save your stuff, you get presented with an option of "Commit or Discard changes" as you close. Then you as the end user can control what is written to the Windows environment.

The Temp folder is there for programs to put files temporarily. This is similar to the "tmp" folder on Linux-based OSes. Many programs use it for various reasons.

AppData is a folder that contains 3 sub-folders. You can read the full documentation here: https://technet.microsoft.com/en-us/library/cc766489.aspx and https://blogs.msdn.microsoft.com/patricka/2010/03/18/where-should-i-store-my-data-and-configuration-files-if-i-target-multiple-os-versions/

But in short, in a domain-joined system, programs that store data in Roaming are synced with the server, allowing the user to keep their software configurations between systems, and Local is local only; it is not synced with the domain server.

 

As for Documents, Pictures, Videos, etc., they are there to help the user know where to store their data.

 

Quote

Alternatively, run Windows in a sandbox environment and have documents etc. in their own partitioned section of the OS. Surely some of these ideas would be a lot more protective than just adding a few whitelisted applications to a list.

If you do, and the program is not adapted, many programs that rely on DRM, activation systems, the registry (like tweak tools), and more would crash or fail to work correctly.

 

Quote

I mean, how hard can it be to write a PowerShell script that will allow the addition of an item/app into the whitelist, one that executes itself on the triggering of malware, a wiper, or ransomware?

You need to pass through UAC first. No one is real admin under Windows.

 
