
Windows 10 (Build 16232) will try to combat ransomware by locking up your data

captain_to_fire

Sources: Ars Technica and Microsoft

 

So yeah, it took them a global ransomware pandemic before becoming serious about it. But hey at least they're working on it.

Quote

The long-standing approach that operating systems have used to protect files is a mix of file ownership and permissions. On multi-user systems, this is broadly effective: it stops one user from reading or altering files owned by other users of the same system. The long-standing approach is also reasonably effective at protecting the operating system itself from users. But the rise of ransomware has changed the threats to data. The risk with ransomware comes not with another user changing all your files (by encrypting them); rather, the danger is that a program operating under a given user's identity will modify all the data files accessible to that user identity.

 

In other words, if you can read and write your own documents, so can any ransomware that you run.

 

Microsoft's attempt to combat this is called "Controlled folder access," and it's part of Windows Defender. With Controlled folder access, certain directories can be designated as being "protected," with certain locations, such as Documents, being compulsorily protected. Protected folders can only be accessed by apps on a whitelist; in theory, any attempt to access a Protected folder will be blocked by Defender. To reduce the maintenance overhead, certain applications will be whitelisted automatically. Microsoft doesn't exactly specify which applications, but we imagine that apps from the Store would automatically be allowed access, for example.


Judging from the looks of it, this is something similar to what Bitdefender did with their anti-ransomware module.

[image: Ransomware.png]

*screenshot is not mine

 

It's nice that Microsoft is finally upping their game when it comes to security. I assume that this feature will be turned off once the user installs a third-party AV. All that is nice, but what about ransomware that doesn't only encrypt my personal files but the nasty ones that encrypt the master boot record, like the notorious Petya ransomware? I don't want to dismiss what Microsoft is doing, but it seems it will only protect my personal files from unwanted encryption but not the master boot record? I guess all things will be revealed when third parties start testing it. I would love the idea of not paying anymore for third-party AV and just sticking to the out-of-the-box protection, but I'll believe it when I see it. Right now, I'll stick to what works well [here & here].

 

I think this ransomware pandemic is a nice reminder to everyone especially to the computer anti-vaxxers that while Windows Updates are obtrusive and annoying, they're essential and it might save your business since most of the ransomware attacks are on PCs that aren't up to date with their patches.

There is more that meets the eye
I see the soul that is inside
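As an added example (it is not from the Ars Technica article, from Microsoft, or from any poster in this thread), here is how an administrator would turn Controlled folder access on from an elevated PowerShell session with the Defender cmdlets Microsoft shipped for the feature: first in audit mode, so that writes that would have been blocked are only logged, then enforced once the allow list is known. The cmdlets (Set-MpPreference, Add-MpPreference, Get-MpPreference), the Defender operational log name and the event IDs 1123 (blocked) and 1124 (audited) are real; the folder path and application path are placeholders.

```powershell
# Added example: managing Windows Defender Controlled folder access.
# Must run from an elevated (UAC-approved) session; Set-MpPreference and
# Add-MpPreference fail otherwise, which is the UAC point made later in the
# thread. 'D:\ProjectData' and the exampleapp.exe path are placeholders.

#Requires -RunAsAdministrator

# 1. Start in audit mode: nothing is blocked yet, but every write that
#    enforcement would have blocked is logged, so legitimate apps that need
#    an allow-list entry can be found before anything breaks.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect additional folders beyond the compulsory ones (Documents, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\ProjectData'

# 3. Review what audit mode recorded. Event 1124 = audited (would have been
#    blocked); event 1123 = blocked once enforcement is on.
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$cfaEvents |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 4. Allow only the trusted executables that showed up in the audit log.
#    Keep this list short: every entry is a path whose writes the feature
#    no longer inspects.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\exampleapp.exe'

# 5. Switch from audit to enforcement.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 6. Verify the resulting policy. The allow list is what to re-check
#    periodically, since an unexpected entry here is the "whitelist itself"
#    scenario the thread worries about.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List
```

Running the audit step for a while before enforcing is the practical answer to the maintenance-overhead concern in the article: the 1124 events tell you exactly which applications wrote to protected folders, so the allow list is built from observed behaviour rather than guesswork.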

 

 


oh look.. whitelisting

CPU: Intel i7 5820K @ 4.20 GHz | Motherboard: MSI X99S SLI PLUS | RAM: Corsair LPX 16GB DDR4 @ 2666MHz | GPU: Sapphire R9 Fury (x2 CrossFire)
Storage: Samsung 950Pro 512GB // OCZ Vector150 240GB // Seagate 1TB | PSU: Seasonic 1050 Snow Silent | Case: NZXT H440 | Cooling: Nepton 240M
FireStrike // Extreme // Ultra // 8K // 16K

 


1 minute ago, DXMember said:

oh look.. whitelisting

Racist

PSU Tier List | CoC

Gaming Build | FreeNAS Server

Spoiler

i5-4690k || Seidon 240m || GTX780 ACX || MSI Z97s SLI Plus || 8GB 2400mhz || 250GB 840 Evo || 1TB WD Blue || H440 (Black/Blue) || Windows 10 Pro || Dell P2414H & BenQ XL2411Z || Ducky Shine Mini || Logitech G502 Proteus Core

Spoiler

FreeNAS 9.3 - Stable || Xeon E3 1230v2 || Supermicro X9SCM-F || 32GB Crucial ECC DDR3 || 3x4TB WD Red (JBOD) || SYBA SI-PEX40064 sata controller || Corsair CX500m || NZXT Source 210.


2 minutes ago, djdwosk97 said:

Racist

well, I'm sorry but blacklisting clearly doesn't work


 


7 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Wat? I think you haven't read this properly. They're basically making file access lists.


8 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Sort of, except Windows isn't locking up your data to where you can't have access to it anymore. It's protecting it.

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

 

 

 


This actually isn't bad. It's what I do manually on Linux. I mount everything I can as read-only and only mount it writable when I need to write to it. noexec flags are really good too.

             ☼

ψ ︿_____︿_ψ_   


2 minutes ago, SCHISCHKA said:

ok so what are you saying about blacks not working?

all I'm saying is that whitelisting is the only way to be protected and get rid of malware


 


2 minutes ago, kerradeph said:

Wat? I think you haven't read this properly. They're basically making file access lists.

 

2 minutes ago, sof006 said:

Sort of, except Windows isn't locking up your data to where you can't have access to it anymore. It's protecting it.

I'll go on a limb and say you guys don't see small letters well. 

The ability to google properly is a skill of its own. 


Just now, tlink said:

they used to work in the kernel fields but apparently that was wrong so it is being phased out.

I heard there were too many race conditions

             ☼

ψ ︿_____︿_ψ_   


Well, interesting approach. I mean it's good to see them focused more on security. Wish to see how this works out.

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


10 minutes ago, Bouzoo said:

Soooooooo Windows will become ransomware to protect us from ransomware. Fight fire with fire. /s

Microsoft have been in the game longer than you think. After getting stung by the OneDrive ransomware a few years ago, I still have to pay monthly fees to have access to my data.

 

2 minutes ago, Bouzoo said:

 

I'll go on a limb and say you guys don't see small letters well. 

no


It's a start. Hopefully they also manage to protect the MBR and other Windows files from unauthorized change.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


Quote

Protected folders can only be accessed by apps on a whitelist

Quote

To reduce the maintenance overhead, certain applications will be whitelisted automatically. 

and there you go again ... how long until there will be viruses and ransomware capable of whitelisting themselves automagically?

 

nice try ... but it won't hold up for long. it's just another round of cat & mouse 


What's wrong with setting the group policy in such a way that it stops executable files or applications that run malicious macros or other malicious code from operating out of the worst offending folders in Windows (which includes the "Windows Temp" and the "AppData Temp" folders), or creating a policy that any software running out of these folders has to destroy the data in that folder on close of the application? Then add the protections mentioned to the remainder of the system...

For that matter, why do we even have those folders? What's the point of them? If the apps that are run by Windows are run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then if at the end of the session with that application you want to save your stuff, as you close you get presented with an option of "Commit or Discard changes". Then you as the end user can control what is written to the Windows environment.

Alternatively, run Windows in a sandbox environment and have documents etc. in their own partitioned section of the OS. Surely some of these ideas would be a lot more protective than just adding a few whitelisted applications to a list.

I mean, how hard can it be to write a PowerShell script that will allow the addition of an item/app into the whitelist that executes itself on the triggering of malware, wiper, or ransomware?

This list business isn't going to save anyone, thanks to the Linux-like powers of PowerShell.


 


36 minutes ago, hey_yo_ said:

All that is nice, but what about ransomware that doesn't only encrypt my personal files but the nasty ones that encrypt the master boot record, like the notorious Petya ransomware?

It is called UEFI with Secure Boot. It also blocks rootkits.

If you have an old PC with the aged old BIOS, it's time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.


41 minutes ago, hey_yo_ said:

So yeah, it took them a global ransomware pandemic before becoming serious about it. But hey at least they're working on it.

That's how it works for most things. Like disease for example. 

Our Grace. The Feathered One. He shows us the way. His bob is majestic and shows us the path. Follow unto his guidance and His example. He knows the one true path. Our Saviour. Our Grace. Our Father Birb has taught us with His humble heart and gentle wing the way of the bob. Let us show Him our reverence and follow in His example. The True Path of the Feathered One. ~ Dimboble-dubabob III


3 minutes ago, GoodBytes said:

It is called UEFI with Secure Boot. It also blocks rootkits.

If you have an old PC with the aged old BIOS, it's time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.

I don't think Secure Boot does what you think it does, or you don't know what Petya does.

Secure Boot does not prevent Petya.


 

11 minutes ago, KenjiUmino said:

and there you go again ... how long until there will be viruses and ransomware capable of whitelisting themselves automagically?

 

nice try ... but it won't hold up for long. it's just another round of cat & mouse 

This approach of Microsoft's isn't particularly new. They did something similar with Windows Vista, called User Account Control.

[image: uac3.png]

 

But malware authors found a way to get around it, especially by doing drive-by download attacks, watering hole attacks, or simply distributing malware (e.g. worms) on a flash drive that is being passed around by college students. I'm not going to dismiss this approach of Microsoft's just yet, but I'm not ditching my third-party AV until I see evidence that the new Windows Defender is as effective as the top-rated AVs.

3 minutes ago, GoodBytes said:

It is called UEFI with Secure Boot. It also blocks rootkits.

If you have an old PC with the aged old BIOS, it's time to upgrade it if you want that security. That should already be a 7-8 year old system by now.

If you have UEFI, and for some reason you set it to Legacy mode to emulate the old BIOS... then that is on you.

Correct me if I'm wrong with this, but from what I understand with Secure Boot, it will only block execution of malware upon boot, like preventing a malware-infested flash drive from interfering with the boot process. But from what I understand, most ransomware attacks are executed when the OS is already loaded and the user is logged in. Petya, from what I knew at the moment, will encrypt not the user's files but the master boot record when the user is already logged in. So yeah, Secure Boot only protects against rootkits but not ransomware.

 

13 minutes ago, Metal_Kitty said:

For that matter, why do we even have those folders? What's the point of them? If the apps that are run by Windows are run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then if at the end of the session with that application you want to save your stuff, as you close you get presented with an option of "Commit or Discard changes". Then you as the end user can control what is written to the Windows environment.

Not all applications, especially Win32 apps, run in a restricted sandbox environment.

 


 

 


4 minutes ago, Metal_Kitty said:

What's wrong with setting the group policy in such a way that it stops executable files or applications that run malicious macros or other malicious code from operating out of the worst offending folders in Windows (which includes the "Windows Temp" and the "AppData Temp" folders), or creating a policy that any software running out of these folders has to destroy the data in that folder on close of the application? Then add the protections mentioned to the remainder of the system...

How do you know that the program is malicious? Is TrueCrypt malicious?

 

Quote

For that matter, why do we even have those folders? What's the point of them? If the apps that are run by Windows are run in a sandbox environment by default, then surely that would resolve the issues too, because you can then run an application, assess it, and then if at the end of the session with that application you want to save your stuff, as you close you get presented with an option of "Commit or Discard changes". Then you as the end user can control what is written to the Windows environment.

The Temp folder is there for programs to put files temporarily. This is similar to the "tmp" folder on Linux-based OSes. Many programs use it for various reasons.

AppData is a folder that contains 3 sub-folders. You can read the full documentation here: https://technet.microsoft.com/en-us/library/cc766489.aspx and https://blogs.msdn.microsoft.com/patricka/2010/03/18/where-should-i-store-my-data-and-configuration-files-if-i-target-multiple-os-versions/

But in short, in a domain-joined system, programs that store data in Roaming are synced with the server, allowing the user to keep their software configurations between systems, and Local is local only. It is not synced with the domain server.

 

As for Documents, Pictures, Videos, etc... they are there for helping the user to know where to store their data.

 

Quote

Alternatively, run Windows in a sandbox environment and have documents etc. in their own partitioned section of the OS. Surely some of these ideas would be a lot more protective than just adding a few whitelisted applications to a list.

If you do, and the program is not adapted, many programs that rely on DRM, activation systems, the registry (like tweak tools), and more would crash or fail to work correctly.

 

Quote

I mean, how hard can it be to write a PowerShell script that will allow the addition of an item/app into the whitelist that executes itself on the triggering of malware, wiper, or ransomware?

You need to pass through UAC first. No one is a real admin under Windows.

 
