On Sun, 4/26/2026 8:55 PM, VanguardLH wrote:
> Trying to find out how Controlled File Access (CFA) works in Windows has
> been, well, exasperating. Seems hiding is how the feature itself is
> protected.
>
> You can whitelist (exclude) apps, which grants them access to a protected
> folder. But is just the process name used to decide if a process is
> granted access, or is a hash of the process (memory image) recorded for
> the exclusion to ensure THAT process is whitelisted? Any program can use
> any name, so a good program with a name could be usurped by a malicious
> program by using the same name. Filtering based solely on process name
> is weak protection.
>
> Does CFA also record a hash of the memory image of a process to ensure
> only that particular process gets whitelisted? A process name and hash
> together are far superior in identifying which programs are granted
> access to a protected folder. Process name alone is very weak. If you
> allowed notepad.exe access to a protected folder, and process name alone
> were used for whitelisting, then malware named notepad.exe would also be
> granted access to the protected folder. However, a hash on the good
> notepad.exe process would differ from the hash on a malicious notepad.exe
> process, and would also include ADS (Alternate Data Streams) attached to
> a file if the hash were on the memory copy of the process (nothing runs
> unless loaded into memory from where it executes).
>
> First scenario: Checks against process name only in the whitelist
> filter. This is the type of filtering you find in firewalls.
>
> Second scenario: Checks against process name and its source path in the
> file system in the whitelist filter. I've used SRPs (Software
> Restriction Policies), after adding Block as an available action, in the
> past with a Path rule to ensure a program only in a specific path was
> granted access or blocked. That won't protect against malware that
> replaces the targeted program file.
>
> Third scenario: Checks against process name, and a hash generated and
> recorded on the memory image of the process in the whitelist filter.
> Alas, after an update to a program, its files may change, which encumbers
> the user with prompts to grant access to the differently-hashed process.
>
> The first scenario is easily bypassed by malware. A program can be named
> anything, including the name of a good program. The second scenario is
> better, but doesn't protect from malware supplanting the good program
> files. The third scenario is much better, but a nuisance after updates
> to a program. Trying to find how CFA actually works has been
> despairing.
>
> No, I'm not interested in "Windows sucks", alternate anti-ransomware
> solutions, or other off-topic discussions. Only in how CFA records a
> whitelisted process to grant access to protected folders. I've found
> many other security products that whitelist by process or file name, but
> they don't record a hash to ensure ONLY that copy of a file gets access.
> Maybe CFA is just as weak as those other anti-malware/ransomware
> products.
Susan seems to share your concerns on implementation, and recommends
running it in Audit Mode to see if you'll be happy "playing second fiddle
to a machine" :-)

If you use Reliability Monitor, you can see that every day there is
background activity where you are not in the loop (which is fine when you
don't need to be in that loop). The worst case, then, is that every
application you go to use causes "friction" and "generated Events".
https://www.computerworld.com/article/1612084/windows-controlled-folder-access-think-twice-before-deploying.html
by Susan Bradley Contributing Writer
"Next, look in the event log for the following events:
5007 Event when settings are changed
1124 Audited controlled folder access event
1123 Blocked controlled folder access event
Often, there is a balance between the risks of attacks and the impact of security systems
on computers. Take the time to evaluate the balance and whether this has an acceptable
overhead for your needs.
"
I've been using Google for the last couple days, without seeing any
AI summary at the top of the page. I typed in
Controlled Folder Access
into Google and I "got an article" written for me. It had an unusual number
of cites at the bottom :-) It's usual with a Harmony-type response to get
3 cites or 5 cites, this one has 16 cites like it was a Wikipedia article.
This would be great if this was my homework assignment or I was a lawyer
hoping to get on the bad side of the judge.
********************* Google (Gemma?) top-of-page-article **********************
AI Overview
Controlled folder access is a Microsoft Defender Antivirus feature in Windows 10/11
and Server 2019+ that protects files from ransomware by allowing only authorized
applications to modify files in designated folders. It prevents unauthorized changes
to key directories, such as Documents, Pictures, and Desktop, by checking apps against a list of trusted applications.
How it Works
Protection mechanism: It scans apps for malicious activity and blocks unauthorized or
untrusted apps from modifying or deleting files in protected folders.
Default Folders: It commonly covers personal user folders (Documents, Pictures, Movies, Desktop).
Notifications: Users receive notifications when an application is blocked.
This video shows how to enable and configure Controlled Folder Access: [??? link not inline]
How to Enable/Configure (via Windows Security)
1. Open Windows Security and go to Virus & threat protection.
2. Select Manage ransomware protection.
3. Toggle Controlled folder access to On.
4. Use Protected folders to add more directories.
5. Use Allow an app through Controlled folder access to permit blocked applications.
Important Considerations
False Positives: Legitimate apps may be blocked, causing functionality issues
(e.g., game saves, software updates).
Audit Mode: It is recommended to run this feature in audit mode first to evaluate
its impact on productivity before fully enabling it.
Administration: It can be managed via Group Policy, Microsoft Endpoint Configuration Manager, or Intune.
It is highly effective for security but requires manual management to
whitelist legitimate apps that are incorrectly flagged.
Cites [16 of them!]:
https://learn.microsoft.com/en-us/defender-endpoint/enable-controlled-folders
https://learn.microsoft.com/en-us/defender-endpoint/controlled-folders
https://www.reddit.com/r/Windows11/comments/vfq5n2/controlled_folder_access/
https://www.ninjaone.com/blog/enable-or-disable-controlled-folder-access-in-windows-11/
https://support.microsoft.com/en-us/windows/virus-and-threat-protection-in-the-windows-security-app-1362f4cd-d71a-b52a-0b66-c2820032b65e
https://learn.microsoft.com/en-us/defender-endpoint/customize-controlled-folders
https://www.youtube.com/shorts/EGcGuO91Fb0
[I clicked the following article]
https://www.computerworld.com/article/1612084/windows-controlled-folder-access-think-twice-before-deploying.html
https://support.huntress.io/hc/en-us/articles/4412934492691-Controlled-Folder-Access-for-Windows
https://www.xda-developers.com/controlled-folder-access-windows-11-increased-data-security/
https://support.google.com/drive/answer/14254362?hl=en&co=GENIE.Platform%3DAndroid
https://www.youtube.com/watch?v=EoahEIR2gCM
https://learn.microsoft.com/en-us/answers/questions/445477/how-to-give-a-user-full-control-of-all-files-in-a
https://www.reddit.com/r/windows/comments/mr1g3n/useless_controlled_folder_access_warnings_that_do/
https://docs.seqrite.com/docs/seqrite-endpoint-protection-8-3-control-center/configurations/application-control-policy/
https://learn.microsoft.com/en-us/defender-endpoint/evaluate-controlled-folder-access
********************* End: Google (Gemma?) top-of-page-article **********************
Paul
--- PyGate Linux v1.5.14
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
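VanguardLH's question above is whether the allow list is keyed by process name, by path, or by a hash, and Paul's reply relays the enable steps and the three Defender event IDs to watch. The PowerShell below is an added example, not code from either poster or from Microsoft. It puts Controlled Folder Access into audit mode with the documented Set-MpPreference and Add-MpPreference cmdlets, allows one application (these cmdlets take a full file path), records a SHA-256 baseline of every allowed binary so a later run flags the "replaced program file" case from the second scenario, and summarises events 5007, 1124 and 1123 from the Defender operational log. The folder, application and baseline-file paths are placeholders.

```powershell
# Added example (not from the newsgroup thread): audit-mode Controlled Folder
# Access, one allowed application, a SHA-256 baseline of the allowed binaries,
# and a summary of the Defender events named in Susan Bradley's article
# (5007 settings changed, 1124 audited, 1123 blocked).
# Assumptions: run as Administrator on Windows 10/11 with Microsoft Defender
# Antivirus active. The three paths below are placeholders you replace.
#Requires -RunAsAdministrator

$ProtectedFolder = 'C:\Users\Public\Documents\Protected'          # placeholder
$AllowedApp      = 'C:\Program Files\ExampleVendor\example.exe'   # placeholder
$BaselineFile    = "$env:ProgramData\cfa-allowed-apps-baseline.csv" # placeholder

# 1. Audit mode: access that would be blocked is logged, nothing is blocked yet.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect an extra folder and allow one application. The allow list entry
#    is a file path; the hash baseline below is our own record, kept so a
#    replaced binary at that path is noticed.
Add-MpPreference -ControlledFolderAccessProtectedFolders $ProtectedFolder
if (Test-Path -LiteralPath $AllowedApp) {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $AllowedApp
}

# 3. Baseline: SHA-256 of every currently allowed application on disk.
$prefs    = Get-MpPreference
$now      = (Get-Date).ToString('s')
$baseline = foreach ($app in $prefs.ControlledFolderAccessAllowedApplications) {
    if (Test-Path -LiteralPath $app) {
        $h = Get-FileHash -LiteralPath $app -Algorithm SHA256
        [pscustomobject]@{ Path = $app; SHA256 = $h.Hash; Recorded = $now }
    } else {
        [pscustomobject]@{ Path = $app; SHA256 = 'MISSING'; Recorded = $now }
    }
}

# Compare with the previous baseline, if any. A changed hash means the allowed
# path now resolves to a different binary: a legitimate update or a replacement.
if ($baseline -and (Test-Path -LiteralPath $BaselineFile)) {
    $old = Import-Csv -LiteralPath $BaselineFile
    foreach ($entry in $baseline) {
        $prev = $old | Where-Object Path -eq $entry.Path
        if ($prev -and $prev.SHA256 -ne $entry.SHA256) {
            Write-Warning "Allowed app changed since baseline: $($entry.Path)"
        }
    }
}
if ($baseline) {
    $baseline | Export-Csv -LiteralPath $BaselineFile -NoTypeInformation
}

# 4. Summarise the last 7 days of CFA events from the Defender operational log.
$meaning = @{ 5007 = 'settings changed'; 1124 = 'audited'; 1123 = 'blocked' }
$events  = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007, 1124, 1123
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

$events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        EventId = $_.Name
        Meaning = $meaning[[int]$_.Name]
        Count   = $_.Count
    }
} | Format-Table -AutoSize

# Full text of each audit/block event, which names the process and folder involved.
$events | Where-Object Id -in 1124, 1123 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Run it from an elevated PowerShell. Set-MpPreference is itself a settings change, so the first run adds 5007 entries of its own; in audit mode the 1124 events show what enforcement would have blocked, which is the "second fiddle" cost Susan describes. The CSV baseline is the administrator's record and is not consulted by CFA; it only gives you a way to see that the binary behind an allowed path has changed before you decide whether to keep the entry.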