Windows 10 build 16232
A security measure that protects specific folders so that only applications on a whitelist are allowed to access them
Build 16232 of Windows 10, which Microsoft released on the Insider channel yesterday, contains several new security features aimed at hardening the system against the latest threats, including one that specifically tries to limit the damage that a ransomware infection can do once the system has been compromised.
The file protection mechanisms that operating systems have used for years are based on a combination of ownership and access permissions. On systems shared by several users this approach is quite effective at reducing the incidence of problems: a user cannot access (or can access only in a limited way) files owned by someone else who uses the same system. The same approach, through the mechanism of permissions and privileges, has also proved reasonably effective at protecting the operating system itself from its users.
The arrival of ransomware, however, changes this picture considerably, because the nature of the threat is different: the danger is no longer another user modifying or encrypting the files, but a program that runs under the user's own identity and can therefore modify every file that identity can reach. In other words, the ransomware can read and write exactly the same files the user can read and write.
For this reason Microsoft has developed a feature called Controlled Folder Access, which falls under the Windows Defender umbrella. The principle is to designate certain folders as protected and to make them accessible only to applications found on a whitelist: any access attempt by an unauthorized application is then blocked by Defender. To reduce the management and maintenance burden, some applications will be placed on the whitelist automatically. Microsoft does not specify exactly which ones, but it is reasonable to assume that Store apps will automatically be granted the necessary permissions.
In theory an approach of this kind should limit a ransomware's ability to encrypt user data, but in practice the real effectiveness of the measure will depend on how robust Controlled Folder Access turns out to be. For it to actually work it will be necessary, for example, for the feature to stop a Word or Excel macro from accessing a protected folder even though the application the macro runs inside is on the whitelist. If a ransomware can find a way to "delegate" the dirty work to another, whitelisted application, the new measure will be effectively neutralized. The Word macro example is not chosen at random: in recent days a demonstration was given of how the new Windows 10 S can be compromised through exactly these mechanisms.
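The two previous paragraphs describe the feature's configuration model (protected folders plus an application whitelist) and the question of whether a whitelisted application can be abused to reach a protected folder. The following PowerShell session is an added example, not code from the article or from Microsoft; it assumes an elevated session on a build whose Windows Defender cmdlets already expose the Controlled Folder Access parameters (they are documented for the shipping release; the article does not say whether build 16232 had them yet), and the folder and application paths are placeholder values.

```powershell
# Added example: configure Controlled Folder Access with the Defender cmdlets and
# review what it reports. Paths below are placeholders, not values from the article.

# Start in audit mode: nothing is blocked yet, but every access that would have
# been blocked is written to the Defender operational log (event ID 1124).
Set-MpPreference -EnableControlledFolderAccess AuditMode

# Designate a folder as protected (placeholder path).
Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\alice\Documents\Projects"

# Whitelist one application by its full path (placeholder path).
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\ExampleApp\exampleapp.exe"

# Show the effective configuration. EnableControlledFolderAccess is reported as
# 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
$pref.EnableControlledFolderAccess
$pref.ControlledFolderAccessProtectedFolders
$pref.ControlledFolderAccessAllowedApplications

# Review the log: 1123 = access blocked, 1124 = access that audit mode would have blocked.
# Each event names the process that made the attempt, so a whitelisted process
# (for example an Office binary driven by a macro) showing up here is visible.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message

# Once the audit log shows no legitimate application being flagged, enforce.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Running in audit mode first is the practical way to evaluate the concern raised above: the 1124 events record which process touched a protected folder, so if writes arrive from a process that is on the whitelist rather than from the ransomware binary itself, the delegation problem shows up in the log before enforcement is turned on.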
Since this is a build released on the Insider channel, all of its features are to be considered beta, still under test and evaluation, and may therefore never reach end users.