Skip to main content
Skip to main content
Microsoft Security

Stopping ransomware where it counts: Protecting your data with Controlled folder access

  • Tanmay Ganacharya Partner Director, Security Research, Microsoft 365 Defender

Windows Defender Exploit Guard is a new set of host intrusion prevention capabilities included with Windows 10 Fall Creators Update. One of its features, Controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files.

The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.

Read our latest report: A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017

Encryption should protect your data and files. Ransomware twists the power of encryption against you and uses it to take files hostage. This means losing control of your data: documents, precious photos and videos, and other important files.

For enterprises and small businesses, losing access to files can mean disrupted operations. Worse, for critical infrastructure, ransomware infection can halt the delivery of services. Just this year, successive ransomware campaigns and no less than two global outbreaks immobilized hospitals, transport systems, and other high-tech facilities.

Ransomware continues to evolve and impact many types of devices in different environments. At Microsoft, we continue to harden Windows 10 against ransomware and other threats. Our end-to-end security suite integrates multiple next-generation defense technologies that help our customers prevent, detect, and respond to ransomware attacks.

Controlled folder access adds another layer of real-time protection against ransomware.

Crackdown on unauthorized encryption

Ransomware campaigns continue to grow and thrive as they are a lucrative business for cybercriminals. Ransomware gets into a victim’s device, encrypting files and data. Because these files are held hostage, cybercriminals can extort money from their victims.

Controlled folder access brings you right back in control of determining what programs can access your data. This feature protects your files from tampering, in real-time, by locking folders so that ransomware and other unauthorized apps can’t access them. It’s like putting your crown jewels in a safe whose key only you hold.

Cybercriminals can’t extort money if they can’t encrypt your files. Controlled folder access is a powerful tool that can render ransomware attacks worthless.

How Controlled folder access works

Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including malicious executable files, DLLs, and scripts are denied access to folders.

This feature can be enabled in Windows Defender Security Center app in Windows 10.

By default, Controlled folder access protects common folders where documents and other important data are stored. But it’s also flexible. You can add additional folders to protect, including those on other drives. You can also allow apps that you trust to access protected folders, so if you’re using unique or custom programs, your productivity is not affected.

When enabled, Controlled folder access prevents access by unauthorized apps and notifies you of an attempt to access or modify files in protected folders. It delivers this protection in real-time.

Enabling and managing Controlled folder access in enterprise networks

In enterprise environments, Controlled folder access can also be enabled and managed using Group Policy, PowerShell, or configuration service providers for mobile device management.

The Controlled folder access feature seamlessly integrates with Windows Defender Advanced Threat Protection. Every time Controlled folder access blocks an attempt to make changes to protected folders, an alert is generated on Windows Defender ATP. This notifies security operations personnel to take quick response actions, including quarantining affected machines or blocking the unauthorized app from running on other machines.

As with the other Windows Defender Exploit Guard features, administrators can customize notifications that appear on endpoints in the event of an intrusion attempt. Customized notifications then allow employees to call, email, or IM their company’s help desk.

Controlled folder access and other Windows Defender Exploit Guard features include an audit mode that administrators can use to evaluate these security features in enterprise networks. In audit mode, the Controlled folder feature does not block attempts to modify files on protected folders, but logs all events, so administrators can assess Windows Defender Exploit Guard capabilities without impacting operations.

A comprehensive suite of advanced ransomware protection in Windows 10

Ransomware attacks grow more and more sophisticated every day. To keep you safe, we are continually improving Windows to protect against ransomware and other threats. Windows 10 is the safest version of Windows yet. Controlled folder access is designed to help reduce the risk of ransomware attacks, keeping your user and businesses data safe.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.


Tanmay Ganacharya (@tanmayg)

Principal Group Manager, Windows Defender Research




Note these additional Windows security features

Windows 10 S is a configuration of Windows 10 that’s streamlined for security and performance. Windows 10 S provides Microsoft-vetted security by working exclusively with apps from the Windows Store and by using Microsoft Edge as the default browser.

Windows 10 customers are also protected from ransomware with Windows Defender Antivirus. With advanced machine learning models, as well as generic and heuristic techniques Windows Defender Antivirus detects new as well as never-before-seen ransomware in real-time.

Microsoft Edge blocks ransomware infection from the web by opening pages within low privilege app containers and by using reputation-based blocking of malicious downloads. Microsoft Edge has been providing industry-leading online protection for Windows 10 customers since its release. This year, Microsoft Edge is now available on iOS and Android, so users of these platforms can start benefiting from browser security beyond sandboxing.

In enterprise environments there are additional layers of protection. Device Guard provides virtualization-based lockdown security. It blocks all types of unauthorized content, stopping ransomware and other threats from reaching the machine.

In addition to Microsoft Edge, enterprises can also ensure online safety by blocking ransomware attacks that begin with email. Microsoft Exchange Online Protection (EOP) uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender ATP powers security operations personnel to detect and respond to malware outbreaks in their organization. Windows Defender ATP’s enhanced behavioral and machine learning detection libraries flag malicious behavior across the ransomware infection process. The new process tree visualization and improvements in machine isolation help security operations to investigate and respond to ransomware and other malicious attacks.

Controlled folder access is a new piece to this growing stack of next-gen solutions that help you prevent, detect, and respond to ransomware and other modern attacks.

Controlled folder access, Exploit Protection, Attack surface reduction, and Network protection make up the host intrusion prevention capabilities in Windows Defender Exploit Guard. These features and all the other next-gen security technologies that ship with the Fall Creators Update continue to make Windows 10 the safest, most secure Windows ever.

Learn more about Windows 10 Fall Creators Update

Microsoft 365 Security and Management Features Available in Fall Creators Update

Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

Stopping ransomware where it counts: Protecting your data with Controlled folder access

Making Microsoft Edge the most secure browser with Windows Defender Application Guard

Introducing Windows Defender Application Control

Hardening the system and maintaining integrity with Windows Defender System Guard

Move away from passwords, deploy Windows Hello. Today!

What’s new in Windows Defender ATP Fall Creators Update

Antivirus evolved

Get the latest information on ransomware

Our ransomware FAQ page summarizes the latest developments in the ransomware landscape. It has information about the most prevalent ransomware families like Cerber, WannaCrypt, Spora, Teerac (also known as Crypt0L0cker or CryptoLocker), and Locky, as well as the latest notable ransomware families like Tibbar (also known as Bad Rabbit), Ronggolawe, Petya (also referred to as NotPetya), Erebus, and others.



Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.