Windows 10 Controlled Folder Access Step by Step Guide

Windows 10 Build 16232 and newer builds include a new security feature that can help prevent ransomware, malware, or malicious processes from making changes to files inside folders that you choose to protect. It is called Windows Defender Controlled Folder Access. I have been using it for two weeks now, and this article describes how to set it up and configure it so that it protects your important files and folders. I strongly recommend that anyone using Windows 10 enable this very helpful feature once they install the Fall Creators Update in a couple of months.

First of all, open the Windows Defender Security Center. You can find it by going to the tray at the bottom right of the taskbar, right-clicking the Windows Defender logo and choosing Open. You can also click the search icon or the Cortana circle and search for "defender", which lets you choose Windows Defender Security Center. Once the Security Center is open, find the Virus and Threat Protection settings by clicking the hamburger button at the top left to open the settings choices and choosing the second item down, the shield (right below the home symbol). This opens the antivirus settings; a little further down on the right, once again click Virus and Threat Protection Settings. Scroll down until you see Controlled Folder Access.

We are focusing on the Controlled Folder Access settings, which you will find as you scroll down, right after the Automatic Sample Submission On/Off switch. The first thing to do is change Controlled Folder Access to On. Next, click where it says Protected Folders. This opens Windows Explorer and lets you choose the folders you want protected. Microsoft has stated that the Windows directory and the libraries are protected automatically; however, just to be sure, I chose Documents, Downloads, my Applications folder, Music, Pictures, and Videos, as well as any external hard drives that are connected to the Windows 10 computer. At first I chose Desktop, but I noticed that every time I installed an application, the new application was not able to put shortcuts on the desktop because of the Controlled Folder Access designation, so I eventually removed Desktop from the Protected Folders. The nice thing about this feature is that if an application tries and fails to access a file in a protected folder, you receive a notification that tells you the location of the executable and the location it tried to access. These notifications then stay in the Action Center, so if you miss the notification, you will see it later when the Action Center shows up on the right side of the desktop.

For example, I use a program called Internet Download Manager, and it was blocked from accessing the downloads directory. I received a notification that says:
DATA Protection
Unauthorized Changes Blocked C:\Users\james\Downloads\wordpress-com-2-6-0-setup.exe from making changes to the folder C:\Users\james\Desktop

Next step: if the application is safe and you want to allow it to change files in the controlled folders, go down to the next option, Allow an App through Controlled Folder Access. This brings up the Windows Explorer file picker again, where you find the executable that was blocked and choose it, then accept the UAC prompt. You can go through this as many times as you want, adding any programs that need access to these protected folders.

In summary, Microsoft has finally added a security feature to the Windows 10 Fall Creators Update (and any Insider Preview builds since 16232) that can help prevent ransomware from encrypting the files inside these controlled folders. The great thing about this feature is that it is brand new, but it already works great, and it is configurable enough that you can whitelist the applications you need to use to access these folders safely, while any application that Microsoft does not recognize as safe will be blocked from encrypting any files in these folders. You will not want to add every folder, because this will likely cause too many false positives, but you should go through your computer's hard drives and move all of your important files into folders that you choose as Protected Folders. This is a very exciting feature for security professionals and enterprise I.T., but I am pretty sure that you will need to be running Windows 10 Enterprise or Education in order to use this new feature for now.

It is rather simple, and if you are using the Windows 10 Education or Enterprise version I recommend that you immediately turn this on and set up your controlled folders. I am sure that this feature will be coming to Windows Server 2016 in the coming Insider Preview updates, and it is good to see that Microsoft is taking security seriously in Windows 10.

After installing the newest Windows Insider Preview Build 16241, I noticed that when I tried to add new controlled folders or allowed programs with the Windows Defender Security Center, the UI would crash, so I immediately went to PowerShell to check if there were new cmdlets to configure Controlled Folder Access, and there were.

You are now able to use PowerShell to add Controlled Folders, and Applications that are allowed to access and edit files in those folders.
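The same configuration done from an elevated PowerShell prompt with the Defender cmdlets, as an added example that is not part of the original post. The folder and application paths are illustrative placeholders; the audit mode and the event IDs are as documented for current Defender builds.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on a machine with the Windows Defender module available.

# 1. Turn the feature on. AuditMode logs what would have been blocked without
#    blocking it, which is a sensible first step on a machine with many apps;
#    switch to Enabled once the audit log shows only expected entries.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Set-MpPreference -EnableControlledFolderAccess Enabled

# 2. Add extra protected folders. Add-MpPreference appends to the list;
#    Set-MpPreference with the same parameter would replace it.
$extraFolders = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Music",
    "E:\"                      # an external drive; constructed placeholder
)
Add-MpPreference -ControlledFolderAccessProtectedFolders $extraFolders

# 3. Allow a trusted application that was blocked. Use the full executable
#    path shown in the "Unauthorized changes blocked" notification.
$app = "C:\Program Files (x86)\Internet Download Manager\IDMan.exe"  # assumed path
Add-MpPreference -ControlledFolderAccessAllowedApplications $app

# 4. Verify what is configured.
$pref = Get-MpPreference
$pref.EnableControlledFolderAccess    # 0 = Disabled, 1 = Enabled, 2 = AuditMode
$pref.ControlledFolderAccessProtectedFolders
$pref.ControlledFolderAccessAllowedApplications

# 5. Undo a folder you added (default library folders cannot be removed this way).
Remove-MpPreference -ControlledFolderAccessProtectedFolders "E:\"

# 6. Review what was blocked or audited. In the Defender operational log,
#    event ID 1123 = blocked by Controlled Folder Access, 1124 = audited.
Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" |
    Where-Object { $_.Id -in 1123, 1124 } |
    Select-Object TimeCreated, Id, Message -First 10
```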

The PayPal donate button can also be used to get technical help.

First, click on the $0.00 and change it to the amount you want to donate. Once you fill in the dollar amount, you can choose to donate with PayPal or with a credit card. Thank you for your help. Once you donate, I may contact you to thank you and offer my services if you choose to leave a contact method, but this is not required. I am available for both hardware and software services; please inquire for more info.

We are currently creating Docker containers and Node.js applications, but just inquire with your needs; we do it all. Thanks again.

Sincerely, James

Microsoft releases Fix-It for IE 8 0-day - Hackers Steal 45 million from ATMs

Two big stories today I want to mention. Microsoft once again rushed to release a hotfix for all of its Windows XP users that were stuck on Internet Explorer 8, as a zero-day (0-day) vulnerability found last week was being used on around 9 different popular websites to redirect unsuspecting users to exploit kit malware attacks. This 0-day was so important because any business or home user that still has a 32-bit Windows XP computer is forced to use Internet Explorer 8 for Windows Updates. This exploit was first seen on the United States Department of Labor website. All a user had to do while browsing with IE8 was visit a specific frame and they were automagically redirected to a malicious Blackhole website that served up enough malware to take over their computer. Brian Krebs reported: "several security vendors reported that the U.S. Department of Labor Web site had been hacked and seeded with code designed to exploit the flaw and download malicious software." If you are running Internet Explorer 8, or if you are on Windows XP, then you need to go and download and run this Microsoft Fix-It before your computer becomes part of a botnet... or you could risk it and wait until Tuesday. This exploit is already part of Metasploit, and at least 8 other websites have been fingered as also hosting this attack.

In other news, most likely one of the most profitable ATM hacks in history has been thwarted, and it is now being reported that 1 young hacker is dead and 7 more face trial after being busted for stealing $45 million in a cyberheist that had cybercrooks actually going to thousands of ATMs with hacked debit or credit cards and collecting cash all over the world. It looks like they were actually able to lift the daily limits placed on credit/debit cards, and were able to literally collect as much money as the ATMs had in them before being caught. explains the heist rather well, so I will pass it off to them and you can read it here…

Cleaning Up after Citadel - Department of Justice Ransomware

[Image: Citadel Malware Ransomware Screen]

A client of mine was hit with a variant of the Citadel ransomware yesterday. He was just surfing the web looking for a movie to watch when he was hit by the drive-by download. It placed a big old warning message with "Your Computer Has Been Blocked" on the left and "The United States Department of Justice" warning on the right, and a picture of a naked girl in a sexual position near the bottom, while asking for a MoneyPak payment to unlock the computer.
Upon receiving the computer, I rebooted and used a Kaspersky Rescue CD to boot and scan the hard drive. It found the following files: 4 files labeled as "" and 10 files labeled as "Win32.Katusha.n". The exact filenames don't matter because they are just a bunch of random letters and numbers. After I deleted these 14 items with Kaspersky, I took out the CD and rebooted.

Upon reboot, the computer came on and about a minute later the warning screen came back, which I was happy about because I wanted to get a closer look and a picture. Looking at the bottom of the screen, I noticed a small black square that was blurry but changing; I moved around and noticed a picture of me there, as the webcam was recording and putting my picture right in the page next to the naked girl porno warning. I covered up the webcam with some tape and began experimenting with the computer to see what I could do. After taking a picture of the screen for documentation purposes, I tried to do a few things and was surprised that it actually let me open some windows and folders. I immediately noticed that it had created another false partition and a bootsect.bak. I rebooted into safe mode, deleted all the recent temporary files, and then used RogueKiller to run a quick scan and removal of about 8 registry keys and a batch file. I was still not out of the woods, but I was in total control of this bad boy at this point.

I downloaded MalwareBytes and let that scan; it found 15 items, mostly in the ProgramData folder. Check out the pictures for more detailed info. After deleting everything MalwareBytes found, I uninstalled Microsoft Security Essentials and installed BitDefender. This is not the first time I have seen Microsoft Security Essentials fail to protect against older known malware. After removing everything to this point and rebooting, the computer seems back to normal. I am still searching through the registry and all folders for any remaining traces. BitDefender and MalwareBytes are both returning completely clean, and it really wasn't that difficult to remove this, so I am still wary that there may be traces left behind.

Mark Russinovich demonstration of Stuxnet, Flame, & more.

In between troubleshooting Windows Server 2008 SYSVOL replication errors this week, I remembered wanting to mention Mark Russinovich's videos on TechNet from when he demonstrated Stuxnet and Flame in virtual machines last year. I think I forgot to post the link, so here it is; it was pretty entertaining. You can watch the video from June 11, 2012 at TechEd here:

I solved a pretty annoying problem today when I finally found the solution to my SYSVOL replication error on a 2008 Server domain controller whose SYSVOL path was being improperly labeled as \\?\C:\Windows\SysVol\Sysvol\Domainname.
The solution was simple but took me a while to find. All you have to do is go into ADSIEdit on the 2008 domain controller, navigate to the msDFSR root path, then edit the path that has the question mark and delete the first three characters. For the exact steps just check out the link at the end… Here is one of the TechNet articles that helped me get to the bottom of this.

Here is a link to the workaround which enables you to remove the bloody question mark that was causing me grief.
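A way to check every domain controller for this condition before opening ADSIEdit, as an added example that is not from the original post or the TechNet article it refers to. It assumes the ActiveDirectory module (RSAT) is installed, that you have rights to edit the DFSR subscription objects, and that the bad prefix is the literal \\?\ shown above.

```powershell
# Added example (not from the original post). Lists DFSR SYSVOL subscription
# objects whose msDFSR-RootPath starts with "\\?\" and shows the corrected
# value. Nothing is written unless the script is run with -Fix.
param([switch]$Fix)

Import-Module ActiveDirectory

# Each DC keeps a "SYSVOL Subscription" object (class msDFSR-Subscription)
# under its DFSR-LocalSettings container; msDFSR-RootPath lives there.
$subs = Get-ADObject -LDAPFilter "(objectClass=msDFSR-Subscription)" `
                     -Properties 'msDFSR-RootPath'

$bad = @()
foreach ($s in $subs) {
    $path = $s.'msDFSR-RootPath'
    if ($path -and $path.StartsWith('\\?\')) {
        # Strip the extended-length prefix, leaving the plain local path.
        $clean = $path.Substring(4)
        $bad += [pscustomobject]@{
            Object    = $s.DistinguishedName
            Current   = $path
            Corrected = $clean
        }
        if ($Fix) {
            Set-ADObject -Identity $s.DistinguishedName `
                         -Replace @{ 'msDFSR-RootPath' = $clean }
        }
    }
}

if ($bad.Count -eq 0) {
    Write-Host "No msDFSR-RootPath values with the \\?\ prefix were found."
} else {
    $bad | Format-List
    if ($Fix) { Write-Host "Updated $($bad.Count) object(s); allow AD replication to complete." }
}
```

Run it once without -Fix to see which controllers are affected, then with -Fix to apply the same edit ADSIEdit would make.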

HackInTheBox Security Conference Slides (PDFs)

Here is the Schedule And Presentation Calendar
D1T1 – Barisani and Bianco – Practical Exploitation of Embedded Systems.pdf
D1T1 – Chris Wysopal – Data Mining a Mountain of Vulnerabilities.pdf
D1T1 – Lucas Adamski – Firefox OS and You.pdf
D1T1 – Petko Petkov – History of the JavaScript Security Arsenal.pdf
D1T1 – Philippe Langlois and Emmanuel Gadaix – 6000 Ways and More.pdf
D1T1 – The Pirate Bay – Data is Political – NO SHOW
D1T2 – Don Bailey – Hackers, The Movie – A Retrospective.pdf
D1T2 – Haroon Meer – You and Your Research.pdf
D1T2 – Marc Heuse – IPv6 Insecurity Revolutions.pdf
D1T2 – Mark Dowd & Tarjei Mandt – iOS6 Security.pdf
D1T2 – Meder Kydyraliev – Defibrilating Web Security.pdf
D1T2 – Wes Brown – Supercomputing, Malware and Correlation.pdf
D1T3 – Charlie Miller – Attacking NFC.pdf
D1T3 – F Raynal & G Campana – An Attack Path to Jailbreaking Your Home Router.pdf
D1T3 – John Draper – A Historical Look at the Personal Computer and Phreaking.pdf
D1T3 – Jose Nazario – Tracking Large Scale Botnets.pdf
D1T3 – Paul Sebastian Ziegler – Hacking in the Far East.pdf
D1T3 – The Grugq – OPSEC – Because jail is for wuftpd.pdf
D2T1 – Chris Evans – Element 1337 in the Periodic Table – Pwnium.pdf
D2T1 – Katie Moussouris – How to Get Along with Vendors Without Really Trying.pdf
D2T1 – Ollie Whitehouse – Finding the Weak Link in Binaries.pdf
D2T1 – Paul Vixie – Silo Busting in Information Security – NO SLIDES
D2T1 – Rodrigo Branco – A Scientific Study of Malware Obfuscation
D2T1 – Shreeraj Shah – XSS and CSRF Strike Back Powered by HTML5.pdf
D2T2 – Fyodor Yarochkin and Vladimir – Messing up the Kids Playground.pdf
D2T2 – Jeremiah Grossman – Why Web Security is Fundamentally Broken.pdf
D2T2 – Raoul Chiesa – Information Warfare and Cyberwar.pdf
D2T2 – Saumil Shah – Innovative Approaches to Exploit Delivery.pdf
D2T3 – Emmanuel Gadaix – Something MEGA.pdf
D2T3 – Felix FX Lindner – Hacking Huawei VRP.pdf
D2T3 – Mikko Hypponen – Behind Enemy Lines.pdf
D2T3 – Stefano Zanero – Behaviour-Based Methods for Automated Scalable Malware Analysis.pdf

Thank you to Security Monkey's Chief Monkey for the links…

I recently was given a job of cleaning up an HP Laptop with 38 pieces of malware.

[Image: Malware Creators]

Just last week I faced a job of removing the malware from a Windows 7 64-bit HP laptop and getting the computer back to a usable condition. It was only 6 months old, and the owner complained that she could not do anything on the internet because the computer kept shutting itself off. She even talked about being ready to send it back to HP. I asked her if she had antivirus and kept it up to date, and she said she had installed AVG about a week after she brought the laptop home, and it often updated itself while she was trying to use the computer. The first thing I did when I received the laptop was simply attempt to go online with each of the browsers. The computer had only 19 GB used out of 750, yet it had about 12 toolbars, and it rebooted 5 minutes after I started trying to browse the web. I immediately installed MalwareBytes and started a scan, while I proceeded to remove each of the toolbars, and I installed CCleaner so I would be able to clean the cache, cookies, and temporary files. MalwareBytes found 30 malicious items in the first 5 minutes of the scan. I started looking at the AVG logs and settings to see why AVG had let this happen to the computer. I thought that maybe AVG was not turned on or had not run a scan in a while. However, I noticed that AVG was set to scan every day at 5pm, and it had indeed run 20 times in the last month but had not found any malware. I checked the logs and found that the only things AVG reported were files related to Microsoft .NET Framework 3.0 and 3.5 SP1 (which it labeled as a probable rootkit).

MalwareBytes finished its scan, finding 45 malicious items (7 tracking cookies and 38 malicious trojans and toolbars). Next I ran an AVG scan (just to see if it would find any of these same items before I removed them with MalwareBytes). I updated AVG's signatures, and AVG then scanned the entire system in about 15 minutes and found nothing yet again. At this point, I had found an ASCII to UTF converter with a Chinese logo and an instance of LogMeIn Rescue hidden in the temporary files folders. I called up the woman and asked if she had ever had anyone try to help her by remotely logging in to her computer, and she said no, never. I realized that one of those toolbars she had installed had likely been a trojan with an Asian hacker on the other end who had been remotely running commands on her computer. I used the netstat utility but did not see any current activity. At this point I had to do some proprietary investigation and forensics in order to prevent this hacker from ever accessing this computer again. I completed this in an hour or two and ran a ComboFix scan.

Okay, I then decided that either this AVG install was corrupted, or AVG is no longer an effective player in the antivirus industry. Well, I did not have time to investigate further, as I needed to have this computer back to new condition by tomorrow. I removed all of the items found by MalwareBytes, then restarted and deleted all the system restore points. I checked each of the browsers (Firefox, IE, and Chrome) for any leftover debris, and I rebooted the system. I next typed "MRT" in the search box, which ran the Microsoft Malicious Software Removal Tool, but it did not find anything. I then ran a portable BitDefender scan on the entire system, as well as an online scan by ESET. The system was coming up clean. I completely removed all remnants of AVG except for the AVG Secure Search bar (because utilizing AVG safe search couldn't hurt the owner).

Next, I installed Microsoft Security Essentials and set MalwareBytes' real-time protection to off. MSE's real-time protection will hopefully be good enough to protect the owner in the near future. I ran a full system scan, which came up clean, and used Revo Uninstaller to uninstall any leftover programs that the owner did not need. I then went ahead and tweaked all of the browsers' settings, configured her firewall, and updated her Adobe Reader, Flash Player, and her Java (which apparently had come installed on the laptop when she bought it). I used Secunia PSI to notify me of updates available for all installed programs. Then I went online and tried to perform some everyday tasks to verify that the computer was back to a usable condition. Note: I had documented all of my work, and I handed over the documentation to the owner when I gave back the computer. In the end, the laptop was back to its OOBE (Out of the Box Experience), and the owner was very appreciative.