Controlled Folder Access?

[Amaroq_Starwind]

Windows 10 has a useful feature titled Controlled Folder Access, which prevents unauthorized programs from making changes to specified folders or the files within (especially useful in the case of dealing with Ransomware), but there are some issues with it...

1: In its current implementation, it automatically blocks everything, and individual programs need to be Whitelisted manually.

2: It requires Real-Time Protection to be enabled in Windows Defender, but Real-Time Protection completely shuts itself off when you have Malwarebytes installed and running.

 

What I propose is a modified implementation based within Malwarebytes, meaning that it can actually be used by Malwarebytes customers; it would run on three lists:

- Whitelist: Programs here are allowed to make changes to protected folders (or the files within) freely. However, everything will still be audited.

- Graylist: Programs here will need to prompt the user every time they attempt to make changes to protected folders (or the files within). This will be the default behavior unless otherwise specified.

- Blacklist: Programs here are completely barred from writing to protected folders.

Both the Blacklist and the Whitelist can be manually edited by the user, or updated from a community-provided list. The lists can also be configured separately based on a folder's security-level, with higher security levels being more restrictive.

 

Thoughts? 🦊

[exile360]

You should be able to run Defender with Malwarebytes protection active, you simply need to modify the setting under Windows Action Center located in Settings>Application in Malwarebytes to Never register Malwarebytes in the Windows Action Center and then restart your system.

As for the functionality you propose, that's very much like a HIPS, and while certainly useful, I'm not certain the Malwarebytes team would be inclined to develop it as it was something I proposed in the past and they decided against it (though what I had in mind was far more extensive, covering much more than just permissions on folders; I sought a full blown HIPS module that would monitor the system for any known malicious activity, similar to how the Exploit Protection and Ransomware Protection components in Malwarebytes currently monitor for behaviors associated with those threat types).

Edited November 26, 2018 by exile360

[Amaroq_Starwind]

What's HIPS?

[Amaroq_Starwind]

So, I unregistered Malwarebytes from the action center, but I forgot that I also had still Webroot Secureanywhere installed from the laptop's previous user. I never bothered uninstalling it because it hasn't ever conflicted with Malwarebytes and the license still has almost a year left, but I might have to uninstall it in order to get Protected Folder Access running because I can't for the life of me figure out how to unregister it from the Windows action center.

 

I also looked up HIPS. I am honestly surprised that the MBAM team declined something like that. 

[exile360]

Yes, if Webroot is on the system you'll most likely need to remove it for Defender to work.

As for HIPS, I think there are a few reasons.  First, because of the high probability of a high level of performance impact.  Second, because HIPS tend to be more for the more technical users who understand more about PCs and software as novice/normal PC users won't know how to answer any sort of prompts they get with regards to potentially risky activities; there are ways to mitigate this such as trying to build up a good whitelist for known good/safe executables and processes, but those are never 100% effective as there are always new executables and programs being created, including those by lesser known independent developers.  Third, just because HIPS have been around for so many years and yet still haven't proven to be the be all end all in PC security (currently there is no "silver bullet" perfect solution to stopping 100% of malware, both present and future possible threats) so the effort would likely prove pointless as soon as the bad guys get ahold of the product to test their wares against it; they'd just adapt their threats so that whatever they do, it isn't detected thus once again forcing the security vendors to play catch-up.  It's a constant cat-and-mouse game with each looking to beat the other at every step, so contemplating a hypothetical "perfect" solution is a futile effort (it's the same as the bad guys trying to come up with a type of infection/attack that no vendor could ever detect or remove; it's not really possible and this is why they've taken to more drastic measures like encrypting files because that's something that cannot be reversed/undone without a clean backup of the data, which would render virtually all threats moot anyway since you could just wipe the system and start over and replace your data from your clean backup copies).