faloits.blogg.se

Microsoft controlled folder access

Ransomware and other malware have become quite advanced in recent years. They exploit user files and data by holding them hostage. To tackle this issue, Microsoft devised an ingenious way to protect user data from such malicious attacks. The controlled folder access feature was developed to protect user files and data from ransomware and other kinds of malware. Let’s dive further to learn more about controlled folder access and the ways to enable it on Windows 10/11.

  • What Is Controlled Folder Access and How Does It Work?
  • How to Enable Controlled Folder Access?
  • What to Do If You Have Lost Your Data Due to a Cyberattack?

    CFA is disabled by default and can be enabled under the Windows Defender Security Center panel. Although Windows 10’s CFA anti-ransomware feature is a good step in the right direction, even a slightly sophisticated attack will easily bypass it. The Nyotron Security Research Team has discovered at least three ways to do this: APC Injection, Windows Management Instrumentation (WMI) and Office Macros.

    The Nyotron Security Research Team was able to bypass CFA by injecting malicious code into explorer.exe using APC Injection. As Windows Defender doesn’t detect this injection technique, the malicious DLL injected into Explorer can basically do anything to a user’s protected files, since it runs under a trusted process. One of WMI’s capabilities is to remove files using the CIM_DataFile object, so basic ransomware would be able to read the user’s files, encrypt them to a non-protected folder and then, using WMI, remove the original files. Microsoft Office documents may contain built-in macros, which attackers can use to deliver malware that encrypts files. CFA isn’t able to detect the modification of a large number of files in a short period of time and prevent it.

    If you are interested in a more in-depth analysis of these attacks (with proof-of-concept examples) along with additional CFA bypass methods, please read our detailed security report.
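Since CFA does not flag many files changing in a short time, and the process touching them may be a trusted one such as explorer.exe or the WMI host, a defender can add that check from file-event telemetry. The following is an added example, not code from the original page or from Nyotron: it counts distinct protected files changed per process in a sliding window. The log format, folder, window, threshold and the process name packer.exe are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed for this example (not from the page): folder, window, threshold, log format.
PROTECTED = [r"C:\Users\alice\Documents"]
WINDOW = timedelta(seconds=10)
THRESHOLD = 5  # distinct protected files changed by one process inside WINDOW


def sample_events():
    """Constructed events, not real telemetry: 'ISO time|process|action|path'."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    docs, tmp = PROTECTED[0], r"C:\Temp"

    def ev(sec, proc, action, path):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()}|{proc}|{action}|{path}"

    # Originals removed through the WMI host, one per second.
    events = [ev(i, "WmiPrvSE.exe", "delete", rf"{docs}\report{i}.docx") for i in range(6)]
    # A trusted process rewriting many protected files.
    events += [ev(20 + i, "explorer.exe", "write", rf"{docs}\photo{i}.jpg") for i in range(5)]
    # Ordinary editing: three saves spread over a minute.
    events += [ev(30 * i, "WINWORD.EXE", "write", rf"{docs}\draft{i}.docx") for i in range(3)]
    # Writes outside the protected folder (hypothetical process name).
    events += [ev(i, "packer.exe", "write", rf"{tmp}\blob{i}.bin") for i in range(8)]
    return events


def detect_bursts(lines, protected=PROTECTED, window=WINDOW, threshold=THRESHOLD):
    """Return {process: first alert time} for processes that write, rename or delete
    at least `threshold` distinct protected files within `window`.
    No process is exempt by name, because a trusted process can be the one acting."""
    recent = defaultdict(deque)  # process -> deque of (time, path) inside the window
    alerts = {}
    for line in sorted(lines):  # same-format ISO timestamps sort chronologically
        stamp, proc, action, path = line.split("|", 3)
        if action not in ("write", "delete", "rename"):
            continue
        if not any(path.lower().startswith(p.lower() + "\\") for p in protected):
            continue
        now = datetime.fromisoformat(stamp)
        q = recent[proc.lower()]
        q.append((now, path.lower()))
        while now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len({p for _, p in q}) >= threshold:
            alerts.setdefault(proc.lower(), now)
    return alerts
```

The threshold and window need tuning against normal bulk operations such as folder copies and backups before the alerts are usable.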













