Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Microsoft Privacy Security Windows IT

Windows 10 Will Soon Protect Files and Folders From Ransomware (theverge.com) 219

Microsoft is making some interesting security-related changes to Windows 10 with the next Fall Creators Update, expected to debut in September. From a report: Windows 10 testers can now access a preview of the changes that include a new controlled folder access feature. It's designed to only allow specific apps to access and read / write to a folder. If enabled, the default list prevents apps from accessing the desktop, pictures, movies, and documents folders. "Controlled folder access monitors the changes that apps make to files in certain protected folders," explains Dona Sarkar, head of Microsoft's Windows Insiders program. "If an app attempts to make a change to these files, and the app is blacklisted by the feature, you'll get a notification about the attempt."
This discussion has been archived. No new comments can be posted.

Windows 10 Will Soon Protect Files and Folders From Ransomware

Comments Filter:
  • Petty useful (Score:5, Interesting)

    by qbast ( 1265706 ) on Thursday June 29, 2017 @12:45PM (#54713819)
    It should prove quite useful, especially for backups. Currently even doing a backup every day I am risking that malware will become active during the process and encrypt backups on connected external disk along with everything else. With this feature I can specify that only backup program can have access to the external drive.
    • I've seen "disk firewalls" in other operating systems. Macs use something like SELinux to keep all but root tasks out of the Time Machine repository.

      I think this isn't a bad thing, and a must eventually. However, it does force an organization system (where the Documents folder winds up organized into Word, Excel, etc. subfolders, each only allowing the appropriate application and the backup program to access that directory.) Some ransomware can use a Dancing Bunnies attack and just ask the user for permi

    • Use a NAS in place of a USB backup drive. Run ZFS or (I assume) btrfs and take snapshots on a regular basis. If any software on your PC decides to encrypt your NAS share, you can revert to a previous snapshot.
    • I'm imagining a hard drive riddled with undeletable files and folders created by apps that failed to uninstall correctly.
    • I can't see this being useful against ransomware. Remember that ransomware already uses privilege escalation so that it can encrypt everything on the computer, including operating system folders. In other words it's already bypassed the system that Microsoft's implementing.
      • by Jeremi ( 14640 )

        Presumably this would be useful against malware that doesn't have root privilege (or whatever it's called in Windows-land). Currently, any software running at user-privilege level has the ability to munge the user's files, which by unfortunate coincidence are usually also the files that are the most valuable and most difficult to recreate after they get destroyed.

        I'm not sure what would be sufficient to defend against malware that has root access, since presumably any defense you put up could be removed by

        • Since you mentioned defenses that can be removed by malware... I certainly hope Microsoft put UAC in front of this new control panel item. If it's anything like the other 99% of security settings they have then unprivileged malware will simply deactivate it with the logged-in user's privileges and then continue on its merry way.
    • by vux984 ( 928602 )

      I'm sorry. You are doing backups wrong.

      Backups should be done via a client/server; where the client agent software sends data to the server.

      The client system should not ever directly mount nor be able to write to the backup media.

      And of course, the backups should be differential versioned; so if the client is compromised, and the encrypted/corrupted files are backed up, that you can still roll back to the day before the corruption.

      And there should be another separate back up on top of that.

      Don't get me wron

  • by Anonymous Coward on Thursday June 29, 2017 @12:47PM (#54713839)

    But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...

    • by slew ( 2918 )

      But the recent malware attacks weren't simply malicious trojaned apps changing each other's files. It was spread by compromising / using system services that are meant to be used to access a broad array of files. I don't see how changing the permissions model to block inter-app accesses will fix this...

      I was going to mention this, but perhaps at least it will raise the bar somewhat so that instead of fighting all sorts of "apps" that people download you are only fighting unpatched systems and zero-days bugs...

    • It seems that the idea is a whitelist rather than a blacklist, and across user-system space. In such case, if no one can modify the contents of a folder (not even using Windows explorer, or any system service), except using the registered binary, this would avoid any changes from scripts or trojans. Seems a nice idea to me.

      • How about full sand-boxing, with permissions. Make the core OS small (task control, memory manager, permissions) to limit the quantity of vulnerable software, with most of the OS running at normal privilege. Make a white-list of what directories and file types programs are allowed access to. This wouldn't prevent idiots from configuring everything wide open and getting hacked, but it would let professionals and experts safeguard their stuff.
      • if no one can modify the contents of a folder (not even using Windows explorer, or any system service), except using the registered binary

        Then an application's publisher could hold your data for ransom.

  • by aglider ( 2435074 ) on Thursday June 29, 2017 @12:48PM (#54713841) Homepage

    So it'd be enough for ransomware to impersonate those specific apps or just get into the party list. Shouldn't it?

    • Re:Specific apps? (Score:5, Interesting)

      by postbigbang ( 761081 ) on Thursday June 29, 2017 @01:00PM (#54713969)

      It's just one more slap-dash fix in a creaky operating system riddled with legacy APIs that are now being easily strangled with NSA-ware. Adding strict user space is what made XP SP2 somewhat tenable, but this is just one more embarrassing and glaring hole, and IMHO, a great reason to take a serious look at devops and agile as software development models. Windows 10 isn't new; it's the lipstick on a pig made from thousands and thousands of attempts to get it right.

      I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

      • Re: (Score:3, Insightful)

        I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

        Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.

        Many business apps only run on windows. Microsoft's customers aren't going anywhere.

        • Re:Specific apps? (Score:4, Interesting)

          by TheFakeTimCook ( 4641057 ) on Thursday June 29, 2017 @02:21PM (#54714591)

          I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves. Don't think that the current wave isn't the last or best; ransomware will be iteratively released until bitcoin shoots past $10,000/coin.

          Because it's not really hurting Microsoft's pocket. There isn't really a legitimate alternative for windows. The general public seemed baffled by Linux (and Linux isn't getting the marketing spent to promote it). Apple is a walled garden that nobody wants.

          Many business apps only run on windows. Microsoft's customers aren't going anywhere.

          At least for the Apple case, you are incorrect:

          In general:

          http://www.vertoanalytics.com/... [vertoanalytics.com] ...and, more specifically...

          "IBM began replacing PCs with Macs in early 2015, when it began giving employees the choice to upgrade to a Mac when their company kit needed upgrading. The data speaks for itself, at IBM an astonishing 73 percent of employees will choose a Mac when they get the chance to choose for themselves"

          http://www.computerworld.com/a... [computerworld.com]

          • by bazorg ( 911295 )

            "IBM began replacing PCs with Macs in early 2015"

            Irony can be pretty ironic.

            • "IBM began replacing PCs with Macs in early 2015"

              Irony can be pretty ironic.

              Are you speaking of the irony that stems from the fact that, in the early days of Apple, Jobs basically touted that they were the "Anti-IBM"?

              If so, I have thought about that, too. But remember, PCs were only a VERY small part of IBM's business (in fact, it started as part of their TYPEWRITER division!); so IBM itself was never THAT beholden to the WIndows culture, anyway.

        • by tattood ( 855883 )

          Many business apps only run on windows. Microsoft's customers aren't going anywhere.

          With the move towards SAAS, I wonder if this is going to change. If all of the business apps change to web-based products instead of installed software, then you can use any OS you want as long as it has a browser.

          • by tepples ( 727027 )

            If all of the business apps change to web-based products instead of installed software, then you can use any OS you want as long as it has a browser.

            And, in the case of business travelers' laptops, $10 per GB to connect to said web-based products.

        • Apple is a walled garden that nobody wants.

          Come again? While iOS may be a walled garden, macOS has no meaningful restrictions on what you can run. If you can download it, you can run it, regardless of source, author, or whether they're registered with Apple. I'll grant that the default setting these days is to disallow unsigned apps (i.e. apps not signed by a registered Apple developer), which makes sense as a default, given that this is an OS being used by untrained masses, but for someone such as yourself, you can easily bypass the restriction on

        • Re:Specific apps? (Score:5, Insightful)

          by bluefoxlucid ( 723572 ) on Thursday June 29, 2017 @03:33PM (#54715077) Homepage Journal

          You're baffled by Windows. Let's see you set up a corporate network with active directory domains using an all-Microsoft environment, complete with patch management, group policy, and the like. Then replicate that in linux.

          You can't.

          I run DevOps software on Linux. We develop stuff here, we deploy it, we run it in Docker containers, we put it on Linux. I got Linux to connect to the Active Directory domain via Samba--it's rickety, fickle, and hard to debug, as well as basically-independent because it doesn't do any of the actual active directory stuff. You can't push configurations down through Samba. Samba isn't Puppet.

          I've been fighting that battle for 10 years. I tell people we need robust, integrated enterprise network and configuration management like a Microsoft Domain; they tell me nobody wants that, and that Samba can already provide single sign-on. The freaking Social Security Administration investigated replacing much of their workstation deployments with Linux and deemed it unacceptable because you can't do anything like SCCM or GPO. Oh, you can now, if you want to develop Puppet or Chef modules in-house, with no standards to work from.

          The operational risk of running Linux, the sheer cost of administrating and securing a giant network of dumb workstations, is just ridiculous. Your network will never be in a known state. This is an easy problem to fix, except the people who want it fixed are either unable to do it themselves (yeah I'm not any form of programmer you want writing production code) or able to get a better, faster result by just buying COTS like Microsoft Active Directory and SCCM.

          Oh, and many business applications only run on Windows. That's not really a big deal today--not with O365 and all--and a mixed environment is acceptable if you can manage it sanely.

          The Linux ecosystem is filled with people who manage isolated servers or somehow got LDAP working for single sign-on and think that's acceptable. There's a nebulous push for things like Puppet and Pulp, in its isolated world, learning no lessons from large enterprise deployments of Novell (in the past), Windows, and so forth. People think that some rickety, slap-dash work that's not even up Windows NT 3.51 standards is somehow ready to take over the world, except that the applications aren't ported to it; in reality, the applications are hardly a barrier at all, and the complete lack of support for wide enterprise deployments is the big killer.

          Get some perspective.

          • by fisted ( 2295862 )

            set up a corporate network with active directory domains using an all-Microsoft environment, complete with patch management, group policy, and the like.

            There's your problem.

            Then replicate that in linux.

            Yep, it's hard to replicate such a complete POS infrastructure. Your mind is locked into the Windows world. This is like saying "Have you ever driven a car, with a steering wheel, seatbelts and all -- now try to replicate *that* on a motorcycle.

            If you need evidence that unix is fit to run massive scale networks, maybe look at relatively unknown, obscure projects like, say, the Internet.

            hard to debug

            Harder to debug than AD? Do you even know what debugging means?

        • Apple is a walled garden that nobody wants.

          Which I guess explains why Apple makes more money than the GDP of most sovereign nations on Earth.

      • Re: (Score:3, Insightful)

        I know it's fun to hate on Microsoft but it's worth noting that Linux has no protection from this kind of malware either. With this change the user directory on Windows will actually be more secure than the user directory in Linux.

        • For Linux on the desktop, it seems like it should be possible to have apps, like a web browser and email client, that have their own users. You could then run the apps via sudo and they'd only have access to files for their user or group. But last time I tried this I couldn't get it to work. Has anyone else done this successfully?

          • Specific apps? (Score:5, Informative)

            by csimpkin ( 808625 ) on Thursday June 29, 2017 @02:00PM (#54714431)

            You can use SELinux to accomplish a similar setup. You can ensure that a given application only has access to specific directories or files. Having spent a little time with it I can say it has an obscene learning curve.

            • by tattood ( 855883 )

              You can use SELinux to accomplish a similar setup. You can ensure that a given application only has access to specific directories or files. Having spent a little time with it I can say it has an obscene learning curve.

              Can you do the opposite based on directories? Make it so that only certain apps can access directories or files?

              • Yes, if you can express any such security rule in English, you can do it with Selinux.

                Only this role (group of users) can access this set of files, and only by running these programs, and only has read/write/execute permission. There are other attributes you can use as well.

                SELinux was released it in 1998.

                It's particularly well suited to servers. You can say exactly what your mail server software, or Apache web server, has access to, under exactly what conditions.

            • by Rei ( 128717 )

              Fedora has long come standard with SELinux enabled. I hate it. It sounds like a great idea, but the vast majority of apps do nothing special with SELinux failures, and just report them as "permission denied", leading the user to suspect a different problem than what's actually going on. And that's the good case; since SELinux problems can cause failures in things many programs don't expect to fail, it can leave you having to dig through the program with strace to figure out what went wrong. And with service

          • by boa ( 96754 )

            "Has anyone else done this successfully?"

            Check out Qubes OS https://www.qubes-os.org/ [qubes-os.org] . Qubes is picky on HW requirements, but works well if you have the HW.

        • Not hating on Microsoft. They're their own worst enemy. And I have quite a bit of difficulty with your determination that this makes Windows more secure than Linux. Remember: Microsoft only recently even considered the concept of user space. Everything was root. Everything before XP SP2 was admin. Only now are they trying to protect user space in rational ways. And they're failing.

          Why are they failing? Lack of rigorous testing made impossible by legacy APIs, horrific driver control, proprietary transports,

        • Actually it does in the form of a kernel security module (and userspace tools) called SELinux. SELinux enforces mandatory access control policies and it has no concept of the traditional "root" super-user with unfettered access to the system. The idea is that each user,program,daemon (services in windows) only has the minimum access to the system it requires to work
        • I know it's fun to hate on Microsoft but it's worth noting that Linux has no protection from this kind of malware either. With this change the user directory on Windows will actually be more secure than the user directory in Linux.

          No, it will just devolve into being a REAL PITA to do ANYTHING that resides inside of your User's directory-tree.

        • SELinux? If Apache gets compromised, and winds up with a root context, it won't be able to do much other than scrozzle its own directories.

      • It's just one more slap-dash fix in a creaky operating system riddled with legacy APIs

        Oh accessing a file system is related to legacy APIs? Tell me how Linux get's around protecting user files from programs run with user privileges? You lose a point for every manual intervention a user needs to make in order to actually access their files. How does Linux defend against a hacked user program with user privileges updating and containing malware from encrypting the files that the software needs to access? (Not that MS will succeed in this, but hey you're attacking them for trying. What are you

        • You make the mistake of believing that I espouse Linux as a secure operating system. It's better than the mutt called Windows in security, and has been for quite sometime. It's not invulnerable. Almost nothing is.

          Do you understand concepts like SE Linux? If not, then there is no rational discussion from here; you're a Windows fanboi and will not be swayed.

          Windows is prevalent in a large part of the business world. But as they're systematically held hostage by ransomware, cracks that leak billions of dollars

      • I'm just entirely shocked that Microsoft's stock price hasn't cratered into the pit it deserves.

        Hm. Why should their stock price go down? It is guaranteed income. Everyone needs an operating system and Microsoft has a legal stranglehold on the consumer and business markets. Microsoft could do something utterly evil, like monitor everything you do on a computer for analysis by the government and I bet there would barely even be a peep about it. Sure, some knowledgeable people will whine and complain needlessly about how such monitoring is merely to make Microsoft's products better, but the thought spac

    • One extra hurdle for them to clear. Better than no change.

  • Maybe I am wrong, but it looks like Office has been an attack vector.
    Will it be in the party list of "allowed apps"?

    • Office has ALWAYS been an attack vector. From damn Macro viruses in the 90's to other tecnhiques that embed in Word or other office products today.

      My wife got a virus on her laptop recently opening a Word document. Office is still very much a vector.

  • My 3 remaining Windows computers from Window 10! By keeping them on Window 7 Pro ;)
  • by Joe_Dragon ( 2206452 ) on Thursday June 29, 2017 @12:54PM (#54713899)

    will be used to block steam unless you buy windows 10 pro gamer

    • Errr why would you say that? MS already has the ability to block Steam they don't need to write a new feature for that. Please try and fit the hole in the tinfoil hat, some of the mind control is getting through and you're missing some really basic crap.

    • I suspect that is still a few years off. They learned with Trusted Computing that the chains have to go on a bit more slowly for the public to not cause a fuss about it.

      On a side note: Holy shit Slashdot is terrible without noscript. Actually, all of the web is. Been redirected to viruses twice so far this morning. How does this ecosystem even exist? Turn off the scripts,

      • by tepples ( 727027 )

        How does this ecosystem even exist? Turn off the scripts,

        Without scripts, how would an interactive web application like pix2pix [npocloud.nl] work? Would it instead have to be an OS-specific executable that the user is expected to download and install, or just do without if the user is running a different OS?

  • Great, so... (Score:5, Interesting)

    by Smidge204 ( 605297 ) on Thursday June 29, 2017 @12:54PM (#54713903) Journal

    ..the next generation of Ransomware will exploit a vulnerability in this new service to prevent YOU from accessing these folders and files.

    How very convenient!
    =Smidge=

    • Windows already does a fine job of that. When I upgraded from an XP system to Win7 (separate, all-new machine) and copied my files over, something got messed up with file permissions. I treat my desktop like a temp folder and write files to it all the time, except once I try to delete one of these files, Windows will throw a UAC prompt. No matter how many times I approve the prompt, Windows just keeps demanding admin access. All I have to do is wait 5 minutes, and then I can delete the offending file.

  • I used to get work done in Windows but I've diversified away from it on my production machines -- I do have it on a few test machines just in case they make some customer friendly decisions

    Things I'm unhappy about:
    - the broken update process (when I tried a few months ago, Windows 7 no longer auto-updates all the way through without manual intervention) -- it was supposed to work until 2020

    - the telemetry which reportedly can't be completely be turned off -- I like building nice quiet machines that are read

  • Ah, Windows - the cause of, and solution to, all of life's problems.

  • The sad but hilarious thing here is that the head of Microsoft's Insider Program doesn't know the difference between whitelisting and blacklisting.
  • So Microsoft is implementing a crippled version of SELinux?

  • Office macros are one of the most notorious attack vectors...

  • Personally I would be more concerned with exfiltration than deletion but if MS wants to provide safety they should consider versioning file system so that designated folders can be rolled back to prior states no matter what happened to the data. Not all fail is intentional and this could provide useful value beyond attack resistance.

    Aspect based access control mechanisms have a tendency of subverting themselves in the name of convenience over time. First there was the windows firewall, then every app inst

    • File system based versioning, something some older OS's were known to do. I think it was TOPS-20 that kept a versioned filesystem.

      This would be a much better solution to the ransomware issue, not only because it's the best way to ensure you can recover previous versions of files, but it's also useful for a myriad of other situations.

      Of course, Microsoft probably doesn't read /. so I doubt we'll get the more useful feature. App whitelist/blacklist seems a bit too complicated for end-users to be excepted to

  • I guess they figured a way to keep the user session running as root, while still sorta having security-ish behavior. If only there was an obvious solution like not making every user root.
  • Prediction: It will be exactly 6 months, maybe less, before MS largely defeats this, because, just like UAC, the only way MS knows how to make anything is either COMPLETELY in-your-face to the point of madness, or COMPLETELY useless.

  • by Dunbal ( 464142 ) * on Thursday June 29, 2017 @02:34PM (#54714693)
    All you need to do is send $300 worth of bitcoin to Redmond every few years if you want to keep using your computer.
  • didn't the last ransomware virus (petya or whatever) just reboot and encrypt the disk sector by sector, probably using good old INT 13h, then what is this going to help people ?!
  • Trusting Microsoft to protect your data is asking for a disaster to happen. Take charge of your own data and store it offline somewhere. Do NOT use so-called 'cloud storage'. External drives aren't expensive anymore. Even an external SSD isn't that expensive. With all the high-speed external data interfaces at your disposal these days plus how cheap large external storage is there's really no excuse anymore for not keeping your important files offline on a device in your physical possession.
  • There's an even easier way Microsoft could solve the problem that already exists and has probably 99% of the work already done for them: Volume Shadow Copy Service.

    Set aside 100 gigs of a 500+ gig hard drive, and designate one or more folders for protection.

    Any changes to files in the protected folders get journaled to that 100-gig area.

    If the journal fills up, the hard drive gets write-protected, with the exception of a 1-2 gig area where the user can create and save NEW files, but can't overwrite/delete existing files (so there will always be somewhere to save open files if the rest of the drive gets write-locked).

    Add some extra logic to warn the user as the journal reaches certain milestone sizes. Allow users to override the limits... but treat it like the safes used for change at convenience stores... you can override the limit NOW, but it won't take effect for 24 hours (and maybe up to a week, with warnings leading up to its execution, for more radical overrides).

    Need to write lots of temp files? Do it to a directory that's not protected. Or get a bigger hard drive, and make policy changes (that have to either be set at installation time, or get delayed by a period of time to give adequate advance warning).

    The only real difference between how it's used now would be the setting of hard thresholds that couldn't be exceeded without write-protecting the drive to give the user time to take action. It would probably create some new denial of service opportunities (some, accidental rather than malicious), but it would be a fairly effective safeguard against the current #1 mode of action used by ransomware (mass-encryption in the background of files over a short period of time).

  • ... to at least be able to read everything. I can appreciate preventing privilege escalation exploits from writing to a filesystem that it had no business modifying, but when I'm doing backups, I expect to be able to read the entire drive's contents without issue.

    Stick to user-level authorization for reading... but having application whitelists writing to folders may help the situation somewhat for the moment, or at least until the malware author learns how to masquerade their creation as some ordinaril

    • IMHO, this is yet another sad example of Microsoft solving the problem backwards.

      Take the way it handles program installation. If the .msi installer goes to create a new directory in c:\program files, c:\program files(x86), or somewhere else, Windows throws up all kinds of warnings. But if the installer simply goes to MODIFY an already-existing .exe file, it'll silently allow it without complaint once you've swatted away the UAC prompt. Which, IMHO, is fucking STUPID. Almost BY DEFINITION, if I launch a .ms

  • Chmod? Something like fswatch? Mailx? If you want to monitor the file system, folders, or an individual file, there's quite a few ways and programs to do that and have an email sent via something like mailx. Welcome to the 21st century M$. I just hope this isn't onemore step closer to total control over what you can and can't do. I'm also pretty sure there's a few firewalls for Linux that do more than just "internet" and include in-system stuff too. What the hell took them so long? Mac has something like th
  • Microsoft reinvented groups - the hard way.
    They used to own Xenix, there's no legal issues in the way of them learning from the examples of others.

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...