Microsoft has come up with a way to preemptively block many kinds of ransomware by simply restricting access to folders that contain files the ransomware may want to zap.
There’s just one problem. Restricting, or controlling, folder access is a pain in the neck — it blocks every program unless you specifically give a specific program access. So, for example, you can turn off access to your Documents folder but allow access to Word and Excel. That may work well until you want to run Notepad on a file in the Documents folder. Oh-oh.
That’s the reason why Microsoft doesn’t turn on Controlled Folder Access (CFA) by default. If you really, really want CFA, you have to dig deep and find it. If you do make the effort, the monkey’s on your back to (1) stick CFA on all the right folders and (2) allowlist any program that may need to use files in the CFAs folders.To enable CFA, you need to jump through the following hoops:
- In the Cortana search bar, to the right of the Start button, type sec. At the top, tap or click Windows Defender Security Center.
- Tap or click the Virus & Threat Protection icon, scroll way down, and slide the Control Folder Access button to On.
Click Yes when asked if you want to allow the app to make changes to your device. The CFA settings screen appears.
You have to set up controlled folder access manually — and doing so is problematic on many systems. - Click the Protected Folders link.You see a list of all folders protected by CFA — Documents, Pictures, Videos, Music, Desktop.
Realize that ransomware frequently attacks files in other locations.
- If you want to add another folder to the blocked list, click the Add a Protected Folder icon and navigate to and select the folder. Repeat as necessary.Note that Windows 10 has an automatically created (but not fully disclosed!) set of programs that it deems to be friendly.
- Click the back arrow in the upper-left corner to return to the window you saw previously.
- If you have any programs that need access to those folders, and the apps aren’t automatically identified as friendly, click the Allow an App through Controlled Folder Access link. Navigate in Explorer to the app that you want to allow, and then click Open.
The Windows 10 folder is added to the allowlist.