What is Controlled Folder Access?
With the release of the Windows 10 Fall Creators Update, Microsoft added a new feature called Controlled Folder Access (CFA) to Windows Defender Exploit Guard. This feature allows users to control which processes can access certain folders, helping protect data from malicious programs such as ransomware or wipers.
CFA is disabled by default, and can be enabled under the Windows Defender Security Center panel.
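The enable-and-inspect steps above, as an added PowerShell example that is not part of the original post: it reports the current CFA state, turns CFA on, and lists recent CFA block/audit events. It assumes an elevated session with the Defender PowerShell module available; 'D:\Finance' is a placeholder path.

```powershell
# Added example (not from the original post). Requires an elevated PowerShell session
# on a host with Windows Defender and its PowerShell module installed.

# Current CFA state: 0 = Disabled, 1 = Enabled (block mode), 2 = Audit mode
$pref = Get-MpPreference
"CFA mode: $($pref.EnableControlledFolderAccess)"
"Protected folders: $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications: $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# Turn CFA on in block mode. On a fleet, run 'AuditMode' first to find legitimate
# applications that would otherwise be blocked.
Set-MpPreference -EnableControlledFolderAccess Enabled

# Add a custom folder to the protected set (the default user folders stay protected).
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Finance'   # placeholder path

# Review every explicitly allowed application. Each entry is a process CFA trusts for all
# protected folders, so keep the list short and limited to signed, known binaries.
$pref.ControlledFolderAccessAllowedApplications | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path            = $_
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    }
}

# Event ID 1123 = write blocked by CFA, 1124 = write that would have been blocked (audit mode).
# Both are written to the Defender operational log and are worth forwarding to a SIEM.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```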
How is CFA Vulnerable?
Although Windows 10’s CFA anti-ransomware feature is a good step in the right direction, even a slightly sophisticated attack will easily bypass it. The Nyotron Security Research Team has discovered at least three ways to do this: APC Injection, Windows Management Instrumentation (WMI) and Office Macros.
The Nyotron Security Research Team was able to bypass CFA by injecting malicious code into explorer.exe using APC Injection. As Windows Defender doesn’t detect this injection technique, the malicious DLL injected into Explorer can do essentially anything to a user’s protected files, since it runs under a trusted process.
One of WMI’s capabilities is removing files using the CIM_DataFile object, so basic ransomware would be able to read the user’s files, encrypt them to a non-protected folder and then, using WMI, remove the originals.
Microsoft Office documents may contain built-in macros which attackers can use to deliver malware that encrypts files. CFA isn’t able to detect the modification of a large number of files in a short period of time and prevent it.
If you are interested in a more in-depth analysis of these attacks (with proof-of-concept examples) along with additional CFA bypass methods please read our detailed security report.