Windows 10 Ransomware Protection: What You Should Know

What Is Windows 10 Ransomware Protection?

Malware protection is a major concern for all computing systems. In light of this, Microsoft included Ransomware Protection features as part of Windows 10. Windows 10 Ransomware Protection comprises two main components:

  • Controlled Folder Access—lets you specify particular folders that require monitoring and prevent changes to the files retained within them. This will prevent all programs, except those you permit, from making any changes to the files within the monitored folders. This protects them from becoming encrypted by ransomware.
  • Ransomware Data Recovery—automatically syncs your regular data folders in your Microsoft OneDrive account to backup the files. Ransomware targets who have this feature enabled may utilize OneDrive to recover any files that are encrypted by ransomware.

As of Windows 10 version 1903, Windows Defender’s Ransomware Protection has been disabled by default. This article explains how to enable it to protect a Windows system from ransomware attacks.

Find out how your organization can reduce the risk of becoming a ransomware  victim. Watch the recording, here.

Note that if you have installed a third-party antivirus software, the Controlled Folder Access feature and the Ransomware Protection features screen may not be accessible.

What Is Controlled Folder Access?

Controlled folder access helps safeguard your valuable information from malicious applications and threats, including ransomware. Controlled folder access safeguards your data by examining applications by going through a checklist of trusted and known applications.

Supported on Windows 10 clients and Windows Server 2019, controlled folder access may be initiated via Windows Security Application, Intune (for managed devices) or Microsoft Endpoint Configuration Manager.

Controlled folder access is most effective with Microsoft Defender for Endpoint, which provides you with detailed reporting information regarding controlled folder access events while blocking as a component of the regular alert investigation scenarios.

How does Controlled Folder Access work?

Controlled folder access functions by only providing trusted applications with access to protected folders. Protected folders are assigned once controlled folder access has been configured. Generally, commonly used folders, including those used for pictures, documents, downloads and the like, feature on the checklist of controlled folders.

Controlled folder access works alongside a checklist of trusted applications. Applications that feature on the checklist of trusted software work as anticipated. Applications that do not feature on the list are blocked from making any modifications to files within protected folders.

Applications are placed on the list according to their reputation and prevalence. Applications that are prevalent throughout an organization and that have never shown any behavior thought to be malicious are deemed trustworthy. Those applications are automatically added to the list.

Applications may also be manually placed on the trusted checklist through the use of Intune or Configuration Manager. You can also perform other actions, including adding a file indication for an application, via the Security Center Console.

Related content: Read our guide about how to prevent ransomware.

New call-to-action

How To Turn on Windows 10 Ransomware Protection

The following steps can be used to enable Ransomware Protection on Windows 10:

  1. Open Windows Security

In Windows 10, type “security” into the search bar and select the Windows Security application to get started. After Windows Security has initiated, go to the left-side menu and choose “Virus and Threat Protection” (it has a shield icon).

  1. Manage Ransomware Protection

In the Virus and Threat Protection page, scroll down until you see the section named Ransomware Protection. Look for the link Manage Ransomware Protection, and click it to continue.

  1. Enable controlled folder access

Look for the Controlled folder access section and ensure that the toggle is switched to “on”. This will automatically start ransomware protection.

  1. Allow required access to certain apps

Once you’ve enabled Controlled Folder Access, look under it for the section Allow an App Through Controlled Folder Access. This is where you can manage application access.

By default, Controlled Folder Access mode will stop file access from all applications it doesn’t know ( probably the majority of the third-party applications you are utilizing). This can be an issue if an application genuinely does require access to a file. Select this option to let a specific application use your files.

  1. Set up OneDrive File Recovery

If you don’t have Microsoft’s cloud solution OneDrive, the Ransomware Protection window will suggest that you organize OneDrive. This lets you store key files within the OneDrive cloud and on the local hard drive, so you may access them even when Ransomware prevents you from accessing your local files.

OneDrive’s basic service does not cost money and includes individual file recovery. If you have previously set up OneDrive, select “View Files” to confirm that your essential files are already in OneDrive.

Potential Drawbacks of Windows Ransomware Protection

Now that you are aware of this feature, you may be wondering why it is not turned on by default. Here are some of the drawbacks of using Windows Ransomware Protection in certain cases:

  • Only prevents data encryption—attackers are still able to exfiltrate files and extort the organization, threatening to publish the sensitive data.
  • Malware running as admin—this solution is not able to protect against malware that elevates privileges and runs as admin, because it can then disable Ransomware protection.
    False positives—this feature tends to detect false positives, which might lead to another series of issues. For instance, if a program you trust is deemed to be dubious, the warning could appear at an unsuitable time. It could crash the program or give you no option to retain your work.
  • Reduced functionality—It is not possible to determine in advance which programs Microsoft will deem to be suspicious. Thus, it is difficult to know in advance if your common applications or games will function properly when the ransomware protection is on. A possible solution to prevent trusted programs from being labeled as suspicious is putting them on the controlled folder access whitelist, but this can be complicated for people who may not be technical, as it involves locating the executable file used to run the program.
  • Complex management—any files on an external hard drive or in a shared network have to be manually placed on the checklist of protected folders. This is not always simple or quick to do.

So, while there are advantages to using the Windows ransomware protection, you should consider all aspects. Consider your preparedness to make various manual adjustments when things don’t function normally. For some, it could just be simpler to toggle the Controlled Access folder back to “off” and invest in a powerful antivirus for Windows, which stops threats such as ransomware in real time.

Perception Point Advanced Threat Prevention

 Perception Point delivers a unified platform that prevents malware, ransomware, APTs and zero-days from reaching your end users.

Advanced email security is an integrated cloud email security solution (ICES) that can replace SEGs. The solution cloud-native SaaS solution protects your organization against all threats using 7 layers of advanced threat detection layers to prevent malicious files, URLs, and social-engineering based techniques.

Advanced Browser Security adds enterprise-grade security to your organizations native browsers. The managed solution fuses browser protection technology with multi-layer advanced threat prevention engines which delivers the unprecedented ability to detect and remediate all malicious threats from the web, including phishing, ransomware, malware, APTs, and more. Multi-layered static and dynamic detection capabilities instantly detect and block access to malicious/phishing websites and prevent malicious file downloads of ransomware, malware, and APTs.

Advanced Threat Protection for Cloud Collaboration, File Sharing and Storage Applications, such as Microsoft 365 applications (OneDrive, SharePoint, Teams), Google Drive Box, AWS S3 buckets, ZendeskSalesforce, and any of the other hundreds of apps out there, protects your organization with near real-time dynamic scanning. It does not tamper with files and does not impede on productivity.

An all-included managed Incident Response service is available for all customers 24/7 with no added charge. Perception Point’s team of cybersecurity experts will manage incidents, provide analysis and reporting, and optimize detection on-the-fly. The service drastically minimizes the need for internal IT or SOC team resources, reducing the time required to react and mitigate web-borne attacks by up to 75%.

Contact us for a demo and see the immediate value.

ransomware webinar