controlled folder access

JohnH

VB.NET Forum Moderator
Staff member
Joined
Dec 17, 2005
Messages
15,825
Location
Norway
Programming Experience
10+
Some thoughts about new Defender feature controlled folder access.

Windows 10 Fall Creators Update includes a new feature for Defender called "controlled folder access", which means folders can be protected from unauthorized changes. By default it is not enabled, but enabled it will protect standard user folders like Documents, Pictures, Desktop etc and user can add other folders including network shares to add protection for their documents. When enabled applications can not write to these locations unless they are explicitly whitelisted (elevated admin prompt). Some applications are allowed implicitly, like MS Office and MS Notepad. Also, standard folders can't be excluded from this protection.

From what I read in articles a notification about block should appear and give user option to add the application to whitelist, that is not what happens on my machine, the notification appears but no option to whitelist it there. Also in Defender settings there is no blocklist with option to whitelist. There is a dialog where I can browse manually to an .exe to add it to whitelist (or paste a path), this can only get better.

The block notification truncates the path, I've found hidden deep in event lists a Defender event list that shows the block event, and also includes the full path. What about Clickonce installed applications? As you know their path is convoluted, and also changes if updated. No way users will be able to whitelist them manually.

So if you thought your application could safely write to user Documents and such folders think again, prepare for FileNotFoundException of all things.

If you have VS projects in Documents folder they are affected by this as well when debugging.
 
Just saw the installation of a commercial application crash and burn because it wasn't allowed to put app icon on desktop. LOL

On top, the installation was run from a network share, I tried to allow the mapped path to setup file, but Defender CFA would only let it through when I used the UNC path to the setup file. "Temporarily disable CFA" is what I should have done - I just tested this as well and it appears the folder and whitelisted apps are preserved when I re-enable it.
 

Latest posts

Back
Top