Controlled folder access (CFA) demonstrations (block ransomware)
Controlled folder access helps protect valuable data from malicious apps and threats such as ransomware. Every app (any executable file, including .exe, .scr, .dll and others) is assessed by Microsoft Defender Antivirus, which determines whether the app is malicious or safe. If the app is determined to be malicious or suspicious, it is not allowed to make changes to files in any protected folder.
Scenario requirements and setup
- Windows 10 1709 build 16273
- Microsoft Defender Antivirus (active mode)
PowerShell commands
Set-MpPreference -EnableControlledFolderAccess <State>
Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
Replace <State> with one of the values from the Rule states table below. Note that Set-MpPreference -ControlledFolderAccessProtectedFolders replaces any custom protected folder list that is already configured; use Add-MpPreference -ControlledFolderAccessProtectedFolders to append a folder instead.
Rule states
State (value passed to -EnableControlledFolderAccess) | Mode | Numeric value (as reported by Get-MpPreference)
---|---|---
Disabled | Off | 0
Enabled | Block mode | 1
AuditMode | Audit mode (changes are logged but not blocked) | 2
Verify configuration
Get-MpPreference | Select-Object EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
EnableControlledFolderAccess is reported as the numeric value from the Rule states table, and ControlledFolderAccessProtectedFolders should list C:\demo\.
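The following PowerShell is an added example and is not part of the original page's scripts. It checks the three things the demo depends on in one call: that Microsoft Defender Antivirus real-time protection is active (CFA is enforced by real-time protection, so a passive or disabled Defender will not block anything regardless of the CFA setting), that CFA is in the expected state, and that the demo folder is actually on the protected list. The function and parameter names are this example's own; the folder path and state values are taken from the page.

```powershell
# Added example (not from the original page): verify Controlled folder access
# is configured as the demo expects. Function names are this example's own.

function Get-CfaStateName {
    param([int]$Value)
    # Numeric values are those returned by Get-MpPreference (see Rule states).
    switch ($Value) {
        0       { 'Disabled' }
        1       { 'Enabled (block mode)' }
        2       { 'AuditMode' }
        default { "Unknown ($Value)" }
    }
}

function Test-CfaConfiguration {
    param(
        [string]$ProtectedFolder = 'C:\demo\',
        [int]$ExpectedState = 1          # 1 = block mode, per the Rule states table
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # CFA only takes effect when real-time protection is on.
    $realtime = [bool]$status.RealTimeProtectionEnabled
    $state    = [int]$pref.EnableControlledFolderAccess
    $folders  = @($pref.ControlledFolderAccessProtectedFolders)

    # Compare paths case-insensitively and ignore a trailing backslash, so
    # 'C:\demo' and 'C:\demo\' are treated as the same folder.
    $want = $ProtectedFolder.TrimEnd('\')
    $listed = $folders |
        Where-Object { $_ -and ($_.TrimEnd('\') -ieq $want) } |
        Select-Object -First 1

    $result = [pscustomobject]@{
        RealTimeProtectionEnabled = $realtime
        CfaState                  = Get-CfaStateName $state
        CfaStateMatchesExpected   = ($state -eq $ExpectedState)
        ProtectedFolderListed     = [bool]$listed
        ProtectedFolders          = $folders
    }
    # Ready is true only when all three preconditions for the demo hold.
    $result | Add-Member -NotePropertyName Ready `
        -NotePropertyValue ($realtime -and ($state -eq $ExpectedState) -and [bool]$listed) `
        -PassThru
}

# Usage: run from an elevated PowerShell session after the setup commands above.
Test-CfaConfiguration -ExpectedState 1 | Format-List
```

If Ready is false, the individual properties show which precondition failed; a missing folder entry usually means Set-MpPreference was run again later and replaced the list.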
Test file
Scenarios
Setup
Download and run this setup script. Before running the script, set the execution policy to Unrestricted using this PowerShell command:
Set-ExecutionPolicy Unrestricted
To avoid leaving a permissive policy on the machine after the demo, scope the change to the current session instead:
Set-ExecutionPolicy Unrestricted -Scope Process
You can perform these manual steps instead:
- Create a folder under c: named demo, "c:\demo"
- Save this clean file into c:\demo (we need something to encrypt)
- Execute PowerShell commands above
Scenario 1: CFA blocks ransomware test file
- Turn on CFA in block mode using this PowerShell command:
Set-MpPreference -EnableControlledFolderAccess Enabled
- Add the demo folder to the protected folders list using this PowerShell command:
Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
- Download the ransomware test file
- Execute the ransomware test file (this isn't real ransomware; it simply tries to encrypt the contents of c:\demo)
Scenario 1 expected results
About 5 seconds after you execute the ransomware test file, you should see a notification that CFA blocked the encryption attempt. The block is also recorded in the Microsoft-Windows-Windows Defender/Operational event log as event ID 1123.
Scenario 2: What would happen without CFA
- Turn off CFA using this PowerShell command:
Set-MpPreference -EnableControlledFolderAccess Disabled
- Execute the ransomware test file
Scenario 2 expected results
- The files in c:\demo will be encrypted and you should get a warning message
- Execute the ransomware test file again to decrypt the files
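The following PowerShell is an added example and is not part of the original demonstration scripts. It wraps a scenario run (set the CFA state, make sure the demo folder is protected, launch the test file) and then reads the Controlled folder access events that Microsoft Defender Antivirus writes to the Microsoft-Windows-Windows Defender/Operational log (event ID 1123 for a block, 1124 for an audited action), so each run leaves evidence in the log and not only a toast notification. The test file path is a placeholder, since the page does not name the file; the function names are this example's own. Run it from an elevated session.

```powershell
# Added example (not from the original page): run a CFA scenario and collect
# the resulting Defender events. $TestFilePath is a placeholder for the
# encrypt/decrypt test file referenced by the page (its name is not given here).

function Get-CfaEvents {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-10)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124      # 1123 = CFA blocked, 1124 = CFA audited
        StartTime = $Since
    }
    # Get-WinEvent throws when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Outcome = $(if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' })
            Summary = ($e.Message -split "`r?`n")[0]   # first line of the event text
        }
    }
}

function Invoke-CfaScenario {
    param(
        [Parameter(Mandatory)][string]$TestFilePath,        # placeholder, see lead-in
        [ValidateSet('Disabled', 'Enabled', 'AuditMode')]
        [string]$State = 'Enabled',
        [string]$DemoFolder = 'C:\demo\'
    )

    Set-MpPreference -EnableControlledFolderAccess $State
    # Add- appends to the protected list; Set- would replace it.
    Add-MpPreference -ControlledFolderAccessProtectedFolders $DemoFolder

    $started = Get-Date
    # Launch the test file (assumed here to be an executable) and wait for it
    # to exit before reading the log.
    Start-Process -FilePath $TestFilePath -Wait
    Start-Sleep -Seconds 5   # the page says the notification appears about 5 s after launch

    Get-CfaEvents -Since $started
}

# Scenario 1: block mode should yield 1123 events.
# Invoke-CfaScenario -TestFilePath 'C:\path\to\test-file.exe' -State Enabled | Format-Table -AutoSize
#
# Scenario 2: with CFA disabled the files are encrypted and no CFA events are written.
# Invoke-CfaScenario -TestFilePath 'C:\path\to\test-file.exe' -State Disabled | Format-Table -AutoSize
```

Running the same scenario with -State AuditMode lets the encryption proceed, as in Scenario 2, but records a 1124 event for each audited action, which is useful when you want a record of what the test file touched without blocking it.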
Clean-up
Download and run this cleanup script, or perform these manual steps instead:
Set-MpPreference -EnableControlledFolderAccess Disabled
Remove-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
If the files in c:\demo are still encrypted, run the encrypt/decrypt test file again to restore them.