Ransomware is a nasty piece of work. The bad guys hijack your computer, encrypt all your files, and tell you they’ll sell you a decryption key for a certain amount of money. And maybe, just maybe, you’ll actually get the key. It turns out that about half of those who pay never see the key nor do they regain access to their files. The jerks not only take your files, but they take your money, too! Damn crooks… you can’t trust ’em.
It just so happens that Windows provides a strong layer of protection against Ransomware called Controlled Folder Access. (If a folder can’t be accessed, then it can’t be encrypted.) You will need to enable this feature and this week’s Quick Tips article is going to show you how to do just that.
Controlled Folder Access
Follow these few steps to either enable or disable Controlled Folder Access:
- Use the Windows Key + I to open the Settings App
- Choose Update & Security
- In the left panel, choose Windows Defender
- Click the button labeled Open Windows Defender Security Center
- Choose Virus & threat protection
- Choose Virus & threat protection settings
- Scroll down until you see Controlled folder access
That should bring you here:
If you toggle this switch to the On position, two new links will be displayed as shown in the above image:
- Protected folders — Clicking this option will show you a list of all the folders being protected by Windows. You cannot remove the default folders from this list, but you will be able to add/remove folders of your own choosing by using this option
- Allow an app through Controlled folder access — Windows will sometimes block access to a folder that one of your programs needs. This option will allow you to create exceptions for specific programs
If you have ever installed a third-party firewall, then you will be able to relate to this. You install the firewall breathing that satisfying sigh of relief only to be inundated by pop-ups asking if it’s OK to let this or that program through. At first, it will seem as if that’s all you are doing– giving programs permissions. Well, be prepared for a similar experience with Controlled Folder Access.
Windows will immediately begin to block access to many of the programs that you are comfortable using every day. In the beginning it will be a real pain in the neck, but as time goes by, this source of irritation will eventually subside as you add more and more exceptions to your list (as described above). This is the price one has to pay for a very good way to help prevent yourself from becoming a victim of Ransomware. Damn crooks…
As always, if you have any helpful suggestions, comments or questions, please share them with us,
37 thoughts on “Windows 10 Quick Tips – Ransomware Protection”
Hi Richard. This seems to be the last resort for those who do not have anti-ransomware software installed on their computer or a proper image backup, Mindblower!
My two cents:
I agree that a solid backup strategy will make your system bullet-proof, and not just from Ransomware. The advantage of using the built-in Windows protection is that you can’t get infected in the first place. It is a brute-force approach that is currently unbeatable.
Anti-Ransomware utilities have limited capabilities to protect your system, and the advertised recovery capabilities don’t always work. And “recovery” implies that your were infected, and that the utility had failed in the first place. I see AR programs as a gimmick and only serve to give people a false sense of security.
Besides, it’s yet one more service running in the background which ultimately isn’t necessary,
Seems Windows 10 keeps adding new features (hoping to attract users), imo. Seems those using older operating systems must rely on third party utilities for safety, Mindblower!
MS certainly wants everybody running Windows 10, that’s for sure. It makes their job much simpler. They will no longer have to support the legacy software that’s basically been a pain in their collective butts for these past few decades.
I can see it now– all the parties and high-fives when Windows 7/8.x are no longer supported.
It will be the end of an era,
Totally understand and respect this, Richard. But, those who spent money for those older operating systems were/are assured continued support. Total support ends for;
Windows 7 on Jan 14, 2020
Windows 8.1 on Jan 10, 2023
Windows 10 on Oct 14, 2025
With only less than a three year difference and just under four years to go, I believe there is plenty of time to see much greater improvements in the next operating system (positive thinking) and only time will tell if Microsoft can deliver what all users want.
As a (solely) desktop user (might be in a tiny group), I do not need or want those forced one operating system for all platforms, Mindblower!
I’m not sure where you are getting your information, but there will not be a Windows 11. Windows 10 is it. The last a final version of Windows. Windows 10 does not have an end of support date. Only the major upgrades do, and those are generally good for 18 months.
After support for the older versions expires, we can just call it Windows (without a number attached to it). Sure, there will be new builds being made on a regular basis, and yes, those will be given expiration dates, but Windows (10) will continue, ad infinitum. Well, maybe not quite that long 😉
I totally agree with you about the poor souls who paid for the older versions of Windows (myself included). They deserve proper treatment and attention at least until their respective OS expiration dates. I must point out that those same people had their chance to get Windows for free. For those who didn’t take advantage of that opportunity, the time will come when they will have to drag out their wallets and pay for Windows one last time.
I, for one, will be happy if/when the time comes that everyone is using the same Windows OS. It will make everyone’s lives so much simpler. It’s good for Microsoft, it’s good for us, and it’s good for the developers who make our computers so useful,
I am using Zorin 12.1 Core to read DCT, because I am so happy for Microsoft. Their are other options for running a PC.
Linux and its various incarnations offer a very effective alternative to Windows. If Windows ever becomes a pay-as-you-go service, a la Office 365, then I will seriously consider making the leap.
Linux would probably fulfill all my current needs with one major drawback– games. I am not a game junky, per se, but the games I happen to currently love are also games which are not supported by the Linux OS. Bummer.
Honestly, I would like to leave Windows behind, but now is not the time.
Thank you for your comment and also for reading DCT!
I’m glad you’re so happy for Microsoft ?
May I ask what Windows OS are you using to run your games?
10, of course! ?
My must-have games are:
Galactic Civilizations III
Sid Meier’s Civilization 6
There are others I like, but could live without, I guess… maybe… shucks…
Here is where I’m getting my information Richard.
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet and https://www.theinquirer.net/inquirer/news/2418619/windows-10-will-reach-end-of-life-on-14-october-2025 , Mindblower!
The first link you provide verifies my claim. Perhaps you misread it? The end of support dates are for the 6-month upgrades. 1803 is due in April and will further the expiry date for another 18 months.
The current version, 1709, is valid through April 2019. Educational and Enterprise editions offer greater longevity. Enterprise LTSB is a whole other kettle of fish and doesn’t apply to your everyday user.
The second link is from an outdated (2015) source whose integrity I question. Regardless of its old date, the very name “theinquirer” makes my spidey-sense tingle. I could be completely wrong in making this prejudgment based merely on a name, but it isn’t something I’d care to place bets on.
Thanks for your input,
Where does W10 S fit into the future of Microsft and Windows?
I’m not sure I understand Microsoft’s goal here. It’s basically a handcuffed version of Windows 10. On purchased machines running in S-mode, it’s my understanding that you can switch it to Pro with a few clicks. Switching it back isn’t so straightforward, I hear.
Paul Thurrott and Leo LaPorte were briefly talking about it this week on Windows Weekly. You can watch this video at: https://twit.tv/shows/windows-weekly
You probably know as much about it as I do. If you would like to learn more, MS has a FAQ page at this address: https://support.microsoft.com/en-us/help/4020089/windows-10-s-faq
Sorry I couldn’t be of more help,
Interesting reading!! Paul Thurrott is where I ran across W10 S. I guess if one has no desire to change anything or wants Microsoft to have total control of their PC, then this would be the OS to have. It also sounds like a proprietary move, much like the Mac. For some users who can’t seem to download from the internet, without filling their machines with malware or whatever, it might be the smart OS to have. I do not believe I will be trying it anytime soon.
Will this affect any user friendly programs? Like Team viewer etc?
I have yet to see any built-in Windows features/Apps/programs being blocked. On my system, there are several programs I use that were initially blocked including my browser.
I’m using the McAfee suite of products.
In trying to activate Controlled Folder Access as described, it seems you have to also activate Windows Defender Antivirus. Is that correct?
If I activate it temporarily, can I then use the Controlled Folder Access to prevent the ransomware issue from becoming an issue for me? I don’t want to be running 2 antivirus programs at the same time.
Thanks for you articles, I really enjoy reading them.
Thank you for your kind words.
You are right not to run two AV programs concurrently. And, yes, Controlled Folder Access is part of Windows Defender. Until you mentioned it here, it never occurred to me what would happen if someone was running a third-party AV program. Now we know.
My guess, and it’s only a guess, is that CFA will also block McAfee, so you would initially have a small battle on your hands.
And to answer your question about temporarily enabling Defender in order to turn on CFA, I don’t know whether CFA will continue to work after Defender is disabled. I don’t use a third-party AV program so I can’t test it on my system. But you could 😉
Once CFA is enabled you should reboot your computer because there may be many startup programs that CFA will initially block until you add them to the exceptions list. This can be a pain in the neck at first, so be prepared for some drudge-work. You will have to repeat the reboot sequence until you receive no more notifications.
Of course, if McAfee disables CFA, there’s no point in going through that painful process in the first place, so you might want to check that out, first thing.
If you decide to play around with it, let us know what you find out.
With McAfee still activated, the CFA toggle is grayed out, unavailable. So I didn’t pursue it any further. Not gonna go through the hassle of disabling McAfee just to try something with Defender CFA that feels like it “just ain’t gonna work”. I do appreciate your input and wish you the best.
A great article to assist those who don’t know about the seriousness of Ransomeware attacks and should have protection and those who want it and unsure about the effectiveness of ‘snake-oil’ type programs touting un-safe ‘goodies’.
I use Emsisoft Pro and WAR from Win Patrol, and sometimes Emsisoft puts up a barrier on a download/quarantine, then a few days later will advise that after investigation the program was a ‘false-positive’.
During my many years of ‘computing’ I have never had a security breach.
(PC User assisted greatly with good advice.) 😉
While this is a welcome feature, I don’t see how it can be final in any way. Malware writers will simply insert commands to turn off Protected Folders, and we’ll be right back where we were.
Current backups and, even better, off-site backups are the best way to combat ransomware.
You are absolutely correct about backups being the ultimate defense against anything. And you’re right again when you talk about the bad guys ultimately circumventing the Windows protections. But they haven’t done that yet, at least not on this level, so the Folder Protection mechanism is still valid for the time being.
It doesn’t matter how tall a wall you build, someone will eventually figure out a way to scale it,
This article is pretty great– IF you’re a bit tech-savvy. The people I deal with would be ringing me non-stop if I applied this to their machines. It’s better than nothing, but still requires a good working knowledge of tech to implement.
If you’re using Windows, you need regular data backups (not connected to the PC unless actively backing up) & some sort of imaging software. I used a 120GB SSD to fresh install Win 7/8.1 on the machines here which the kids use, imaged them, then upgraded to 10 & imaged that, as well. Then, I put the original drives back (they were all running fine at the time I pulled them). There are now three copies of each in the event of any sort of virus. Each machine is also BIOS/UEFI password protected. It’s not perfect, but it’ll save time later as the install to a new drive will go much faster.
None of us are big-time gamers— about the biggest is LoL. We have consoles for the rest.
I stick to Linux Mint, since 2009. I work repairing MS so it’s really so fantastic to come home and just have my machine work. I know that a lot of people sit back and state that they never have any issues w/MS, but my experience is vastly opposite. Windows updates, alone, wreak havoc. Then, there’s also the dreaded Outlook behemouth– when that thing goes bad, it’s a nightmare to get back on-track….Ugh, no more for me, thanks.
I’m just glad there’s a great alternative to MS and Apple, and getting better all of the time! 😉
It can be a bit heady when you first set this up, especially if it’s on a machine that’s been used for a while. And MS didn’t make it very easy to add those exceptions to the list, either. They need to fix that part up a bit. They don’t always show the full path to the EXE file and that means it can be by guess and by gosh at times. It is still a simple way to lock down those sensitive OS and data files.
Linux is always in the back of my mind– that monkey on my shoulder whispering, “Play with me.” The problem is that there is some software I would find it very difficult to live without. And I really hate the constant password nags. I’ve signed in, already, so let me be!
Actually, I have far less password prompts in Linux. At least I know “why” it asks in Linux. If Linux asks, it’s a file system-level change, so important. In MS, it hounds you incessantly, w/o explanation– and in ANY program in MS, too. I am nearly driven nuts on short MS jobs due to this! When I finally get that done, I’m ordered to restart Windows (no warning)– where I sit for 20 30 mins or more– that’s just BS. PS: shutdown & startup are BOTH held ransom. Sorry if you erroneously thought you could print out your plane ticket…that trip you’re now LATE FOR!
I’m sorry. It is ridiculous. I update Mint w/o any interference in my day. I’m not thrashing you– I’m only letting people know. MS & Apple are NOT the be all/end all.
You’re a good read, Richard. Very good.
“MS & Apple are NOT the be all/end all”
Neither is Linux a replacement for “WINDOWS”, and probably never will be.
But the two can compliment each other if
properly setup. I do run Linux but not as a
replacement for Windows.
Now, if you want to discuss Linux, then why not post your setup over in the Linux
This post is being written using Firefox running in Linux Mint 18.1 Serena. Will be looking for you.
“Neither is Linux a replacement for “WINDOWS”, and probably never will be.”
I disagree.Depending on your usage, it’s easily a replacement. I’m someone who did this– & it was very straight-forward. MS commandeered desktop/laptop tech at it’s infancy. The inroads created/gained by the Linux community ever since are astounding!
Can Linux “best” MS’s strong-arm of the gaming side of things? Or, the CPU-made-Win 10 only? Likely not now- as they saw to that from the start. However, Steam made inroads and you never know how that’ll go.
When MS began, it was Apple who had the photo/video/audio content creators, not MS. MS was all about Office. Most people looked at their MS computers as word processors & email clients, (as that was what they used them for to start with). MS woke up at some stage & tried to regroup but it was a bit late in that game. Same with their mp3 players & phones…
Not to say you cannot do the above in MS now, just that at the start, they weren’t really moving in that direction, and even now Apple software dominates in those areas.
Our unique experiences with Windows regarding password interrogation are like night and day. I haven’t been asked for a password in many moons. To be clear, there is no wireless connection, I live in the country, and no other person uses this computer. I’m sure it would be much different in an office environment.
Thanks for the compliment! I feel… taller, somehow, 😉
I’m going to call you out on that one mate. I’ve been running both Windows (currently 10) and Linux (currently Mint) for many years. During that time, apart from initial logon, Windows has never, not once, asked for my password. On the other hand, Linux is constantly requesting my password, even for the most mundane of operations AND after having just logged on using same. Install software from the repository – password request. Uninstall software – password request. Download and install system updates – password request. It goes on and on.
Ah, I misspoke. I should have said a constant, “are you sure” on everything, UAC on everything, not password. As above, at least with Mint, I know that the prompt is important & isn’t only an, “are you really, really sure” sort of thing. In fact, prompts pop up so often for many Windows users (not to mention the free AV pop-ups) that they click “yes” without giving it any thought– that, isn’t good. I know this– as I service MS home users and they do so as I’m sitting there– and before I can even have a look at what they’re ” agreeing to”.
At least Windows will let a user deactivate UAC, still looking for a way to deactivate password prompt, so I just use a two letter PW.
that should read “deactivate password prompt in Linux”
Applying a no PW is easy in Windows. Not sure why anyone would deactivate a Linux PW? Is that what you meant?
I know the reason why Linux ask for the PW prompt. Like Mr Jim I think it is just silly to have to input a PW for every little thing that is done with the system, especially when one is installing software from the software center that is already their for the user, I can see using a PW when using the command line. If Linux truly wants Windows user to adopt Linux, then maybe it needs to adopt more Windows like features and developed more hardware support. Until this happens Linux will never be a true replacement OS for Windows users, just another tool to extend the life of an old PC.
For all you Linux geeks this is how you edit Linux for PW Prompts
Open Terminal and enter “sudo visudo” and edit the /etc/sudoers.tmp file.
It would help if you read this. I did this just for you Mr Jim.
Comments are closed.