![]() In research published over the weekend, Jesus includes three examples that utilize boobytrapped Office documents (received via spam email) to overwrite the content of other Office documents stored inside CFA folders password-protect the same files or copy-paste their content inside files located outside the CFA folder, encrypt those, and delete the originals. Jesus says that a ransomware developer could easily bypass Microsoft CFA anti-ransomware feature by adding simple scripts that bypass CFA via OLE objects inside Office files. Ransomware can use Office OLE objects to bypass CFA This means that Office apps can modify files located in a CFA folder, either the user likes it or not. The user must manually approve any app that's allowed to edit files located in CFA folders by adding each app's executable to a whitelist managed through the "Allow an app through Controlled folder access" option.īut Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list. Users who updated to the Windows 10 Fall Creators Update received an update for Windows Defender named Controlled Folder Access (CFA) that allows them to block any modifications to files found in user-designated directories. ![]() This feature, described in more depth in this Bleeping Computer review, is part of the Windows Defender antivirus built into all versions of Windows 10. A security researcher has found a way to bypass the "Controlled Folder Access" feature added in Windows 10 in October 2017, which Microsoft has touted as a reliable anti-ransomware defensive measure.
0 Comments
Leave a Reply. |