---
title: Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations
description: Demonstrates how Controlled Folder Access protects valuable data from malicious apps and threats, such as ransomware.
search.appverid: met150
ms.service: defender-endpoint
ms.author: lwainstein
author: limwainstein
ms.localizationpriority: medium
manager: bagol
audience: ITPro
ms.collection:
- m365-security
- tier2
- demo
ms.topic: article
ms.subservice: asr
ms.date: 10/11/2024
appliesto:
- Microsoft Defender for Endpoint Plan 1
- Microsoft Defender for Endpoint Plan 2
---

# Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations
Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Microsoft Defender Antivirus assesses all apps (any executable file, including .exe, .scr, .dll files and others) and then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then the app can't make changes to any files in any protected folder.
## Requirements

- Windows 10 1709 build 16273
- Microsoft Defender Antivirus (active mode)
## PowerShell commands

```powershell
Set-MpPreference -EnableControlledFolderAccess (State)
Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
```

## Rule states

| State | Mode | Numeric value |
|---|---|---|
| Disabled | Off | 0 |
| Enabled | Block mode | 1 |
| Audit | Audit mode | 2 |
## Verify configuration

```powershell
Get-MpPreference
```

## Scenarios

### Setup

Download and run this setup script. Before running the script, set execution policy to Unrestricted by using this PowerShell command:

```powershell
Set-ExecutionPolicy Unrestricted
```

Or, you can perform these manual steps instead:
- Create a folder under `c:` named `demo`, as in `c:\demo`.
- Save this clean file into `c:\demo` (we need something to encrypt).
- Run the PowerShell commands listed earlier in this article.
Next, check the status of the Aggressive Ransomware Prevention ASR rule and disable it for the duration of this test if it's enabled:

```powershell
$idx = $(Get-MpPreference).AttackSurfaceReductionRules_Ids.IndexOf("C1DB55AB-C21A-4637-BB3F-A12568109D35")
if ($idx -ge 0) {Write-Host "Rule Status: " $(Get-MpPreference).AttackSurfaceReductionRules_Actions[$idx]} else {Write-Host "Rule does not exist on this machine"}
```

If the rule exists and the status is 1 (Enabled) or 6 (Warn), it must be disabled to run this test:

```powershell
Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Disabled
```
### Scenario 1: CFA blocks the encryption attempt

- Turn on CFA using this PowerShell command:

  ```powershell
  Set-MpPreference -EnableControlledFolderAccess Enabled
  ```

- Add the demo folder to the protected folders list using this PowerShell command:

  ```powershell
  Set-MpPreference -ControlledFolderAccessProtectedFolders C:\demo\
  ```

- Download the ransomware test file.
- Execute the ransomware test file. Note that it isn't ransomware; it simply tries to encrypt `c:\demo`.

About five seconds after executing the ransomware test file, you should see a notification that CFA blocked the encryption attempt.
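The steps above rely on a desktop notification to confirm the block. The following script is an added example, not part of the Microsoft article, that checks the same state the article's individual commands set (CFA mode against the numeric values in the table, whether `C:\demo` is in the protected folders list, and the status of the ASR rule GUID from the article) and then reads back the Defender operational log so the outcome of the test is verifiable without relying on the toast. It assumes the demo folder is `C:\demo` as in the article, and that the log name `Microsoft-Windows-Windows Defender/Operational` with event IDs 1123 (blocked CFA event) and 1124 (audited CFA event) are the standard Defender Antivirus events for controlled folder access; run it in an elevated session.

```powershell
# Added example (not from the Microsoft article): verify the CFA demo state and
# read back the Defender events produced by the test run.
# Assumptions: demo folder is C:\demo; event IDs 1123 (block) / 1124 (audit) in the
# Microsoft-Windows-Windows Defender/Operational log are the standard CFA events.

$DemoFolder       = 'C:\demo\'
$RansomwareRuleId = 'C1DB55AB-C21A-4637-BB3F-A12568109D35'   # ASR rule GUID used by the article
$DefenderLog      = 'Microsoft-Windows-Windows Defender/Operational'

# Numeric CFA states as listed in the article's table.
$CfaStates = @{ 0 = 'Disabled (Off)'; 1 = 'Enabled (Block mode)'; 2 = 'Audit (Audit mode)' }
# ASR rule action values: 1 (Enabled) and 6 (Warn) are the ones the article says must be
# turned off before the test; 0 = Disabled and 2 = Audit are the remaining standard values.
$AsrActions = @{ 0 = 'Disabled'; 1 = 'Enabled (Block)'; 2 = 'Audit'; 6 = 'Warn' }

function Get-CfaDemoStatus {
    $pref = Get-MpPreference

    $state     = [int]$pref.EnableControlledFolderAccess
    $stateName = if ($CfaStates.ContainsKey($state)) { $CfaStates[$state] } else { "Unknown ($state)" }

    # The protected folders property is $null when nothing has been configured yet,
    # so wrap it in @() and compare paths without caring about a trailing backslash.
    $protected     = @($pref.ControlledFolderAccessProtectedFolders)
    $demoProtected = [bool]($protected | Where-Object { $_.TrimEnd('\') -ieq $DemoFolder.TrimEnd('\') })

    # Rule GUIDs can come back in either case; the article's one-liner uses IndexOf,
    # which is case-sensitive and fails on a $null rule list, so search manually.
    $ruleIds    = @($pref.AttackSurfaceReductionRules_Ids)
    $ruleAction = $null
    for ($i = 0; $i -lt $ruleIds.Count; $i++) {
        if ($ruleIds[$i] -ieq $RansomwareRuleId) {
            $ruleAction = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
            break
        }
    }
    $ruleName = if ($null -eq $ruleAction) { 'Rule does not exist on this machine' }
                elseif ($AsrActions.ContainsKey($ruleAction)) { $AsrActions[$ruleAction] }
                else { "Unknown ($ruleAction)" }

    # Scenario 1 needs block mode, the demo folder protected, and the ASR rule not
    # interfering (anything other than Enabled or Warn), as the article describes.
    $readyForScenario1 = ($state -eq 1) -and $demoProtected -and ($ruleAction -notin 1, 6)

    [pscustomobject]@{
        CfaState              = $stateName
        DemoFolderProtected   = $demoProtected
        ProtectedFolders      = $protected
        RansomwareRuleStatus  = $ruleName
        ReadyForScenario1     = $readyForScenario1
    }
}

function Get-CfaDemoEvents {
    param([int]$MinutesBack = 15)

    # 1123 = CFA blocked a write, 1124 = CFA audited a write. Get-WinEvent raises an
    # error when the filter matches nothing, so suppress it and return an empty result.
    $filter = @{
        LogName   = $DefenderLog
        Id        = 1123, 1124
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Outcome'; Expression = { if ($_.Id -eq 1123) { 'Blocked' } else { 'Audited' } } },
            Message
}

# Usage: run the first call before executing the test file, the second a few seconds after.
Get-CfaDemoStatus | Format-List
Get-CfaDemoEvents | Format-Table TimeCreated, Id, Outcome -AutoSize
```

If `ReadyForScenario1` is false, the object tells you which of the three preconditions is missing; after the test file runs, a 1123 event with the test executable's path in its message is the durable record that CFA blocked the write, and the absence of any event is what you should expect in Scenario 2 once CFA is disabled.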
### Scenario 2: What happens without CFA

- Turn off CFA using this PowerShell command:

  ```powershell
  Set-MpPreference -EnableControlledFolderAccess Disabled
  ```

- Execute the ransomware test file.
- The files in `c:\demo` are encrypted and you should get a warning message.
- Execute the ransomware test file again to decrypt the files.
### Cleanup

Download and run this cleanup script. Or, you can perform these manual steps instead:

- Turn off CFA using this PowerShell command:

  ```powershell
  Set-MpPreference -EnableControlledFolderAccess Disabled
  ```

- Clean up the `c:\demo` encryption by using the encrypt/decrypt file.
- If the Aggressive Ransomware Prevention ASR rule was enabled and you disabled it at the beginning of this test, enable it again:

  ```powershell
  Add-MpPreference -AttackSurfaceReductionRules_Ids C1DB55AB-C21A-4637-BB3F-A12568109D35 -AttackSurfaceReductionRules_Actions Enabled
  ```