
Windows 10 will use protected folders to thwart crypto ransomware - Errorcod3
https://www.helpnetsecurity.com/2017/07/03/windows-10-protect-ransomware/
======
ChuckMcM
One of the "features" (back in the day) of running a diskless system was that
you could set change policy on the server hosting the file which was
completely out of reach of the "client" machine that was running the program.
For nearly all of the system files there was no reason for them to change.
NetApp turned this into a huge win when they could use snapshots to support
multiple VM images with just the small configuration changes.

Given the well known benefit there, and that the processor on your hard drive
is about as powerful as your phone, why not have the drive set up files that
are 'read only' unless allowed to change out of band. Here is how it would
work.

Your disk works like a regular SATA drive, except that there is a new SATA
write option which can write a block as 'frozen'. Once written that way the
block can be read but not written. You add an out of band logic signal and
wire it up to a switch/button that you can put on the front (and/or) back
panel. When the button is pressed the disk lets you 'unfreeze' or write frozen
blocks, when it isn't pressed they can't be changed.

Now your hard drive, in conjunction with a locally operated physical switch,
protects sensitive files from being damaged or modified.

~~~
WalterBright
I would like to have a physical write protect switch on drives I connect via
USB ports. It would be great for backup drives, so you wouldn't inadvertently
goof them up when restoring from them. (Like get the arguments reversed in an
rsync.)

I used such a lot with floppy disks back in the 1980s.

~~~
colejohnson66
Wasn’t write protection a thing on old USB flash drives? I have a 32 MB drive
somewhere that has a WP switch on it.

~~~
etiam
I remember looking for those models some years back.

[http://www.fencepost.net/2010/03/usb-flash-drives-with-hardw...](http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/)

[https://eikonal.wordpress.com/2010/05/21/usb-thumb-drives-wi...](https://eikonal.wordpress.com/2010/05/21/usb-thumb-drives-with-read-onlywrite-protect-hardware-switch/)

Ought to take a look again if they're available now. Even if they still only
come with a few gigabytes of storage there would be some nice applications.

------
zeta0134
Okay, so I know Windows probably doesn't actually work this way, but from a
user interface perspective... what's the rationale on giving an App permanent
access to the user's home folder directories? Don't most well behaved apps
have a file open / folder open dialog, which should be able to grant access to
files at runtime? If the file opening dialog is provided and controlled by the
operating system (I realize many, many legacy apps work differently in
Windows) then the OS can silently grant permissions at the time of open,
rather than letting apps either have free rein or no access at all.

I feel like this is the expected behavior anyway; Power Users may run
utilities that need to touch the whole system, but most regular users are
doing pretty well to juggle more than a handful of open files in their mental
model of the machine while they're using it. The idea of file permissions is
already pretty foreign to the average end user. Applications already have a
designated area (%APPDATA%) where they can store their temporary files and
things, so perhaps the documents folders _should_ be more locked down by
default.

~~~
pjmlp
That is how Windows sandbox for store apps works, the applications cannot
access files directly.

The problem is getting everyone on the store train, and to move away from
classical desktop.

~~~
ryukafalz
It's unfortunate that Windows seems to conflate sandboxing applications and
central control of which applications are available. I'd love all the apps on
my system to be sandboxed, but not if I lose the ability to install
"unapproved" apps at the same time.

~~~
dlp211
This isn't a thing on Windows. You are not required to go through the store in
order to install or run UWP apps.

------
cube00
I've always wondered why Windows and other OSes don't offer a 'cold storage'
area where you need to thaw out files before editing. Files not modified within a
selected time freeze from further modification. I've got plenty of files that
are archived that I'd never want to change, but it's a hassle to
unmount/remount just to add a new file to an existing directory.

~~~
megamindbrian
How about just enabling Shadow copies by default! I don't understand why
Windows has great "Time machine like features", but every fucking time I right
click and go to Properties and look at the "Previous versions" tab and it is
completely empty.

~~~
sgift
Probably because the typical anti-MS comments would be worse for them than the
risk of ransomware (from their perspective):

"Windows eats all my hard disk!! I've updated to <windows xy>/Windows did an
update and now all my disk space is gone!!! Don't update!!!!"

"New MS update steals your disk space, here's how to stop it"

And so on, and so on.

~~~
cm2187
No it wouldn't be turned on by default. If it was every software that you run
occasionally would break. This would be opt-in for certain folders.

~~~
brainfire
No, this thread is about shadow copies being turned on by default.

------
Meph504
My concern is first off, this seems like it is going to break a massive number
of applications. It also seems that they are pushing this layer of access
management that doesn't have proper support on any platform but UWP.

I see this as Microsoft taking yet another step to force people to move to
their new Appstore model by choking the access to the operating system away
from any other platform, which I find really amusing because their own top
tier applications aren't built on these platforms (office, visual studio,
etc..).

~~~
pjmlp
Better update yourself.

The next version of Office and Note for Windows 10 are going to be store only.

At Build they also had people from Adobe, Cakewalk and Kodi showing their
desktop apps ported to the UWP via the Desktop Bridge.

Like they did with WPF and Visual Studio, they are pushing everyone into the
train by dragging their own devs into it.

~~~
0xffff2
> Like they did with WPF and Visual Studio

Except Visual Studio _isn't_ using anything newer than WPF yet, is it?

~~~
pjmlp
You completely missed the mark.

.NET developers only started taking WPF seriously after the performance
improvements Microsoft did to WPF, which took place after Visual Studio team
adopted WPF to prove its quality.

If you intended to do any remark regarding UWP, first WPF is not going
anywhere as communicated to those that care to learn what goes at Build, and
second the architecture between WPF, Silverlight and UWP is almost the same,
just a few differences regarding XAML features and .NET APIs.

------
hippich
So the last ransomware we saw in the news actually tried to reboot the system and
encrypt files before the OS is loaded. So unless that new tech is going to protect the MBR
(which should be protected anyway) - not sure how it is going to stop encryption.

~~~
satysin
This is why Secure Boot is a thing.

~~~
KallDrexx
Wouldn't secure boot just prevent you from booting into the invalid MBR? At
that point your files are already encrypted and your MBR already over-written,
Secure boot is just preventing further exploitation.

~~~
sedachv
You can get around UEFI Secure Boot by installing an old signed bootloader
with known exploits (if I understand correctly this is why the "Secure Golden
Key Boot" exploit of last year[1] cannot be patched without changing public
keys in the UEFI firmware). Not only that, the code that is shared by most
UEFI implementations is garbage[2] with a large attack surface; exploits
against the firmware are a possibility.

The primary function of UEFI Secure Boot is for Microsoft to prevent other
operating systems from being installed on as many systems as they can get away
with (right now there is no provision that end users should be allowed to
disable Secure Boot on ARM devices, for example). The "security" functionality
is an unworkable side-effect that provides a convenient fiction to accomplish
that goal.

[1]
[https://www.reddit.com/r/netsec/comments/4wybax/writeup_of_s...](https://www.reddit.com/r/netsec/comments/4wybax/writeup_of_secure_boot_bypass_which_i_dub_secure/)
[2]
[https://www.youtube.com/watch?v=V2aq5M3Q76U](https://www.youtube.com/watch?v=V2aq5M3Q76U)

------
jakobdabo
Completely unrelated, but am I the only one with the impression that MS has
switched Windows into a rolling release OS (like Gentoo or Arch) with infinite
updates of Windows 10? This would be a genius move to solve the issue of the
users remaining on the old unmaintained release like it was with XP, and like
it is now with 7.

~~~
copperx
Just like OS X (10). It's like everybody is afraid to go to 11.

To be fair, software is a recent human endeavor, and except for Emacs, I'm not
familiar with software versions over 10.

~~~
ken
In operating systems, FreeBSD, HP/UX, and Solaris are all on version 11. iOS
11 is in beta now.

In databases, Oracle and Informix are both on version 12.

I think the lack of high version numbers is not necessarily paranoia, but
simply that there isn't much software that's old enough yet.

------
ComodoHacker
I always thought protecting users from malicious code they willingly download
and run themselves is futile and a waste of developers' resources.

Do I miss something and this is actually a viable security approach?

~~~
pfg
It's not going to do much for targeted attacks, but there are definitely ways
to limit the damage for large-scale ransomware attacks. As it is right now,
ransomware doesn't even need to bother with privilege escalation because files
valuable to users are most likely owned by them. Not to say that all
ransomware malware sticks to just user privileges, but it's usually enough to
get the job done.

Having a sort of firewall for file systems that's enforced by the system means
that in addition to getting code to run with user privileges, the malware
authors need to trick the victims into giving the software root (which might
be impossible on enterprise networks), or use a privilege escalation
vulnerability to do that.

Of course, people could still click through prompts, allow access to all apps
due to warning fatigue, etc., but it's an improvement - if done correctly.

------
floatboth
> If an app attempts to make a change to these files, and the app is
> blacklisted by the feature, you’ll get a notification about the attempt

So it's allow default? That sounds useless.

We need a deny default thing. Like Little Snitch but for disk. Every time an
app accesses a directory it hasn't accessed before, ask. (Skip asking when
files are opened using the system "Open file" dialog for a bit less
annoyance.)
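The feature the article describes shipped in Windows 10 version 1709 as Controlled Folder Access in Windows Defender, and it is closer to the deny-by-default model asked for above than the article's wording suggests: writes into protected folders are refused unless the app is on Microsoft's own trust list or on a local allow list, and there is an audit mode that logs instead of blocking. The following is an added example (not from the article or from Microsoft's documentation) showing how to turn it on in audit mode first, add an archive folder of the "cold storage" kind discussed earlier, allow-list one application, and read back what it would have blocked. The folder and application paths are placeholders; run it from an elevated PowerShell prompt with real-time protection enabled.

```powershell
# Added example: configuring Controlled Folder Access (Windows 10 1709+).
# Paths are placeholders chosen for illustration. Requires an elevated prompt
# and Windows Defender real-time protection switched on.

# 1. Start in audit mode: nothing is blocked, but every write a non-trusted app
#    makes into a protected folder is recorded, so you learn what would break
#    before you enforce anything.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Protect folders beyond the defaults (Documents, Pictures, Videos, Music,
#    Desktop, Favorites of each profile). An archive that should rarely change
#    is the obvious candidate.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Archive'

# 3. Allow-list an application Defender does not already trust. Apps Microsoft
#    classifies as trusted (Office, Explorer, ...) need no entry here; an app
#    with no trust rating is the one the article calls "blacklisted".
Add-MpPreference -ControlledFolderAccessAllowedApplications `
    'C:\Program Files\ExampleVendor\editor.exe'

# 4. Confirm the configuration took effect.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# 5. Review what audit mode recorded. In the Defender operational log,
#    event 1124 is an audited (would-have-blocked) write and 1123 is an actual
#    block once enforcement is on. The message names the process and the path.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Id, Message

# 6. When the allow list covers everything legitimate that showed up in step 5,
#    switch from logging to blocking.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Two caveats a practitioner would want: the setting is changed with Set-MpPreference, which needs administrator rights, so ransomware running under the user's own account cannot simply switch it off; and the allow list is path-based, so an allow-listed application that can be driven to write arbitrary data (a macro, a plugin, an injected DLL) still gets through, which is the concern raised later in the thread about attackers targeting whitelisted apps.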

------
vxNsr
I think that the most recent attack in Ukraine already overcame this obstacle.
They were able to use an in-place update system by a trusted software vendor
to install their malicious code on the victim's computer. That software would
almost certainly have had permissions even under this list, so it's not that
effective.

------
sitkack
How about using ML to detect profiles of access and disallowing un-common
access patterns? If I only use VS Code to access my source, prevent win-malwr.sys
from accessing that folder.

~~~
yjftsjthsd-h
And then one day you want to zip up the project to send to a friend, run an
external linter on it, or make backups. ML depends on an adequate training
set, and real life uses change quickly enough to break it.

~~~
sitkack
The OS would confirm that it was an end user making the action not malware. It
is about the automatic creation of security rules based on observed behavior.
The other option would be to create everything manually, which doesn't happen.

~~~
ric129
Browsers have already taught us how useless this is, users will always click
through.

------
bpodgursky
I'm surprised Google hasn't run a Chromebook advertising campaign which just
says "use a Chromebook and never care about ransomware again"

~~~
heartbreak
Because files on Google Drive cannot be encrypted?

~~~
bpodgursky
Google has old versions of all the files, and would immediately revert them
when they detected a virus going around.

~~~
mulmen
What if the malware just waits a few months to spring the news that your files
are encrypted? Offsite backups don't save you from encryption based attacks.

------
d--b
This sounds like a feature that will be painful to work with for regular apps,
but that malware will easily work around.

I mean I am no security expert at all, but you kind of need administrative
privilege to install malware, so why not keep it to access all the folders
you need?

~~~
muricula
You don't need administrator privilege. You just need to double click an exe.

------
ocdtrekkie
This seems like a good idea, and I'm pretty excited to see this step. Though I
suspect if certain apps are whitelisted to edit in those folders, ransomware
will simply turn to finding exploits in those apps. And most of your document
and photo editing apps out there may not have been designed with security in
mind, as they never expected to be gatekeepers of file access.

This will also probably be a UAC-level nightmare for getting old software to
work on newer PCs, as today's software generally just assumes it can have file
access to document folders.

~~~
Santosh83
Many of the ideas seem good for a corporate/enterprise setup where you lock
the system down to run a few business/tech apps, but not so pain-free for
desktop users. I mean, nearly every app on my system needs access to the usual
folders. Unless MS bundles a good whitelist of approved apps, granting
permissions is going to get really annoying.

~~~
ocdtrekkie
Akin to Windows SmartScreen and stuff, I expect Microsoft to offer the
whitelist as a service. Obviously, they wouldn't want to cause extra headaches
in getting Microsoft Office and the like to have access to your documents.

------
bsder
How about we just have "copy-on-write" filesystems by default?

Something which then tries to "encrypt" your hard drive merely winds up
creating another layer on top which you wipe out to get back the original
files. You only have to flip a "hardware switch" when your disk fills up or
you get a catastrophe.

I cry every time I see something that IBM or DEC got right _40 years ago_ that
we _STILL_ haven't adopted.

~~~
cctan
Why was this not implemented widely? I mean not in source control systems like
git or TFS, but built into OSes.

------
lucb1e
What are "end-to-end security features"? They mention it once but then never
again.

As far as I know, the term end to end is about communications: an exchange
between two or more parties, or endpoints, which can be encrypted "end to
end". I'm afraid they just dropped it as another term nobody knows the meaning
of, so we'll have to find a new term to describe why Signal and Wire are
better than (non-PGP) email.

~~~
Meph504
"end to end" has been a term in common use in language since the 1800s meaning
complete coverage. look it up on the oxford english dictionary for more
details.

~~~
lucb1e
Oh, right, objects can lie end to end and have nothing to do with encryption.
I had never heard it in security context without meaning e2e encryption.

------
Kenji
I'm skeptical. The cost of managing these permissions might outweigh the
benefit. But hey, why not try it. As long as I can disable it when it ends up
getting in my way...

------
MichaelBurge
Linux has had the same issue for the longest time: You need root or a
capability to set the time, but any program you run can wipe your entire home
directory.

~~~
tormeh
[https://xkcd.com/1200/](https://xkcd.com/1200/)

------
dboreham
Perhaps the place to implement countermeasures is in the disk drive (SSD these
days)?

e.g. arrange for the drive to never delete anything unless some key exchange
has recently been done, that depends on user input (bio parameters, or
password).

From a user perspective you'd see this as :

All deletes (and file version changes) go to a recycle bin. Emptying the bin
can only be done upon presentation of the secret.

~~~
mtgx
Do you trust any of the SSD makers to implement proper and updated (obviously
necessary) counter-measures against ransomware?

They can't even get encryption right.

[https://motherboard.vice.com/en_us/article/mgbmma/some-popul...](https://motherboard.vice.com/en_us/article/mgbmma/some-popular-self-encrypting-hard-drives-have-really-bad-encryption)

[https://www.theregister.co.uk/2015/10/20/western_digital_bad...](https://www.theregister.co.uk/2015/10/20/western_digital_bad_hard_drive_encryption/)

------
ksk
I wonder if MS has given any thought to 'sealing' executable regions so no new
instructions can leak into memory. IOW Once executed, a process can only
reference instructions present in the binary itself. Basically make running
JIT-ed code, self-modifying code, etc, a special process privilege, that can
then have a limited process context for I/O.

~~~
pjc50
Isn't that a subset of W^X / DEP [https://support.microsoft.com/en-sg/help/875352/a-detailed-d...](https://support.microsoft.com/en-sg/help/875352/a-detailed-description-of-the-data-execution-prevention-dep-feature-in) ?

Can be defeated by "return-orientated programming", which uses only the
existing instructions in the binary and a modified stack.

~~~
ksk
Yeah, DEP + ASLR already addresses some of this. Perhaps the stack regions
could partially be set to read-only to protect return addresses.

~~~
kevingadd
Control Flow Integrity is one technique for addressing these sorts of attacks:

[https://www.microsoft.com/en-us/research/wp-content/uploads/...](https://www.microsoft.com/en-us/research/wp-content/uploads/2005/11/ccs05.pdf)

IIRC there are even some experimental efforts to add hardware support for CFI
techniques to new processors (Intel I think?) but there's work going on to add
support for it to modern compilers, which would allow you to compile libc and
other system libraries with it turned on.

EDIT: It appears Clang actually ships with some CFI support already:
[https://clang.llvm.org/docs/ControlFlowIntegrity.html](https://clang.llvm.org/docs/ControlFlowIntegrity.html)

------
topkeker
This seems like another strange workaround. We need to change the way the
operating system behaves for the future. The problem is default allow for
untrusted code to execute. Everyone recognises this as the problem, no one
wants to step forward and implement the change.

We do it for mobile, mostly, the desktop needs the same shift.

~~~
muricula
That basically means forcing everyone to sign their code and offer it through
the App Store. You'll see developers complaining about that upthread.

Windows 10 does make code signing mandatory for new drivers, and the drivers
must pass a suite of acceptance tests.

~~~
topkeker
You're right, but people complaining shouldn't dictate life. People also
complain about being crushed by ransomware. Not to say they don't have a valid
point, but the paradigm needs to change.

We used trusted stores for certificates and mobile applications, it's time for
the desktop to do the same beyond drivers.

Not to say things won't creep through, but default allow needs to go for this
to be truly solved, not a new feature or vendor product.

------
Someone
_" If an app attempts to make a change to these files, and the app is
blacklisted by the feature, you’ll get a notification about the attempt,”
Microsoft explains."_

I don't understand. If they have a blacklist, why ask the user? Or is
"blacklisted" used loosely here to include code flagged by heuristics?

~~~
firebird84
Perhaps "brownlist" would be more appropriate

------
faragon
The filesystem itself is a risk: per-user default permissions so any
application launched by one user can trash all his files is scary. Even
applications being able to access other installed applications is dangerous. I
hope the industry finds a way between all closed (a la Apple) and all open.

------
unclebucknasty
Or "Windows Will Protect Vulnerable Client Software With More Client
Software".

Wouldn't it be much easier and more effective to offer a one-click low cost
encrypted cloud backup-service? They could bundle this with Update or Defender
to offer point in time recovery.

------
jamesfmilne
macOS already does this.

System Integrity Protection.

[https://support.apple.com/en-gb/HT204899](https://support.apple.com/en-gb/HT204899)

[edit] apologies, indeed, SIP only protects system files, which is not what
this article is about.

~~~
Shank
This is about protecting user files and areas, not the system files. A user
level ransomware can indeed encrypt all /home/$user contents on macOS just as
easily as it can C:\Users\$user on Windows.

------
bArray
This seems like a rushed reaction to recent events - I think there will be
problems as a result of the rushed implementation. I could only begin to
imagine the embarrassment if this was the cause of the next zero day attack.

~~~
BrandonLive
What?

------
rix0r
The UI is not really explained. I hope this is not going to train more
generations of Windows user to click "yes yes yes" in response to annoying
dialogs.

------
Mo3
.. what about the existing file versioning and backup tools?

~~~
Ghostium
Also some crypto trojans delete or even encrypt your snapshots if you are using
the existing restore software from Windows.
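Both the "why isn't Previous Versions populated by default" complaint earlier in the thread and the point just above about ransomware destroying snapshots come down to the same mechanism: Volume Shadow Copy keeps its copies on the same volume, System Restore is often off, and an administrator can delete every copy with one command, which is exactly what most ransomware families do before encrypting. The following is an added example (not from the thread) in two parts: first check whether there is anything to restore from and create a baseline, then a small detection function run over constructed process-creation command lines of the kind that appear in Security event 4688 (with command-line auditing enabled) or Sysmon event 1. The sample command lines are made up for this example and are not real logs; the function and pattern list are mine, not a Microsoft or Sysmon artifact.

```powershell
# Added example: shadow copies as a ransomware target.
# Part 1 needs an elevated prompt. Part 2 runs anywhere.

# --- Part 1: is there anything to restore from? ---
# System Restore is frequently disabled on Windows 10, which leaves the
# "Previous versions" tab empty. Enable it and take a baseline snapshot.
# (Checkpoint-Computer refuses to create more than one restore point per
# 24 hours unless the SystemRestorePointCreationFrequency registry value is changed.)
Enable-ComputerRestore -Drive 'C:\'
Checkpoint-Computer -Description 'baseline' -RestorePointType 'MODIFY_SETTINGS'
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName |
    Format-Table -AutoSize

# --- Part 2: detect the commands that destroy those copies ---
# Feed this function command lines from process-creation events. It returns
# one object per hostile line, naming the pattern that matched.
function Test-ShadowCopyTampering {
    param([Parameter(ValueFromPipeline)][string]$CommandLine)
    process {
        $patterns = @(
            'vssadmin(\.exe)?\s+delete\s+shadows',
            'vssadmin(\.exe)?\s+resize\s+shadowstorage',  # shrinking storage evicts old copies
            'wmic(\.exe)?\s+shadowcopy\s+delete',
            'Win32_ShadowCopy.*(Delete|Remove)',          # the WMI / PowerShell route
            'wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)',
            'bcdedit(\.exe)?.*recoveryenabled\s+no',
            'bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures'
        )
        foreach ($p in $patterns) {
            if ($CommandLine -imatch $p) {
                [pscustomobject]@{ Pattern = $p; CommandLine = $CommandLine }
                break
            }
        }
    }
}

# Constructed sample lines (not real logs): two benign, four hostile.
$sample = @(
    'vssadmin.exe list shadows',
    'C:\Windows\System32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet',
    'wmic.exe shadowcopy delete',
    'bcdedit.exe /set {default} recoveryenabled No',
    'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"',
    'notepad.exe C:\Users\alice\notes.txt'
)
$sample | Test-ShadowCopyTampering | Format-Table -AutoSize
# Expected: four rows (the vssadmin delete, wmic, bcdedit and WMI lines);
# "list shadows" and notepad are not reported.

# Against the live Security log. Requires "Audit Process Creation" plus
# "Include command line in process creation events" in Group Policy; in 4688
# the command line is the ninth property (index 8) of the event.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
    -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Properties[8].Value } |
    Test-ShadowCopyTampering
```

The detection is only as good as the audit configuration: without command-line logging, 4688 shows the process name and nothing else, and the vssadmin patterns never fire. It also fires only after the deletion has been requested, which is why an off-host or immutable copy, rather than a snapshot on the same disk, is what actually preserves the files.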

------
TekMol
How often are browsers affected by 0-day exploits these days?

If they are not, wouldn't using web applications and keeping your system up to
date solve the whole issue?

------
revmoo
Countdown to malware using this feature to prevent removal

------
callesgg
To me it seems like part of the definition of a zero day exploit makes it
impossible to stop.

~~~
Shorel
Part of the definition of a zero day exploit requires software providers to
constantly fix issues, otherwise a thousand days exploit would be enough to
compromise a system, and no zero day concept would have been necessary, they
would be just called exploits.

~~~
schoen
At least, it requires _someone_ to be able to act in mitigation. That might
also be the user of the software (if they can patch it, find a workaround,
have some other software validate inputs or detect attacks, etc.).

