
Does anybody use Windows' new "controlled folder access" feature already?


#1

I have added a few testing folders. Also, I have put Opus on the list of exceptions, because I suppose it is required to make the program work as intended (like renaming stuff, or deleting). No problems so far.


#2

Is Explorer whitelisted by default with that?

If it is, I suspect it'll work well against existing malware, but future malware will be written so that it modifies the files via explorer.exe, knowing it is whitelisted.

Windows has no protection against one process making another process (that is owned by the same user) do things on its behalf, so anything based on whitelisting processes only requires a little bit more sophistication on the part of the attacker, especially if they can know or find out which processes are whitelisted.

Maybe Windows does something to protect against this as well. I don't know the exact details of how the new feature works. But it sounds a bit like the UAC whitelist MS gave themselves in Windows 7, which essentially then allowed anything (that wanted to be naughty; but not things that were well behaved) to easily bypass UAC without waiting or prompting the user.


#3

Not yet. Exactly because of the reasons you've mentioned in the next sentence. But I wasn't sure to what extent Opus uses just the same API (or whatever module), which could soften the protection. But I figured, as long as Opus is rather a bit "exotic", concerning its market share (which hopefully will get better), it might be another obstacle for potential attackers.

Yes. I hope that they will add some more granularity to it, enabling us to control which child or parent process is allowed to manipulate the main process.

Neither do I. But it sounds promising, & for the first time in a very long time I got rid of my old AV, & changed to use Windows Defender. Mainly because I wanted to use that new feature.

It's a very interesting approach anyway. But I must mention that I additionally use two other Anti-Crypto applications, which are pretty lightweight in terms of system load (as far as I can see). Plus, making frequent backups to some offline hard drive, of course. You cannot be paranoid enough about your data! :)

Thanks for the answer.


#4

Hmm, interesting. I guess if you have read-only access to the folders in Explorer (and Opus) by default it is enough for a lot of things, and you can whitelist the programs you use to make changes there. That makes sense in some ways. Malware would have to try injecting into every process until it found one that worked, which may not even be running at the time. OTOH, not being able to copy, rename or delete files by default seems a bit of a pain for documents folders and so on, but whitelisting Opus seems safer than whitelisting Explorer, as you say.

I've always had some folders that need UAC elevation to modify for sort-of similar reasons, although more to protect against badly written software (like Windows Media Player, which used to downgrade the cover art in music files without asking) or accidents (like someone drunk using the TV PC and deleting something by mistake :D). Maybe this provides a nicer way to do that, although I wonder how it will work with network folders.


#5

I would like to add to this with some observations. First, like UAC when it was introduced in Vista, "CFA" (Controlled Folder Access) can be a little annoying at a minimum although it may be worth it, even with its simplistic current capabilities.

Previously, I have at least sometimes (I reinstall Windows between 2-4 times a year since for...well...forever) given DOpus permanent Admin access, but after my last Windows 10 installation became unbootable after only a few months, I'm acting out of an abundance of caution, not because I suspect DOpus, but anything I run through DOpus could potentially have caused an issue, and my having previously granted the permanent access just isn't an advisable SoP if it can be helped.

There's a partition where my old, previous (and non-booting) Windows 10 installation is. There are reasons (laziness, not priority) that I want to keep my user profile folder/Users for now, so I don't want to reformat it or deal with it for now, but I want to delete as much as I can of the larger folders (Windows/Program Files...) to use the drive as temporary space. Throughout repeated attempts to delete those two folders with Directory Opus, even after granting DOpus temporary 30-minute Admin access and with DOpus being whitelisted in Controlled Folder Access, I get notifications such as the below (at the bottom of this text) complaining about some dllhost.exe that's in some subfolder of the Windows folder. I may have seen this in a few other DOpus-related operations as well.

DOpus still deletes what it can and for now, I'm unwilling to whitelist dllhost.exe as I believe I've seen it give the same notification for a few other operations with some of my other programs. As has always been typical of my experience with Windows, including through Windows/File Explorer, subsequent attempts to delete the same folders do result in more and more being gradually deleted while still not deleting everything that I intend to. I've started the same, long, deletion attempts at least 3-4 times, some one after the other and some over the course of several days and after relatively fresh reboots, and am running it again currently.

Note that I have in some special cases temporarily disabled CFA for some programs/functions unrelated to DOpus. This, too, is something which needs to be improved instead of requiring so many clicks to get to where it can be enabled/disabled, however, it's obvious that although the feature is out of the Insider Build ring and into the "mainstream", since it's disabled by default and not particularly called attention to from within a new Windows 10 installation that I've noticed, it's similar to how Windows 10 itself is, a work in progress, and an early one at that.

For the record, I don't really suggest DOpus add particular support/workarounds/anything having to do with CFA at this point since it's destined to either become radically changed over the next year or even possibly disappear, small chance the latter may be.

I also aggressively take advantage of Windows 10's defer updates feature to keep feature improvements at bay for at least 3 months, to prevent sudden bugged changes, but I am curious enough that I'll use the latest official Windows 10 ISO when fresh installing.
