Jul 19 2023 11:11 PM - edited Oct 21 2023 11:11 PM
Hi All. I am working on enabling CFA on some machines and started with some test VMs at first. I created the ASR rule, enabled Controlled Folder Access and assigned it to a group to which my test VMs are members of.
When checking in PowerShell, CFA is enabled on the machine:
I am then using the test ransomware from the Defender Test Ground that encrypts files in C:\Demo. The issue I'm facing is that the ransomware encrypts the files, even though CFA is enabled. What am I doing wrong? Thanks.
Jul 23 2023 11:13 PM
I ran into that too. It looks like the CFA test tool is now a trusted application and can therefore write into protected folders.
You could remove PowerShell as a protected application and use a PS command to create a file in a protected folder, e.g.
Write-Output "CFA Test File - Can be deleted" | Out-File -FilePath "$($env:USERPROFILE)\Documents\CFA-test.txt"
CFA should block this.
Jul 27 2023 12:58 AM
@am1357, thank you for the answer. Do I need to remove PS as a protected application at a device level or can I do it from Intune? It shouldn't have any other negative effects on running PS I guess, right?
Jul 27 2023 01:39 AM
@The737 It should be possible to remove that from the device itself using
Remove-MpPreference -ControlledFolderAccessAllowedApplications "PS PATH"
https://learn.microsoft.com/en-us/powershell/module/defender/remove-mppreference
Oct 05 2023 11:14 AM
@am1357, coming back to the thread after a longer break. I can't remove PowerShell from the allowed applications list. Tried both the PowerShell and the path to the encryptor from the playground. I get the same error. Any help would be appreciated.
Oct 05 2023 10:52 PM
@The737Ah, I see. Looks like tamper protection might stop you from making changes. How did you add PS as an allowed application in the first place? Intune?
Oct 21 2023 11:12 PM