How to enable Ransomware Protection in Windows Defender and add custom folders to it
Windows Defender has been gaining a foothold steadily for the past few years. But there is one flaw in the antivirus that ships with Windows 10.
The option for Ransomware Protection is disabled by default even though it has been available as a native option since the release of Windows 10 version 1709.
Initially I was bemused by this, but then I thought it is possible that Windows Defender could identify a legitimate application as a threat and block it, which is not something the user would want.
Quite a few third-party anti-ransomware programs exist and they do suffer from false positive issues as well. Check out our reviews of AppCheck AntiRansomware, Acronis Ransomware Protection, TrendMicro Ransombuster, or our overview of Anti-Ransomware software for Windows to get started.
For those unaware, ransomware is one of the deadliest forms of malware. It silently encrypts your data (pictures, videos, documents are commonly targeted), thus preventing you from accessing them.
It may even lock the bootloader when you reboot/turn off the computer. The malware displays a screen demanding a ransom from the user which usually involves a crypto-currency payment address that you have to send money to.
There is no guarantee that a payment will provide the unlock key required to regain access to files that the ransomware encrypted while it ran on the system. Ransomware attacks are often accompanied by a timer to add another pressure layer to the ransomware demand. Affected users are asked to pay the amount in time as they won't be able to decrypt their files anymore once the timer runs out.
Decryption tools are available for some ransomware types but these are released after an outbreak usually and not available right from the get-go.
Many companies, hospitals, and users fell victim to ransomware already. You may have heard of the ruckus caused world-wide by the WannaCry ransomware back in 2017, and that is just one example of ransomware causing havoc worldwide.
Besides being very cautious when using the computer, there are only a few options to protect against ransomware attacks. Two of the most effective are backups and security software that protects against ransomware.
How to enable Ransomware Protection in Windows Defender
1. Open the Windows Security Dashboard by double-clicking on the Defender taskbar icon (or use the Settings app and select Update & Security > Windows Security).
2. Click on Virus & Threat Protection.
3. Scroll down to Ransomware Protection.
4. Click on Manage Ransomware Protection (click Okay on the UAC pop-up if it is displayed).
5. On the next page, you will find a toggle for Controlled Folder Access. Enable the option. That's it.
Most antivirus programs use behavioral scanning to prevent zero-day attacks (new or unidentified malware). In other words, they monitor your computer's services, applications, anything in the background, for suspicious activity. For example, when an otherwise harmless file tries to gain access to your documents folder to execute a script that encrypts the files in it, Windows Defender will stop the malware to protect your data. It's a sort of intrusion prevention or anti-exploit method.
By default, the Ransomware Protection only covers specific folders. To view the ones that are secured, click on the Protected Folders option. It's just the User folders like Documents, Pictures, Videos, Music, Desktop, Favorites by default.
Tip: Add blocked programs to Controlled Folder Access' whitelist
So, what happens if a ransomware targets files in other folders? The files are affected unless the ransomware is quarantined before it starts to encrypt files on the device. Fortunately, there is a way to secure them.
There is an option on the top of the Protected Folders screen, which says "Add a protected folder". Click on it and choose any folder you want and it will be protected by Windows Defender. The folders can be on any partition or hard drive: they will be secured by the feature.
This method is not completely fool-proof but it's better than nothing. You might want to back up your data to an external drive regularly as well. Don't forget to check out ConfigureDefender for more control.
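The same settings can be applied from an elevated PowerShell prompt with the Defender cmdlets; the script below is an added example, not part of the original article. The folder paths are placeholders, and starting in audit mode (so that would-be blocks are only logged until the allow list is right) is an assumption made here.

```powershell
#Requires -RunAsAdministrator
# Added example: the folder and application paths are placeholders (assumptions).
param(
    [string[]]$ExtraFolders = @('D:\Projects', 'E:\Photos'),  # placeholder paths
    [string[]]$AllowedApps  = @(),                            # full paths to trusted .exe files
    [ValidateSet('Enabled', 'AuditMode')]
    [string]$Mode = 'AuditMode'                               # AuditMode logs only; Enabled blocks
)

# Controlled Folder Access relies on Defender real-time protection being active.
if (-not (Get-MpComputerStatus).RealTimeProtectionEnabled) {
    throw 'Defender real-time protection is off; Controlled Folder Access will not work.'
}

Set-MpPreference -EnableControlledFolderAccess $Mode

# Add each custom folder once; skip paths that do not exist on this machine.
$current = @((Get-MpPreference).ControlledFolderAccessProtectedFolders)
foreach ($folder in $ExtraFolders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }
    if ($current -notcontains $folder) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
}

# Allow trusted applications that would otherwise be blocked from writing.
foreach ($app in $AllowedApps) {
    if (Test-Path -LiteralPath $app -PathType Leaf) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    } else {
        Write-Warning "Skipping missing executable: $app"
    }
}

# Show the resulting configuration (custom folders and allowed apps only).
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications | Format-List

# Recent events: 1123 = write blocked, 1124 = would have been blocked (audit mode).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The event messages name the process that was blocked and the path it tried to write to, which is the information needed to decide what belongs on the allow list before switching `-Mode` to `Enabled`.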
Usually we ask you to share what programs you use. This time, I want to ask you something else. Have you ever seen a computer affected by ransomware? How was it dealt with?
Yes I got the Adame Ransomware and it started to change the filename extensions. I was warned by AVG on a number of steps when I was searching for something desperately. So I was ignoring the warnings until I realized the computer was doing something by itself. Immediately I disconnected from the internet and my data file backups on other drives. It managed to change a lot of my data in just those few seconds. Fortunately, the data affected had backups. I then installed a search program (“Everything”) and it thoroughly found all files that had the word “adame”. Just to be sure I just reformatted the whole drive and did a clean install.
Can this be also done on domain level, with Group Policy? I can’t find the Defender options
Mine says next to Ransomware, “no action needed”
I assume it’s on by default now.
To answer your question, yes, my PC was attacked by ransomware (I don’t know how or why – I don’t do porn or piracy and I always manually go to the website using my bookmarks when a company asks me to click a link in an email, and I am merely a home user). I simply restored to most recent backup on external SSD that is kept disconnected unless making or restoring from a backup.
I then began using Bitdefender AntiRansomware. I don’t think I have been attacked again as I think Bitdefender would have told me that it intervened, but I am not sure about that. At any rate backups solve so many issues without the hassle of seeking solutions to the problem that it is inconceivable not to use them.
@exrelayman – One way to get ransomware is from someone you know who has access to your computer and/or network. See, with some ransomware, instead of paying them for the decryption key, they will alternatively give you the key if you infect 3 others who pay.
I tried to set this up after reading this (using Windows Defender quite some time already after the free protection programs started nagging way too much) but some stuff doesn’t really work well.
I set one of my drives up to be protected but one application accesses some data on that drive so the first time it came up with the message “Protected folder access blocked”. I then gave the app permission to access that folder but every time the app accesses that folder now, it is blocked although it is in the list of apps that are allowed to access that particular folder. What gives?
Answer:
My mother complained she couldn’t find a file.
I found all files had the extension .vvv .
Then there were text-files sprinkled in between with the ransom claim.
She doesn’t have many files, so I’ve set her up with free Dropbox.
Even free, they keep 30 days of changes.
So after cleaning out the ransomware I reverted all files to the version just before.
This was many, many years ago.
While I find this a noble attempt by Microsoft to thwart ransomware it is very clunky and inaccurate, there is little wonder it is off by default.
The main problem I have had is even after adding executables to the white list they are not recognised, this includes Libre Office, some games, and other applications.
I have the same question. I have Kaspersky Internet security and it has antiransomware protection. If I enable the above feature, will it conflict with my antivirus?
You can’t enable it in the 1st place if you have KIS installed (I guess unless you are using MS Defender rather than KIS for real time protection).
@Raj,
If you have Kaspersky installed you might find it a little disconcerting to discover that sites can track your online activity by using your unique Kaspersky ID even if you use private browsing. See https://www.bleepingcomputer.com/news/security/unique-kaspersky-av-user-id-allowed-3rd-party-web-tracking/
^The above information does not match the headings in my brand new, as of tonight, 15th August 2019 Windows 10 update. No mention of ransomware protection. Why do these instructions never match what I have on the screen in front of me? Very annoying and time wasting.
Alan, because Microsoft plays around with settings and names all the time. Which version of Windows 10 do you run?
You could try some ransomware blocklists in a pi-holed router
After my Windows 10 Pro machine updated itself to version 1903 (on the Enterprise channel), the Ransomware Protection was automatically enabled. I found myself essentially unable to use the computer (“the folder is read-only” after a long delay), and eventually had to turn this feature off. My combination of third-party applications and usage of cloud storage was a false-positive nightmare.
Only regular full backups to an external drive that can be physically disconnected are really safe. Everything else is going to have holes in the armor.
So, if it hasn’t been setup, it first asks you to “Set up OneDrive” – I’m guessing that the way it “protects” you is to keep a copy of your protected file on OneDrive??
Bear in mind the MS ransom protection requires the real time protection bit of MS Def to be turned on. You don’t want 2 different security software doing the same exact thing to be on at the same time in general.
This is not an answer to your question but I used the ransomware protection for a while and then disabled it. It was blocking only legitimate programs on my computer. Sometimes it was puzzling because often a temp file from a legitimate program blocked access. So far no ransomware.
Regular backups to an external HD, preferably while disconnecting from the internet makes more sense for me.
I have been using the controlled folder access since day one. It can be a pain in the arse at times, though. Many allowances need to be made for your programs.
Before installing some programs, it is easiest to turn it off momentarily.
Nonetheless, it is a good thing to have on the system.
Good find and well written article Ashwin.
After reading your article I was left with a question to you.
I am wondering if I can double up main security?
I have already installed and running smoothly an Eset security program where there is a ransom-ware option, at main disposal and the ransom-ware protection is also enabled.
Can I also enable at the same time the windows defender ransom-ware protection so it works in good harmony, with the Eset ransom-ware protection at the same time?
Will this not only work correctly but also enhance main security options?
I found the protection useless when I gave it a shot months ago. It was blocking access to my folders to processes I wasn’t even sure of what they were. Then I needed to research what that process was. Eventually I got to the point where I gave permission to anything completely defeating the purpose of the protection.
Additionally, the errors you get when a process is denied are not always obvious. Your computer just stops working properly until you allow the processes that were denied. I don’t think most people should consider using this.
Generally speaking, I would not use two programs for the same purpose, e.g. two firewalls or two programs that protect against ransomware.
@Martin,
What about AppCheck which you reviewed last year Martin? Can’t that be used in conjunction with AV? https://www.ghacks.net/2018/06/02/appcheck-anti-ransomware-review/
If you run antivirus software with anti-ransomware software, that should be fine most of the time. If the AV already has ransomware protection, it may lead to issues if you run third-party software that offers similar protection.
You can try and see if it causes issues but generally speaking, it is not advised.
Thanks Martin. Much appreciated.
One strange thing happened. Last week the website was giving me a “too slow” message when I was trying to post. Now with this post I am getting a “too quick, slow down” message.
I just wanted to post “Thanks Martin”