By continuing to use the site or Forum, you agree to the use of cookies, find out more by reading our GDPR policy.

In Windows 10, Microsoft added a new ransomware protection feature called Controlled Folder Access that can be used to prevent modifications to files in protected folders by unknown programs. At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature. Controlled Folder Access is a feature that allows you to protect folders and the files inside them so that they can only be modified by an application that is whitelisted. The whitelisted applications are either ones that you specify or ones that are whitelisted by default by Microsoft. Knowing that the explorer.exe program is whitelisted in Controlled Folder Access, Soya Aoyama, a security researcher at Fujitsu System Integration Laboratories Ltd., figured out a way to inject a malicious DLL into Explorer when it is started. Since Explorer is whitelisted, when the DLL is injected it will launch and be able to bypass the ransomware protection feature. To do this, Aoyama relied on the fact that when explorer.exe starts, it will load DLLs found under the HKEY_CLASSES_ROOT*shellexContextMenuHandlers registry key. The HKEY_CLASSES_ROOT tree is a merge of registry information found in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. When performing the merge, Windows gives the data in the HKCU tree precedence. Tune into OUR FORUM to learn more.