Researcher Bypasses Windows Controlled Folder Access Anti-Ransomware Protection

Discussion in '0-day Release' started by silversurfer, Feb 7, 2018.

  1. silversurfer

    silversurfer Malware Tester Silver Member

    Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list. This means that Office apps can modify files located in a CFA folder, whether the user likes it or not.

    Jesus says that a ransomware developer could easily bypass Microsoft's CFA anti-ransomware feature by adding simple scripts that bypass CFA via OLE objects inside Office files.

    In research published over the weekend, Jesus includes three examples that utilize booby-trapped Office documents (received via spam email) to overwrite the content of other Office documents stored inside CFA folders; password-protect the same files; or copy-paste their content inside files located outside the CFA folder, encrypt those, and delete the originals.

    Full Article:
    Trim and RGiskardR like this.
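The post above is about which applications Controlled Folder Access lets through, so the practical follow-up for an administrator is to see what CFA is configured to protect on a given machine and what it has actually blocked or audited. The PowerShell below is added here as a defender-side check; it is not code from the article, the forum post or the researcher. It assumes Microsoft Defender Antivirus on Windows 10 1709 or later and an elevated session; the `Get-MpPreference` properties and the Defender event IDs it uses are the documented ones.

```powershell
# Added example (not from the article or the forum post): inventory the local
# Controlled Folder Access (CFA) configuration and pull recent CFA events so a
# defender can see what the feature protects and what it blocked or audited.
# Assumes Windows 10 1709+ with Microsoft Defender Antivirus; run elevated.

function Get-CfaStatus {
    $pref = Get-MpPreference
    # Documented values of EnableControlledFolderAccess.
    $modes = @{
        0 = 'Disabled'
        1 = 'Enabled'
        2 = 'AuditMode'
        3 = 'BlockDiskModificationOnly'
        4 = 'AuditDiskModificationOnly'
    }
    [pscustomobject]@{
        Mode                = $modes[[int]$pref.EnableControlledFolderAccess]
        # Only folders an admin added on top of the default user folders show up here.
        ProtectedFolders    = @($pref.ControlledFolderAccessProtectedFolders)
        # Only admin-added allowed apps show up here. Microsoft's own built-in list
        # of trusted applications (the one the post says includes Office) is not
        # exposed through this property, so an empty list does not mean that
        # nothing is allowed to write into protected folders.
        AllowedApplications = @($pref.ControlledFolderAccessAllowedApplications)
    }
}

function Get-CfaEvents {
    param([int]$Days = 7)
    # Defender operational log event IDs for CFA:
    # 1123 = blocked write to a protected folder, 1124 = the same in audit mode,
    # 1127 = blocked disk-sector write, 1128 = audited disk-sector write.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124, 1127, 1128
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message names the process that attempted the write and the
            # target path; keep it verbatim for triage.
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Outcome = if ($_.Id -in 1123, 1127) { 'Blocked' } else { 'Audited' }
                Message = $_.Message
            }
        }
}

Get-CfaStatus | Format-List
Get-CfaEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Running CFA in `AuditMode` for a while and reviewing the 1124 events is the usual way to learn which legitimate applications would be blocked before switching to `Enabled`; the caveat that matters for this thread is that writes made by an application on Microsoft's built-in trusted list produce no event at all, so absence of 1123/1124 entries is not evidence that nothing touched the protected folders.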
