Bypass restrictions of enabled Folder Access Control of Windows Defender
Asked Answered
E

0

8

I've got an application written with C# which is installed via InnoSetup.

With enabled Controlled Folder Access of Windows 10's Defender, the setup fails to create a desktop icon (showing the message PersistFile::Save failed, code 0x80070002) -- despite running with administrative privileges.

Furthermore the installed application (which is NOT run with administrative privileges) fails to write to folders of the user, e.g. Documents.

This happens even for new files or folders, which do not overwrite anything existing. For ransomware protection I'd expect that only modifying existing files is considered dangerous.

The first question that comes to my mind is: Why is my application considered to be harmful and is thus being blocked?

I've done extensive research to get an answer, but could not find anything that helps:

  1. Web resources from Mircosoft describing which applications are considered harmful and why cannot be found -- only guesswork there.

  2. Signing my application with an Extended Validation Certificate (which helps suppressing SmartScreen warnings) does not change Windows Defender's behavior.

  3. I let the Windows App Certification Kit analyze the installer -- which reported several warnings and one critical error. I fixed all issues the Kit complained about (except the warning regarding /SAFESEH which is not possible with InnoSetup), but this did not change Windows Defender's behavior regarding access blocking.

So, my refined question is: How can I bypass the access blocking of Windows Defender for my setup and my application in a valid way?

To give insights to the problem and to provide a basis for experiments I've set up a small sample application in C# which

  1. creates new (and afterwards removes) directories in the public desktop path, user's desktop path, pulic documents path and user's documents path
  2. is bundled by an InnoSetup script to a signed installer

Using Visual Studio to build the solution and InnoSetup to package the build, it should be easy to reproduce the behavior with enabled Controlled Folder Access. (Make sure to have a look at README.md for a description of the build steps!)

Please check out the sample project.

Edwards answered 4/1, 2019 at 13:43 Comment(3)
AFAIK this is strictly a User setting. They can allow apps through by adding them to a list. In the one case I ran an AccessCheck to probe if the Desktop folder is writable and showed a Dialog on failure.Moersch
If there's no proper way around it, I'd call it a poorly designed feature ;-) Then such a dialog were the only viable alternative.Edwards
Think of it as a poorly documented Firewall..Moersch

© 2022 - 2024 — McMap. All rights reserved.