Anvil File Security, a new Division-M product, is a ransomware and malware file protection technology. This article is a brief technical overview of why this technology is needed, and how it works.
… but first a quick note on the name. Those who read our previous post, “Drive Bender v3, arrived… and 2019!”, will have noticed that the name changed from FolderWall to Anvil. After feedback from the community, we decided to change the name.
Why Anvil?
First, the why… ransomware and malware are a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware. For the most part this works for common variants; however, as WannaCry and Locky (two examples of ransomware variants) have demonstrated, infection prevention is not 100% assured.
We looked at this issue in late 2016 and decided to add some form of file protection to our pooling product, Drive Bender, in its v3 roadmap. This development work was brought forward after a Drive Bender user’s pool became infected, and as a result, lost a large percentage of files.
Our approach and thinking around this issue was a little different… while protecting from infection is important, the only certain way to protect files is to control access to those files. Anvil is the technology we developed to be included with Drive Bender v3, and now we are releasing a standalone version of the same name.
How does Anvil work?
Well, the idea is simple (which is often best): you create rules that dictate file access. For example, a folder containing your Microsoft Office files, say a bunch of Word and Excel files (prime ransomware targets), is protected by a rule that only allows the Word and Excel processes to write to it. To prevent binary spoofing (i.e. a fake Word.exe process), Anvil validates the calling process during the initial rule processing, ensuring the binary in question is what it claims to be.
Now, that is a basic example… and while creating rules by hand may work for advanced and enterprise users, for most it is not a realistic option, so we have added rule-generating wizards to help (you can modify the underlying rules if you like). One of these is “Learning mode”, which lets you interact with a folder (or folders) while Anvil dynamically builds the rules from that interaction. Another is “Request mode”, whereby the user is prompted when an application wants to write to a folder (you can optionally remember the confirmation).
Here are the highlights shipping in the early access:
- File write restrictions to designated folders. This means that you get to specify the applications that can write to a folder.
- File read and list restrictions on designated folders. In addition to write restrictions, you can also limit which applications can read a file, or even list the contents of a folder.
- A request option: file write restrictions based on a prompt to the user (failing to respond results in access denied). This lets you selectively allow an application that wants to write to a folder at the time of access.
- Learning mode captures what applications you use in a selected folder, then builds the rules to only allow those applications in the future.
- An immutable folder allows any application to write to the folder, but once written, a file can never be modified.
- Command line interface; if you’re keen, you can go old school and use the console.
Some premium features that are in the works, or being investigated:
- Encrypted folder: any writes to this folder are encrypted using TNO (trust no one) encryption, so only you know the keys to decrypt the files.
- Canary files… create any number of files named whatever you like, and if any of these files is ever accessed, you’ll know you have been compromised.
- Action-based file system changes: all file-based changes trigger actions that can perform external tasks.
- Cloud services access: use Drive Xtender cloud components to sync to cloud services.
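To make the rule model concrete, here is a small in-memory simulation written for this article. It is not Anvil’s code (Anvil runs as a file system driver; this never touches the disk), and the class names, sample paths, sample processes and hashes are all assumptions. It shows the pieces described above: a write allow-list that identifies a process by the hash of its binary rather than the file name it was launched under, read and list restrictions, an immutable (write-once) folder, rules built by a learning pass over observed processes, and a canary file that raises an alert when touched.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set


@dataclass
class Process:
    """A calling process: the image path it claims and the bytes of that image."""
    image_path: str
    image_bytes: bytes  # constructed stand-in for the real executable contents

    @property
    def name(self) -> str:
        return PureWindowsPath(self.image_path).name.lower()

    @property
    def digest(self) -> str:
        # Identity is the hash of the binary, not the name it was launched under
        return hashlib.sha256(self.image_bytes).hexdigest()


@dataclass
class Rule:
    folder: str
    # process name -> expected SHA-256 of its binary; None means "any process"
    writers: Optional[Dict[str, str]] = None
    readers: Optional[Dict[str, str]] = None  # also governs listing the folder
    immutable: bool = False                   # write-once: existing files never change
    canaries: Set[str] = field(default_factory=set)  # lower-case file names


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)
    existing: Set[str] = field(default_factory=set)  # files written so far (in-memory stand-in for the disk)
    alerts: List[str] = field(default_factory=list)

    def rule_for(self, path: str) -> Optional[Rule]:
        target = PureWindowsPath(path)
        for rule in self.rules:
            base = PureWindowsPath(rule.folder)
            if target == base or base in target.parents:  # case-insensitive on Windows paths
                return rule
        return None

    def learn(self, folder: str, observed: List[Process]) -> Rule:
        """Learning mode: the processes seen using a folder become its write allow-list."""
        rule = Rule(folder, writers={p.name: p.digest for p in observed})
        self.rules.append(rule)
        return rule

    @staticmethod
    def permitted(proc: Process, table: Optional[Dict[str, str]]) -> bool:
        if table is None:
            return True
        # The name must be listed AND the binary must hash to what the rule expects
        return table.get(proc.name) == proc.digest

    def check(self, proc: Process, op: str, path: str) -> str:
        rule = self.rule_for(path)
        if rule is None:
            return "allow"  # unprotected location
        if PureWindowsPath(path).name.lower() in rule.canaries:
            self.alerts.append(f"canary {path} touched by {proc.image_path}")
        if op == "write":
            if rule.immutable and path.lower() in self.existing:
                return "deny"
            if not self.permitted(proc, rule.writers):
                return "deny"
            self.existing.add(path.lower())
            return "allow"
        if op in ("read", "list"):
            return "allow" if self.permitted(proc, rule.readers) else "deny"
        raise ValueError(f"unknown operation {op!r}")


# Constructed sample processes; the image bytes stand in for real executables
WORD = Process(r"C:\Program Files\Microsoft Office\WINWORD.EXE", b"genuine winword image")
EXCEL = Process(r"C:\Program Files\Microsoft Office\EXCEL.EXE", b"genuine excel image")
BACKUP = Process(r"C:\Tools\backup.exe", b"backup tool image")
# A different binary that borrowed Word's file name (the spoofing case from the article)
SPOOF = Process(r"C:\Users\me\AppData\Local\Temp\WINWORD.EXE", b"not word at all")


def demo() -> Dict[str, str]:
    policy = Policy()
    docs, archive = r"C:\Users\me\Documents", r"C:\Users\me\Archive"
    policy.learn(docs, observed=[WORD, EXCEL])  # learning mode saw Word and Excel here
    policy.rules.append(Rule(archive, readers={BACKUP.name: BACKUP.digest},
                             immutable=True, canaries={"passwords.txt"}))
    return {
        "word_writes_doc": policy.check(WORD, "write", docs + r"\report.docx"),
        "spoof_writes_doc": policy.check(SPOOF, "write", docs + r"\report.docx"),
        "backup_writes_doc": policy.check(BACKUP, "write", docs + r"\report.docx"),
        "spoof_writes_elsewhere": policy.check(SPOOF, "write", r"C:\Users\me\Downloads\x.bin"),
        "first_archive_write": policy.check(BACKUP, "write", archive + r"\2019-01.zip"),
        "rewrite_archive": policy.check(BACKUP, "write", archive + r"\2019-01.zip"),
        "spoof_lists_archive": policy.check(SPOOF, "list", archive),
        "spoof_reads_canary": policy.check(SPOOF, "read", archive + r"\passwords.txt"),
        "alerts": "; ".join(policy.alerts),
    }


if __name__ == "__main__":
    for outcome, verdict in demo().items():
        print(f"{outcome}: {verdict}")
```

The point of keying the allow-list on the hash is visible in the two Documents writes: the genuine WINWORD.EXE is allowed, while a binary that merely carries the same file name is denied. The immutable archive accepts the first write of a file and refuses any later write to the same path, and the canary entry records an alert regardless of whether the access itself is then allowed or denied.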
What’s it all worth?
Given the work that will be required to ensure Anvil remains secure, we are licensing Anvil File Security as a subscription-only model. Here is a breakdown of pricing (billed annually):
- Standard license – $2/month ($24/year)
- Premium license – TBA
For “early access” users… happy days:
- Premium license – $1.50/month ($18/year)
- Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)
Cost is per machine; for each additional machine, add $0.50/month.
Note – The final Premium feature set is yet to be finalized. We do know encryption and canary files will be included, but other than that we are still working on features and cost. We are also building an enterprise version, allowing an enterprise to protect files sitting on employee machines.
When’s it going to be available?
The early access version was scheduled for Valentine’s Day (the 14th of February), but we are a little delayed, as we had to resolve a bug that was found on the day of release. As of the 6th of March the bug has been sorted, and we are now testing to ensure all is 100% before releasing. In the meantime, check out the “Request” mode demo video.
Finally, early access spots are limited, and we have had quite a number of registrations already (so much so that we released an extra batch), so register at https://portal.anvil-fs.com to secure your early access spot.