Anvil File Security, ransomware and malware file protection

Anvil File Security, a new Division-M product, is a ransomware and malware file protection technology. This article is a brief technical overview of why this technology is needed, and how it works.

… but first a quick note on the name. Those reading our previous post, Drive Bender v3, arrived… and 2019! would note the name changed from FolderWall to Anvil. After feedback from the community, we decided to change the name.

Why Anvil?

First the why… ransom/malware is a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware. For the most part, this works for common variants; however, as WannaCry and Locky (two examples of ransomware variants) have demonstrated, infection prevention is not 100% assured.

We looked at this issue in late 2016 and decided to add some form of file protection to our pooling product, Drive Bender, in its v3 roadmap. This development work was brought forward after a Drive Bender user’s pool became infected, and as a result, lost a large percentage of files.

Our approach and thinking around this issue was a little different… while protecting from infection is important, the only certain way to protect files is to control access to those files. Anvil is the technology we developed to be included with Drive Bender v3, and now we are releasing a standalone version of the same name.

How does Anvil work?

Well, the idea is simple (which is often the best): you create rules that dictate file access. So for example, a folder containing your Microsoft Office files, say a bunch of Word and Excel files (prime ransomware targets), is protected by a rule that only allows the Word and Excel processes to write to this folder. To prevent binary spoofing (i.e. a fake Word.exe process), Anvil validates the calling process during the initial rule processing, ensuring the binary in question is who it claims to be.

Now, that is a basic example… and while creating rules may work for advanced and enterprise users, for most, this is not a realistic option. So we have added a rule generating wizard to help with this (you can modify the underlying rules if you like). One of these wizards is a “Learning mode”, which allows you to interact with a folder (or folders) and Anvil dynamically builds the rules based on this interaction. Another mode we have is “Request mode”, whereby the user is prompted if an application wants to write to a folder (you can optionally remember the confirmation).

Here are the highlights shipping in the early access

  • File write restrictions to designated folders. This means that you get to specify the applications that can write to a folder.
  • File read and list restrictions on designated folders. In addition to write restrictions, you can also limit what applications can read a file, or even list the contents of a folder.
  • A request option, file write restrictions based on prompts to the user (failing to respond results in access denied). This allows you to selectively allow an application that wants to write to a folder at the time of access.
  • Learning mode captures what applications you use in a selected folder, then builds the rules to only allow those applications in the future.
  • An immutable folder allows any application to write to the folder, but once written, a file can never be modified.
  • Command line interface, if you’re keen, you can go old school and go to the console
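
The rule model described above (per-folder write allowlists with validation of the calling binary, request mode and immutable folders), modelled as an added example; it is not Anvil's code or rule format. The Rule class, the use of a pinned SHA-256 hash as the binary validation step, and all paths and binary contents are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

def digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

@dataclass
class Rule:
    folder: str                  # protected folder (subfolders included)
    mode: str = "allowlist"      # "allowlist", "request" or "immutable"
    allowed: dict = field(default_factory=dict)  # exe name -> pinned SHA-256

def covers(folder: str, target: str) -> bool:
    f, t = PureWindowsPath(folder), PureWindowsPath(target)
    return f == t or f in t.parents   # Windows paths compare case-insensitively

def is_trusted(rule: Rule, exe_path: str, exe_image: bytes) -> bool:
    # Assumption: identity is a pinned hash of the binary; a file name proves nothing.
    pinned = rule.allowed.get(PureWindowsPath(exe_path).name.lower())
    return pinned is not None and pinned == digest(exe_image)

def decide_write(rules, exe_path, exe_image, target, exists=False, prompt=None) -> str:
    if ".." in PureWindowsPath(target).parts:
        return "deny"            # refuse unnormalised paths instead of guessing
    matching = [r for r in rules if covers(r.folder, target)]
    if not matching:
        return "allow"           # folder is not protected by any rule
    rule = max(matching, key=lambda r: len(PureWindowsPath(r.folder).parts))
    if rule.mode == "immutable":
        return "deny" if exists else "allow"   # write once, never modify
    if is_trusted(rule, exe_path, exe_image):
        return "allow"
    if rule.mode == "request" and prompt is not None:
        return "allow" if prompt(exe_path, target) is True else "deny"
    return "deny"                # default deny, including an unanswered prompt

# Constructed sample data: stand-in binary images and folders.
WORD_IMAGE = b"constructed stand-in for the genuine WINWORD.EXE image"
FAKE_IMAGE = b"constructed stand-in for a look-alike WINWORD.EXE"
RULES = [
    Rule(r"C:\Users\demo\Documents\Office", "allowlist",
         {"winword.exe": digest(WORD_IMAGE)}),
    Rule(r"C:\Users\demo\Archive", "immutable"),
    Rule(r"C:\Users\demo\Projects", "request"),
]
```

A prompt callback that returns None stands for a user who never answers, which the model treats as access denied, matching the request option described in the list above.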

Some premium features that are in the works, or being investigated

  • Encrypted folder, any writes to this folder are encrypted using TNO (trust no one) encryption, only you know the keys to decrypt files
  • Canary files… create any number of files named whatever you like, and if any of these files are ever accessed, you’ll know you have been compromised.
  • Action based file system changes, all file-based changes trigger actions that can perform external tasks
  • Cloud services access, use Drive Xtender cloud components to sync to cloud services

What’s it all worth?

Given the work that will be required to ensure Anvil remains secure, we are licensing Anvil File Security as a subscription-only model. Here is a breakdown of pricing (billed annually):

  • Standard license – $2/month ($24/year)
  • Premium license – TBA

For “early access” users… happy days

  • Premium license – $1.50/month ($18/year)
  • Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)

Cost is per single machine; for each additional machine, add $0.50/month.

Note – The final Premium features are yet to be finalized, we do know encryption and canary files will be included… but other than that, we are still working on features and cost. We are also building an enterprise version, allowing an enterprise to protect files sitting on employee machines.

When’s it going to be available?

The early access version is scheduled for Valentine’s Day (the 14th of February); we are a little delayed, as we had to resolve a bug that was found on the day of release. As of the 6th of March, the bug has been sorted, and we are now testing to ensure all is 100% before releasing. In the meantime, check out the “Request” mode demo video.

Finally, early access spots are limited, and we have had quite a number of registrations already (so much so that we released an extra batch), so register at https://portal.anvil-fs.com to secure your early access spot.

Roon and Smooth Stream using Drive Bender

Recently we had a user ask how to improve pool performance when using Roon while connected to Drive Bender backed storage…. let’s take a look!

A Roon with a view

Roon is a high-end music management and streaming solution that can deliver music to many different audio platforms (see What is Roon). Personally, I’m a big fan of Roon (kudos to the dev team, IMHO very well engineered software), and have been running Roon using a Drive Bender pool as the storage endpoint for some time… so I thought I would share my experience.

The setup

The Roon platform is a powerful piece of kit, and, in my case, it streams upsampled content to my Devialet Expert Pro 220 (I’ve just ordered a Denafrips Terminator)… all transported over ethernet. The Roon server is a dedicated Linux machine, with the music files stored on a Drive Bender pool, sitting on an oldish Windows Home Server 2011 machine (out of interest, this is the old server we tested on back in the day). As anyone that has used Roon knows, it can be quite demanding on the hardware it interacts with. While the Roon server hardware is fine (Core i7 with plenty of RAM), the Drive Bender pool server is a rather old, bloated machine attached to 12 hard drives that are anywhere from 3 to 10 years old (I say bloated as it has never been rebuilt). The music pool itself contains some 10,000 music files, consisting of lossless WMA and WAV files (Roon does not support WMA). Most of these files are lossless rips of my CD collection, however, there are quite a few 192/24 and DSD hi-res files.

In operation

During playback, Roon pulls the files from the Drive Bender pool over ethernet, processes them, then sends them on to the Devialet, resulting in some magical musical experiences, right? Well, not always… when I first set everything up, I would get the odd stutter every few tracks, which was very annoying, to say the least. After eliminating the Roon server hardware as the cause, I started to look at the pool and discovered a couple of the hard drives, while still healthy, had less than stellar performance, which is a Roon no-no. Luckily I know a thing or two about hard drives, and decided to do some testing and connected these same drives directly to Roon via USB, no real improvement… bugger! Now I’m not privy to how the Roon team go about pulling data from the assigned storage and didn’t have the time to investigate. So it seemed to me the only solution was to replace these otherwise healthy drives with new, faster ones… but wait, I hadn’t tried Smooth Stream, a feature that has been part of Drive Bender since v1 (yes I know, you would have thought this would have been my first go-to fix… but hey, forest for the trees blah blah blah). I enabled Smooth Stream, and boom, I’ve never heard a single stutter since!

Hindsight is 20/20

This was the very same problem experienced by our Drive Bender user recently… and thanks to my own experience, I suggested he enable Smooth Stream, and bingo… all was golden!

Safety first

Re my old drives… I’ve spent many years building my ripped library, I can’t imagine how many hours have been consumed ensuring rips are error-free, and all metadata was in place (pre Roon). For those reading this and concerned over the age of some of the drives in my music pool… fear not, I run duplication on my music folder, so I’m happy that nothing will be lost.

Final thoughts

Being a Roon fan, and a fan of cloud storage, the next logical step is to combine the two. While Roon does support Dropbox, I prefer a local storage endpoint, or to clarify, an endpoint that appears to be local. Using a modded version of the Smooth Stream code, and some other cloud components I had lying around, I’ve been doing some prototyping on a solution and will be using the Denafrips Terminator to test the results. In my view, having Roon stream your own collection directly from the cloud is a no-brainer, and Smooth Stream may well be the key. Let me know what you think, and is this something other users would be interested in?

Drive Bender v3, arrived… and 2019!

First up, welcome to 2019. It’s been a busy year for us here at Division-M, as we’ve also been involved in a number of side projects that have impacted our 2018 schedule… but, such is the software business, onwards we go into 2019!

We have just released v3 of Drive Bender. This particular release, while having a long beta cycle, does bring with it a number of security-focused features. The first of which is the “Pool Firewall”. This world-first feature allows a user to lock down access to a specific folder by only granting access to pre-approved applications. This protects files from ransomware and other malicious applications wanting to alter files without authorization. This is achieved using rules that allow a user to lock down access to folders for specific “approved” applications. For example, you can specify an “Office” folder (and subfolders) that only allows “Word”, “Excel” etc. to write to the “Office” folder(s). We have posted a short tutorial on the Pool Firewall here.

The next security based feature we have included is “Side Channel Protection”. This is a technology that has been requested for some time and protects the individual drives that make up the pool from being modified outside of the pool itself. So, even if a drive letter has been mapped to any of the physical drives, any attempts to write to these drives will be blocked… once again ensuring file integrity. The last feature I want to mention is “Drive Idle”… this is more of a performance/eco feature. While it is included in the v3 release, it is disabled by default due to some ongoing issues experienced by some users… we will circle back to this in the new year and work towards sorting the bugs. FYI – The Drive Idle feature was the cause of the lengthy beta cycle, in the end, we decided to push v3 with this disabled, just to get it out the door.

A couple of final Drive Bender notes… first I’d like to give a shout out to all the users that helped with the v3 beta, we have a lot of users involved in this version, so thanks to all! Finally, there is a price increase coming before the end of January… so spread the word.

The next piece of news revolves around Drive Xtender, and what is happening with its progress. All was on track until we switched gears and decided to work on Drive Bender v3, and its Pool Firewall feature (you can read why here)… we are expecting to resume moving forward with Drive Xtender early 2019.

Finally… we have some exciting news about a new product that has been developed in parallel with our Drive Bender v3 and Drive Xtender work, but first, some background. During the Drive Bender v3 development phase, the idea of a Pool Firewall raised a lot of interest… so much so that one of the most commonly asked questions was, “can we create a single pool drive (i.e. basically mapping an existing drive via a Drive Bender mount point) and use this new feature to protect files and documents on this drive”?  Well, you could, but that is a lot of overhead given you are not using Drive Bender for its primary intended purpose, pooling!

So, late in 2018, we decided to release a new product called “FolderWALL”. FYI – This was the internal name given to the Pool Firewall technology used in Drive Bender. This is a standalone product designed to protect files sitting on non pooled drives, and again, it works by allowing access to folders for given processes. Now, as users running v3 of Drive Bender will note, the configuration of these rules can be a little complex… so we have gone to great lengths to make FolderWALL easy to set up and maintain. The FolderWALL interface is based on our Drive Xtender interface technology, and is web-based, requiring very minimal effort to install and get up and running. Here is a brief list of features (* denotes premium features, ** not implemented, will depend on feedback):-

  • File write restrictions to designated folders
  • File read and list restrictions on designated folders
  • A request option, file write restrictions based on prompts to the user (failing to respond results in access denied)
  • Learning mode, instead of defining rules, simply run in learning mode and allow FolderWALL to build the rules for you
  • An immutable file system, files can be written to the folder but once written, can never be changed
  • Command line interface, if you’re keen, you can go old school and go to the console
  • Encrypted writes, files are written using TNO (trust no one) encryption, only you hold the keys to decrypt files*
  • Action based file system changes, all file-based changes trigger actions that can perform external tasks*
  • Cloud services access, use Drive Xtender cloud components to sync to cloud services**

Now, when is FolderWALL going to be made available? Well… it has been in development for some time and is all but ready to go. The “early release” version is set to drop on the 1st of February 2019… this is not a beta, but a full release, minus some incomplete features. This release will be limited to a small number of users; you can secure your license by registering at portal.folderwall.com. While you can sign up, you cannot install FolderWALL until the 1st of February, however, as I’ve noted, we are limiting the number of initial users, so if you are interested, get in quick!

The wrap-up… we are excited about FolderWALL, and given the rise in ransomware attacks, FolderWALL offers “world first”, rule-based file protection against such attacks. In the coming days, I will post further details of FolderWALL, including pricing, stay tuned!

Update – The early access release date has been changed to the 14th of February