Anvil File Security, a new Division-M product, is a ransomware and malware file protection technology. This article is a brief technical overview of why this technology is needed and how it works.
… but first, a quick note on the name. Those who read our previous post, “Drive Bender v3, arrived… and 2019!”, will have noticed the name changed from FolderWall to Anvil. After feedback from the community, we decided to change the name.
First, the why… ransomware and malware are a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on detecting the malware (heuristic analysis) in order to block it. For the most part this works for common variants; however, as WannaCry and Locky (two well-known ransomware families) demonstrated, infection prevention is never 100% assured.
We looked at this issue in late 2016 and decided to add some form of file protection to our pooling product, Drive Bender, in its v3 roadmap. This development work was brought forward after a Drive Bender user’s pool became infected, and as a result, lost a large percentage of files.
Our approach and thinking around this issue were a little different… while protecting against infection is important, the only certain way to protect files is to control access to those files. Anvil is the technology we developed for inclusion in Drive Bender v3, and we are now releasing a standalone version under the same name.
How does Anvil work?
Well, the idea is simple (which is often best): you create rules that dictate file access. For example, a folder containing your Microsoft Office files, say a collection of Word and Excel documents (prime ransomware targets), is protected by a rule that only allows the Word and Excel processes to write to it. To prevent binary spoofing (i.e. a fake Word.exe process), Anvil validates the calling process during the initial rule processing, ensuring the binary in question is what it claims to be. Note that the rule is enforced per process: code running inside an approved process (a malicious macro in Word, for instance) inherits that process’s access, so an allowed application must itself be trustworthy.
Now, that is a basic example… and while creating rules by hand may work for advanced and enterprise users, for most people this is not a realistic option. So we have added rule-generating wizards to help with this (you can still modify the underlying rules if you like). One of these wizards is a “Learning mode”, which lets you interact with a folder (or folders) while Anvil dynamically builds the rules from that interaction. Another is “Request mode”, whereby the user is prompted whenever an application wants to write to a folder (you can optionally remember the confirmation).
Here are the highlights shipping in the early access release:
- File write restrictions on designated folders. You specify which applications are allowed to write to a folder.
- File read and list restrictions on designated folders. In addition to write restrictions, you can limit which applications can read a file, or even list the contents of a folder.
- A request option: file write restrictions based on a prompt to the user (failing to respond results in access being denied). This lets you selectively allow an application that wants to write to a folder at the time of access.
- Learning mode captures which applications you use in a selected folder, then builds rules that only allow those applications in the future.
- An immutable folder allows any application to write new files to the folder, but once written, a file can never be modified.
- A command line interface, if you’re keen to go old school and work from the console.
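The rule model described above (a per-folder allow list of processes, validation of the calling binary against spoofing, immutable folders, learning mode and request mode, plus the canary files mentioned under the premium features below) can be sketched as a small policy engine. The following is an added example written for this page, not Anvil’s own code: process names, hashes, paths and the “image bytes” standing in for executables are all constructed, and the engine only models the decisions, not the kernel-level enforcement a real product needs.

```python
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

@dataclass(frozen=True)
class Process:
    name: str      # image name as the OS reports it
    image: bytes   # stand-in for the executable's on-disk bytes (constructed)

    def digest(self):
        return hashlib.sha256(self.image).hexdigest()

@dataclass
class FolderRule:
    folder: PureWindowsPath
    writers: dict = field(default_factory=dict)  # image name -> expected SHA-256
    readers: "dict | None" = None                # None: reads and listing unrestricted
    immutable: bool = False                      # write-once: existing files never change
    canaries: set = field(default_factory=set)   # file names no process should touch

@dataclass
class Decision:
    allowed: bool
    reason: str
    alert: bool = False  # notify the user (spoofed binary, canary access)

class FolderGuard:
    def __init__(self, rules, existing=(), prompt=None):
        # most specific folder first; `prompt` is the request-mode callback
        self.rules = sorted(rules, key=lambda r: len(r.folder.parts), reverse=True)
        self.existing = {str(PureWindowsPath(p)).lower() for p in existing}
        self.prompt = prompt  # (proc, path) -> True / False / None (no answer)

    def _rule_for(self, path):
        return next((r for r in self.rules if r.folder == path or r.folder in path.parents), None)

    def _validated(self, proc, allowlist):
        expected = allowlist.get(proc.name.upper())
        if expected is None:
            return Decision(False, f"{proc.name} is not in the allow list")
        if proc.digest() != expected:  # right name, wrong binary: spoofing
            return Decision(False, f"{proc.name} failed binary validation", alert=True)
        return Decision(True, f"{proc.name} validated")

    def check(self, proc, path, op):
        path = PureWindowsPath(path)
        rule = self._rule_for(path)
        if rule is None:
            return Decision(True, "folder is not protected")
        if path.name.lower() in rule.canaries:
            return Decision(False, "canary file accessed", alert=True)
        if op in ("read", "list"):
            if rule.readers is None:
                return Decision(True, "reads are unrestricted here")
            return self._validated(proc, rule.readers)
        key = str(path).lower()
        if rule.immutable:
            if key in self.existing:
                return Decision(False, "immutable folder: existing file cannot change")
            self.existing.add(key)
            return Decision(True, "immutable folder: new file created")
        decision = self._validated(proc, rule.writers)
        if not decision.allowed and not decision.alert and self.prompt is not None:
            if self.prompt(proc, path) is not True:  # no answer counts as denied
                return Decision(False, "request mode: user did not approve")
            rule.writers[proc.name.upper()] = proc.digest()  # remember the approval
            decision = Decision(True, "request mode: user approved")
        if decision.allowed:
            self.existing.add(key)
        return decision

def learn(folder, observations):
    # learning mode: allow only processes seen in the folder, pinned to the binary observed
    rule = FolderRule(PureWindowsPath(folder), readers={})
    for proc, op in observations:
        rule.readers[proc.name.upper()] = proc.digest()
        if op == "write":
            rule.writers[proc.name.upper()] = proc.digest()
    return rule

# Constructed sample data; the image bytes stand in for real executables.
WORD = Process("WINWORD.EXE", b"genuine word binary")
EXCEL = Process("EXCEL.EXE", b"genuine excel binary")
FAKE_WORD = Process("WINWORD.EXE", b"ransomware renamed to winword")
CRYPTOR = Process("cryptor.exe", b"ransomware")
DOCS = r"C:\Users\alice\Documents"
OFFICE_RULE = FolderRule(PureWindowsPath(DOCS), canaries={"passwords.docx"},
                         writers={"WINWORD.EXE": WORD.digest(), "EXCEL.EXE": EXCEL.digest()})
ARCHIVE_RULE = FolderRule(PureWindowsPath(r"D:\Archive"), immutable=True)

def demo():
    guard = FolderGuard([OFFICE_RULE, ARCHIVE_RULE], existing=[r"D:\Archive\2018.zip"])
    return {
        "word": guard.check(WORD, DOCS + r"\report.docx", "write"),
        "cryptor": guard.check(CRYPTOR, DOCS + r"\report.docx", "write"),
        "spoof": guard.check(FAKE_WORD, DOCS + r"\report.docx", "write"),
        "canary": guard.check(WORD, DOCS + r"\passwords.docx", "read"),
        "archive_new": guard.check(CRYPTOR, r"D:\Archive\2019.zip", "write"),
        "archive_old": guard.check(CRYPTOR, r"D:\Archive\2018.zip", "write"),
    }
```

Two design points carry over to any real implementation: the allow list pins a process to a hash of its binary rather than to its name, so a renamed ransomware payload fails validation (and raises an alert, since a name collision is itself suspicious), and the request-mode prompt defaults to deny when it gets no answer, so an unattended machine does not quietly grant access.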
Some premium features that are in the works, or being investigated:
- Encrypted folder: any writes to this folder are encrypted using TNO (trust no one) encryption; only you hold the keys to decrypt the files.
- Canary files… create any number of files named whatever you like, and if any of these files are ever accessed, you’ll know you have been compromised.
- Action-based file system changes: all file-based changes trigger actions that can perform external tasks.
- Cloud services access: use Drive Xtender cloud components to sync to cloud services.
What’s it all worth?
Given the ongoing work required to keep Anvil secure, we are licensing Anvil File Security on a subscription-only model. Here is a breakdown of pricing (billed annually):
- Standard license – $2/month ($24/year)
- Premium license – TBA
For “early access” users… happy days:
- Premium license – $1.50/month ($18/year)
- Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)
Cost is per machine; each additional machine adds $0.50/month.
Note – The final Premium feature set is yet to be finalized. We do know encryption and canary files will be included, but beyond that we are still working on features and cost. We are also building an enterprise version, allowing an enterprise to protect files sitting on employee machines.
When’s it going to be available?
The early access version was scheduled for Valentine’s Day (the 14th of February). We are a little delayed, as we had to resolve a bug that was found on the day of release. As of the 6th of March the bug has been sorted, and we are now testing to ensure all is 100% before releasing. In the meantime, check out the “Request” mode demo video.
Finally, early access spots are limited, and we have already had quite a number of registrations (so much so that we released an extra batch), so register at https://portal.anvil-fs.com to secure your early access spot.
9 thoughts on “Anvil File Security, ransomware and malware file protection”
What a great idea! I know someone who was caught out when he opened a Word doc attached to a CV that was emailed from his own HR department.
As a Drive Bender user, is the $1 month for the first year, or forever?
And where do I purchase?
The price is grandfathered in, so forever.
Re payment… we are still working on the payment and licensing system. This will be available a short time after the initial release on the 14th.
What is a canary file, can you explain in more detail?
A canary file is a file that is monitored for access (based on the canary in a coal mine). Canary files are not visible to the applications approved for a given folder, so if accessed, the user is notified… and should investigate to ensure nothing unauthorised is poking around their system.
What happened with the release, when is this coming out?
We do apologise for the delay in the release. One of our internal testers discovered a bit of a show stopper bug on the day of release, so it was pulled. This bug only affected the tester’s machine, and was incredibly hard to reproduce and rectify. That said, it is sorted, so now we are back to testing and will release when we are 100% happy the issue is resolved.
In the meantime, you can check out a video on how the new “request” mode works… https://media.anvil-fs.com/anvil_request_mode_demo_1/index.html
Can you explain how this is better / different than the in-box Windows 10 “Controlled Folder Access?”
Good question… so to start with, to run “Controlled Folder Access”:
– You need to be running Windows 10, at least the Creators Update, from memory.
– You need to be running Windows Defender; if you run any other virus protection, it’s not available, as it uses Windows Defender threat detection.
– As just noted, it uses a detection model… so you are relying on this to determine what is “good” and what is “bad”, and we know this type of protection is hit and miss.
– Anvil’s rules are explicit; there is no “best guess”. In addition, we are adding feature-based rules that do more than protect, such as encryption, immutable files and actions (i.e. the ability to do stuff when files are changed/added).
Windows integrated features, for the most part, sit on the side of convenience over security… we are on the other side of the fence, security first.