Mid-year update… more banging on the Anvil, and a free giveaway

This is our mid-year update… along with an Anvil article we posted on our support channel, which dives into the pros of running Anvil alongside third-party AV solutions, backups, and even Microsoft’s Controlled Folder Access. We are also offering a limited-time, free Anvil Premium lifetime license giveaway… don’t miss out.

Cloud Xtender

First out of the gate… a major update has been released for Cloud Xtender! v3 landed a few weeks ago and is a major update over v2… with most of the code base having been upgraded from our Drive Xtender development. If you haven’t upgraded, do so, as there are many fixes and performance enhancements. There has also been a price rise; however, if you were trialling Cloud Xtender before the rise, drop a line to support and we’ll give you a discount.

Drive Bender

Drive Bender v3.2 is in the works… for the most part, this is a bug fix release, along with some minor feature updates which will include better Anvil integration. We are looking at an August/September release… as usual, subject to change 😉

Drive Xtender

We’ve had a bunch of users ask about Drive Xtender’s progress. While we are still actively developing Drive Xtender (it formed the core of the latest Cloud Xtender release), there is still much to do. Over the coming months, we will have a better idea of its future and will post an update.

Anvil

We have had some interesting feedback around Anvil… most notably around the UI and getting Anvil up and running, which we have taken on board and made some major improvements (well, that’s the hope), along with constantly building on the documentation. We’ve also had many users ask what the benefit is of running Anvil over Windows 10’s “Controlled Folder Access”, or other AV solutions. To answer that question (and others), I wrote an article in our support channel and thought I would share it here.

In addition, we have created and released a number of videos.

Why Anvil

First, what is Anvil’s purpose? Its primary purpose is to protect files from unwanted or unintended modification, the most obvious source of which is malware and ransomware. Anvil does this by providing a rules-based engine that is very binary in nature… that is, we don’t rely on guessing who the good and bad actors are; we simply have rules that determine access for all.

Doesn’t normal AV software protect files? Generally no. While a number of AV solutions do have some form of file monitoring, it’s often an afterthought and offers little in the way of configuration. Anti-virus mostly relies on process filtering to catch malware as it attacks or infects your system. So to answer the question: no, they generally won’t offer the explicit file protection Anvil can.

Won’t backups protect my files? Well, yes… and no. You should always back up regardless, but backups can be a double-edged sword. If you have multiple backups in rotation, and you catch things quickly, you may be able to restore clean files… but in a lot of cases you are left with backups of the very encrypted files you are trying to restore, because the backup ran after the files were encrypted.

The exception, as previously noted… how does Windows Defender differ? Windows Defender, under Windows 10 (1709 and above), has a feature called “Controlled Folder Access”, which, if configured correctly, can perform in a similar manner to Anvil… however, there are a number of caveats.

  • You must be running Windows 10, 1709 and later (duh).
  • You need to be running Windows Defender, if you run another AV solution, this feature is disabled.
  • You are relying on Windows Defender to determine which actors are good and which are bad. Now, we would argue that, if such detection were robust, there would be no need for Controlled Folder Access in the first place. The key issue here is that a lot of malware can get through such detection, either through Windows exploits or trojan-style attacks, for example a malicious “signed” application (more on these later).
  • Lastly, and the biggest caveat: an application that has gained administrative rights is able to programmatically “whitelist” itself (add itself to the allowed applications list), bypassing any scrutiny by Controlled Folder Access.

So in summary: AV solutions don’t offer explicit file protection, backups can be hit and miss, and all bets are off when running Controlled Folder Access if the malicious app bypasses detection or gains admin privileges… which can often be obtained through some form of social engineering (following a link in an email, for example), so this is far easier than you might think.

Now, with regards to “signed” applications… unfortunately, signed applications are fast becoming an entry point for attacks, as the number of major software vendors losing control of their certificates continues to grow. Those users who have installed Anvil and run the getting started wizard will be aware that the default protection allows “all” signed applications… we do recommend locking access down to specific certificates, and we are working on improving this in future versions.

So this brings us to… why Anvil? Well, let’s start by saying “prevention is better than a cure”… here is a rundown:

  • Having explicit rules around folder access leaves no room for ambiguity
  • Rules cannot be changed even if the malicious app gains admin privileges
  • Rights to change folder access are determined “off machine”; that is, authentication occurs in the cloud and not on the host machine. A token with a limited lifetime is generated on the Anvil server and is required to modify any rules.
  • Anvil was developed with a security-first ethos, not a “safe default” mindset. We are working on a support channel article that will detail the security framework Anvil employs… I’ll post a link here when it is complete.
  • In addition, Anvil is a file system platform that allows us to bolt on features such as folder level file encryption, file duplication and cloud drive support.

The future ahead? The Anvil roadmap has a number of features that are locked into version releases.

v1.3 – Folder level encryption. This feature allows you to specify a folder and encrypt all content that is written to it. The encryption is TNO (trust no one) and the content is only accessible by the user. When accessing a folder protected by encryption for the first time, the user will be prompted for the passphrase (certificates are coming), and for how long the access will persist (i.e. just for the file/application instance, for the login session, etc).

v1.4 – Enterprise support. This includes deploying and managing read-only configurations to clients (no Anvil account required; all is managed from a single user), and deploying and managing a base configuration to existing Anvil users.

v1.5 – Folder level duplication. This feature is taken directly from Drive Bender: you can have a file duplicated, in real time, to another location.

V1.?? – There are a number of other features we are looking at, including cloud access (using technology taken straight out of Drive Xtender) and an “events” engine that can fire based on file system access… plus a bunch of other features.

Finally… we have a number of free Anvil Premium lifetime licenses to give away. To get yours, simply create an Anvil account, install Anvil and send your first impression to support (good or bad) along with the email address used to create the Anvil account… we’ll then apply a lifetime license to your account, simple as that.

Ok, that’s all for the moment… leave a comment, and let us know what you think!

Anvil has landed

Anvil File Security has landed… with a thud, albeit a later than planned thud! We had a false start on the initial day of release but got there in the end. So… what’s what?

Introduction

What is Anvil? Anvil is ransomware and malware file protection technology built around the premise of locking down folder access. Ransomware and malware are a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware, and most often the malicious application is missed, or is discovered only after files have been damaged. Anvil changes all that with a clever rules-based engine that gives full control over access to any folder on your system. I regularly listen to the Security Now podcast with Steve Gibson, and he said it best… “In my opinion, this is the biggest concern that exists now is the threat from software that encrypts” (episode 696, 8th of January, this year). Well, Steve… I couldn’t agree more!

Features

The primary and most basic feature is Anvil’s rule-based technology. This is modelled on an old school firewall, using cascading rules to either allow or deny access to a target folder, for a given application or applications. That said, who wants to be working out a bunch of rules… well I would, but most others have little interest in such things, so we have a nice web-based interface that creates and manages the rules for you. Before we take a look at that, let’s talk rules!

Rule break down

Here we are going to get a little nerdy and break down what a rule is, and how rules work. First, a rule is made up of 3 key components:

  1. the target folder (or folders)
  2. the target application (or applications)
  3. the type of access… can write, cannot write, can read, cannot read, can list, etc. These are expressed as a letter for the operation (L for list, R for read, W for write) followed by a modifier: W+ to allow write, W- to deny write, R+ to allow read, and so on.

Rules are evaluated in order, top to bottom. The first rule whose folder and application both match decides the access (allowed or denied, as per that rule). If a rule does not match, the next rule is evaluated, and so on. Consider the following example –

Rule 1
Folders: "\My Text Files", Applications: "Notepad.exe" Access:L+R+W+
Comment: Allow write access for Notepad

If no match, move on to the next rule
Rule 2
Folders: "\My Text Files", Applications: "*" Access:L+R+W-
Comment: Block write access for all applications

If no match, move on to the next rule
Rule 3
Folders: "*", Applications: "*" Access:L+R+W+
Comment: Allow full access for all folders and applications

So if you save a file into the folder “My Text Files” using Notepad, rule 1 matches and write access is allowed (because of the W+). Rule 2 is a blocking rule that catches any other application accessing the “My Text Files” folder (notice the W-). Rules 1 and 2 combined therefore allow only Notepad to write to the folder. Because evaluation stops at the first match, order matters: if rule 2 sat above rule 1, Notepad would be blocked along with everything else. The final rule, rule 3, is the default rule created for each drive and allows full access. Obviously, blocking an entire drive would not be a great idea, so if an access is not matched by any other rule, we allow it. I should point out that while it is possible to modify this default rule, we do not recommend doing so.

In addition to the basic access rules (i.e. + to allow, – to deny), Anvil also has a number of feature-based rules.

Request mode (W?) – Instead of a flat-out “-” for deny, we can have a “?” for “request access”. When the rule is matched, Anvil displays a dialogue asking you how to proceed.

The request mode dialogue

Immutable mode (W1) – An immutable folder, or vault as we’ve called it, is a folder that allows files to be created, but not modified. That means you can save a file there, but once written, it cannot be changed.

Encrypted mode (W*) – A folder where files are encrypted on the fly using TNO (trust no one) encryption. Note, this rule type is disabled in the first releases.

Learning mode (W>) – This is more of a temporary rule. While it is in place, Anvil monitors and records all applications that access the target folder. When learning mode is disabled, the rule’s access is changed to W- and the applications that were recorded are added to the “allow” rule for future access.

A friendly face

Enough of the techie stuff, let’s talk interface. Having built a number of client/server style applications over the years, one of the killer issues is the UI/UX and maintaining client compatibility with ever-changing server code. In addition… building great-looking clients is no walk in the park, and often the best tools to do this cause other issues. For example, the Drive Bender manager is built using .NET; while it looks great, the baggage that needs to be installed to make it work is not.

When designing Anvil, we wanted 1) Clean, easy to use and easy to maintain interface… 2) Minimum dependencies, the smallest number of files to install, which means all native code. So we decided on a web client, and any machine side code had to be native… you can literally dump the Anvil files anywhere and Anvil will run.

The client interface, running in Chrome

There are some additional client tools such as a taskbar application for notifications, and a command line tool, so users can go old school and manage rules with cryptic commands.

Where do you get it, and what’s the cost?

It is available now… if you head to https://portal.anvil-fs.com and register, then follow the bouncing ball all should be golden. We have written up an installation guide if you need more help. Once installed, you are good to go, again we have put together a guide to get started.

As noted in previous blog posts, we are limiting the number of early access users; as of this post more than 50% of the available slots are gone, so don’t mess about getting registered.

As for cost, it’s pretty straightforward.
For “early access” users…

  • Premium license – $1.50/month ($18/year)
  • Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)
  • For comparison, the standard, non early access license users will be $2/month

Finally, we would love to hear your feedback, good or bad. You can leave comments here, or in the Division-M community site. If you have any technical question, shoot us a support ticket at https://support.division-m.com

Anvil File Security, ransomware and malware file protection

Anvil File Security, a new Division-M product, is a ransomware and malware file protection technology. This article is a brief technical overview of why this technology is needed, and how it works.

… but first a quick note on the name. Those who read our previous post, Drive Bender v3, arrived… and 2019!, will have noticed that the name changed from FolderWall to Anvil. After feedback from the community, we decided to change it.

Why Anvil?

First the why… ransomware/malware is a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware. For the most part this works for common variants; however, as WannaCry and Locky (two ransomware variants) have demonstrated, infection prevention is not 100% assured.

We looked at this issue in late 2016 and decided to add some form of file protection to our pooling product, Drive Bender, in its v3 roadmap. This development work was brought forward after a Drive Bender user’s pool became infected, and as a result, lost a large percentage of files.

Our approach and thinking around this issue was a little different… while protecting from infection is important, the only certain way to protect files is to control access to those files. Anvil is the technology we developed to be included with Drive Bender v3, and now we are releasing a standalone version of the same name.

How does Anvil work?

Well, the idea is simple (which is often the best): you create rules that dictate file access. So for example, a folder containing your Microsoft Office files, say a bunch of Word and Excel files (prime ransomware targets), is protected by a rule that only allows the Word and Excel processes to write to this folder. To prevent binary spoofing (i.e. a fake Word.exe process), Anvil validates the calling process during the initial rule processing, ensuring the binary in question is who it claims to be.
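The post does not say how Anvil establishes that a calling process “is who it claims to be”, so the following Python is an added illustration, not Anvil’s code, of why that step matters: an application rule keyed only on the file name lets any binary named WINWORD.EXE through, whereas binding the rule to the binary’s identity (here a pinned SHA-256 of the executable, a stand-in for whatever Anvil actually checks, such as the code-signing certificate mentioned in the mid-year post) rejects a look-alike. The two “WINWORD.EXE” files, the `demo()` helper and the function names are all constructed for the example.

```python
"""Added example (not Anvil's code): bind an application rule to the binary's
identity, not just its file name, so a fake WINWORD.EXE cannot inherit its access."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(exe_path: str, allowed_names: set) -> bool:
    # Naive check: trusts whatever the process calls itself on disk.
    return Path(exe_path).name.lower() in allowed_names


def allowed_by_identity(exe_path: str, pinned: dict) -> bool:
    # Identity check: the name must be known AND the bytes on disk must hash to
    # the value pinned for that name. A renamed or trojaned binary fails here.
    name = Path(exe_path).name.lower()
    expected = pinned.get(name)
    return expected is not None and sha256_of(exe_path) == expected


def demo() -> dict:
    """Two constructed 'WINWORD.EXE' files in a temp dir: one we pin as genuine,
    and a look-alike with different contents (both are stand-ins, not real Office)."""
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "Office", "WINWORD.EXE")
        fake = os.path.join(tmp, "Downloads", "WINWORD.EXE")
        os.makedirs(os.path.dirname(genuine))
        os.makedirs(os.path.dirname(fake))
        Path(genuine).write_bytes(b"MZ constructed genuine word binary")
        Path(fake).write_bytes(b"MZ constructed malicious look-alike")
        pinned = {"winword.exe": sha256_of(genuine)}   # the rule's pinned identity
        names = {"winword.exe"}                         # the name-only rule
        return {
            "genuine_by_name": allowed_by_name(genuine, names),
            "fake_by_name": allowed_by_name(fake, names),          # spoof succeeds
            "genuine_by_identity": allowed_by_identity(genuine, pinned),
            "fake_by_identity": allowed_by_identity(fake, pinned),  # spoof rejected
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'allow' if result else 'deny'}")
```

Hash pinning is the simplest form of identity and breaks on every legitimate update of the binary; pinning the signing certificate instead (as the mid-year post recommends) survives updates but, as that post also notes, only helps if the certificate itself has not been stolen.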

Now, that is a basic example… and while creating rules may work for advanced and enterprise users, for most, this is not a realistic option. So we have added a rule generating wizard to help with this (you can modify the underlying rules if you like). One of these wizards is a “Learning mode”, which allows you to interact with a folder (or folders) and Anvil dynamically builds the rules based on this interaction. Another mode we have is “Request mode”, whereby the user is prompted if an application wants to write to a folder (you can optionally remember the confirmation).
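The first-match cascade described in the “Rule break down” section of the “Anvil has landed” post above, together with the request, immutable and learning modes just mentioned, can be modelled in a few dozen lines. The following Python is an added illustration, not Anvil’s code: it evaluates rules top to bottom over folder and application patterns, implements the W? (ask), W1 (immutable) and W> (learning) modes, and converts a learning rule into an allow rule plus a W- catch-all when learning ends. The function names, the path normalisation, and the choice to fail closed when no rule matches or an access letter is absent are assumptions of the example; the three sample rules are the ones from the post.

```python
"""Added example (not Anvil's code): a toy first-match rule cascade in the style
of the "Rule break down" section, including the W?, W1 and W> modes."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Access modifiers as written after L/R/W in a rule's access string.
ALLOW, DENY, ASK, IMMUTABLE, LEARN = "+", "-", "?", "1", ">"


@dataclass
class Rule:
    folders: list      # e.g. ["\\My Text Files"]; "*" matches every folder
    apps: list         # e.g. ["Notepad.exe"]; "*" matches every application
    access: dict       # {"L": "+", "R": "+", "W": "-"} from parse_access()
    comment: str = ""
    learned: set = field(default_factory=set)   # apps seen while in W> mode


def parse_access(spec: str) -> dict:
    """'L+R+W-' -> {'L': '+', 'R': '+', 'W': '-'}"""
    return {spec[i]: spec[i + 1] for i in range(0, len(spec), 2)}


def _norm(path: str) -> str:
    # Drive-relative Windows path -> lowercase, forward slashes, no leading separator.
    return path.replace("\\", "/").strip("/").lower()


def folder_matches(pattern: str, path: str) -> bool:
    if pattern == "*":
        return True
    folder, target = _norm(pattern), _norm(path)
    return target == folder or target.startswith(folder + "/")


def app_matches(pattern: str, app: str) -> bool:
    return fnmatchcase(app.lower(), pattern.lower())


def evaluate(rules, path, app, op, exists=False, ask=None) -> str:
    """Walk the cascade top-down; the first rule whose folder AND application
    patterns both match decides. op is 'L', 'R' or 'W'. exists says whether the
    target file is already on disk (matters for immutable folders). ask is the
    request-mode callback; None models 'no response', which the post says is a deny."""
    for rule in rules:
        if not (any(folder_matches(f, path) for f in rule.folders)
                and any(app_matches(a, app) for a in rule.apps)):
            continue
        mode = rule.access.get(op, DENY)      # op not listed: fail closed (assumption)
        if mode == ALLOW:
            return "allow"
        if mode == DENY:
            return "deny"
        if mode == ASK:
            return "allow" if ask is not None and ask(path, app, op) else "deny"
        if mode == IMMUTABLE:
            return "deny" if exists else "allow"   # create once, never modify
        if mode == LEARN:
            rule.learned.add(app)                  # record it, and let it through
            return "allow"
        return "deny"                              # unknown mode (e.g. W*): fail closed
    return "deny"   # nothing matched; Anvil's per-drive default rule normally prevents this


def finish_learning(rules, learning_rule):
    """Leave learning mode: the recorded apps get a W+ rule inserted ahead of the
    learning rule, and the learning rule itself becomes the W- catch-all."""
    idx = rules.index(learning_rule)
    allow = Rule(list(learning_rule.folders), sorted(learning_rule.learned),
                 dict(learning_rule.access, W=ALLOW), "learned allow rule")
    learning_rule.access["W"] = DENY
    rules.insert(idx, allow)
    return rules


def example_rules():
    """The three rules from the post, top to bottom."""
    return [
        Rule(["\\My Text Files"], ["Notepad.exe"], parse_access("L+R+W+"), "Allow write access for Notepad"),
        Rule(["\\My Text Files"], ["*"], parse_access("L+R+W-"), "Block write access for all applications"),
        Rule(["*"], ["*"], parse_access("L+R+W+"), "Allow full access for all folders and applications"),
    ]


if __name__ == "__main__":
    rules = example_rules()
    for app in ("Notepad.exe", "ransom.exe"):
        print(app, "write ->", evaluate(rules, "\\My Text Files\\notes.txt", app, "W"))
```

Note that the learning rule records every application that touches the folder while it is active, so anything already running in the background during that window ends up in the generated allow rule; review the learned list before ending learning mode.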

Here are the highlights shipping in the early access release:

  • File write restrictions to designated folders. This means that you get to specify the applications that can write to a folder.
  • File read and list restrictions on designated folders. In addition, to write restrictions, you can also limit what applications can read a file, or even list the contents of a folder.
  • A request option: file write restrictions based on a prompt to the user (failing to respond results in access denied). This allows you to selectively allow an application that wants to write to a folder at the time of access.
  • Learning mode captures what applications you use in a selected folder, then builds the rules to only allow those applications in the future.
  • An immutable folder allows any application to write to the folder, but once written, a file can never be modified.
  • Command line interface, if you’re keen, you can go old school and go to the console

Some premium features that are in the works, or being investigated:

  • Encrypted folder, any writes to this folder are encrypted using TNO (trust no one) encryption, only you know the keys to decrypt files
  • Canary files… create any number of files named whatever you like, and if any of these files are ever accessed, you’ll know you have been compromised.
  • Action based file system changes, all file-based changes trigger actions that can perform external tasks
  • Cloud services access, use Drive Xtender cloud components to sync to cloud services

What’s it all worth?

Given the work that will be required to ensure Anvil remains secure, we are licensing Anvil File Security as a subscription-only model. Here is a breakdown of pricing (billed annually):

  • Standard license – $2/month ($24/year)
  • Premium license – TBA

For “early access” users… happy days

  • Premium license – $1.50/month ($18/year)
  • Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)

Cost is per machine; each additional machine adds $0.50/month.

Note – The final Premium features are yet to be finalized, we do know encryption and canary files will be included… but other than that, we are still working on features and cost. We are also building an enterprise version, allowing an enterprise to protect files sitting on employee machines.

When’s it going to be available?

The early access version was scheduled for Valentine’s Day (the 14th of February), but we are a little delayed, as we had to resolve a bug that was found on the day of release. As of the 6th of March the bug has been sorted, and we are now testing to ensure all is 100% before releasing. In the meantime, check out the “Request” mode demo video.

Finally, early access spots are limited, and we have had quite a number of registrations already (so much so that we released an extra batch), so register at https://portal.anvil-fs.com to secure your early access spot.

Become an early access user, register now