Anvil has landed

Anvil File Security has landed… with a thud, albeit a later than planned thud! We had a false start on the initial day of release but got there in the end. So… what’s what?

Introduction

What is Anvil? Anvil is ransomware and malware file protection technology built around the premise of locking down folder access. Ransomware and malware are a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware; most often, the malicious application is missed, or discovered only after files have been damaged. Anvil changes all that with a clever rules-based engine that gives full control over access to any folder on your system. I regularly listen to the Security Now podcast with Steve Gibson, and he said it best… “In my opinion, this is the biggest concern that exists now is the threat from software that encrypts” (episode 696, 8th of January, this year). Well, Steve… I couldn’t agree more!

Features

The primary and most basic feature is Anvil’s rule-based technology. This is modelled on an old school firewall, using cascading rules to either allow or deny access to a target folder for a given application or applications. That said, who wants to be working out a bunch of rules… well, I would, but most others have little interest in such things, so we have a nice web-based interface that creates and manages the rules for you. Before we take a look at that, let’s talk rules!

Rule break down

Here we are going to get a little nerdy and break down what a rule is, and how rules work. First, a rule is made up of 3 key components:

  1. the target folder (or folders)
  2. the target application (or applications)
  3. the type of access… can write, cannot write, can read, cannot read, etc. These are expressed as W+ to allow write, W- to deny write, R+ to allow read, and so on.

Rules are evaluated in order; if a rule matches, access is granted or denied as per that rule. If no match is found, the next rule is evaluated, and so on. Consider the following example:

Rule 1
Folders: "\My Text Files", Applications: "Notepad.exe", Access: L+R+W+
Comment: Allow write access for Notepad

If no match, move on to the next rule
Rule 2
Folders: "\My Text Files", Applications: "*", Access: L+R+W-
Comment: Block write access for all applications

If no match, move on to the next rule
Rule 3
Folders: "*", Applications: "*", Access: L+R+W+
Comment: Allow full access for all folders and applications

So if you save a file into the folder “My Text Files” using Notepad, rule 1 is a match, and write access is allowed (because of the W+). Rule 2 is a blocking rule and is in place to catch any other application accessing the “My Text Files” folder (notice the W-). Basically, rules 1 and 2 combined only allow Notepad to write to the folder. The final rule, rule 3, is a default rule created for each drive that allows full access. Obviously, blocking an entire drive would not be a great idea, so if access is not matched by any other rule, we allow full access. I should point out that while it is possible to modify this default rule, we do not recommend doing so.

Other than basic access rules (i.e. + for access, – for deny), Anvil also has a number of feature-based rules.

Request mode (W?) – Instead of a flat out “-” for deny, we can have a “?” for “request access”. When the rule is matched, Anvil displays a dialogue asking you how to proceed.

The request mode dialogue

Immutable mode (W1) – An immutable folder, or vault as we’ve called it, is a folder that allows full access, but no modification. That means you can save a file there, but once written, it cannot be modified.

Encrypted mode (W*) – A folder where files are encrypted on the fly using TNO (trust no one) encryption. Note, this rule type is disabled in the first releases.

Learning mode (W>) – This is more of a temporary rule; while it is active, Anvil monitors and records all applications that access the target folder. When learning mode is disabled, the rule access is changed to W- and the applications that were recorded are added to the “allow” rule for future access.
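Putting the rule break down and the feature modes above into code, as an added example (not Anvil’s own code): a toy first-match evaluator over the three rules from the post plus one rule per mode. The tuple layout, the comma-separated application list and the simulated request prompt (`ask` callback) are this example’s assumptions.

```python
import fnmatch

# Constructed rule set: the three rules from the post plus one rule per
# feature mode. Tuple layout is this example's assumption, not Anvil's format.
RULES = [
    ('\\My Text Files', 'Notepad.exe', 'L+R+W+'),  # rule 1: Notepad may write
    ('\\My Text Files', '*',           'L+R+W-'),  # rule 2: everyone else denied write
    ('\\Vault',         '*',           'L+R+W1'),  # immutable folder (vault)
    ('\\Inbox',         '*',           'L+R+W?'),  # request mode: prompt the user
    ('*',               '*',           'L+R+W+'),  # rule 3: default, full access
]

def parse_access(spec):
    """'L+R+W-' -> {'L': '+', 'R': '+', 'W': '-'} (letter, mode pairs)."""
    return {spec[i]: spec[i + 1] for i in range(0, len(spec) - 1, 2)}

def folder_matches(pattern, folder):
    """'*' matches anything; otherwise the folder itself or any subfolder."""
    p, f = pattern.lower().rstrip('\\'), folder.lower().rstrip('\\')
    return pattern == '*' or f == p or f.startswith(p + '\\')

def app_matches(pattern, app):
    """Case-insensitive wildcard match against a comma-separated app list."""
    return any(fnmatch.fnmatchcase(app.lower(), p.strip().lower())
               for p in pattern.split(','))

def decide(op, folder, app, rules=RULES, exists=False,
           ask=lambda rule: False, learned=None):
    """First-match evaluation of op ('L', 'R' or 'W') for app on folder.
    Modes follow the post: + allow, - deny, ? prompt via ask(), 1 immutable
    (write allowed only if the file does not exist yet), > learning (allow
    and record the application). Unmatched access is denied."""
    for rule in rules:
        f_pat, a_pat, spec = rule
        if not (folder_matches(f_pat, folder) and app_matches(a_pat, app)):
            continue
        mode = parse_access(spec).get(op, '-')
        if mode == '+': return 'allow'
        if mode == '?': return 'allow' if ask(rule) else 'deny'
        if mode == '1': return 'deny' if exists else 'allow'
        if mode == '>':
            if learned is not None: learned.append(app)
            return 'allow'
        return 'deny'          # '-' or an unknown mode
    return 'deny'              # nothing matched (rule 3 normally prevents this)

def finish_learning(folder, learned):
    """Close a learning rule: allow the recorded apps, deny everything else."""
    apps = ','.join(sorted(set(learned), key=str.lower))
    return [(folder, apps, 'L+R+W+'), (folder, '*', 'L+R+W-')]
```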

A friendly face

Enough of the techie stuff, let’s talk interface. Having built a number of client/server style applications over the years, one of the killer issues is the UI/UX and maintaining client compatibility with ever-changing server code. In addition… building great looking clients is no walk in the park, and often, the best tools to do this may cause other issues. For example, the Drive Bender manager is built using .NET; while it looks great, the baggage that needs to be installed to make it work is not.

When designing Anvil, we wanted 1) a clean, easy to use and easy to maintain interface… 2) minimum dependencies, the smallest number of files to install, which means all native code. So we decided on a web client, and any machine side code had to be native… you can literally dump the Anvil files anywhere and Anvil will run.

The client interface, running in Chrome

There are some additional client tools such as a taskbar application for notifications, and a command line tool, so users can go old school and manage rules with cryptic commands.

Where do you get it, and what’s the cost?

It is available now… if you head to https://portal.anvil-fs.com and register, then follow the bouncing ball all should be golden. We have written up an installation guide if you need more help. Once installed, you are good to go, again we have put together a guide to get started.

As noted in previous blog posts, we are limiting the number of early access users; as of this post, more than 50% of the available slots are gone, so don’t mess about getting registered.

As for cost, it’s pretty straightforward.
For “early access” users…

  • Premium license – $1.50/month ($18/year)
  • Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)
  • For comparison, the standard, non early access license users will be $2/month

Finally, we would love to hear your feedback, good or bad. You can leave comments here, or in the Division-M community site. If you have any technical questions, shoot us a support ticket at https://support.division-m.com

Anvil File Security, ransomware and malware file protection

Anvil File Security, a new Division-M product, is a ransomware and malware file protection technology. This article is a brief technical overview of why this technology is needed, and how it works.

… but first a quick note on the name. Those who read our previous post, Drive Bender v3, arrived… and 2019!, will have noticed the name changed from FolderWall to Anvil. After feedback from the community, we decided to change the name.

Why Anvil?

First the why… ransomware and malware are a significant issue, with attacks becoming more sophisticated in how they infect targets. While there are any number of products to protect against infection, they generally rely on heuristic analysis to block malware. For the most part, this works for common variants; however, as WannaCry and Locky (two examples of ransomware variants) have demonstrated, infection prevention is not 100% assured.

We looked at this issue in late 2016 and decided to add some form of file protection to our pooling product, Drive Bender, in its v3 roadmap. This development work was brought forward after a Drive Bender user’s pool became infected and, as a result, lost a large percentage of its files.

Our approach and thinking around this issue was a little different… while protecting from infection is important, the only certain way to protect files is to control access to those files. Anvil is the technology we developed to be included with Drive Bender v3, and now we are releasing a standalone version of the same name.

How does Anvil work?

Well, the idea is simple (which is often the best): you create rules that dictate file access. So for example, a folder containing your Microsoft Office files, say a bunch of Word and Excel files (prime ransomware targets), is protected by a rule that only allows the Word and Excel processes to write to this folder. To prevent binary spoofing (i.e. a fake Word.exe process), Anvil validates the calling process during the initial rule processing, ensuring the binary in question is who it claims to be.

Now, that is a basic example… and while creating rules may work for advanced and enterprise users, for most, this is not a realistic option. So we have added a rule generating wizard to help with this (you can modify the underlying rules if you like). One of these wizards is a “Learning mode”, which allows you to interact with a folder (or folders) and Anvil dynamically builds the rules based on this interaction. Another mode we have is “Request mode”, whereby the user is prompted if an application wants to write to a folder (you can optionally remember the confirmation).

Here are the highlights shipping in the early access:

  • File write restrictions to designated folders. This means that you get to specify the applications that can write to a folder.
  • File read and list restrictions on designated folders. In addition to write restrictions, you can also limit what applications can read a file, or even list the contents of a folder.
  • A request option: file write restrictions based on a prompt to the user (failing to respond results in access denied). This allows you to selectively allow an application that wants to write to a folder at the time of access.
  • Learning mode captures what applications you use in a selected folder, then builds the rules to only allow those applications in the future.
  • An immutable folder allows any application to write to the folder, but once written, a file can never be modified.
  • Command line interface: if you’re keen, you can go old school and go to the console.

Some premium features that are in the works, or being investigated:

  • Encrypted folder: any writes to this folder are encrypted using TNO (trust no one) encryption; only you know the keys to decrypt files.
  • Canary files… create any number of files named whatever you like, and if any of these files are ever accessed, you’ll know you have been compromised.
  • Action based file system changes: all file-based changes trigger actions that can perform external tasks.
  • Cloud services access, use Drive Xtender cloud components to sync to cloud services

What’s it all worth?

Given the work that will be required to ensure Anvil remains secure, we are licensing Anvil File Security as a subscription-only model. Here is a breakdown of pricing (billed annually):

  • Standard license – $2/month ($24/year)
  • Premium license – TBA

For “early access” users… happy days

  • Premium license – $1.50/month ($18/year)
  • Premium license for existing Drive Bender / Xtender users – $1/month ($12/year)

Cost is per machine; for each additional machine, add $0.50/month.

Note – The final Premium features are yet to be finalized; we do know encryption and canary files will be included… but other than that, we are still working on features and cost. We are also building an enterprise version, allowing an enterprise to protect files sitting on employee machines.

When’s it going to be available?

The early access version was scheduled for Valentine’s Day (the 14th of February), but we are a little delayed, as we had to resolve a bug that was found on the day of release. As of the 6th of March, the bug has been sorted, and we are now testing to ensure all is 100% before releasing. In the meantime, check out the “Request” mode demo video.

Finally, early access spots are limited, and we have had quite a number of registrations already (so much so that we released an extra batch), so register at https://portal.anvil-fs.com to secure your early access spot.

Become an early access user, register now