Anvil, by default, pre-approves a number of signed, Windows applications or processes. This is done to improve performance, however, it can mean file modification is possible under some conditions. Some of the more popular applications we pre-approve, which could allow for file modifications are
- explorer.exe - This is the file manager used in Windows
- dllhost.exe - This is a surrogate process that works on behalf of other processes.
Having these pre-approved application means, that, Windows Explorer is able to delete a file without an explicit rule in place. For most users this is fine (remember we are only wanting to protect from malicious application and processes), however, there may be times when you do not want this behaviour, and want to control every process that interacts with the file system.
Overriding the pre-approved list
The easiest way to override this list and allow the above applications and processes is via the Anvil Terminal. From the Anvil tray application, right-click and select "Open Anvil terminal". From the prompt, type the following (note the -d:X is the target drive, change X to drive letter)
option -n:preapproved_cache_override -d:X -v:explorer.exe,dllhost.exe
Important - You need to restart after applying this change
In the above example, we are applying this to the C: drive. If you wish to apply this globally (i.e. all drives), omit the -d option.
option -n:preapproved_cache_override -v:explorer.exe,dllhost.exe
Resetting the pre-approved override list
To reset the values back to the default
option -n:preapproved_cache_override -d:X -v:<empty>
option -n:preapproved_cache_override -v:<empty>