Getting started wizard
Once you have installed Anvil, Anvil will display the getting started wizard... this will apply protection rules on the following folders
- <USER_FOLDER>\appdata\local\microsoft\outlook (*)
- <USER_FOLDER>\appdata\roaming\microsoft\outlook (*)
- <USER_FOLDER>\appdata\roaming\microsoft\windows\start menu\programs\startup (**)
- \programdata\microsoft\windows\start menu\programs\startup (**)
The folders marked with (*) are to protect Outlook data files, the folders marked with (**) are folders protected if you choose to the "protect startup folders" option.
The wizard creates rules which only allow signed application to write to these folders. While there are malicious signed applications in existence, these are generally vectors to deploy exe's that are not signed... and as such would be caught by Anvil.
That said, you are able to lock this down to applications specifically signed by select vendors, or explicitly define the applications themselves.
Protecting a folder
Anvil is a very powerful tool, but we have taken a great deal of time in crafting an interface that is easy to use. There are a number of ways to interact with Anvil.
- The online portal at portal.anvil-fs.com, this is the main management tool.
- The Anvil tray application. The tray application is available from the taskbar, and is primarily a notification application, although it does have some limited UI feature.
- The Anvil terminal (command line) tool. This is more of a power user tool, and can be used to update rules, or manage advanced system options.
The portal contains a number of wizards used to protect folders, here, we are going to give you a quick run-through on protecting a demo folder, and only allowing common Windows application such as Notepad and Wordpad to access files with this folder.
- To start with, create a test folder (i.e. C:\My Test Folder)
- Next, we are going to protect this folder by only allowing "notepad" to write to the folder. From within the portal, select the "Protect folder" button for the target drive
- The initial dialog has a dropdown that you can pick a wizard from... select "Folder protection, limit access for selected applications", then "Next"
- From the folder dropdown, select the test folder you created earlier, then "Next"
- Here we need to "whitelist" applications, in this guide we want to whitelist Notepad only, but you can whitelist many applications, and add new applications later. Note - If you cannot find the application you are looking for in the list, start the application, then switch to "Running applications", here you will see all applications running on your system.
- Once you have selected your application(s)... select "Next"
- From here you can edit the name and description, recommend you do this when creating "real world" rules. As a side note, there is a "prompt" checkbox option, this tells Anvil to pop up a prompt if an unauthorized application attempts to write to the folder... for the moment, leave unchecked, we'll come back to it later.
- After selecting "Next", you'll get a summary, from here click "Create"
- Now... you'll notice the rule is display, but you'll also see options to "Save the changes", or "Roll back the changes". So it's obvious that you can save or abort... lets hit save.
Now you should have your first rule in place... and that test folder will be "well-protected"... let's see!
- Open Notepad, add some content, then save to your test folder... if we have done well, it will save without issue.
- Next open Wordpad (so similar), add some content, then save... you should be confronted with an error, asking you to save elsewhere.
At this point, you should be getting the idea! But let's try a few more tests. Open Windows Explorer, navigate to your test folder, right-click and select "New" -> "Text Document". You will get a "new text document"... but wait, our rule only allowed Notepad to write to the folder, what is going on here? The answer is simple, Anvil has a bunch of pre-approved whitelisted Microsoft (signed) applications, and Windows Explorer is one of them. Remember, Anvil is here to protect against unauthorized application or processes, hence the pre-approved apps! Note - You can override the pre-approved list, see here.
More to come... stay tuned.