Why Anvil... well, let's answer that question
First, what is Anvil's purpose? Its primary purpose is to protect files from unwanted or unintended modification. The most obvious source of which is malware and ransomware. Anvil does this by providing a rules-based engine that is very binary in nature... that is we don't rely on guessing who are the good and bad actors, we simply have rules that determine access for all.
Doesn't normal AV software protect files? Generally no, while a number of AV solutions do have some form of file monitoring, it's often an afterthought and offers little in the way of configuration. Anti-virus mostly relies on process filtering, to catch malware as it attacks or infects your system. So to answer the question, no, they generally won't offer the explicit file protect Anvil can.
Won't backups protect my files? Well yes... and no. You should always backup regardless, but backups can be a double-edged sword, if you have multiple backups in rotation, and you catch things quickly, you may be able to restore clean files... but in a lot of cases, you are left with backups of the very encrypted files you are trying to restore.
The exception as previously noted... how does Windows Defender differ? Windows Defender, under Windows 10 (1709 and above) has a feature called "Controlled Folder Access", which, if configured correctly, can perform in a similar manner to Anvil... however, there are a number of caveats.
- You must be running Windows 10, 1709 and later.
- You need to be running Windows Defender, if you run another AV solution, this feature is disabled.
- You are relying on Windows Defender to determine which actors are good, and which actors are bad. Now, we would argue that, if such detection was robust, there would be no need for Controlled Folder Access in the first place. The key issue here is that a lot of malware can get through such detection either through Windows exploits, or trojan style attacks, for example, a malicious "signed" application (more on these later).
- One of the biggest caveats is that an application, that has gained administrative rights, is able to programmatically "whitelist" itself, bypassing any scrutiny by Controlled Folder Access.
- Last, but not least... there are a number of documented exploits that can circumvent Controlled Folder Access.
So in summary, AV solutions don't offer explicit file protection, backups can be hit and miss, and all bets are off if running Controlled Folder Access and the malicious app bypasses detection or gains admin privileges... which can often be obtained through some form of social engineering (following a link in an email for example), so this is far easier than you might think.
Now, with regards to "signed" applications... unfortunately, signed applications are fast becoming an entry point for attacks. The number of major software vendors losing control of their certificates is growing at an alarming rate. Those users that have installed Anvil, and run the getting started wizard, would be aware that the default protection allows for "all" signed application... we do recommend locking access down to specific certificates, and we are working on improving this in future versions.
So this brings us to... why Anvil? Well, let's start by saying, "prevention is better than a cure"... here is a rundown
- Having explicit rules around folder access leaves no room for ambiguity
- Rules cannot be changed even if the malicious app gains admin privileges
- Rights to change folder access is determined "off machine", that is, authentication occurs in the cloud, and not on the host machine. A token, with a limited life, is generated on the Anvil server and is required to modify any rules.
- Anvil was developed with a security-first ethos, not a "safe default" mindset. For a more complete breakdown of how Anvil secures itself, see "Securing Anvil".
- In addition, Anvil is a file system platform that allows us to bolt on features such as folder level file encryption (coming in v1.2), file duplication and cloud drive support.
Hopefully, we have answered some of the questions users have asked, if you have any more, feel free to submit a support request.
Article is closed for comments.