Anchor by Process

What is Anchor-by-Process, and how does it work?

Anchor-by-Process (AxP) is a set of features that give you the ability to control and protect files created by specific applications and processes.

AxP is designed to automate the protection of files created and handled by applications (or processes) that you select. As an administrator you can select which process or groups of processes will automatically create Anchored files for a specific user role. You can also determine which file types these processes create are protected or ignored. The steps below explain how to configure any application as an AxP application.

Configuring a new AxP application.

Step 1 - Select a User Role to edit.

1. In the Anchor admin dashboard, go to Settings > User Roles.

2. Under the specific User Role for which you want to enable Anchor-by-Process, click on the vertical dots icon under Actions. Then click Edit.

Step 2 - Add a new Anchor-by-Process collection.

1. Click Anchor by Process > Collections > Add New.

Step 3 - Configure a new Anchor-by-Process collection.

1. Under Collection Name, enter a name for the collection.

2. Choose whether or not you would like to allow users to save Anchored data to unprotected plaintext using the Enforce Anchor outside of protected folders checkbox. Click here for more information on this feature.

   • Use the Allow process to open Anchored files in non protected folders checkbox to allow this application to open Anchored files in non protected folders. Click here for more information on this option.
   • Use the Revoke Access option to deny access to files to users who go out of context. Click here for more information on the Revoke Access option.

3. Next, using the radio buttons, select whether you want to specify AxP processes by name or folder.

   • By name: Files created by processes specifically named will be automatically
     Anchored. This is recommended when working with a small number of
     processes.

   • By folder: Files created by all processes located in the folder path(s) you have specified will automatically be Anchored. This is recommended when working with many processes or if the processes are subject to change

4. Enter the path to the folder(s) or the process(es), depending on which radio button option you selected. Note: You cannot add Office applications as AxP applications by folder, you must add them using the process name. This prevents unintended data loss.

5. Select how you want Anchor to handle data saved by your selected process(es) and the protected file extensions.

   • Protect: Files with the file extensions you specify in the next step will be protected when they are created, saved, and exported by Anchor-by-Process applications. This option tells Anchor to protect the chosen extensions and not protect everything else.

   • Ignore: Files with the file extensions you specify in the next step will not be protected when they are created, saved, and exported by Anchor-by-Process applications. Ignore tells Anchor not to protect the files with those extensions and protect everything else. If one or more of the file extensions in the list is also configured as an Anchor Protected file extension, Anchor will Anchor the ignored extensions when they are in a protected folder.

6. Choose which file extensions you want to protect or ignore. You should not prefix extension names with a dot "." when completing this field. Use a comma to separate multiple extensions, e.g., txt, rtf, xlsx.

7. Finally,click Add new collection.

This warning dialog appears if you choose not to enforce Anchor outside of protected folders in step 2.

Using wildcards in AxP process paths.

You can add the full path to the process executable, for example, C:\Program Files\acad\acad.exe. You can repeat this to add as many process paths as you like.

However, it may be more efficient to use wildcards. Wildcards are very useful if, for instance, you want to add a process in many individual users' Desktop folders. You can do this once, for all users, rather than once for each user.

You can use this syntax, C:\Users\%username%\Desktop\example.exe.

Anchor will substitute the %username% wildcard for all the different usernames in your organization.

Currently, Anchor only supports the %username% wildcard.

You should be careful to avoid using the %username% wildcard at the end of the path, for example like this, C:\Users\%username%\, because it tells Anchor that you want all the applications for all users to be AxP applications. Only do this if you are absolutely sure of what you are doing!

Note: After configuring an AxP application, users will see a notification informing them that AxP will anchor all files created by that application. The notification will be displayed when the AxP application is launched.

Known Limitations of Anchor-by-Process

If I revoke access to a file Anchored via AxP, when will it take effect?

• If you revoke access to a file Anchored via Anchor-by-Process while it is open, Anchor will behave differently depending on the application.

• If the Anchored file is opened with an Anchor-by-process application, the User will still have access to the file until they close it. Only after closing the file will the revoked access take effect.

• If the file was anchored via an Admin Approved Application, and the file is not open, it will not be accessible the next time the user tries to open it. If the file is open, the user will still have access until they close it. Only after closing the file will the revoked access take effect.

What file extensions are not Anchored by AxP?

AxP will not automatically anchor the following files extensions.

.dll .exe .bat .rdp .iso .atcf .lib .wbk .msi .ini 

If you want to automatically Anchor any of the above file extensions, you must work with and save them in a protected folder.

Will files Anchored by AxP show comprehensive access logs?

Files anchored via Anchor-by-Process do not show comprehensive access logs. The access logs will only show where the file was Anchored. However, the full logs are still held in our secure cloud.