User data files are decoy files that are owned by the sensor and hidden throughout the filesystem. These files are designed to be interesting to ransomware and are encrypted early in a ransomware attack. To determine whether an alert was caused by a canary file, use this process.
Because these false positives are generated by the Enhanced Ransomware Detection available in Sensor version 3.0.x.x and higher, both of the aforementioned false positives occur regardless of application reputation or policy. While we work on a resolution to these issues, there are two ways to filter these false positives out of your Alert view:
- When using the alerts page use the search query: NOT (KERNEL_ACCESS OR SET_SYSTEM_FILE OR DATA_TO_ENCRYPTION OR ACCESS_DATA_FILES)
- Dismiss alerts for trusted applications and select the 'Apply for future instances' checkbox. Make sure the 'Group Alerts' option is turned on; otherwise 'Apply for future instances' has no effect.
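As an added illustration (not part of the original article), a small Python triage helper that applies the same NOT (...) query to constructed sample alerts and, as a safety check, lists hidden alerts that also carry TTPs outside the false-positive set, since the query hides an alert as soon as any listed TTP is present. The record layout (dicts with "id", "application" and a "ttps" list) and the sample TTP values other than the four in the query are assumptions, not the product's export format.

```python
# Added example: emulate the Alert-view filter on exported alert records.
# The record layout (dicts with "id", "application" and a list in "ttps")
# is an assumption, not the product's export format.
FALSE_POSITIVE_TTPS = {
    "KERNEL_ACCESS",
    "SET_SYSTEM_FILE",
    "DATA_TO_ENCRYPTION",
    "ACCESS_DATA_FILES",
}

# Constructed sample alerts for the demonstration; "RUN_UNKNOWN_APP" stands
# in for any TTP that is not one of the four ransomware-detection TTPs.
SAMPLE_ALERTS = [
    {"id": "a1", "application": "backup.exe", "ttps": ["DATA_TO_ENCRYPTION"]},
    {"id": "a2", "application": "notepad.exe",
     "ttps": ["ACCESS_DATA_FILES", "RUN_UNKNOWN_APP"]},
    {"id": "a3", "application": "unknown.exe", "ttps": ["RUN_UNKNOWN_APP"]},
    {"id": "a4", "application": "sync.exe",
     "ttps": ["KERNEL_ACCESS", "SET_SYSTEM_FILE"]},
]


def survives_filter(alert):
    """True if the alert is still shown under
    NOT (KERNEL_ACCESS OR SET_SYSTEM_FILE OR DATA_TO_ENCRYPTION OR ACCESS_DATA_FILES)."""
    return not (set(alert["ttps"]) & FALSE_POSITIVE_TTPS)


def apply_view_filter(alerts):
    """Split alerts into (shown, hidden), the way the search query does."""
    shown = [a for a in alerts if survives_filter(a)]
    hidden = [a for a in alerts if not survives_filter(a)]
    return shown, hidden


def hidden_but_worth_review(alerts):
    """Hidden alerts that also carry TTPs outside the false-positive set.

    The NOT query excludes an alert when any listed TTP is present, so an
    alert that fired for an unrelated reason as well drops out of the view
    together with the pure false positives; these deserve a manual look."""
    _, hidden = apply_view_filter(alerts)
    return [a for a in hidden if set(a["ttps"]) - FALSE_POSITIVE_TTPS]
```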