Carbon Black Cloud: Why Aren't Decoy/Canary Files Hidden?
Article ID: 288911
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Issue/Introduction
Why are the decoy or canary files included with Enhanced Ransomware detection for the 3.0 Sensors and above not hidden?
Environment
Carbon Black Cloud Sensor: Version 3.0 and Higher
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions
Resolution
Hiding these files reduces their effectiveness, because some ransomware strains intentionally skip hidden files. Keeping these files visible provides better ransomware detection efficacy.
Additional Information
The sensor checks these files on a regular basis; if they are modified in any way, it replaces them with new copies.
Some false positives were introduced with these files, and those are being reviewed and resolved by Engineering.