Carbon Black Cloud: Why Aren't Decoy/Canary Files Hidden?

Article ID: 288911

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Why are the decoy (canary) files included with Enhanced Ransomware detection in sensor versions 3.0 and above not hidden?

Environment

  • Carbon Black Cloud Sensor: Version 3.0 and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions

Resolution

Hiding these files reduces their effectiveness, because some ransomware strains intentionally skip hidden files. Keeping the files visible provides better ransomware detection efficacy.

Additional Information

  • If these files are modified in any way, the sensor replaces them with new copies, because it checks the files on a regular basis.
  • Some false positives were introduced with these files; Engineering is reviewing and resolving them.
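
The design described above can be illustrated with a minimal canary check, added here as an example and not taken from the Carbon Black sensor: decoys are written as ordinary visible files, each periodic pass reports any decoy that is missing, hidden, or modified, and the affected decoy is replaced with a fresh copy. The decoy names, contents, and function names are assumptions made for this example.

```python
import hashlib
import stat
from pathlib import Path

# Constructed decoy names and contents (assumptions for this example only).
DECOYS = {
    "quarterly_report.docx": b"constructed decoy content A",
    "budget.xlsx": b"constructed decoy content B",
}

def is_hidden(path: Path) -> bool:
    """True if the OS would hide this file from a normal directory listing."""
    if path.name.startswith("."):            # dotfile convention (macOS, Linux)
        return True
    st = path.stat()
    win = getattr(st, "st_file_attributes", 0) & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    mac = getattr(st, "st_flags", 0) & getattr(stat, "UF_HIDDEN", 0)
    return bool(win or mac)

def deploy(folder: Path) -> dict:
    """Write the decoys as ordinary visible files; return a {path: sha256} baseline."""
    baseline = {}
    for name, data in DECOYS.items():
        path = folder / name
        path.write_bytes(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline

def check(baseline: dict) -> list:
    """One periodic pass: report each decoy that changed, then replace it."""
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            reason = "missing"               # deleted or renamed
        elif is_hidden(path):
            reason = "hidden"
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            reason = "modified"
        else:
            continue
        alerts.append((path.name, reason))
        path.unlink(missing_ok=True)         # drop the altered file, if any
        path.write_bytes(DECOYS[path.name])  # fresh visible copy
    return alerts
```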