How to Verify a Decoy/Canary File is involved in an Alert
Article ID: 290539
Updated On:
Products
Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Provide guidance on identifying Alerts linked to a decoy or canary file
Environment
- Carbon Black Cloud Console: All Versions
- Endpoint Standard
- Carbon Black Cloud Sensor: All Supported Versions
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Resolution
- Go to the Alerts page
- Search for alerts where the reason code is T_CANARY
reason_code:T_CANARY
- Resulting list is Alerts linked to canary files
Additional Information
- If 'T_CANARY' is listed as the reason for the Alert the file is a canary or decoy file; the alert should still be investigated to determine if it's a threat
- Canary or decoy files are created by the sensor for Ransomware Protection
Feedback
Yes
No
Powered by
