How to configure 4.0+ sensor to use hard links for canary files rather than actual files

• Carbon Black Cloud Sensor: 4.0 and Higher
• Microsoft Windows: All Supported Versions

1. Enable bypass mode on the sensor from the Carbon Black Cloud Console
2. Open cfg.ini (C:\ProgramData\CarbonBlack\DataFiles\cfg.ini) with Notepad (Notepad++.exe with Admin privilege is recommended)
3. Add the following line:
   

   UseHardLinksForCanaries=true

4. Save changes to cfg.ini with "Save As" option; maintain the same file name and select a destination outside of the cfg.ini directory
5. Move the old cfg.ini file out of it's current directory (to keep as a backup)
6. Move the new cfg.ini file with the "UseHardLinksForCanaries" entry into C:\ProgramData\CarbonBlack\DataFiles\cfg.ini
7. Run the following repcli command. Review the following KB if needed: How to Access RepCLI Utility
   

   c:\program files\confer\repcli" updateconfig

8. Disable bypass mode on the sensor from the Carbon Black Cloud Console

• This configuration will be persistent on the endpoint until manually removed
• UseHardLinksForCanaries can also be set by our Cloud backend:  a Support case should be logged if that needed, and case should include a request to enable UseHardLinksForCanaries, and which policies/endpoints (or entire org) you would like to apply
• Hard Links are considered less secure than actual canary files, as randsomware may skip non-physical files
• Hard Links will take up less storage on physical disk than individual files, and may improve performance