Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Like a canary in a coal mine, a Canary file is a sacrificial test to indicate a hazard.
Canary files, and files on canary shares, look desirable for ransomware to infect, but are not valuable to the business.
Rule Creation
- To create a Canary File rule, from the ZeroLock® Management Console (ZMC), go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu, select Add New Rule.
- When you select Add New Rule, the New Policy Rule screen appears. Complete the form with the following information:
- Enter a name. Ex. Spreadsheet Canary File
- Description. Ex. Protecting important spreadsheets.
- From the drop-down menu, select Canary File.
- Enter the path to a file you wish to protect. Ex. /etc/passwords.txt
Note: ZeroLock will recognize when the path is accessed but will NOT allow it to be over-written. - It’s recommended to use an odd number to appear realistic. Example - 243
- Lastly, select CREATE.
Add New Policy
Once the rule is created, it must be applied to a policy.
- From the Dashboard menu, select Policies, then Add New Policy.
- On the New Policy pop-up screen, give your new policy a name and description. To add the new Canary File rule to the policy, click the Add Rules button.
- Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.
- Select the Canary rule, then click Add Selected, which returns to the New Policy screen. Select Create, and you have a new policy.
Create a New Configuration Profile
This new Canary File policy needs to be added to a configuration profile to be applied to an endpoint.
- To do this, System Configuration | Config Profiles, where you will click the Add New Profile tab.
- Enter a name and description for the configuration profile you are creating. From the Default Control Policy box, select Canary File Policy from the default drop-down menu, then click Create.
- The Canary File Profile is now listed among the available profiles.
Apply a New Profile to an Endpoint
The final step is to apply this profile to an endpoint.- Go to Endpoints and select an endpoint to apply the Canary File policy. Then, from the Actions drop-down menu, select Set Endpoint Config.
- From the drop-down menu, select Canary File Profile, then click Set Configs.
- Now, when you return to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the Canary File profile.