How to Create and Apply a Canary File Rule

Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Like a canary in a coal mine, a Canary file is a sacrificial test to indicate a hazard.

    Canary files, and files on canary shares, look desirable for ransomware to infect, but are not valuable to the business. 

    Rule Creation

    1. To create a Canary File rule, from the ZeroLock® Management Console (ZMC), go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu, select Add New Rule.

    2. When you select Add New Rule, the New Policy Rule screen appears.  Complete the form with the following information:
      1. Enter a name.   Ex. Spreadsheet Canary File
      2. Description.   Ex. Protecting important spreadsheets.
      3. From the drop-down menu, select Canary File.
      4. Enter the path to a file you wish to protect.  Ex. /etc/passwords.txt
        Note:  ZeroLock will recognize when the path is accessed but will NOT allow it to be over-written.
      5. It’s recommended to use an odd number to appear realistic.  Example - 243
      6. Lastly, select CREATE.


    Add New Policy


    Once the rule is created, it must be applied to a policy.

    1. From the Dashboard menu, select Policies, then Add New Policy.

    2. On the New Policy pop-up screen, give your new policy a name and description. To add the new Canary File rule to the policy, click the Add Rules button.
    3. Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.

    4. Select the Canary rule, then click Add Selected, which returns to the New Policy screen.  Select Create, and you have a new policy.


    Create a New Configuration Profile

    This new Canary File policy needs to be added to a configuration profile to be applied to an endpoint.

    1. To do this, go to System Configuration | Config Profiles and click the Add New Profile tab.

    2. Enter a name and description for the configuration profile you are creating. From the Default Control Policy box, select Canary File Policy from the default drop-down menu, then click Create.
    3. The Canary File Profile is now listed among the available profiles.


    Apply a New Profile to an Endpoint

    The final step is to apply this profile to an endpoint.
    1. Go to Endpoints and select an endpoint to apply the Canary File policy.  Then, from the Actions drop-down menu, select Set Endpoint Config.
    2. From the drop-down menu, select Canary File Profile, then click Set Configs.

    3. Now, when you return to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the Canary File profile.