How to Create a Canary File Rule

Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Like a canary in a coal mine, a Canary file is a sacrificial test to indicate a hazard.

    Canary files, and files on canary shares, are files that look desirable for ransomware to infect but are not valuable to the business. 

    Rule Creation

    1. To create a Canary File rule, from the ZeroLock® Management Console (ZMC) go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu select Add New Rule.

    2. On selecting Add New Rule the New Policy Rule screen appears.  Complete the form with the following information:
      1. Enter a name.   Ex. Spreadsheet Canary File
      2. Description.   Ex. Protecting important spreadsheets.
      3. From the drop-down menu select Canary File.
      4. Enter the path to a file you wish to protect.  Ex. /etc/passwords.txt
        Note:  ZeroLock™ will recognize when the path is accessed but will NOT allow it to be over-written.  
      5. It’s recommended to use an odd number to look realistic.  Ex. 243
      6. Lastly, select CREATE.

    Add New Policy

    Once the rule is created it must be applied to a policy.

    1. From the Dashboard menu select Policies then Add New Policy.

    2. On the New Policy pop-up screen, give your new policy a name and description. To add the new Canary File rule to the policy, click the Add Rules button.
    3. Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.

    4. Select the Canary rule then click Add Selected which returns you to the New Policy screen.  Select Create and you have a new policy.

    Create a New Configuration Profile

    Now, this new Canary File policy needs to be added to a configuration profile in order to be applied to an endpoint.

    1. To do this, go to System Configuration | Config Profiles and click the Add New Profile tab.

    2. On the next screen, enter a name and description for the configuration profile you are creating. In the Default Control Policy box select Canary File Policy from the default drop-down menu. Lastly, click Create.
    3. The Canary File Profile is now listed among the available profiles.

    Apply the New Profile to an Endpoint

    The final step is to apply this profile to an endpoint.
    1. Go to Endpoints and select an endpoint that you want to apply the Canary File policy to.  Then, from the Actions drop-down menu, select Set Endpoint Config.
    2. From the drop-down menu select Canary File Profile then click Set Configs.

    3. Now, when you go back to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the Canary File profile.