Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Like a canary in a coal mine, a Canary file is a sacrificial test to indicate a hazard.
Canary files, and files on canary shares, look like attractive targets to ransomware but are not valuable to the business.
Rule Creation
- To create a Canary File rule, from the ZeroLock® Management Console (ZMC) go to Dashboard | Control Policies | Rules. Under the Actions drop-down menu select Add New Rule.
- On selecting Add New Rule the New Policy Rule screen appears. Complete the form with the following information:
- Enter a name. Ex. Spreadsheet Canary File
- Description. Ex. Protecting important spreadsheets.
- From the drop-down menu select Canary File.
- Enter the path to a file you wish to protect. Ex. /etc/passwords.txt
Note: ZeroLock will recognize when the path is accessed but will NOT allow it to be overwritten.
- It’s recommended to use an odd number to look realistic. Example - 243
- Lastly, select CREATE.
Add New Policy
Once the rule is created it must be applied to a policy.
- From the Dashboard menu select Policies then Add New Policy.
- On the New Policy pop-up screen, give your new policy a name and description. To add the new Canary File rule to the policy, click the Add Rules button.
- Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.
- Select the Canary rule then click Add Selected which returns to the New Policy screen. Select Create and you have a new policy.
Create a New Configuration Profile
This new Canary File policy needs to be added to a configuration profile to be applied to an endpoint.
- To do this, go to System Configuration | Config Profiles and click the Add New Profile tab.
- Enter a name and description for the configuration profile you are creating. From the Default Control Policy box select Canary File Policy from the default drop-down menu, then click Create.
- The Canary File Profile is now listed among the available profiles.
Apply the New Profile to an Endpoint
The final step is to apply this profile to an endpoint.
- Go to Endpoints and select an endpoint to apply the Canary File policy. Then, from the Actions drop-down menu, select Set Endpoint Config.
- From the drop-down menu select Canary File Profile then click Set Configs.
- Now, when you go back to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the Canary File profile.
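Once the profile is applied, the note under Rule Creation (the canary path will NOT be allowed to be overwritten) can be checked on a test endpoint. The script below is an added example, not ZeroLock code: it attempts an append from a child process and compares file metadata before and after. The function names and the marker bytes are assumptions made for the example, and the write attempt is expected to trigger the canary rule.

```python
import os
import subprocess
import sys
import tempfile

# Child-process payload: append a marker to the path given as argv[1].
_APPEND = "import sys; open(sys.argv[1], 'ab').write(b'canary-write-test')"

def _fingerprint(path):
    """Size and mtime from metadata only, so the parent never opens the file."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)

def default_attempt(path, timeout=10):
    """Try to append to `path` in a child process; return its exit status.

    A child is used because the page does not say what the agent does to the
    offending process, and the checker must survive to report the result.
    """
    try:
        return subprocess.run([sys.executable, "-c", _APPEND, path],
                              capture_output=True, timeout=timeout).returncode
    except subprocess.TimeoutExpired:
        return None  # child stalled past the timeout and was killed by run()

def check_canary(path, attempt=default_attempt):
    """Return a dict describing whether a write attempt changed the file."""
    before = _fingerprint(path)
    status = attempt(path)
    after = _fingerprint(path)
    return {"path": path, "writer_status": status,
            "overwritten": before != after}

if __name__ == "__main__":
    # With no argument, run against a constructed, unprotected temp file.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        fd, target = tempfile.mkstemp(suffix=".txt")
        os.write(fd, b"constructed sample content\n")
        os.close(fd)
    result = check_canary(target)
    print(result)
    sys.exit(1 if result["overwritten"] else 0)
```

Run it with the canary path from the rule as the only argument; `overwritten: False` together with an alert in the ZMC is the result consistent with the note, while `overwritten: True` means the rule is not being enforced on that endpoint.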