Canary files help with protection against ransomware by rapidly identifying that an infection has occurred. Like a canary in a coal mine, a Canary file is a sacrificial test to indicate a hazard.
Canary files, and files on canary shares, are files that look desirable for ransomware to infect but are not valuable to the business.
- To create a Canary File rule, from the ZeroLock™ Management Console (ZMC) go to Dashboard | Control Policies | Rules. Under the Actions drop down menu select Add New Rule.
- On selecting Add New Rule the New Policy Rule screen appears. Complete the form with the following information:
- Enter a name. Ex. Spreadsheet Canary File
- Description. Ex. Protecting important spreadsheets.
- From the drop down menu select Canary File.
- Enter the path to a file you wish to protect. Ex. /etc/passwords.txt
Note: ZeroLock™ will recognize when the path is accessed but will NOT allow it to be over-written.
- It’s recommended using an odd number to look realistic. Example - 243
- Lastly, select CREATE.
Add New Policy
Once the rule is created it must be applied to a policy.
- From the Dashboard menu select Policies then Add New Policy.
- On the New Policy pop-up screen, give your new policy a name and description. To add the new Canary File rule to the policy, click the Add Rules button.
- Selecting the Add Rules button opens the Policy Rules screen from which you select the rule(s) you want for the policy you’re creating.
- Select the Canary rule then click Add Selected which returns you to the New Policy screen. Select Create and you have a new policy.
Create a New Configuration Profile
Now, this new Canary File policy needs to be added to a configuration profile in order to be applied to an endpoint.
- To do this, System Configuration | Config Profiles where you will click the Add New Profile tab.
- On the next screen, enter a name and description for the configuration profile you are creating. In the Default Control Policy box select Canary File Policy from the default drop-down menu. Lastly, click Create.
- The Canary File Profile is now listed among the available profiles.
Apply to New Profile to an EndpointThe final step is to apply this profile to an endpoint.
- Go to Endpoints and select an endpoint that you want to apply the Canary File policy to. Then, from the Actions drop-down menu, select Set Endpoint Config.
- From the drop-down menu select Canary File Profile then click Set Configs.
- Now, when you go back to the Endpoints screen, you see the profile for Endpoint #2 has changed to reflect the Canary File profile.