Environment
- Carbon Black Cloud Sensor: Version 3.0 and Higher
- Microsoft Windows: All Supported Versions
- Apple macOS: All Supported Versions
Question
Why are the decoy or canary files included with Enhanced Ransomware detection for the 3.0 Sensors and above not hidden?
Answer
Hiding these files reduces their effectiveness, because some ransomware strains intentionally skip hidden files. Keeping the files visible provides better ransomware detection efficacy.
Additional Notes
- The sensor checks these files on a regular basis. If they are modified in any way, it replaces them with new copies.
- Some false positives were introduced with these files. Engineering is reviewing and resolving them.