
Carbon Black Cloud: Why Aren't Decoy/Canary Files Hidden?


  • Carbon Black Cloud Sensor: Version 3.0 and Higher
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Supported Versions


Why are the decoy or canary files included with Enhanced Ransomware detection for the 3.0 Sensors and above not hidden? 


Hiding these files reduces their effectiveness, because some ransomware strains intentionally skip hidden files. Keeping the files visible provides better ransomware detection efficacy.

Additional Notes

  • If these files are modified in any way, the sensor replaces them with new copies, because it checks the files on a regular basis
  • Some false positives were introduced with these files, and those are being reviewed and resolved by Engineering
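
The behaviour described above (visible decoys, a regular check, replacement after any modification) can be illustrated as follows. This is an added example, not Carbon Black's sensor code; the decoy names, their contents and the SHA-256 baseline are assumptions made for illustration.

```python
import hashlib
import stat
from pathlib import Path

# Constructed decoy names and contents (assumptions, not the sensor's real files).
DECOYS = {
    "Budget_2023.docx": b"constructed decoy content A",
    "Customers.xlsx": b"constructed decoy content B",
}

def is_hidden(path: Path) -> bool:
    """True if tools that skip hidden files would ignore this path."""
    if path.name.startswith("."):  # POSIX dotfile convention
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # set on Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def deploy(directory: Path) -> dict:
    """Write visible decoys and return a baseline of SHA-256 digests."""
    baseline = {}
    for name, content in DECOYS.items():
        path = directory / name
        path.write_bytes(content)
        if is_hidden(path):
            raise ValueError(f"decoy {name} is hidden and may be skipped")
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline

def check_and_restore(directory: Path, baseline: dict) -> list:
    """One periodic pass: report changed or missing decoys, then replace them."""
    alerts = []
    for name, digest in baseline.items():
        path = directory / name
        if not path.exists():
            alerts.append((name, "missing"))
        elif hashlib.sha256(path.read_bytes()).hexdigest() != digest:
            alerts.append((name, "modified"))
        else:
            continue
        path.write_bytes(DECOYS[name])  # fresh copy, as the note above describes
    return alerts

if __name__ == "__main__":
    import tempfile
    folder = Path(tempfile.mkdtemp())
    base = deploy(folder)
    (folder / "Budget_2023.docx").write_bytes(b"tampered")  # simulated change
    print(check_and_restore(folder, base))
```

Each alert from a pass like this is a detection signal in its own right, which is why a legitimate tool that touches the decoys can show up as a false positive.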
