
Cb Defense: How to Verify Authenticity of Canary Files

Cb Defense Windows Sensor Versions 3.x+


Four new files with the extensions .pptx, .doc, .jpg, and .xls are found in various locations throughout the system drive after installing Cb Defense Sensor version 3.x+.


The files are found directly in the root of the system drive or in another location following the installation of, or update to, Cb Defense Windows Sensor 3.x+.


The files in question are part of the enhanced ransomware protection introduced in Cb Defense Windows Sensor 3.0. They are known as "canary" files and are used in conjunction with several other techniques to detect ransomware-like behavior.


If you wish to confirm that files found on your device are authentic canary files created by Cb Defense Sensor, please open a Support case and provide the following information to Carbon Black Support, who will be able to verify the authenticity of the files for you:

  • Exact names of the files in question and their location
  • SHA-256 hashes of the files in question
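
One way to collect those two items for the Support case, as an added PowerShell example (not Carbon Black tooling). The default search (files with the four listed extensions directly in the system drive root) and the output file name are assumptions; pass `-Path` with the exact files you found elsewhere.

```powershell
# Added example: record name, location and SHA-256 of suspected canary files.
param(
    # Exact files to report. Default (assumption): files with the four
    # extensions named in the article, directly in the system drive root.
    [string[]]$Path,
    # Hypothetical output file name for attaching to the Support case.
    [string]$OutFile = '.\canary-candidates.csv'
)

$extensions = '.pptx', '.doc', '.jpg', '.xls'

if (-not $Path) {
    $root = "$env:SystemDrive\"
    # -Force includes hidden files; -File skips directories.
    $Path = Get-ChildItem -LiteralPath $root -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLower() } |
        Select-Object -ExpandProperty FullName
}

$report = @(foreach ($p in $Path) {
    try {
        $item = Get-Item -LiteralPath $p -Force -ErrorAction Stop
        $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction Stop
        [pscustomobject]@{
            Name       = $item.Name
            Location   = $item.DirectoryName
            SHA256     = $hash.Hash
            CreatedUtc = $item.CreationTimeUtc.ToString('o')
            Status     = 'OK'
        }
    }
    catch {
        # A file may be missing (the sensor can re-create it elsewhere) or
        # unreadable; keep a row for it so the gap is visible in the report.
        [pscustomobject]@{
            Name       = Split-Path -Leaf $p
            Location   = Split-Path -Parent $p
            SHA256     = $null
            CreatedUtc = $null
            Status     = $_.Exception.Message
        }
    }
})

if ($report.Count -eq 0) { Write-Warning 'No candidate files found.'; return }

$report | Export-Csv -LiteralPath $OutFile -NoTypeInformation -Encoding UTF8
$report | Format-List Name, Location, SHA256, Status
```

Rows whose Status is not `OK` have no hash; re-run with the correct path before sending the report.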

Important Note(s)

  • If you delete canary files, they will be automatically re-created by Cb Defense Sensor in the same or a different location on the system drive.
  • Canary files are created on the device as soon as sensor 3.x+ is installed, regardless of policy settings.
  • There is currently no way to turn canary files on or off, or to control the locations where they are placed.

Related Content

Cb Defense: How To Enable Enhanced Ransomware Protection

Cb Defense: Why Aren't Decoy/Canary Files Hidden?

Cb Defense: How do I determine which Ransomware Alerts are False Positives?

Announcing the Release of Cb Defense Windows Sensor 3.0

Cb Defense Ransomware False Positives
