Cb Defense: How to Verify Authenticity of Canary Files
Version: Cb Defense Windows Sensor 3.x+
Four new files with the extensions .pptx, .doc, .jpg, and .xls are found in various locations throughout the system drive after installing Cb Defense Sensor version 3.x+.
The files are found directly in the root of the system drive or in another location following the installation of, or update to, Cb Defense Windows Sensor 3.x+.
The files in question are part of the enhanced ransomware protection introduced in Cb Defense Windows Sensor 3.0. They are known as "canary" files and are used in conjunction with several other techniques to detect ransomware-like behavior.
If you wish to confirm that files found on your device are authentic canary files created by Cb Defense Sensor, please open a Support case and provide the following information to Carbon Black Support, who will be able to verify the authenticity of the files for you:
Exact names of the files in question and their location
SHA-256 hashes of the files in question
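To gather the file names, locations, and SHA-256 hashes that the support case asks for, the following PowerShell script is an added example; it is not part of this article and is not Carbon Black tooling. It assumes the files sit directly in the root of the system drive (add -Recurse to Get-ChildItem if they were found elsewhere), that the four extensions listed above are the ones to look for, and that writing a CSV to the user's TEMP folder is acceptable.

```powershell
# Added example (not Carbon Black's own tooling): enumerate candidate canary
# files in the root of the system drive and compute their SHA-256 hashes so
# the names, paths and hashes can be pasted into a Carbon Black Support case.
# Assumptions: extensions from the article, root-of-drive search, CSV in $env:TEMP.

$extensions = @('.pptx', '.doc', '.jpg', '.xls')
$root       = $env:SystemDrive + '\'       # e.g. C:\

# -Force includes hidden and system files; -File skips directories.
$report = Get-ChildItem -Path $root -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() } |
    ForEach-Object {
        [PSCustomObject]@{
            Name       = $_.Name
            Path       = $_.FullName
            SizeBytes  = $_.Length
            CreatedUtc = $_.CreationTimeUtc.ToString('u')
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Show the results on screen and save them for attachment to the support case.
$report | Format-Table -AutoSize
$outFile = Join-Path $env:TEMP 'canary-candidates.csv'   # assumed output path
$report | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Wrote $($report.Count) entries to $outFile"
```

Get-FileHash requires Windows PowerShell 4.0 or later. Run the script from an elevated prompt if the files are in locations your user account cannot read; the hashes it produces are the values Support compares against, so do not modify the files before hashing them.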
If you delete canary files, they will be automatically re-created by Cb Defense Sensor in the same or a different location on the system drive.
Canary files are created on the device as soon as sensor 3.x+ is installed regardless of policy settings.
There is currently no way to turn canary files on or off, nor to control the locations where they are placed.