Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

Endpoint Standard (formerly CB Defense) Sensor: Version 3.0 and higher
Microsoft Windows: All Supported Versions
Apple Mac OS: All Supported Versions

Question

Why are there files (doc, jpg, xls, pptx) found in various folders on my system named $XXXXXXXX?

Answer

With version 3.x of the Endpoint Standard sensor, we introduced "Canary Files" into the sensor. The sensor seeds and monitors these files in various locations on the system to help in the detection of ransomware like activity on the endpoint.

Additional Notes

Canary files are automatically deployed on version 3.x sensor in any policy
There is currently no way to disable canary files
If a canary file is deleted, the sensor will deploy a replacement in the same or different location on the system

Related Content

Rolling Out the September ‘17 Release of Cb Defense

Cb Defense 3.0 Windows Release Notes

Cb Defense: How To Enable Enhanced Ransomware Protection

Cb Defense: How to Verify Authenticity of Canary Files

Cb Defense: Why Aren't Decoy/Canary Files Hidden?

Cb Defense: How do I determine which Ransomware Alerts are False Positives?

Article Information

Author:

Creation Date:

‎03-11-2019

Views:

11822

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.