Knowledge Base

Access official resources from Carbon Black experts

IMPORTANT ANNOUNCEMENT: On May 6, 2024, Carbon Black User eXchange (UeX) and Case Management will move to a new platform!
The Community will be in read-only mode starting April 19th, 7:00 AM PDT. Check out the blog post!
You will still be able to use the case portal to create and interact with your support cases until the transition, view more information here!

Environment

Carbon Black Cloud Console: All Versions
- Endpoint Standard (was CB Defense)
Carbon Black Cloud Sensor: 3.0.x.x and Higher
Microsoft Windows: All Supported Versions
Apple macOS: All Supported Versions

Objective

Provide guidance on identifying Alerts linked to a decoy or canary file

Resolution

Go to the Alerts page
Search for alerts where the reason code is T_CANARY
```
reason_code:T_CANARY
```
Resulting list is Alerts linked to canary files

Additional Notes

If 'T_CANARY' is listed as the reason for the Alert the file is a canary or decoy file; if not, investigate the Alert further
Canary or decoy files were introduced with the 3.0.x.x Sensor for Endpoint Standard (was CB Defense) and are included in the Carbon Black Cloud Sensors of higher versions

Related Content

Carbon Black Cloud: Why Aren't Decoy/Canary Files Hidden?
Endpoint Standard: What are these $XXXXXXXX files found on a computer?
Cb Defense: How To Enable Enhanced Ransomware Protection

Article Information

Author:

Creation Date:

‎08-28-2020

Views:

3595

Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.