The key difference between these two features is scope. Canary files are file-specific: each one monitors a single file and reports on any "reading" of that file. Intrusion detection is folder-specific: it reports on any file that is being written to, anywhere within the entire folder.
When to use what?
Canary files - These are best suited to monitoring file access, i.e., reading or copying a file for the purpose of obtaining information.
Intrusion detection - This is best suited to monitor for ransomware and other process-based malware that actively modifies file content.
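The sketch below is an added illustration of the two scopes, not code from the product: it classifies file events against one canary file and one monitored folder. The paths, operation names and the `classify` function are hypothetical, and it assumes "the entire folder" includes subfolders.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed configuration (hypothetical paths, not taken from the product).
CANARY_FILES = {PurePosixPath("/share/finance/passwords.xlsx")}
MONITORED_FOLDERS = {PurePosixPath("/share/projects")}

# Copying a file reads its content, so both count as access to a canary.
READ_OPS = {"read", "copy"}


def classify(op, path):
    """Return the alerts a single file event would raise."""
    # Normalize first so "folder/../elsewhere" is judged by where it really points.
    p = PurePosixPath(posixpath.normpath(path))
    alerts = []
    # Canary: exact file match, read-type operations only.
    if op in READ_OPS and p in CANARY_FILES:
        alerts.append("canary")
    # Intrusion detection: any write below a monitored folder.
    # Comparing whole path components avoids matching "/share/projects-old".
    if op == "write" and any(folder in p.parents for folder in MONITORED_FOLDERS):
        alerts.append("intrusion")
    return alerts


# Constructed sample events: (operation, path).
SAMPLE_EVENTS = [
    ("read", "/share/finance/passwords.xlsx"),      # canary opened
    ("copy", "/share/finance/passwords.xlsx"),      # canary copied
    ("write", "/share/finance/passwords.xlsx"),     # write to canary: no canary alert
    ("read", "/share/projects/a/report.docx"),      # read inside folder: no alert
    ("write", "/share/projects/a/report.docx"),     # write inside folder
    ("write", "/share/projects-old/notes.txt"),     # sibling folder, similar prefix
    ("write", "/share/projects/../finance/x.txt"),  # resolves outside the folder
]

if __name__ == "__main__":
    for op, path in SAMPLE_EVENTS:
        print(f"{op:5} {path:40} -> {classify(op, path) or 'no alert'}")
```

Reads inside the monitored folder and writes to the canary file raise nothing here, which is why the two features complement each other rather than overlap.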