The Cyber Canary is a feature that provides fully automated, set and forget ransomware and malware protection. The Cyber Canary installs ghost "canary" files on your system and monitors these files for real-time access. If access is detected, The Cyber Canary is triggered, and you are notified of the offending process, and it is terminated (for server-based installations, there is an optional server shutdown that is also commanded).
What is a canary file?
A canary file is a file the entraps ransomware and malware, and only lives while The Cyber Canary is monitoring a folder. All applications see canary files as normal files, however, canary files themselves, use content provided from a separate reference file. By default, all ghost files have their hidden file attribute set, so are not visible to the user.
Intrusion detection - If enabled, the option will detect any read access to any of the ghost files. This option should only be used in environments that are passive (i.e. server environments), as any file indexing can cause The Cyber Canary feature to trigger. Note - For more information on this feature, see "Ransomeware and intrusion detection".
Display alert - If enabled, a full-screen alert is displayed when The Cyber Canary is triggered.
Terminate process - If enabled, the process that triggered The Cyber Canary is terminated, ensure that no further damage can take place.
Shutdown server - If enabled, once a trigger of The Cyber Canary has occurred, the server will be commanded to shut down. Important - It is possible for this shutdown command to be circumvented, so we recommend that the kill process option is also enabled.
Hide from Windows Explorer - If enabled, this adds an additional rule that physically hides all canary files from Windows Explorer, even if you have "show hidden files" enabled for Windows Explorer. This additional rule can be updated to include any applications you like, which is a great way to prevent unintended intrusion detection triggering.
Important - Any application added to this rule will never see the canary files regardless of the hidden attribute.
Protect all users - When enabled, all user folders are monitored for activity. If disabled, you need to specify the target files.
Ransomeware vs intrusion detection
There is often some confusion around these terms, both indicate a breach of your environment, however, they have a very different meaning.
Ransomeware is generally a malicious process or application that autonomously encrypt files it finds in its path, and once finished, will often display some sort of message indicating that files have been encrypted. The Cyber Canary is able to detect this activity by watching real-time writes to "canary" files and thus alerting the user to a threat.
Intrusion detection, on the other hand, deals with "Advanced Persistent Threats" (APT's), which are mostly real hackers gaining access, and compromising or stealing files. The Cyber Canary, when using the intrusion detection feature, is able to determine in real-time, if a ghost file is being read (an action that is likely to occur if a bad guy comes across a file called "password.txt" or "bank details.doc").