Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Ransomware Canaries
Environment: Windows
The File
You may have discovered a new file on your host that contains the following text from Huntress:
This is a Huntress Vaccine file. Huntress has created this file to disrupt variants of some known malware families.
Since the threat landscape is always changing, Huntress is constantly adjusting tactics to meet new or changing threats. Because of this, you may find similar files in multiple directories. If in doubt about authenticity, clicking on "Monitored Files" in your Huntress portal at an agent view will show you all of the files Huntress has placed on the machine.
Why is Huntress creating these files?
This file makes it appear that the endpoint is part of a Windows Defender Sandbox. This causes some malware to exit before completing its objective on a system. For example, QAKBOT malware which propagates rapidly through a local network, making it difficult to remove fully. The existence of this file can, in some cases, prevent QAKBOT from reaching the propagation stage of the attack.
Additional Information
The following external articles reference this technique as a method to hinder or prevent some malware families from successfully executing on systems:
https://asec.ahnlab.com/en/39537/