There are a few known limitations with Ransomware Canaries, mainly with third-party encryption software.
- There are problems with legitimate encryption applications
  - Windows EFS - We will ignore files encrypted with EFS
    - Because we cannot see the encryption keys on EFS systems, canary reports from those systems are automatically ignored, and the service does not work on those machines.
  - Beachhead - We can see the canary as long as the user is logged in.
    - Beachhead is a form of managed EFS.
    - Files are encrypted when the user logs out. We can see the file while they are logged in.
    - Beachhead lets SYSTEM read the key when the user is logged in.
  - Third-Party Applications - We do not support any third-party encryption applications, such as:
    - Dell Encryption
- OneDrive - Known Folder Management will not allow folders containing canaries to be moved or copied. When moving, migrating or restoring Known Folders, first delete the old canaries from the user's OneDrive.