Team: Huntress Managed Endpoint Detection and Response (EDR)
Product: Ransomware Canaries
Summary: There are a few known limitations with Ransomware Canaries, mainly involving third-party encryption software.
- Legitimate encryption applications:
  - Windows EFS: files encrypted with EFS are ignored. Because we cannot see the encryption keys on EFS systems, canary reports are automatically ignored for those systems and the service does not work on those machines.
  - Beachhead (a form of managed EFS): we can see the canary as long as the user is logged in. Files are encrypted when the user logs out; while the user is logged in, Beachhead lets SYSTEM read the key, so the canary remains visible.
  - Third-party applications: we do not support any third-party encryption applications, such as Dell Encryption.
- OneDrive: Known Folder Management will not allow folders containing canaries to be moved or copied. When moving, migrating or restoring Known Folders, first delete the old canaries from the user's OneDrive.
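To see in advance which canary locations fall under the EFS limitation above, the following added PowerShell check (not Huntress code) lists files under the given folders that carry the NTFS Encrypted attribute, which is what EFS sets. It assumes nothing about canary file names, so it reports every encrypted file under the paths you pass, and flags paths that sit inside OneDrive because Known Folder redirection is also covered by this article.

```powershell
# Added example, not part of the Huntress product or this article.
# Reports EFS-encrypted files under the supplied folders; canaries stored in such a
# state are ignored by the service, so they should be placed in an unencrypted folder.
function Find-EfsEncryptedFile {
    [CmdletBinding()]
    param(
        # Folders to scan (assumption: canaries live somewhere under these roots)
        [Parameter(Mandatory)][string[]] $Path,
        # Optional name filter, e.g. '*.docx'; default checks every file
        [string] $Filter = '*'
    )
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Path not found: $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -File -Recurse -Filter $Filter -ErrorAction SilentlyContinue |
            # The Encrypted flag is set by EFS (and by EFS-based products such as Beachhead)
            Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0 } |
            ForEach-Object {
                [pscustomobject]@{
                    FullName   = $_.FullName
                    Attributes = $_.Attributes
                    # Known Folder Move redirects Documents/Desktop/Pictures into OneDrive
                    InOneDrive = ($_.FullName -match '\\OneDrive')
                }
            }
    }
}

# Usage: scan every local profile's Documents folder (adjust to where your canaries live)
$docs = Get-ChildItem -LiteralPath 'C:\Users' -Directory |
    ForEach-Object { Join-Path $_.FullName 'Documents' }
Find-EfsEncryptedFile -Path $docs | Format-Table -AutoSize
```

Any file listed with InOneDrive set to True also needs the OneDrive caveat above: delete the old canaries before moving or restoring that Known Folder.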