Product: Huntress Managed Endpoint Detection and Response (EDR)
Environment: Ransomware Canaries
Summary: This guide will cover how to disable or re-enabled the Ransomware Canaries feature at the Account or Org or Host level.
This is NOT recommended as this will limit the visibility of the Huntress' SOC in alerting you of potential ransomware incidents. This action allows you to remove all canaries from managed endpoint machines and turn off the ransomware canaries service. The removal of canaries will be processed as a low-priority task and may take a few hours after they are disabled at the Account, Orginization, or Host level.
How to Disable Canary Files
Account Level
- Navigate to the 3 Bar Hamburger menu in the top right corner of the dashboard
- Select Settings
- Scroll down to Ransomeware Canaries and select the Disable Button
Orginization or Host Level
- Navigate to the 3 Bar Hamburger menu in the top right corner of the dashboard
- Select Settings
- Select Managed Response from the Menu on the left
- Scroll down to the Exclusions Section then select the Add Exclusion Button
- Choose Ransomware Canaries in the drop-down menu to bring up the Exclusion menu
- Choose the Exclusion type as either Orginization or Host
- Select either the Orginization or Host where you would like the exclusion applied to
- Select the Save button
How to re-enable Canary Files if they were previously disabled
Account Level
- Navigate to the 3 Bar Hamburger menu in the top right corner of the dashboard
- Select Settings
- Scroll down to Ransomeware Canaries and select the Re-Enable Button
Orginization or Host Level
- Navigate to the 3 Bar Hamburger menu in the top right corner of the dashboard
- Select Settings
- Select Managed Response from the Menu on the left
- Scroll down to the Exclusions Section and select the Ransomware Canaries tab
- Select the Trashcan Icon to Delete the Orginization, or host level exclusion.