I have done some testing with canary files. One thing I have noticed is that it does not seem like encrypting a canary file causes the agent to sync early. As in both tests it took 15-20 minutes for it to detect the canary has been encrypted. Then 5-10 minutes for the host to be isolated and a report sent. With things like SSD's being more common that time period allows a lot of damage to be done and for network shares to be encrypted. Maybe have it check the canaries every 60 seconds and force sync with Huntress if one turns up missing. This would take down the time to around 10-15 minutes for a response instead of 25-30 minutes. It appears this happened to someone on reddit already. It probably would have been stopped much earlier if it force synced. Full conversation here for context: https://www.reddit.com/r/msp/comments/16xfmou/bitdefender_mdr/k32q8fp/?context=3