Ransomware Canaries - Ability to deploy canaries to network drives/custom locations
Jeff Roback
I like the concept of watching for this on network drives. My concern with this approach would be if you have all the agents creating and monitoring canaries on a network share, you could end up creating a significant volume of network and file server traffic if everyone's pounding on the same files. This could be especially problematic for remote/VPN users who already suffer from SMB-related latency issues.
Perhaps a better way to accomplish this would be to have the ability to specify multiple locations from a single agent? I'm thinking on the file server agent, you'd specify one canary location for each network share. That way the canaries are only being monitored by 1 device, but you're accomplishing the same result.
Jonathan Pilkington
I feel like this is a good example of why this is needed. I have heard of ransomware that will go after network shares first. In that case, the ransomware canaries would not be effective. I feel like it should be a per-agent setting, and you can specify folders where you want to put random canaries; that way you only have to have one agent check. To be clear, Huntress did prevent major damage in the situation below but might have prevented more damage and caught it sooner if the canaries had been on the file share.
Full conversation here for context: https://www.reddit.com/r/msp/comments/16xfmou/bitdefender_mdr/k32q8fp/?context=3
Julienne'la Harvey'la
Please implement this!
My company just ran through a simulated ransomware scenario where the 'infected' computer had a mapped drive on our file server and encrypted that mapped drive but nothing else. The canaries on the system drive of the file server do no good there. We need them on our data shares!
Love'la Hodkiewicz'la
This would be lovely!
bill jerrett
If implementing adding to network shares, instead of specifying paths, maybe just a toggle switch? If enabled, agent scans local computer (which is sharing out its files and is presumably some type of server) for its list of shared folders and deploys canaries to each.
Tarsha'la O'Keefe'la
Keeping this going. The ability to have canaries on shared network drives would be great. Configuring it on the file server agent would make sense. Monitoring a NAS would understandably carry some caveats.
Salley'la Auer'la
Calvin'la Konopelski'la
Agreed, this is a needed feature. Being able to specify a "Host or Hosts" server that has access to create and monitor these files would be ideal.
One thing to consider is how DFS replication might interact with the copies and device interaction.
Annice'la Crona'la
I agree that this shouldn't be something that the workstations are doing. The canary should be placed by the agent on the file server. It should be pretty easy to index all shares and drop some canaries in those paths.
Wes Wilson
I second (third?) the previous comments. You wouldn't want to put a canary file at the mapped drive level from a user's computer as this could put lots of hidden folders and files. The agent would identify that it is a server OS and possibly present the shares in the Huntress portal for an admin to check a box to add one canary instance to that share.
Joseph Bacino
Adding a vote for this. On a server, it would be beneficial to specify a location (or multiple locations) to shares on that device.
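The single-host model proposed in this thread (one agent on the file server placing and checking one canary per share) can be sketched as follows. This is an added example, not Huntress code and not written by any commenter; the canary file name, the function names and the temporary directories standing in for share roots are all assumptions.

```python
import hashlib
import os
import tempfile

CANARY_NAME = "~canary_do_not_edit.docx"  # hypothetical canary file name


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def deploy_canaries(share_roots, name=CANARY_NAME):
    """Write one canary per share root; return a {path: sha256} baseline."""
    baseline = {}
    for root in share_roots:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(os.urandom(4096))  # random body, unique per share
        baseline[path] = _sha256(path)
    return baseline


def check_canaries(baseline):
    """Return [(path, status)] for canaries that are missing or modified."""
    alerts = []
    for path, digest in sorted(baseline.items()):
        if not os.path.isfile(path):
            alerts.append((path, "missing"))  # deleted or renamed
        elif _sha256(path) != digest:
            alerts.append((path, "modified"))  # content overwritten
    return alerts


def demo():
    """Constructed scenario: three temp folders stand in for local share roots."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = [os.path.join(tmp, n) for n in ("finance", "hr", "projects")]
        for root in roots:
            os.makedirs(root)
        baseline = deploy_canaries(roots)
        clean = check_canaries(baseline)  # nothing touched yet
        paths = sorted(baseline)
        with open(paths[0], "wb") as fh:  # content change on one share
            fh.write(b"overwritten")
        os.rename(paths[1], paths[1] + ".locked")  # rename on another share
        alerts = check_canaries(baseline)
        share = lambda p: os.path.basename(os.path.dirname(p))
        return clean, [(share(p), s) for p, s in alerts]


if __name__ == "__main__":
    print(demo())
```

Because only the host that owns the shares reads the canaries, the check is local disk I/O rather than SMB traffic from every workstation.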