Canary Files Force Sync
Jonathan Pilkington
I have done some testing with canary files. One thing I have noticed is that it does not seem like encrypting a canary file causes the agent to sync early. In both tests it took 15-20 minutes for it to detect that the canary had been encrypted, then 5-10 minutes for the host to be isolated and a report sent. With things like SSDs being more common, that time period allows a lot of damage to be done and for network shares to be encrypted.
Maybe have it check the canaries every 60 seconds and force sync with Huntress if one turns up missing. This would take the time down to around 10-15 minutes for a response instead of 25-30 minutes. It appears this happened to someone on Reddit already. It probably would have been stopped much earlier if it had force synced.
Full conversation here for context: https://www.reddit.com/r/msp/comments/16xfmou/bitdefender_mdr/k32q8fp/?context=3
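The 60-second canary poll suggested above, written out as an added example (this is not Huntress agent code, and the canary file names and `on_tamper` hook are constructed for illustration). It hashes each planted canary, reports any that go missing or change, and calls the supplied callback on the first hit, which is where a real agent would trigger its early sync or isolation:

```python
import hashlib
import os
import time
from pathlib import Path

# Constructed canary names; decoys that ransomware is likely to touch early.
CANARY_NAMES = ["~$invoice.docx", "passwords_backup.xlsx"]
CANARY_CONTENT = b"canary: do not modify or delete this file\n"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root: str, names=CANARY_NAMES, content=CANARY_CONTENT) -> dict:
    """Write canary files under root and return the baseline {path: sha256}."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        p.write_bytes(content)
        baseline[str(p)] = _sha256(p)
    return baseline


def check_canaries(baseline: dict) -> list:
    """Return [(path, reason)] for each canary that is missing or has changed.

    Ransomware typically rewrites the contents and renames the file with a new
    extension, so the original path either disappears or no longer hashes
    to the baseline value; both cases are reported.
    """
    findings = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "missing"))
        elif _sha256(p) != expected:
            findings.append((path, "modified"))
    return findings


def watch(baseline: dict, on_tamper, interval: float = 60.0, max_checks=None) -> int:
    """Poll every `interval` seconds; call on_tamper(findings) at the first hit.

    Returns the number of checks performed. on_tamper is the hypothetical
    hook where an agent would force its sync instead of waiting for the
    scheduled one.
    """
    checks = 0
    while max_checks is None or checks < max_checks:
        checks += 1
        findings = check_canaries(baseline)
        if findings:
            on_tamper(findings)
            return checks
        time.sleep(interval)
    return checks
```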
Charlie Klemm
I completely agree here on the timing. When we were evaluating Huntress, one of our main concerns was the speed of response, and I had a similar experience when doing some testing. I hope you don't mind me linking a few other similar concepts: https://feedback.huntress.com/feature-requests/p/add-force-survey-button and https://feedback.huntress.com/feature-requests/p/defender-finding-triggers-survey. I think we would all agree that any sort of detection (whether that be from a canary or a Defender threat) should trigger an immediate 'sync' of the agent. I had made the post about Defender triggering a sync and didn't think about the canary files, which I think are equally important. Anyways, just trying to help get more visibility into this concept!