Is it possible to disable elastic defend ransomware canary?

We have tried setting 'windows.advanced.ransomware.canary' to false but shortly after a new Windows workstation agent is enrolled we are still seeing the pair of canary directories created. We do not have a 'Platinum' account, so ransomware protection isn't even enabled. Is it possible to prevent the creation of these directories?

C:\aaAntiRansomElastic-DO-NOT-TOUCH-def...
C:\zzAntiRansomElastic-DO-NOT-TOUCH-def...

1 Like

Yes, setting the windows.advanced.diagnostic.enabled advanced policy option to false should prevent the creation of those canary directories. Please let us know if you experience any further issues!

Thank you! This worked and removed the directories without needing to uninstall/reinstall the agents.

1 Like