We have tried setting 'windows.advanced.ransomware.canary' to false but shortly after a new Windows workstation agent is enrolled we are still seeing the pair of canary directories created. We do not have a 'Platinum' account, so ransomware protection isn't even enabled. Is it possible to prevent the creation of these directories?
C:\aaAntiRansomElastic-DO-NOT-TOUCH-def...
C:\zzAntiRansomElastic-DO-NOT-TOUCH-def...
Yes, setting the windows.advanced.diagnostic.enabled advanced policy option to false should prevent the creation of those canary directories. Please let us know if you experience any further issues!
Thank you! This worked and removed the directories without needing to uninstall/reinstall the agents.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.