Testing Canary Files
A canary file is a decoy file placed within the IFS by the system administrator. If a defined canary file is modified, renamed, or deleted, the anti-ransomware immediately blocks the user who attempted the change.
There are two steps needed to run a canary file test:
- Create the canary file
  - Use this command to create the canary file:
    STANDGUARD/AVCRTTEST TYPE(*CANARY) FILE('/home/avtestdir/avcanarytest.txt')
- Configure the canary file
  - Either use the following command:
    STANDGUARD/AVCFGCNY CANARY('/home/avtestdir/AVCANARYTEST.txt') ENABLED(*YES)
  - Or use the menu options to configure the canary file as follows:
    - Type AVMENU
    - Select option 50. Setup Menu
    - Select option 10. Anti-Ransomware Menu
    - Select option 10. Work with Canary Files
    - Use F6 to add the canary file with the full path and the exact file name
Testing the Canary File
You can test the newly created canary file, paying attention to the following conditions:
- Anti-ransomware exit programs must be registered on the file server exit point
- Either use a mapped network drive, or the Integrated File System application in IBM Access Client Solutions, to access the test file
Now attempt to modify, rename or delete the file. The attempt is blocked immediately, and the anti-ransomware immediately blocks the user profile used for the attempt from performing any actions over the file server. If you are using a mapped drive, you will no longer be able to list the content of any directory on that IBM i system.
Unblocking the user
You can unblock the profile using the following menu options:
- Type AVMENU
- Select option 50. Setup Menu
- Select option 10. Anti-Ransomware Menu
- Select option 40. Work with Blocked User