in ransomware/artifact.lua [1866:1900]
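--- Decide whether a file event touches a ransomware canary and should alert.
--
-- An event qualifies only if its path contains one of the configured canary
-- directory names. Inside such a directory:
--   * FILE_CREATE_NEW alerts for any file name, until the create-alert cap is
--     reached; after that, creations are logged but no longer alert.
--   * Any other operation except FILE_DELETE and FILE_OPEN alerts when the
--     file name contains one of the configured canary file names.
--
-- The event's path and name are lower-cased, then compared with plain
-- (non-pattern) substring search, so magic characters in the configured
-- names are taken literally.
-- NOTE(review): the configured names are not lower-cased here; this presumably
-- relies on canaryDirNames / canaryFileNames being stored in lower case --
-- confirm where they are loaded, otherwise mixed-case entries never match.
-- NOTE(review): substring matching also fires when a canary name is only part
-- of a longer path component or file name -- confirm that is intended.
-- NOTE(review): deleting or opening a canary file never alerts from this
-- function, and the create counter is not reset here -- confirm both are
-- handled elsewhere.
--
-- @param eventData table; reads the string fields filePath and fileName, and
--   the operation field (compared against the globals.FILE_* constants)
-- @return boolean true when the event should raise a canary alert
function globals.Lua_CanaryCheck(eventData)
  local namespace = globals.namespace
  local filePath = eventData.filePath:lower()

  local inCanaryDir = false
  for _, dirName in ipairs(namespace.canaryDirNames) do
    if string.find(filePath, dirName, nil, true) ~= nil then
      inCanaryDir = true
      break
    end
  end
  if not inCanaryDir then
    return false
  end

  local fileName = eventData.fileName:lower()
  local canaryFileNames = namespace.canaryFileNames

  -- The original ran every check inside the loop over canaryFileNames, so an
  -- empty list produced no alert at all. That result is kept on purpose.
  -- NOTE(review): this also silences create alerts when directories are
  -- configured without file names -- confirm whether that is wanted.
  if canaryFileNames[1] == nil then
    return false
  end

  local operation = eventData.operation

  -- The create check does not depend on the file name, so it is evaluated once
  -- instead of once per configured canary file name. That keeps the debug log
  -- at one or two lines per event during a burst of file creations.
  if operation == globals.FILE_CREATE_NEW then
    utils.DebugLog('NEW FILE IN CANARY DIRECTORY!!!!!')
    if namespace.totalCanaryCreateFileAlerts >= globals.CANARY_CREATE_FILE_ALERT_CAP then
      utils.DebugLog('CANARY CREATE FILE THRESHOLD REACHED')
      -- As in the original, a capped create event never falls through to the
      -- file-name match below.
      return false
    end
    namespace.totalCanaryCreateFileAlerts = namespace.totalCanaryCreateFileAlerts + 1
    return true
  end

  -- Deletes and opens are excluded from the file-name match.
  if operation == globals.FILE_DELETE or operation == globals.FILE_OPEN then
    return false
  end

  for _, canaryFileName in ipairs(canaryFileNames) do
    if string.find(fileName, canaryFileName, nil, true) ~= nil then
      utils.DebugLog('CANARY FILE EVENT!!!!!!')
      return true
    end
  end
  return false
end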