topic Re: All Cygwin apps see the decoy files in Cortex XDR Discussions https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/all-cygwin-apps-see-the-decoy-files/m-p/435198#M1068 <P>Hi Basinilya,&nbsp;</P><P>xdr decoy files for ransomware detection start with&nbsp;!!!!! and&nbsp;ZZZZZ</P><P>So the recommendation is to avoid to copy/touch those files (with the usage of regex or something to exclude them from your copy)&nbsp;</P><P>Touching those files is not recomended if you dont want to have unexpected effects on ransomware detection/prevention.</P><P>&nbsp;KR,</P><P>Luis&nbsp;</P> Mon, 20 Sep 2021 10:14:27 GMT eluis 2021-09-20T10:14:27Z All Cygwin apps see the decoy files https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/all-cygwin-apps-see-the-decoy-files/m-p/435084#M1067 <P>Hi. My organization forced the installation of Cortex XDR 7.4.2.35695 on my workstation and When I use Cygwin it lists the anti-ransomware decoy files. It's especially troublesome when I copy directories because real files are created then.</P><LI-CODE lang="markup">ncdu 1.10 ~ Use the arrow keys to navigate, press ? for help --- /cygdrive/c --------------------------------------------------- 38.5GiB [##########] /thinprotect 18.6GiB [#### ] /Windows 16.1GiB [#### ] /basin 4.8GiB [# ] /Program Files 3.6GiB [ ] /Users 2.3GiB [ ] /Program Files (x86) . 1.4GiB [ ] /ProgramData 1.1GiB [ ] pagefile.sys 902.8MiB [ ] /MSOCache 736.2MiB [ ] /cygwin64 296.1MiB [ ] /1 256.0MiB [ ] swapfile.sys 12.3MiB [ ] /Documentum 2.8MiB [ ] /XORXOR4126218990 2.8MiB [ ] /XORXOR1064362899 2.0MiB [ ] /Config.Msi 408.0KiB [ ] bootmgr 392.0KiB [ ] !!!!!799332160.sql 392.0KiB [ ] !!!!!3223451420.sql 344.0KiB [ ] ZZZZZ645627275.pst 344.0KiB [ ] ZZZZZ3146620641.pst 344.0KiB [ ] idkly3277070484.db 344.0KiB [ ] idkly3001650135.db 296.0KiB [ ] XORXOR931676610.avi 296.0KiB [ ] XORXOR3426034462.avi 272.0KiB [ ] !!!!!256638085.pdf 272.0KiB [ ] !!!!!1691332449.pdf 248.0KiB [ ] ZZZZZ4195668344.pptx 248.0KiB [ ] ZZZZZ1463078207.pptx 220.0KiB [ ] idkly3286739305.pps 220.0KiB [ ] idkly2330628165.pps 196.0KiB [ ] XORXOR891410119.ppt 196.0KiB [ ] XORXOR2069512772.ppt 172.0KiB [ ] !!!!!598367306.mdb 172.0KiB [ ] !!!!!4182570797.mdb 148.0KiB [ ] ZZZZZ3353227124.xlsx 148.0KiB [ ] ZZZZZ1182828942.xlsx 100.0KiB [ ] idkly527731576.xls 100.0KiB [ ] idkly3709225634.xls 52.0KiB [ ] XORXOR3150957765.docx 52.0KiB [ ] XORXOR2098631876.docx 32.0KiB [ ] !!!!!76528373.eml 32.0KiB [ ] !!!!!2586505270.eml 28.0KiB [ ] ZZZZZ3471376957.bmp 28.0KiB [ ] ZZZZZ1305786034.bmp 27.0KiB [ ] /$Recycle.Bin 26.0KiB [ ] /System Volume Information Total disk usage: 88.4GiB Apparent size: 88.4GiB Items: 507089</LI-CODE><P>&nbsp;</P> Sun, 19 Sep 2021 08:23:23 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/all-cygwin-apps-see-the-decoy-files/m-p/435084#M1067 basinilya 2021-09-19T08:23:23Z Re: All Cygwin apps see the decoy files https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/all-cygwin-apps-see-the-decoy-files/m-p/435198#M1068 <P>Hi Basinilya,&nbsp;</P><P>xdr decoy files for ransomware detection start with&nbsp;!!!!! and&nbsp;ZZZZZ</P><P>So the recommendation is to avoid to copy/touch those files (with the usage of regex or something to exclude them from your copy)&nbsp;</P><P>Touching those files is not recomended if you dont want to have unexpected effects on ransomware detection/prevention.</P><P>&nbsp;KR,</P><P>Luis&nbsp;</P> Mon, 20 Sep 2021 10:14:27 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/all-cygwin-apps-see-the-decoy-files/m-p/435198#M1068 eluis 2021-09-20T10:14:27Z