All Cygwin apps see the decoy files


L0 Member

Hi. My organization forced the installation of Cortex XDR 7.4.2.35695 on my workstation, and when I use Cygwin it lists the anti-ransomware decoy files. It's especially troublesome when I copy directories because real files are created then.

ncdu 1.10 ~ Use the arrow keys to navigate, press ? for help       
--- /cygdrive/c ---------------------------------------------------
   38.5GiB [##########] /thinprotect                               
   18.6GiB [####      ] /Windows                                   
   16.1GiB [####      ] /basin                                     
    4.8GiB [#         ] /Program Files                             
    3.6GiB [          ] /Users                                     
    2.3GiB [          ] /Program Files (x86)                       
.   1.4GiB [          ] /ProgramData                               
    1.1GiB [          ]  pagefile.sys                              
  902.8MiB [          ] /MSOCache                                  
  736.2MiB [          ] /cygwin64                                  
  296.1MiB [          ] /1                                         
  256.0MiB [          ]  swapfile.sys                              
   12.3MiB [          ] /Documentum                                
    2.8MiB [          ] /XORXOR4126218990                          
    2.8MiB [          ] /XORXOR1064362899                          
    2.0MiB [          ] /Config.Msi                                
  408.0KiB [          ]  bootmgr                                   
  392.0KiB [          ]  !!!!!799332160.sql                        
  392.0KiB [          ]  !!!!!3223451420.sql                       
  344.0KiB [          ]  ZZZZZ645627275.pst                        
  344.0KiB [          ]  ZZZZZ3146620641.pst                       
  344.0KiB [          ]  idkly3277070484.db                        
  344.0KiB [          ]  idkly3001650135.db                        
  296.0KiB [          ]  XORXOR931676610.avi                       
  296.0KiB [          ]  XORXOR3426034462.avi                      
  272.0KiB [          ]  !!!!!256638085.pdf                        
  272.0KiB [          ]  !!!!!1691332449.pdf                       
  248.0KiB [          ]  ZZZZZ4195668344.pptx                      
  248.0KiB [          ]  ZZZZZ1463078207.pptx                      
  220.0KiB [          ]  idkly3286739305.pps                       
  220.0KiB [          ]  idkly2330628165.pps                       
  196.0KiB [          ]  XORXOR891410119.ppt                       
  196.0KiB [          ]  XORXOR2069512772.ppt                      
  172.0KiB [          ]  !!!!!598367306.mdb                        
  172.0KiB [          ]  !!!!!4182570797.mdb                       
  148.0KiB [          ]  ZZZZZ3353227124.xlsx                      
  148.0KiB [          ]  ZZZZZ1182828942.xlsx                      
  100.0KiB [          ]  idkly527731576.xls                        
  100.0KiB [          ]  idkly3709225634.xls                       
   52.0KiB [          ]  XORXOR3150957765.docx                     
   52.0KiB [          ]  XORXOR2098631876.docx                     
   32.0KiB [          ]  !!!!!76528373.eml                         
   32.0KiB [          ]  !!!!!2586505270.eml                       
   28.0KiB [          ]  ZZZZZ3471376957.bmp                       
   28.0KiB [          ]  ZZZZZ1305786034.bmp                       
   27.0KiB [          ] /$Recycle.Bin                              
   26.0KiB [          ] /System Volume Information                 
 Total disk usage:  88.4GiB  Apparent size:  88.4GiB  Items: 507089

 

1 REPLY

L4 Transporter

Hi Basinilya, 

XDR decoy files for ransomware detection start with !!!!! and ZZZZZ.

So the recommendation is to avoid copying/touching those files (using a regex or something to exclude them from your copy).

Touching those files is not recommended if you don't want to have unexpected effects on ransomware detection/prevention.

KR,

Luis 
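One way to follow that recommendation from a Cygwin shell, as an added example that is not part of the thread or of the product: prune the decoy names with find(1) so a directory copy neither reads nor recreates them, and count how many decoy-named entries a tree holds so you can confirm a copy is clean. The !!!!! and ZZZZZ prefixes come from the reply; treating XORXOR and idkly as decoy prefixes is an assumption based on the listing in the question, and the sample tree is constructed for the demo.

```shell
#!/bin/sh
# Decoy name prefixes. !!!!! and ZZZZZ are named in the reply above; XORXOR
# and idkly are ASSUMED from the ncdu listing in the question (same
# prefix + digits + extension shape). Adjust the list to what your host shows.

# list_decoys DIR: print every decoy-named entry (file or directory) under DIR
list_decoys() {
    find "$1" \( -name '!!!!!*' -o -name 'ZZZZZ*' -o -name 'XORXOR*' -o -name 'idkly*' \)
}

# count_decoys DIR: number of decoy-named entries under DIR (0 means a clean copy)
count_decoys() {
    list_decoys "$1" | wc -l | tr -d ' '
}

# copy_skipping_decoys SRC DST: copy the tree under SRC into DST. -prune stops
# find from descending into decoy directories and drops decoy files from the
# output, so they are never opened, stat'ed further or recreated in DST.
copy_skipping_decoys() {
    src=$1 dst=$2
    mkdir -p "$dst"
    find "$src" \( -name '!!!!!*' -o -name 'ZZZZZ*' -o -name 'XORXOR*' -o -name 'idkly*' \) -prune \
        -o -print | while IFS= read -r path; do
        rel=${path#"$src"}
        rel=${rel#/}
        [ -z "$rel" ] && continue          # skip SRC itself
        if [ -d "$path" ]; then
            mkdir -p "$dst/$rel"           # parents print before children
        else
            cp -p -- "$path" "$dst/$rel"
        fi
    done
}

# demo_copy: CONSTRUCTED sample tree, not a real XDR host. Returns 0 when the
# copy holds the real files and none of the decoy names.
demo_copy() {
    work=$(mktemp -d)
    mkdir -p "$work/src/docs" "$work/src/XORXOR4126218990"
    printf 'real\n' > "$work/src/docs/report.docx"
    printf 'real\n' > "$work/src/notes.txt"
    : > "$work/src/!!!!!799332160.sql"
    : > "$work/src/docs/ZZZZZ645627275.pst"
    : > "$work/src/XORXOR4126218990/idkly3277070484.db"
    copy_skipping_decoys "$work/src" "$work/dst"
    rc=1
    if [ -f "$work/dst/docs/report.docx" ] && [ -f "$work/dst/notes.txt" ] \
        && [ "$(count_decoys "$work/dst")" -eq 0 ] \
        && [ "$(count_decoys "$work/src")" -eq 4 ]; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}
```

Run `count_decoys /cygdrive/c` before and after a copy job to confirm the destination gained no decoy names; the source count should stay unchanged because nothing in the copy path writes to those entries.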
