09-19-2021 01:23 AM
Hi. My organization forced the installation of Cortex XDR 7.4.2.35695 on my workstation, and when I use Cygwin it lists the anti-ransomware decoy files. It's especially troublesome when I copy directories, because real files are created then.
ncdu 1.10 ~ Use the arrow keys to navigate, press ? for help
--- /cygdrive/c ---------------------------------------------------
38.5GiB [##########] /thinprotect
18.6GiB [#### ] /Windows
16.1GiB [#### ] /basin
4.8GiB [# ] /Program Files
3.6GiB [ ] /Users
2.3GiB [ ] /Program Files (x86)
. 1.4GiB [ ] /ProgramData
1.1GiB [ ] pagefile.sys
902.8MiB [ ] /MSOCache
736.2MiB [ ] /cygwin64
296.1MiB [ ] /1
256.0MiB [ ] swapfile.sys
12.3MiB [ ] /Documentum
2.8MiB [ ] /XORXOR4126218990
2.8MiB [ ] /XORXOR1064362899
2.0MiB [ ] /Config.Msi
408.0KiB [ ] bootmgr
392.0KiB [ ] !!!!!799332160.sql
392.0KiB [ ] !!!!!3223451420.sql
344.0KiB [ ] ZZZZZ645627275.pst
344.0KiB [ ] ZZZZZ3146620641.pst
344.0KiB [ ] idkly3277070484.db
344.0KiB [ ] idkly3001650135.db
296.0KiB [ ] XORXOR931676610.avi
296.0KiB [ ] XORXOR3426034462.avi
272.0KiB [ ] !!!!!256638085.pdf
272.0KiB [ ] !!!!!1691332449.pdf
248.0KiB [ ] ZZZZZ4195668344.pptx
248.0KiB [ ] ZZZZZ1463078207.pptx
220.0KiB [ ] idkly3286739305.pps
220.0KiB [ ] idkly2330628165.pps
196.0KiB [ ] XORXOR891410119.ppt
196.0KiB [ ] XORXOR2069512772.ppt
172.0KiB [ ] !!!!!598367306.mdb
172.0KiB [ ] !!!!!4182570797.mdb
148.0KiB [ ] ZZZZZ3353227124.xlsx
148.0KiB [ ] ZZZZZ1182828942.xlsx
100.0KiB [ ] idkly527731576.xls
100.0KiB [ ] idkly3709225634.xls
52.0KiB [ ] XORXOR3150957765.docx
52.0KiB [ ] XORXOR2098631876.docx
32.0KiB [ ] !!!!!76528373.eml
32.0KiB [ ] !!!!!2586505270.eml
28.0KiB [ ] ZZZZZ3471376957.bmp
28.0KiB [ ] ZZZZZ1305786034.bmp
27.0KiB [ ] /$Recycle.Bin
26.0KiB [ ] /System Volume Information
Total disk usage: 88.4GiB Apparent size: 88.4GiB Items: 507089
09-20-2021 03:14 AM
Hi Basinilya,
XDR decoy files for ransomware detection start with !!!!! and ZZZZZ.
So the recommendation is to avoid copying/touching those files (using a regex or something similar to exclude them from your copy).
Touching those files is not recommended if you don't want unexpected effects on ransomware detection/prevention.
KR,
Luis
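The exclusion the reply suggests, as an added example for a Cygwin bash session (this is not code from the thread or from Palo Alto Networks): a basename regex that matches the decoy naming pattern, and a copy routine that skips any entry whose path contains a matching component, so decoy files are not copied and decoy directories are not descended into. The prefix list (!!!!!, ZZZZZ, XORXOR, idkly) is taken from the names visible in the ncdu listing above and is an assumption; the reply names only the first two, so check what actually appears on your own system before relying on the pattern. The sample tree built by `demo` is constructed for illustration.

```shell
#!/usr/bin/env bash
# Copy a directory tree while skipping entries that look like Cortex XDR
# anti-ransomware decoys. Added example, not from the forum thread or from
# Palo Alto Networks. Assumption: decoys are named <prefix><digits>[.ext],
# with the prefixes seen in the original ncdu listing; verify on your host.
set -euo pipefail

# Extended regex applied to a single path component (file or directory name).
DECOY_RE='^(!!!!!|ZZZZZ|XORXOR|idkly)[0-9]+(\.[A-Za-z0-9]+)?$'

# is_decoy PATH -> exit 0 if the basename matches the decoy pattern, else 1
is_decoy() {
    local name=${1##*/}
    [[ $name =~ $DECOY_RE ]]
}

# has_decoy_component REL -> exit 0 if any component of the relative path
# matches; this also catches files living under a decoy directory
has_decoy_component() {
    local -a parts
    local comp
    IFS=/ read -r -a parts <<< "$1"
    for comp in "${parts[@]}"; do
        [[ $comp =~ $DECOY_RE ]] && return 0
    done
    return 1
}

# copy_tree SRC DST -> copy SRC into DST without the decoys; prints counts
copy_tree() {
    local src=${1%/} dst=${2%/}
    local path rel copied=0 skipped=0
    mkdir -p -- "$dst"
    # process substitution keeps the loop in this shell so the counters survive
    while IFS= read -r -d '' path; do
        rel=${path#"$src"/}
        if has_decoy_component "$rel"; then
            skipped=$((skipped + 1))
            continue
        fi
        if [ -d "$path" ]; then
            mkdir -p -- "$dst/$rel"
        else
            case $rel in */*) mkdir -p -- "$dst/${rel%/*}" ;; esac
            cp -p -- "$path" "$dst/$rel"
            copied=$((copied + 1))
        fi
    done < <(find "$src" -mindepth 1 -print0)
    echo "copied=$copied skipped=$skipped"
}

# demo: build a constructed sample tree (real files plus decoy-style names),
# copy it, and list what arrived on the destination side
demo() {
    local tmp src dst
    tmp=$(mktemp -d)
    src=$tmp/src
    dst=$tmp/dst
    mkdir -p -- "$src/project/XORXOR4126218990" "$src/project/sub"
    printf 'real data\n' > "$src/project/sub/report.sql"
    printf 'real data\n' > "$src/project/notes.docx"
    : > "$src/project/!!!!!799332160.sql"
    : > "$src/project/ZZZZZ645627275.pst"
    : > "$src/project/XORXOR4126218990/idkly3277070484.db"
    copy_tree "$src" "$dst"
    (cd "$dst" && find . -type f | sort)
    rm -rf -- "$tmp"
}

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    demo
fi
```

When typing paths containing `!!!!!` at an interactive Cygwin prompt, run `set +H` first (or single-quote them); bash history expansion is off inside scripts but on interactively, so the literal `!` sequences would otherwise be rewritten. The regex requires a run of digits after the prefix, so a real file that merely starts with ZZZZZ is still copied; loosen it only if the names on your system differ from those in the listing.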