Hi. My organization forced the installation of Cortex XDR 22.214.171.124695 on my workstation and When I use Cygwin it lists the anti-ransomware decoy files. It's especially troublesome when I copy directories because real files are created then.
ncdu 1.10 ~ Use the arrow keys to navigate, press ? for help --- /cygdrive/c --------------------------------------------------- 38.5GiB [##########] /thinprotect 18.6GiB [#### ] /Windows 16.1GiB [#### ] /basin 4.8GiB [# ] /Program Files 3.6GiB [ ] /Users 2.3GiB [ ] /Program Files (x86) . 1.4GiB [ ] /ProgramData 1.1GiB [ ] pagefile.sys 902.8MiB [ ] /MSOCache 736.2MiB [ ] /cygwin64 296.1MiB [ ] /1 256.0MiB [ ] swapfile.sys 12.3MiB [ ] /Documentum 2.8MiB [ ] /XORXOR4126218990 2.8MiB [ ] /XORXOR1064362899 2.0MiB [ ] /Config.Msi 408.0KiB [ ] bootmgr 392.0KiB [ ] !!!!!799332160.sql 392.0KiB [ ] !!!!!3223451420.sql 344.0KiB [ ] ZZZZZ645627275.pst 344.0KiB [ ] ZZZZZ3146620641.pst 344.0KiB [ ] idkly3277070484.db 344.0KiB [ ] idkly3001650135.db 296.0KiB [ ] XORXOR931676610.avi 296.0KiB [ ] XORXOR3426034462.avi 272.0KiB [ ] !!!!!256638085.pdf 272.0KiB [ ] !!!!!1691332449.pdf 248.0KiB [ ] ZZZZZ4195668344.pptx 248.0KiB [ ] ZZZZZ1463078207.pptx 220.0KiB [ ] idkly3286739305.pps 220.0KiB [ ] idkly2330628165.pps 196.0KiB [ ] XORXOR891410119.ppt 196.0KiB [ ] XORXOR2069512772.ppt 172.0KiB [ ] !!!!!598367306.mdb 172.0KiB [ ] !!!!!4182570797.mdb 148.0KiB [ ] ZZZZZ3353227124.xlsx 148.0KiB [ ] ZZZZZ1182828942.xlsx 100.0KiB [ ] idkly527731576.xls 100.0KiB [ ] idkly3709225634.xls 52.0KiB [ ] XORXOR3150957765.docx 52.0KiB [ ] XORXOR2098631876.docx 32.0KiB [ ] !!!!!76528373.eml 32.0KiB [ ] !!!!!2586505270.eml 28.0KiB [ ] ZZZZZ3471376957.bmp 28.0KiB [ ] ZZZZZ1305786034.bmp 27.0KiB [ ] /$Recycle.Bin 26.0KiB [ ] /System Volume Information Total disk usage: 88.4GiB Apparent size: 88.4GiB Items: 507089
xdr decoy files for ransomware detection start with !!!!! and ZZZZZ
So the recommendation is to avoid to copy/touch those files (with the usage of regex or something to exclude them from your copy)
Touching those files is not recomended if you dont want to have unexpected effects on ransomware detection/prevention.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!