cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ZZZZZ* and !!!!!* - thousands of that kind of files on HDD

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Pawel_Kaczanowski
L0 Member
‎12-11-2017 04:18 AM
‎12-11-2017 04:18 AM

ZZZZZ* and !!!!!* - thousands of that kind of files on HDD

I have found thousands of files starting with ZZZZZ* and !!!!!* on my HDD. It seams to be related to Traps activity.

I'm unable to delete this files because Traps don't allow for that.

 

I checked my system with few antiviruses and nothing was found.

 

Google sugest that this is related with Traps Bug.

3 people had this problem.
0 Likes
Reply
Highlighted
reaper
L7 Applicator
‎12-11-2017 04:27 AM
‎12-11-2017 04:27 AM

 

hi @Pawel_Kaczanowski

 

I recommend reaching out to support as they will be able to confirm the issue and help resolve it if it is related to an issue with Traps, and probably also help you troubleshoot if it is not related to traps

 

please keep us posted on your situation as it may help other people if they encounter this issue

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
0 Likes
Reply
Highlighted
jvalentine
L7 Applicator
‎12-11-2017 06:27 AM
‎12-11-2017 06:27 AM

Yes, this is a Traps issue.  The files you see are dummy/decoy files related to the anti-Ransomware capabilities introduced in Traps v4.1.0.  Under normal conditions, you're not supposed to see these files.  TAC should be able to help you figure out what's not working properly.  

Reply
Highlighted
wtobar
L2 Linker
‎12-11-2017 11:10 AM
‎12-11-2017 11:10 AM

Hello,

 

I found those files in my computer when I perform on-demand scan with my AV, using CMD I couldn't find them, but using Power Shell that was possible, then I asked to support for that, the answer:

 

"those files are a tramp injected by paloalto traps, that works when is a new ransomware, the ransomware try to encrypt the files and traps catch it and block the ransomware."

 

So I put that concept on the run in effect, traps stop the action. Please look at the picture attached.

traps.PNG

Regards,

wtobar

Reply
Highlighted
KS
L2 Linker
‎12-11-2017 04:42 PM
‎12-11-2017 04:42 PM

Files and folders with ZZZZZ* or !!!!!* may be displayed not only in PowerShell but also in programs that use file/folder dialog boxes.

I am experiencing it with some text editors.

In order not to display it, you need to add a rule to disable Anti-Ransomware Protection for the program in which it appears.

Reply
Highlighted
SeanCM
L1 Bithead
‎12-15-2017 01:46 PM
‎12-15-2017 01:46 PM

It would have been nice, if Palo Alto, had put a notice about this SOMEWHERE, during the Traps installation maybe...

...maybe a nice picture of Admiral Ackbar warning us about these files.

 

I've just lost 2 half days trying to find SOMETHING to clean up this !!!!! and ZZZZZ mess left by my-imagined mystery malware!

 

Only to find out it is a "red-herring" created by Traps!

 

These things are hidden very well, with only System and Guest having special permissions... BUT some applications or file-dialog windows show them... leading one to think something is wrong... when it isn't.

 

The file manager "File Voyager" shows them clear as day.

The file manager "File Locater Lite" shows them in the results of searches.

 

0 Likes
Reply
Highlighted
thinson
L2 Linker
‎12-20-2017 05:55 AM
‎12-20-2017 05:55 AM

The information about the files created for the Anti-Ransomware module was shared in the Traps 4.1 documentation under new features. Palo is rapidly adding new features to Traps so I highly advise you review that section of the documentation before you upgrade. If you have the resources for a UA environment where you can keep several handfuls of production machines that will help as well.

 

https://www.paloaltonetworks.com/documentation/41/endpoint/newfeaturesguide/security-features/anti-r...

 

0 Likes
Reply
Highlighted
SeanCM
L1 Bithead
‎12-20-2017 07:26 AM
‎12-20-2017 07:26 AM

That's great, but not all of us front-line administrators get access to...

A.) the administrative features of Traps.

B.) any of the documentation.

 

Some of us front-line administrators merely get told... "Use this.  It has been tested."

We just install it, or uninstall it, or look at the limited interface the client-end-point product has.

 

AND remember all those installations already done... when the chief administrator controlling the Traps server said "okay"... all those installations automatically updated... so us front-line guys don't even know when those are updating.

 

AND it is a COMMON cultural joke, that men DON'T READ the manual first... 

So to expect that behavior, even if you are just saying for legal reasons... 

...that expectation is poorly made.

 

Many pieces of software announce "New features!" during the installation.

Something like this would be good to put there.

A simple graphic showing: 

 

!!!!! and ZZZZ <--- Don't Panic! 

Traps created these!

 

That's all you need to do during the install...

 

0 Likes
Reply
Highlighted
Christoff_Gosse
L0 Member
‎12-21-2017 04:34 AM
‎12-21-2017 04:34 AM

on every USB Stick or HDD you plug in, you will get the files on it.

 

That´s not i want to have!!!

 

How can i disable these zzzz !!!! Files on removeble storage devices ?

0 Likes
Reply
Highlighted
MarkusKnappe
L0 Member
‎12-21-2017 07:52 AM
‎12-21-2017 07:52 AM

These files are only virtual and are pretended to be Windows processes by the Traps processes. None of these files and folders are physically located on a disk.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks