ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.
I have found thousands of files starting with ZZZZZ* and !!!!!* on my HDD. It seams to be related to Traps activity.
I'm unable to delete this files because Traps don't allow for that.
I checked my system with few antiviruses and nothing was found.
Google sugest that this is related with Traps Bug.
I recommend reaching out to support as they will be able to confirm the issue and help resolve it if it is related to an issue with Traps, and probably also help you troubleshoot if it is not related to traps
please keep us posted on your situation as it may help other people if they encounter this issue
Yes, this is a Traps issue. The files you see are dummy/decoy files related to the anti-Ransomware capabilities introduced in Traps v4.1.0. Under normal conditions, you're not supposed to see these files. TAC should be able to help you figure out what's not working properly.
I found those files in my computer when I perform on-demand scan with my AV, using CMD I couldn't find them, but using Power Shell that was possible, then I asked to support for that, the answer:
"those files are a tramp injected by paloalto traps, that works when is a new ransomware, the ransomware try to encrypt the files and traps catch it and block the ransomware."
So I put that concept on the run in effect, traps stop the action. Please look at the picture attached.
Files and folders with ZZZZZ* or !!!!!* may be displayed not only in PowerShell but also in programs that use file/folder dialog boxes.
I am experiencing it with some text editors.
In order not to display it, you need to add a rule to disable Anti-Ransomware Protection for the program in which it appears.
It would have been nice, if Palo Alto, had put a notice about this SOMEWHERE, during the Traps installation maybe...
...maybe a nice picture of Admiral Ackbar warning us about these files.
I've just lost 2 half days trying to find SOMETHING to clean up this !!!!! and ZZZZZ mess left by my-imagined mystery malware!
Only to find out it is a "red-herring" created by Traps!
These things are hidden very well, with only System and Guest having special permissions... BUT some applications or file-dialog windows show them... leading one to think something is wrong... when it isn't.
The file manager "File Voyager" shows them clear as day.
The file manager "File Locater Lite" shows them in the results of searches.
The information about the files created for the Anti-Ransomware module was shared in the Traps 4.1 documentation under new features. Palo is rapidly adding new features to Traps so I highly advise you review that section of the documentation before you upgrade. If you have the resources for a UA environment where you can keep several handfuls of production machines that will help as well.
That's great, but not all of us front-line administrators get access to...
A.) the administrative features of Traps.
B.) any of the documentation.
Some of us front-line administrators merely get told... "Use this. It has been tested."
We just install it, or uninstall it, or look at the limited interface the client-end-point product has.
AND remember all those installations already done... when the chief administrator controlling the Traps server said "okay"... all those installations automatically updated... so us front-line guys don't even know when those are updating.
AND it is a COMMON cultural joke, that men DON'T READ the manual first...
So to expect that behavior, even if you are just saying for legal reasons...
...that expectation is poorly made.
Many pieces of software announce "New features!" during the installation.
Something like this would be good to put there.
A simple graphic showing:
!!!!! and ZZZZ <--- Don't Panic!
Traps created these!
That's all you need to do during the install...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!