ZZZZZ* and !!!!!* - thousands of that kind of files on HDD

Showing results for 
Search instead for 
Did you mean: 

ZZZZZ* and !!!!!* - thousands of that kind of files on HDD

I have found thousands of files starting with ZZZZZ* and !!!!!* on my HDD. It seams to be related to Traps activity.

I'm unable to delete this files because Traps don't allow for that.


I checked my system with few antiviruses and nothing was found.


Google sugest that this is related with Traps Bug.


Just for the fun of it, I...

- Plugged in a USB stick.

- Ran File Voyager and saw all the !!!!! and ZZZZZ created on the USB drive.

- Yanked out the USB stick, without giving anything a chance to clean it.

- Took the USB stick to a computer WITHOUT Traps and plugged it in.

- Ran File Voyager and did NOT see the files.


So they are "virtual files"... cute.


But I'm guessing we need to EXCLUDE these folders/files in our Backup software, IF the Backup software sees the folders/files.

Since normal file operations work on them.

(Selecting them and sending them to a compressed file, works.)


"Virtual files"... interesting idea...

(That explains why opening them with any app associated with their extensions... does NOT work... since they are "fake" and not formed properly.)


L3 Networker

L1 Bithead

Hi, I know this is an old thread but I would like to add a bit more as this is still a current feature of Cortex XDR (formerly known as Traps. Although the installation directory is still called "Traps").


These files are typically not visible even when you are showing hidden files (Windows).

They are called "decoy" files (as someone already mentioned). This module is part of the "Malware Profile". They are completely normal and necessary to protect endpoints from ransomware attacks.


When ransomware is doing its thing in your OS, it will try to encrypt the decoy files and Cortex XDR agent will stop the attack.


If the existence of these is not desired, you can check if the current setting is "Aggressive" for Ransomware protection affecting the endpoint in question and switch it to "Normal" which is the default value. However, if your security posture is "zero trust" I would not suggest using the default value which is less strict.




If you ever end up uninstalling the agent, these files will go away. In fact, they go away if you disable the agent for an endpoint. You can confirm this by running the command "attrib" for any directory while the agent is enabled. Then disable the agent and run the same command, you will notice the decoy files are gone (I obviously would not recommend disabling the agent).


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!