Hi, I know this is an old thread, but I would like to add a bit more as this is still a current feature of Cortex XDR (formerly known as Traps, although the installation directory is still called "Traps"). These files are typically not visible even when you are showing hidden files (Windows). They are called "decoy" files (as someone already mentioned). This module is part of the "Malware Profile". They are completely normal and necessary to protect endpoints from ransomware attacks. When ransomware is doing its thing in your OS, it will try to encrypt the decoy files and the Cortex XDR agent will stop the attack. If the existence of these is not desired, you can check if the current setting is "Aggressive" for Ransomware protection affecting the endpoint in question and switch it to "Normal", which is the default value. However, if your security posture is "zero trust", I would not suggest using the default value, which is less strict. If you ever end up uninstalling the agent, these files will go away. In fact, they go away if you disable the agent for an endpoint. You can confirm this by running the command "attrib" for any directory while the agent is enabled. Then disable the agent and run the same command; you will notice the decoy files are gone (I obviously would not recommend disabling the agent).