Weird files in Public profile beginning with ZZZZZ or !!!!!

Question

Thursday, October 19, 2017 8:52 AM

Hi,

after the last Windows updates (18-Oct-2017) several users complain about unknown files with weird names on their desktops. We found out that those files are actually 'located' in c:\users\public. VirusTotal as well as our AV software did not classify those files as suspicious. The files cannot be opened and reappear in every subfolder of c:\users\public. When I remove one of those files in c:\users\public, the file also disappears in the subfolders of c:\users\public. But if I remove one in a subfolder, its 'sibling' stays in c:\users\public.

Here are some samples of these files and two 'interesting' symbolic links pointing to themselves:

12.09.2017  07:22             9.999 !!!!!2686401769.jpg
06.10.2017  07:58            25.000 !!!!!3021557160.bmp
12.09.2017  06:54           300.000 !!!!!3291618339.avi
24.09.2017  06:49           249.998 !!!!!3966599596.pptx
12.09.2017  06:54           300.000 !!!!!598196464.avi
12.09.2017  06:39           150.000 !!!!!709113522.xlsx
24.09.2017  07:39             2.024 !!!!!766790218.doc
06.10.2017  07:58            50.238 !!!!!953858547.docx
12.09.2017  06:42           349.999 ZZZZZ1347510045.db
02.10.2017  08:14           175.000 ZZZZZ1402780980.mdb
12.09.2017  08:15           400.000 ZZZZZ1632887888.sql
02.10.2017  08:23             4.048 ZZZZZ1652870015.pem
06.10.2017  07:25           225.000 ZZZZZ1838507459.pps
18.10.2017  11:46            30.000 ZZZZZ1886056917.eml
18.10.2017  11:46            30.000 ZZZZZ1919100944.eml
06.10.2017  06:52            20.000 ZZZZZ1920832159.png
06.10.2017  07:58            50.238 !!!!!1132674683.docx
18.10.2017  09:31    <SYMLINKD>     !!!!!1421178769 [C:\C:\Users\Public\!!!!1421178769]
18.10.2017  09:31    <SYMLINKD>     !!!!!1502139928 [C:\C:\Users\Public\!!!!1502139928]
12.09.2017  08:09           350.000 !!!!!1721238704.pst
06.10.2017  07:13           200.000 !!!!!1728817476.ppt
Has anyone seen that behaviour?

Kind regards,

Nils

All replies (5)

Thursday, October 19, 2017 4:45 PM ✅Answered | 1 vote

I just had this issue and it is Palo Alto Traps AV software's new AntiMalware/Anti Ransomware module.  Call PAN support and have them walk you through creating an exclusion.


Friday, October 20, 2017 7:14 AM

Hi Nils,

If your clients have installed third-party Anti-Virus software, please update it to the latest version and check again.

My Windows 10 1703 and 1709 computers with Windows Defender enabled don't show special-name files in the Public desktop folder.

You could remove AV to see the result.

Regards



Monday, October 23, 2017 9:51 AM

Same behavior here, we also use Palo Alto Traps (4.1.0).

https://social.technet.microsoft.com/Forums/windows/en-US/f8286cb6-05d4-4adc-a86f-756d05762cb5/windows-10-1709-post-upgrade-heaps-of-files-created-in-cuserspublic-folders

Any response from Palo Alto yet?

I've created a support case at PAN

case ID 00766215


Monday, October 23, 2017 10:48 AM

Hi Teemo,

many thanks for the information - Palo Alto tech support confirmed that those files are some kind of honey pot files used by Traps. They are shown when some uncommon Windows APIs were used or in unexpected situations (quote). We are waiting for a fix from engineering to hide those files :-/

Maybe not related but since we found those files we have major issues on some of our file servers: user home shares completely disappear. Our monitoring solution showed that the whole content has been deleted by the users recursively. Maybe just coincidence.

Greetings,

Nils


Monday, October 23, 2017 3:29 PM | 2 votes

Update:

It's now a known bug in Palo Alto Traps and they'll fix this in the next content update.

To work around it, you can do the following right now:

- From your ESM console navigate to Policies, then on the left-side pane under Malware click on Protection Module.

  • Click on the dropdown menu beside "Rows" and select Add.
  • Select Anti-Ransomware Protection and turn activation Off.
  • From the Processes tab add setuphost.exe and click Add.
  • From the Objects tab, select and add the Objects where you want to apply this policy (hint: leaving this blank will apply the policy to your entire environment).
  • Click Apply and Save.

Palo Alto confirmed that files that were already created this way and are seen in explorer.exe, can be deleted by the user (they are regular files now) without worry.

cheers

Stephan
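An added triage script, not from this thread and not Palo Alto's own tooling, that inventories the Public profile for the naming pattern shown in the question (five '!' or five 'Z' followed by digits), lists any reparse points with their targets, and shows which names are duplicated across subfolders. It assumes Windows PowerShell 5.1 or later; the root path and depth limit are parameters you can change.

```powershell
# Added triage script (not from the thread): inventory decoy-style files under the
# Public profile. Assumption: names match the pattern seen in the thread.
param(
    [string]$Root  = 'C:\Users\Public',  # assumed location, as reported in the thread
    [int]   $Depth = 3                    # bounded recursion so a self-referencing symlink cannot loop
)

# Five '!' or five 'Z', a numeric id, optional extension (e.g. !!!!!2686401769.jpg, ZZZZZ1347510045.db)
$pattern = '^(!{5}|Z{5})\d+(\.[A-Za-z0-9]+)?$'

$items = Get-ChildItem -LiteralPath $Root -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern }

$report = foreach ($item in $items) {
    $isReparse = [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
    $target = $null
    if ($isReparse) {
        # .Target is a string[] on PowerShell 5.1 and a string on PowerShell 7; take the first value
        $target = @($item.Target) | Select-Object -First 1
    }
    [pscustomobject]@{
        Path          = $item.FullName
        Length        = if ($item.PSIsContainer) { $null } else { $item.Length }
        LastWriteTime = $item.LastWriteTime
        ReparsePoint  = $isReparse
        Target        = $target
        # Flag links whose target points back into the same root (covers the self-referencing case)
        PointsIntoRoot = ($null -ne $target) -and ($target -like "*$Root*")
    }
}

"Matching entries under ${Root}:"
$report | Sort-Object Path | Format-Table Path, Length, LastWriteTime, ReparsePoint, Target, PointsIntoRoot -AutoSize

# The question reports the same file name appearing in every subfolder; show which names repeat
"Names present in more than one folder:"
$report | Group-Object { Split-Path -Path $_.Path -Leaf } |
    Where-Object { $_.Count -gt 1 } |
    Select-Object Name, Count, @{ n = 'Folders'; e = { ($_.Group.Path | ForEach-Object { Split-Path $_ -Parent }) -join '; ' } } |
    Format-Table -AutoSize
```

Run it read-only first to build the inventory; it deletes nothing, so any cleanup of the entries the later reply describes as regular files remains a separate, deliberate step.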