Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".


Strange folder and files created after capture client latest update ***MUST READ***

NSA2650NSA2650 Newbie ✭
edited August 2021 in Capture Client

Strange folder and files created after capture client latest update

Sentinel Agent -

Capture Client

This folder and files got created on all our workstations as a hidden folder with files in it that are text, pdf and word. The files contain strange text, verified all files were not viruses/malware.

@Micah Please help understand why this happened.

Please see attached files and screenshot

CASE 43772288

Category: Capture Client


  • Options
    LarryLarry All-Knowing Sage ✭✭✭✭

    @NSA2650 These are most likely "honeypot" files created by SentinelOne.

    They are monitored by S1 and if they are changed in anyway (delete/encrypted), it is likely due to a malware or ransomware attack.

    I believe they previously used the afterSentDocuments folder in My Documents, but moved to a more inconspicuous location with the new version level.

  • Options

    Hey @NSA2650, I moved this from CSC to the Capture Client category. I can also loop in @SuroopMC to confirm what Larry said above.

    @micah - SonicWall's Self-Service Sr. Manager

  • Options
    NSA2650NSA2650 Newbie ✭

    Thanks I'll wait for @SuroopMC to confirm this is normal.

  • Options
    BWCBWC Cybersecurity Overlord ✭✭✭

    These files were added in SentinelOne 21.6 as decoy files for monitoring bad Activities. They are enabled per default and can be disabled in the Threat Protection Policy at Advanced Settings -> Agent Configuration


  • Options
    lutluclutluc Newbie ✭

    Here is the response I have received from S1:

    Having reviewed the screenshots provided, I can confirm that these are in fact files that have been created on the system by the Sentinel Agent.

    These are canary files and form part of the Sentinel Agent's ransomware detection suite. As shown within your screenshot, all files will show the owner as SentinelOne and will be contained in various folders on the system.

    This mechanism was first introduced in Agent V21.6.2.272, please see below an exert from our release notes:

    "Enhanced ransomware detection, the agent drops files (Canary files) with open read/write permission, which are used for detection purposes. These files are dropped under C:\, C:\Users, and shared folders."

Sign In or Register to comment.