
Strange folder and files created after capture client latest update ***MUST READ***

NSA2650 Newbie ✭
edited August 31 in Capture Client


Sentinel Agent - 21.6.2.272

Capture Client 3.6.29.3629


This folder and files got created on all our workstations as a hidden folder with files in it that are text, PDF and Word. The files contain strange text, verified all files were not viruses/malware.

@Micah Please help understand why this happened.


Please see attached files and screenshot

CASE 43772288




Answers

  • Larry Cybersecurity Overlord ✭✭✭

    @NSA2650 These are most likely "honeypot" files created by SentinelOne.

    They are monitored by S1 and if they are changed in any way (deleted/encrypted), it is likely due to a malware or ransomware attack.

    I believe they previously used the afterSentDocuments folder in My Documents, but moved to a more inconspicuous location with the new version level.

  • Hey @NSA2650, I moved this from CSC to the Capture Client category. I can also loop in @SuroopMC to confirm what Larry said above.

    🖐️ Sr. Manager, Web and Digital, SonicWall. Say "hi" by tagging me at @micah.

  • NSA2650 Newbie ✭

    Thanks, I'll wait for @SuroopMC to confirm this is normal.

  • BWC Cybersecurity Overlord ✭✭✭

    These files were added in SentinelOne 21.6 as decoy files for monitoring bad activities. They are enabled by default and can be disabled in the Threat Protection Policy at Advanced Settings -> Agent Configuration.

    --Michael@BWC
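
The decoy-file monitoring described in the answers above, as an added sketch that is not part of the original thread and not SentinelOne's implementation: it plants decoys, records a SHA-256 baseline, and reports any decoy later deleted, renamed, modified, or overwritten with high-entropy data. The file names, folder, contents and the 7.5 bits-per-byte entropy threshold are assumptions made for the example.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed decoy names and content; not the names SentinelOne uses.
DECOYS = {"budget_2021.txt": b"Quarterly budget notes\n" * 40,
          "contacts.csv": b"name,email\nexample,user@example.com\n" * 40}

def plant_decoys(folder: Path) -> dict:
    """Write decoy files and return a baseline of name -> SHA-256."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for name, content in DECOYS.items():
        (folder / name).write_bytes(content)
        baseline[name] = hashlib.sha256(content).hexdigest()
    return baseline

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 for encrypted data)."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

def check_decoys(folder: Path, baseline: dict, threshold: float = 7.5) -> dict:
    """Return name -> finding for every decoy that no longer matches the baseline."""
    findings = {}
    for name, digest in baseline.items():
        path = folder / name
        if not path.exists():
            # Ransomware often renames files with a new extension after encrypting.
            renamed = [p.name for p in folder.glob(name + ".*")]
            findings[name] = f"renamed to {renamed[0]}" if renamed else "deleted"
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            findings[name] = "encrypted?" if entropy(data) > threshold else "modified"
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / ".decoys"
        baseline = plant_decoys(folder)
        (folder / "contacts.csv").write_bytes(os.urandom(4096))  # simulated change
        print(check_decoys(folder, baseline))
```

An empty result means every decoy still matches its baseline; any entry is worth an alert because no legitimate user or process has a reason to touch these files.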
