SOLVED: What are the afterSentDocuments Folder and Files?

If you see a folder named “afterSentDocuments” in your Documents folder, it might cause some concern because no human intentionally added it. It turns out that the folder and its files are the ‘honey pot’ for the excellent corporate security software SentinelOne.

[Screenshot: the afterSentDocuments folder]


After talking to a pile of vendors including Microsoft, SentinelOne told me:

They’re our Malware/Ransomware decoys!

The SentinelOne Agent Installer installs a number of files on the endpoint. Most of these files are directly related to product functionality, but some are used to assist with detections. A handful of these files are called decoys. These files are planted on the system in user accessible locations in order to act as a honeypot for malware and ransomware. These files are monitored by the SentinelOne Agent for modification, deletion, and encryption that could indicate an attack.

Some of the locations of these files are:

C:\Users\Public\Documents\afterSentDocuments
C:\Users\Public\appdata\local\afterSentDocuments
C:\Users\Default\Documents\afterSentDocuments
C:\Users\(each users folder)\Documents\afterSentDocuments

The locations listed above contain additional folders and files that are hidden but accessible without special permissions. The files themselves are harmless but play an integral part in ransomware detections. Deleting these files somewhat reduces the chance some ransomware activities can be identified, so it is best to leave the files as they are.
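To make the decoy idea concrete, here is an added example of how a canary-file monitor can work: it records a hash baseline of everything under a decoy folder (hidden subfolders included), then reports files that were deleted, edited in place, replaced with high-entropy data (what encryption looks like on disk), or newly dropped beside the decoys. This is illustration code written for this post, not SentinelOne's agent or any of its logic; the Windows paths are the ones quoted above, the entropy threshold of 7.0 bits per byte and the `demo()` scenario built in a temporary directory are my own assumptions.

```python
import hashlib
import math
import os
import tempfile
from pathlib import Path

# Decoy locations quoted in the vendor's reply above (Windows paths). The
# monitor below takes any directory, so it can be exercised on a temp folder.
DECOY_DIRS = [
    r"C:\Users\Public\Documents\afterSentDocuments",
    r"C:\Users\Public\appdata\local\afterSentDocuments",
    r"C:\Users\Default\Documents\afterSentDocuments",
]


def sha256_of(path):
    """Streamed SHA-256 of a file, so large decoys do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte; plain documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def baseline(decoy_dir):
    """Map relative path -> sha256 for every file under the decoy folder, hidden ones included."""
    root = Path(decoy_dir)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def check(decoy_dir, expected, entropy_threshold=7.0):
    """Compare the decoy folder against its baseline; return sorted (event, relative_path) pairs."""
    root = Path(decoy_dir)
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    events = []
    for rel, digest in expected.items():
        p = present.get(rel)
        if p is None:
            events.append(("deleted", rel))
            continue
        if sha256_of(p) != digest:
            # Content changed: a high-entropy replacement looks like encryption,
            # anything else is an ordinary modification. Threshold is an assumption.
            kind = "encrypted" if shannon_entropy(p.read_bytes()) >= entropy_threshold else "modified"
            events.append((kind, rel))
    for rel in present:
        if rel not in expected:
            events.append(("created", rel))  # e.g. a note dropped next to the decoys
    return sorted(events)


def demo():
    """Constructed scenario in a temp dir: plant decoys, take a baseline, then tamper and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "afterSentDocuments"
        (d / "hidden").mkdir(parents=True)
        (d / "invoice.docx").write_bytes(b"decoy document " * 50)
        (d / "hidden" / "notes.txt").write_bytes(b"decoy notes " * 50)
        (d / "budget.xlsx").write_bytes(b"decoy sheet " * 50)
        base = baseline(d)
        # Simulated tampering (constructed): one decoy overwritten with random
        # bytes, one deleted, one edited in place, one new file dropped.
        (d / "invoice.docx").write_bytes(os.urandom(4096))
        (d / "hidden" / "notes.txt").unlink()
        (d / "budget.xlsx").write_bytes(b"decoy sheet edited " * 50)
        (d / "README_RESTORE.txt").write_bytes(b"constructed sample note")
        return check(d, base)


if __name__ == "__main__":
    for event, path in demo():
        print(f"{event:10} {path}")
```

Hashing catches any edit or deletion; the entropy test only distinguishes an encrypted replacement from a normal edit, so a real agent would also watch the process that touched the decoy rather than relying on file contents alone. Running the script prints the four constructed events, which is exactly why the vendor asks that these folders be left in place.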
