SOLVED: What are afterSentDocuments Folder and Files?

If you see a folder named “afterSentDocuments” in your Documents folder, it might cause some concern because no human intentionally added it. It turns out that the folder and its files are the ‘honey pot’ for the excellent corporate security software SentinelOne.


After talking to a pile of vendors including Microsoft, SentinelOne told me:

They’re our Malware/Ransomware decoys!

The SentinelOne Agent Installer installs a number of files on the endpoint. Most of these files are directly related to product functionality, but some are used to assist with detections. A handful of these files are called decoys. These files are planted on the system in user accessible locations in order to act as a honeypot for malware and ransomware. These files are monitored by the SentinelOne Agent for modification, deletion, and encryption that could indicate an attack.

Some of the locations of these files are:

C:\Users\(each user's folder)\Documents\afterSentDocuments

The locations listed above contain additional folders and files that are hidden but accessible without special permissions. The files themselves are harmless but play an integral part in ransomware detections. Deleting these files somewhat reduces the chance some ransomware activities can be identified, so it is best to leave the files as they are.
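The monitoring idea in the vendor's description, as an added example (not SentinelOne's code or detection logic, and not part of the original post): it plants decoy files, records a SHA-256 baseline, and flags deletion, modification and likely encryption. The file names, the tampering in `demo` and the 7.0 bits-per-byte entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def plant_decoys(folder: Path, count: int = 3) -> dict:
    """Write decoy documents; return the baseline {path: sha256}."""
    folder.mkdir(parents=True, exist_ok=True)
    baseline = {}
    for i in range(count):
        path = folder / f"decoy_{i}.txt"  # constructed file names
        body = (f"Quarterly report draft {i}\n" * 40).encode()
        path.write_bytes(body)
        baseline[str(path)] = hashlib.sha256(body).hexdigest()
    return baseline

def check_decoys(baseline: dict, threshold: float = 7.0) -> dict:
    """Compare decoys with the baseline; return {path: finding}."""
    findings = {}
    for name, digest in baseline.items():
        path = Path(name)
        if not path.exists():
            findings[name] = "deleted"
        elif hashlib.sha256(data := path.read_bytes()).hexdigest() != digest:
            # Heuristic: ciphertext looks random, close to 8 bits per byte.
            findings[name] = "encrypted" if entropy(data) >= threshold else "modified"
    return findings

def demo() -> dict:
    """Tamper with three decoys in a temp folder; return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = plant_decoys(Path(tmp) / "decoys")
        first, second, third = sorted(baseline)
        Path(first).unlink()                          # deletion
        Path(second).write_bytes(b"edited text\n")    # modification
        Path(third).write_bytes(os.urandom(4096))     # stands in for encryption
        return {Path(p).name: f for p, f in check_decoys(baseline).items()}

if __name__ == "__main__":
    print(demo())
```

A periodic check like this only notices changes after the fact; an endpoint agent can watch file system events as they happen, which is why removing the decoys reduces what it can see.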



  1. Mike Renna March 5, 2020 at 3:59 am

    Thanks for explaining this! But how long till ransomware starts excluding these folder locations / these file names. Just like they exclude Windows operating files?

    I just started using S1 on client machines. Just like they pitch that comparing malware against signatures is not viable anymore, having static names of folders, files and fixed text inside them seems to not be viable.

    • Ian Matthews March 13, 2020 at 12:22 pm

      Hi Mike;

      I have certainly had the same thought. I expected S1 to change the name of those files and folders periodically, but apparently they do not.
