Directory.GetFiles returns weird, non-existent but existent files


I am currently working on a user-folder backup solution.

At first I noticed the issue because I had weird documents in my backup such as:

ZZZZZ2292124227.doc

Upon further inspection, I found that Directory.GetFiles() returns these files. The files seem to be of all kinds of types, are all very small, do not contain valid, readable data and are not visible in Windows File Explorer or in PowerShell. For example (PowerShell dir):

PS C:\Users\user> dir -Force


    Verzeichnis: C:\Users\user


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---        13.01.2022     10:00                3D Objects
d--hsl        13.01.2022     10:00                Anwendungsdaten
d--h--        13.01.2022     10:00                AppData
d-r---        13.01.2022     10:00                Contacts
d--hsl        13.01.2022     10:00                Cookies
d-r---        09.02.2022     12:52                Desktop
d-r---        01.02.2022     08:33                Documents
d-r---        13.01.2022     10:00                Downloads
d--hsl        13.01.2022     10:00                Druckumgebung
d--hsl        13.01.2022     10:00                Eigene Dateien
d-r---        13.01.2022     10:00                Favorites
d--hs-        09.02.2022     12:52                IntelGraphicsProfiles
d-r---        13.01.2022     10:00                Links
d--hsl        13.01.2022     10:00                Lokale Einstellungen
d-r---        13.01.2022     10:00                Music
d--hsl        13.01.2022     10:00                Netzwerkumgebung
d-r---        13.01.2022     10:01                OneDrive
d-r---        13.01.2022     10:00                Pictures
d--hsl        13.01.2022     10:00                Recent
d-r---        13.01.2022     10:00                Saved Games
d-r---        13.01.2022     10:00                Searches
d--hsl        13.01.2022     10:00                SendTo
d--hsl        13.01.2022     10:00                Startmenü
d-r---        13.01.2022     10:00                Videos
d--hsl        13.01.2022     10:00                Vorlagen
-a-h--        06.07.2022     11:06        1572864 NTUSER.DAT
-a-hs-        13.01.2022     10:00              0 ntuser.dat.LOG1
-a-hs-        13.01.2022     10:00         262144 ntuser.dat.LOG2
-a-hs-        13.01.2022     10:25          65536 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
-a-hs-        13.01.2022     10:00         524288 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
-a-hs-        13.01.2022     10:00         524288 NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
---hs-        13.01.2022     10:00             20 ntuser.ini


PS C:\Users\user>

However, FileInfo[] files = currentDirectory.GetFiles(); will return a lot more such as:

C:\Users\user\XORXOR1982804314.txt
C:\Users\user\XORXOR3753157645.png
C:\Users\user\!!!!!2857851130.jpg
C:\Users\user\fVAYIy1051591475.docx

Even though neither Explorer nor PowerShell show these files, I can put their path into Explorer and it will attempt to open it (although unsuccessfully, the data is garbage). For the png file, for example, Windows photo view fails to open the file but can show the file details.

The files are all relatively recent (at most 2 months old), they have been written to exactly once and are at most a few kB large. Does anyone have an idea what these files are?

UPDATE: Rather than coming from malware, these files (and folders) come from our corporate antivirus, called Traps / Cortex XDR.

These files appear to be "virtual files". They do not exist on the disk but get displayed to the software in order to prevent ransomware attacks. Furthermore, my user profile copy/backup will replicate these non-existent files in the output directory, effectively junking up the backup.

Some more information can be found in the Cortex community forums: https://live.paloaltonetworks.com/t5/endpoint-traps-discussions/zzzzz-and-thousands-of-that-kind-of-files-on-hdd/td-p/191025

So how do I circumvent that? For now, I have applied a text filter, but the names of these files might change in the future.
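One way to keep such decoy entries out of a backup, as an added example that is not the asker's code: partition each directory listing with a heuristic filter and log what was skipped so the rule can be tuned when the names change. The name pattern (short run of letters or '!' followed by ten digits) and the size cap are assumptions derived only from the four example names and the "at most a few kB" remark in this post; `DecoyFilter`, `IsLikelyDecoy` and `Partition` are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

public static class DecoyFilter
{
    // Observed names in the post: ZZZZZ2292124227.doc, XORXOR1982804314.txt,
    // !!!!!2857851130.jpg, fVAYIy1051591475.docx. Assumption: a 5-6 character
    // prefix of letters or '!' followed by exactly ten digits and an extension.
    private static readonly Regex DecoyName = new Regex(
        @"^[A-Za-z!]{5,6}\d{10}\.[A-Za-z0-9]{2,5}$", RegexOptions.Compiled);

    // Assumption: decoys are "at most a few kB"; larger matches are kept
    // so a real user file with a similar name is less likely to be dropped.
    private const long MaxDecoyBytes = 16 * 1024;

    public static bool IsLikelyDecoy(FileInfo f)
    {
        if (!DecoyName.IsMatch(f.Name)) return false;
        try
        {
            return f.Length <= MaxDecoyBytes;
        }
        catch (IOException)
        {
            // Length cannot be read for an entry that is not really on disk:
            // treat it as a decoy rather than failing the whole backup run.
            return true;
        }
    }

    // Splits one directory listing into files to copy and entries to skip.
    public static (List<FileInfo> Keep, List<FileInfo> Skipped) Partition(DirectoryInfo dir)
    {
        var keep = new List<FileInfo>();
        var skipped = new List<FileInfo>();
        foreach (var f in dir.EnumerateFiles())
        {
            if (IsLikelyDecoy(f)) skipped.Add(f); else keep.Add(f);
        }
        return (keep, skipped);
    }

    public static void Main(string[] args)
    {
        var dir = new DirectoryInfo(args.Length > 0 ? args[0] : ".");
        var (keep, skipped) = Partition(dir);
        foreach (var f in skipped) Console.WriteLine($"skipped decoy: {f.FullName}");
        Console.WriteLine($"{keep.Count} files to back up, {skipped.Count} skipped");
    }
}
```

Review the skipped list periodically: a genuine user file that happens to match the pattern would be excluded as well, and a changed decoy naming scheme will show up as new entries appearing in the backup output instead.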
