Anti-Ransomware creates honeypot files on client computers. It stops the attack immediately after it detects that the ransomware modified the files.
The files are in these folders that Anti-Ransomware creates:
/Volumes
/Users/Shared
/Users/<User>
/Users/<User>/Documents
You can identify these folders by the lock icon that is associated with the name of the folder.
The file names include these strings, or similar:
CP
CheckPoint
Check Point
Check-Point
Sandblast Agent
Sandblast Zero-Day
Endpoint
You can open and look at the files. They are real documents, images, videos, and music.
If a file is deleted, it is automatically recreated after the next system boot.
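The locations and name strings above can be turned into an inventory of honeypot candidates, so that backup, sync, or cleanup jobs can be told to leave them alone. This is an added example, not Check Point code. The function names are made up here, and it assumes the strings match case-sensitively and that honeypot files sit at most two levels below a listed location.

```shell
#!/bin/sh
# Added example, not Check Point code: list files that look like Anti-Ransomware
# honeypot files so admin jobs do not modify or delete them by accident.

# Name fragments copied from the page. The page says "or similar", so a match
# is only a candidate; "CP" in particular also matches unrelated file names.
is_decoy_name() {
    case "$1" in
        *CP*|*CheckPoint*|*"Check Point"*|*Check-Point*) return 0 ;;
        *"Sandblast Agent"*|*"Sandblast Zero-Day"*|*Endpoint*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the four documented locations under ROOT, expanding <User> to every
# directory in ROOT/Users. ROOT is / on a real Mac, or a test tree.
decoy_locations() {
    root=${1%/}
    printf '%s\n' "$root/Volumes" "$root/Users/Shared"
    for home in "$root"/Users/*/; do
        home=${home%/}
        [ -d "$home" ] || continue
        [ "$home" = "$root/Users/Shared" ] && continue
        printf '%s\n' "$home" "$home/Documents"
    done
}

# Print candidate honeypot files, one path per line, sorted and de-duplicated.
# Assumption: files sit at most two levels below a documented location
# (location/folder/file); file names containing newlines are not handled.
list_decoy_candidates() {
    decoy_locations "$1" | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        find "$dir" -maxdepth 2 -type f 2>/dev/null || true
    done | LC_ALL=C sort -u | while IFS= read -r file; do
        if is_decoy_name "${file##*/}"; then printf '%s\n' "$file"; fi
    done
}

# Usage on an endpoint: list_decoy_candidates /
```

Treat the output as candidates to review, not as a definitive list: the short string `CP` also appears in ordinary file names.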