Anti-Ransomware Files

Anti-Ransomware creates honeypot files on client computers. It stops the attack immediately after it detects that the ransomware modified the files.

The Anti-Ransomware creates the honeypot files in these folders:

• C:\Users\Public\Music

• C:\Users\<User>\Music (MyMusic)

• C:\Users\Public\Documents

• C:\Users\<User>\Documents (MyDocuments)

• C:\Users\Public\Videos

• C:\Users\<User>\Videos (MyVideos)

• C:\Users\Public\Pictures

• C:\Users\<User>\Pictures (MyPictures)

• C:\Program Files (x86)

• C:\ProgramData

• C:\Users\<User>\AppData\Roaming

• C:\Users\<User>\AppData\Local

• C:\Users\<User>\Downloads

You can identify these folders by the lock icon that is associated with the name of the folder.

For example:

The file names include these strings, or similar:

• CP

• CheckPoint

• Check Point

• Check-Point

• Sandblast Agent

• Sandblast Zero-Day

• Endpoint

You can open and look at the files. They are real documents, images, videos, and music.

If a file is deleted, it is automatically recreated after the next system boot.