Directory.GetFiles returns weird, non-existent but existing files
I am currently working on a user-folder backup solution.
At first I noticed the issue because I had weird documents in my backup such as:
ZZZZZ2292124227.doc
Upon further inspection, I found that Directory.GetFiles() returns these files.
The files seem to be of all kinds of types, are all very small, do not contain valid, readable data and are not visible in the Windows File Explorer or in PowerShell.
For example (PowerShell dir):
PS C:\Users\user> dir -Force

    Verzeichnis: C:\Users\user

Mode    LastWriteTime       Length  Name
----    -------------       ------  ----
d-r---  13.01.2022 10:00            3D Objects
d--hsl  13.01.2022 10:00            Anwendungsdaten
d--h--  13.01.2022 10:00            AppData
d-r---  13.01.2022 10:00            Contacts
d--hsl  13.01.2022 10:00            Cookies
d-r---  09.02.2022 12:52            Desktop
d-r---  01.02.2022 08:33            Documents
d-r---  13.01.2022 10:00            Downloads
d--hsl  13.01.2022 10:00            Druckumgebung
d--hsl  13.01.2022 10:00            Eigene Dateien
d-r---  13.01.2022 10:00            Favorites
d--hs-  09.02.2022 12:52            IntelGraphicsProfiles
d-r---  13.01.2022 10:00            Links
d--hsl  13.01.2022 10:00            Lokale Einstellungen
d-r---  13.01.2022 10:00            Music
d--hsl  13.01.2022 10:00            Netzwerkumgebung
d-r---  13.01.2022 10:01            OneDrive
d-r---  13.01.2022 10:00            Pictures
d--hsl  13.01.2022 10:00            Recent
d-r---  13.01.2022 10:00            Saved Games
d-r---  13.01.2022 10:00            Searches
d--hsl  13.01.2022 10:00            SendTo
d--hsl  13.01.2022 10:00            Startmenü
d-r---  13.01.2022 10:00            Videos
d--hsl  13.01.2022 10:00            Vorlagen
-a-h--  06.07.2022 11:06   1572864  NTUSER.DAT
-a-hs-  13.01.2022 10:00         0  ntuser.dat.LOG1
-a-hs-  13.01.2022 10:00    262144  ntuser.dat.LOG2
-a-hs-  13.01.2022 10:25     65536  NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TM.blf
-a-hs-  13.01.2022 10:00    524288  NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms
-a-hs-  13.01.2022 10:00    524288  NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000002.regtrans-ms
---hs-  13.01.2022 10:00        20  ntuser.ini

PS C:\Users\user>
However, FileInfo[] files = currentDirectory.GetFiles(); will return a lot more, such as:
C:\Users\user\XORXOR1982804314.txt
C:\Users\user\XORXOR3753157645.png
C:\Users\user\!!!!!2857851130.jpg
C:\Users\user\fVAYIy1051591475.docx
Even though neither Explorer nor PowerShell shows these files, I can put their path into Explorer and it will attempt to open it (although unsuccessfully, the data is garbage). For the PNG file, for example, Windows Photo Viewer fails to open the file but can show the file details:
The files are all relatively recent (max 2 months old), they have been written to exactly once and are at most a few KB large. Does anyone have an idea what these files are?
UPDATE:
Rather than coming from malware, these files (and folders) come from our corporate antivirus called Traps / Cortex XDR.
These files appear to be "virtual files". They do not exist on the disk but get displayed to the software in order to prevent ransomware attacks. Furthermore, my user profile copy/backup will replicate these non-existent files in the output directory, effectively junking up the backup.
Some more information can be found in the Cortex community forums:
https://live.paloaltonetworks.com/t5/endpoint-traps-discussions/zzzzz-and-thousands-of-that-kind-of-files-on-hdd/td-p/191025
So how to circumvent that stuff? For now, I have applied a text filter, but the naming of these files might change in the future.