A Windows system administrator in a corporate environment recently discovered an unexpected and ominously named empty folder, C:\virus, appearing on multiple client machines. This anomaly triggered immediate concern, as the folder’s name and sudden creation suggested a potential security threat.
The company, using Trend Micro Vision One as its endpoint security solution, could not initially determine the root cause. Despite extensive internal investigations and escalation to Trend Micro’s Security Operations Center (SOC), the issue persisted, with the folder reappearing even after deletion and spreading to more clients over time.
The folder’s owner was always the local Administrators group, and audit logs traced its creation to the coreServiceShell.exe process, a core component of Trend Micro’s security software, running with SYSTEM privileges.
Technical Analysis & Findings
Folder Creation Pattern
- The C:\virus folder appeared sporadically across the network, with no clear pattern or user action linked to its creation.
- Deleting the folder resulted in its immediate recreation on some systems, indicating an automated or service-level process.
Trend Micro Involvement
- Audit logs revealed coreServiceShell.exe (Trend Micro’s main service process) was responsible for creating the folder with SYSTEM rights.
- The folder was not the standard quarantine directory for Trend Micro, which is typically located in C:\ProgramData\.
- Trend Micro initially denied responsibility, suggesting a PowerShell script used for network scanning (via PDQ Connect) was the cause, but this was not substantiated.
Reproducibility
The administrator was able to reliably trigger the folder’s creation by enabling/disabling Trend Micro XDR, further implicating the security product.
Trend Micro’s Response
After persistent follow-up, Trend Micro support conceded that their product could be responsible and admitted to receiving similar reports from other customers.
Resolution Steps
While the root cause within Trend Micro’s software remains officially undocumented, the evidence strongly implicates Trend Micro Vision One’s coreServiceShell.exe process in the creation of the C:\virus folder. Here’s a recommended approach to manage and mitigate the issue:
Document and Monitor
Continue auditing folder creation events (Event ID 4656) and monitor for any changes in behavior after Trend Micro updates.
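The audit trail described above can be reproduced with the following script. It is an added example, not part of the original report or any Trend Micro tooling. It assumes an elevated PowerShell session on the affected client; the "File System" audit subcategory and the audit entry on C:\ are put in place by the setup block (the administrator in the report evidently already had equivalent auditing). Event ID 4656 ("A handle to an object was requested") carries both the object path and the requesting process, which is what ties the folder to a specific executable.

```powershell
# Added example (not from the original report): identify the process that
# created C:\virus from Security log Event ID 4656. Run elevated.

$FolderPath = 'C:\virus'   # the folder named in the report

# --- One-time setup -------------------------------------------------------
# Enable success auditing for the "File System" subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Add an audit entry on the drive root for folder creation. ContainerInherit +
# NoPropagateInherit scopes it to C:\ and its immediate subfolders, so the
# SACL write stays small and a newly created C:\virus still inherits it.
$acl  = Get-Acl -Path 'C:\' -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]::CreateDirectories,
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit,
            [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path 'C:\' -AclObject $acl

# --- Query ----------------------------------------------------------------
# 4656 events whose ObjectName is exactly the folder path. The event log XPath
# subset has no prefix matching, so the path is compared for equality.
$xpath = "*[System[EventID=4656]] and *[EventData[Data[@Name='ObjectName']='$FolderPath']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            Subject     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ProcessId   = [int]$data['ProcessId']      # logged as hex, e.g. 0x1a2c
            ProcessName = $data['ProcessName']         # full image path of the requester
            AccessMask  = $data['AccessMask']
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

In the case described on this page, the ProcessName column is where coreServiceShell.exe showed up, with the Subject column reading NT AUTHORITY\SYSTEM. Keeping the query output from before and after each Trend Micro update gives the "monitor for changes in behavior" evidence the step above asks for, and the same output is the concrete material to attach to the support case.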
Engage Trend Micro Support
Reference your audit findings and reproducibility steps in your support case. Request a formal statement and ETA for a patch or workaround.
Temporary Workarounds
If business policy allows, consider disabling or limiting the Trend Micro XDR component until a fix is released. Automate deletion of the folder if it poses no operational risk, but monitor for unexpected changes in folder content.
Communicate with Stakeholders
Inform IT leadership and end-users that the folder is not indicative of an actual infection but is a byproduct of the security software. Document all actions and communications for compliance and audit purposes.
Stay Updated
Monitor Trend Micro’s advisories and community forums for updates or hotfixes.
Supplementary Information
- coreServiceShell.exe is a legitimate Trend Micro process responsible for managing core modules and services.
- The folder’s creation does not indicate a malware infection but is likely a programming or configuration oversight in Trend Micro’s product.
- Malicious software can sometimes masquerade as coreServiceShell.exe, but in this scenario, the process was verified as legitimate and signed by Trend Micro.
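The check that distinguishes the genuine process from an impostor can be scripted as follows. This is an added example, not code from the report or from Trend Micro. It assumes the process name coreServiceShell.exe from the report, that the legitimate binary is Authenticode-signed with a certificate whose subject contains "Trend Micro", and that it lives under Program Files; the last two are assumptions about a typical installation and should be adjusted to what the vendor documents for your version.

```powershell
# Added example (not from the original report): confirm that every running
# coreServiceShell.exe is the signed Trend Micro binary rather than a lookalike.
# The 4656 audit event only names the process; this inspects the image on disk.

$ExpectedName = 'coreServiceShell.exe'
$SignerPattern = 'Trend Micro'   # assumption: substring expected in the signer subject

$results = foreach ($p in Get-Process -Name 'coreServiceShell' -ErrorAction SilentlyContinue) {
    # Get-Process may not expose the path of a SYSTEM process; fall back to CIM.
    $path = $p.Path
    if (-not $path) {
        $path = (Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)").ExecutablePath
    }
    $sig = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }

    $signerSubject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        ProcessId         = $p.Id
        Path              = $path
        SignatureValid    = [bool]($sig -and $sig.Status -eq 'Valid')
        Signer            = $signerSubject
        SignerIsVendor    = [bool]($signerSubject -match $SignerPattern)
        # Assumption: a legitimate install sits under one of the Program Files trees.
        UnderProgramFiles = [bool](($path -like "$env:ProgramFiles*") -or ($path -like "${env:ProgramFiles(x86)}*"))
        Sha256            = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256).Hash } else { $null }
    }
}

$results | Format-Table -AutoSize

# Anything unsigned, signed by someone else, or running from an unexpected
# location is a malware triage, not a vendor support ticket.
$results |
    Where-Object { -not ($_.SignatureValid -and $_.SignerIsVendor -and $_.UnderProgramFiles) } |
    ForEach-Object { Write-Warning "Suspicious $ExpectedName instance: PID $($_.ProcessId) at $($_.Path)" }
```

Recording the SHA256 alongside the signature result lets you compare the binary across clients and across product updates; a hash that changes without a corresponding update, or a signature that stops validating, is the point at which the folder stops being a vendor bug and becomes an incident.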
This incident highlights a frustrating failure in vendor support and product quality assurance. The administrator’s persistence led to a reluctant admission by Trend Micro, but the lack of transparency and initial deflection is disappointing for organizations relying on enterprise-grade security solutions.
Stay vigilant, document thoroughly, and continue pressing for a formal resolution from Trend Micro. You are not alone in facing this issue, and your diligence is a positive example for IT professionals everywhere.