What’s actually happening?
This usually comes down to how antivirus and other security tools work. Many modern security products automatically upload unfamiliar executables (like the Gorelo RMM Agent installer) to cloud-based sandbox environments for analysis. When that sandbox runs the executable, the agent is installed and shows up in your list of assets.

How to Spot Assets Created by Sandboxing
When unknown assets appear, they’re often the result of anti-malware vendors testing the Gorelo RMM Agent in sandbox environments. Unfortunately, these vendors don’t publish naming conventions for their test machines, so identifying them isn’t always straightforward. That said, there are a few common signs that an asset was created during automated AV/EDR testing:

What to look for
| What to look for | Description | Examples/Causes |
|---|---|---|
| Weird or generic hostnames | Anything that doesn’t follow your site’s usual naming standards. | John-PC, Wilbert, Cuckoo, CWS, or ABC |
| External IP address doesn’t match your environment | Look up the IP. | It resolves to something like: |
| Missing or minimal audit data | These test assets usually don’t do much. Some may show a full audit, but most have little or no info. | |
| The asset only checked in once | It was online when created but hasn’t been back since. | Classic behavior of a sandboxed execution. |
| Low hardware specs | The asset may show the bare minimum hardware needed to run Windows or whatever OS is reported. | |
| Generic usernames | Usernames that are typical on test machines. | |
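The signs in the table are easier to apply consistently when scripted against an asset export. The script below is an added example, not Gorelo's code or part of its product: it scores each asset against the table's heuristics and flags those matching several at once. The record field names (hostname, external_ip, checkin_count, audit_fields, ram_gb, cpu_cores, username), the site naming pattern, the site egress ranges and the generic-username list are all assumptions you would replace with your own, and the two sample records are constructed.

```python
"""Triage heuristics for spotting sandbox-created RMM assets.

Added example, not Gorelo's code. Assumes each asset is exported as a dict
with hypothetical keys: hostname, external_ip, checkin_count, audit_fields,
ram_gb, cpu_cores, username. Sample records below are constructed.
"""
import ipaddress
import re

# Hypothetical site naming standard, e.g. ACME-WS-0123 (constructed).
SITE_HOSTNAME_RE = re.compile(r"^ACME-(WS|SRV)-\d{4}$")

# Public ranges the site actually egresses from (constructed placeholders).
SITE_EGRESS_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Usernames commonly seen on automated test machines (illustrative list).
GENERIC_USERS = {"admin", "administrator", "user", "test", "john", "sandbox"}

# Below these, the machine is the bare minimum needed to boot the OS.
MIN_RAM_GB = 4
MIN_CPU_CORES = 2


def sandbox_indicators(asset):
    """Return the list of table heuristics that the asset matches."""
    hits = []
    if not SITE_HOSTNAME_RE.match(asset.get("hostname", "")):
        hits.append("hostname outside site naming standard")
    try:
        ip = ipaddress.ip_address(asset.get("external_ip", ""))
        if not any(ip in net for net in SITE_EGRESS_NETS):
            hits.append("external IP not in site egress ranges")
    except ValueError:
        hits.append("external IP missing or unparseable")
    if asset.get("audit_fields", 0) < 3:
        hits.append("missing or minimal audit data")
    if asset.get("checkin_count", 0) <= 1:
        hits.append("checked in only once")
    if asset.get("ram_gb", 0) < MIN_RAM_GB or asset.get("cpu_cores", 0) < MIN_CPU_CORES:
        hits.append("low hardware specs")
    if asset.get("username", "").lower() in GENERIC_USERS:
        hits.append("generic username")
    return hits


def likely_sandbox(asset, threshold=3):
    """Flag an asset for review when it matches at least `threshold` heuristics."""
    return len(sandbox_indicators(asset)) >= threshold


# Constructed sample export: one normal workstation, one sandbox-looking asset.
SAMPLE_ASSETS = [
    {"hostname": "ACME-WS-0042", "external_ip": "203.0.113.17", "checkin_count": 120,
     "audit_fields": 40, "ram_gb": 16, "cpu_cores": 8, "username": "jsmith"},
    {"hostname": "John-PC", "external_ip": "198.51.100.9", "checkin_count": 1,
     "audit_fields": 1, "ram_gb": 2, "cpu_cores": 1, "username": "admin"},
]


def triage(assets=SAMPLE_ASSETS):
    """Map hostname -> matched indicators for every asset worth reviewing."""
    return {a["hostname"]: sandbox_indicators(a) for a in assets if likely_sandbox(a)}


if __name__ == "__main__":
    for host, hits in triage().items():
        print(f"{host}: {', '.join(hits)}")
```

A single matching heuristic is weak evidence on its own (a legitimate laptop can check in once from a coffee shop), which is why the example only flags assets that match three or more; tune the threshold and the site-specific constants to your environment and review flagged assets rather than deleting them automatically.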