> ## Documentation Index
> Fetch the complete documentation index at: https://help.gorelo.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Mystery assets

> Understand why unknown assets appear in Gorelo when antivirus sandboxes run the agent installer, how to spot test machines, and how to safely remove them.

If you’re seeing unexpected assets appear — even though you haven’t installed the Gorelo RMM Agent on those endpoints — it can be a bit concerning. But in most cases, there’s no need to worry.

## What’s actually happening?

This usually comes down to how antivirus and other security tools work. Many modern security products automatically upload unfamiliar executables (like the Gorelo RMM Agent installer) to cloud-based sandbox environments for analysis. When that sandbox runs the executable, the agent is installed and shows up in your list of assets.

## How to spot assets created by sandboxing

When unknown assets appear, they’re often the result of anti-malware vendors testing the Gorelo RMM Agent in sandbox environments. Unfortunately, these vendors don’t publish naming conventions for their test machines, so identifying them isn’t always straightforward.

That said, there are a few common signs that an asset was created during automated AV/EDR testing:

### What to look for

| What to look for                                   | Description                                                                                           | Examples/Causes                                                                                             |
| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| Weird or generic hostnames                         | Anything that doesn’t follow your site’s usual naming standards.                                      | `John-PC`, `Wilbert`, `Cuckoo`, `CWS`, or `ABC`                                                             |
| External IP address doesn’t match your environment | Look up the IP.                                                                                       | It resolves to something like: <ul><li>Microsoft</li><li>AWS</li><li>A security software provider</li></ul> |
| Missing or minimal audit data                      | These test assets usually don’t do much. Some may show a full audit, but most have little or no info. |                                                                                                             |
| The asset only checked in once                     | It was online when created but hasn’t been back since.                                                | Classic behavior of a sandboxed execution.                                                                  |
| Low hardware specs                                 | The asset may show the bare minimum hardware needed to run Windows or whatever OS is reported.        |                                                                                                             |
| Generic usernames                                  | Usernames that are typical on test machines.                                                          | <ul><li>`Administrator`</li><li>`User`</li><li>`Johndoe`</li></ul>                                          |

Even if your antivirus or EDR solution doesn’t use offsite sandbox testing, mystery assets can still appear if someone uploads the Gorelo RMM Agent installer to an online malware scanner.

For example, tools like **VirusTotal** let you upload files to scan across dozens of antivirus engines. If a teammate, security vendor, or anyone with access to your installer does this, it can trigger the agent to run in a sandbox — and that can create a new asset.
