Windows: Mysterious folder C:\Virus; Trend Micro involved?

I am posting a very unusual observation by an administrator among the blog readers here on the blog. He noticed that an ominous folder c:\virus was "suddenly" created on his clients on the system drive. The cause has not yet been proven, but there are some indications that Trend Micro is the root cause. Perhaps someone else from the readership has made the same observation.

A reader observation about the C:\Virus folder

German blog reader Christian P. works as an administrator in a corporate environment and has just informed me by email about a very unusual observation on his Windows clients (thanks for the info). His IT department is faced with a curious problem and is hoping for the swarm intelligence of the blog readership.

Suddenly found a folder c:\virus

According to Christian, "the week before last" (i.e. from around April 7, 2025), a colleague discovered an empty folder called virus directly under C:\. It's easy to understand why all the alarm bells immediately went off in IT and the reader went to investigate the cause.

No pattern of creation found

A quick network scan by the blog reader via PDQ Connect revealed another 22 affected clients in the company. Christian wrote that a detailed report showed that the first folder was created on one client on 10.04.2024. The other folders were created sporadically on other days. In total, around 600 clients are in use at the company and the reader was unable to recognize any pattern in the creation.

Trend Micro Vision One in use

The reader wrote that the company was using Vision One from Trend Micro as endpoint security. As Vision One is used as a managed XDR solution, the reader naturally first created a support case with the manufacturer in order to involve the Security Operations Center (SOC).

Security Operations Center (SOC) didn't help

After the support case was created, there was initially silence at Trend Micro (TM). After another request from the customer, the response came back that the SOC could not detect any threatening activities in the network and that the folder should be deleted as it was empty anyway.

Further analysis by IT

Christian wrote that he found this response from the TM SOC "somehow unsatisfactory", as the ACLs clearly identified the "local administrators" group as the owner of the C:\virus folder. He can therefore rule out the possibility that the folder was created by a normal user for fun.

What created the folder?

According to the blog reader, the following weekend was spent checking all administrative accounts and changing all passwords. There was also no evidence of a "golden ticket" in the domain. So everything seemed to be clean.

Effect continues on other clients

Unfortunately, the folder continued to spread to a total of 30 clients over the following week, as the blog reader discovered. At this point, IT then deleted the folder on some clients as a test. The IT staff discovered that the folder was immediately recreated on some devices.

The audit policy was therefore activated on one of the clients, and event 4656 showed that the folder had been created by coreServiceShell.exe running with SYSTEM rights.
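How the reader's event-4656 check can be reproduced on a client, as an added PowerShell example (not code from the post, the reader or Trend Micro): it puts a directory-creation SACL on the system drive root, then reads the Security log for 4656 events naming the folder and reports the requesting process and account. It assumes an elevated session on a Windows client; the C:\virus path is the one from the post.

```powershell
# Added example, not from the blog post: audit who creates C:\virus on a client.
# Requires an elevated session (SACL changes and Security-log reads need admin rights).
$Target = 'C:\virus'   # folder path as described in the post

function Enable-RootCreateAudit {
    # Turn on success auditing for the File System subcategory ...
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # ... and add a SACL entry on C:\ so successful directory creation is logged as 4656.
    $acl  = Get-Acl -Path 'C:\' -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList 'Everyone', 'CreateDirectories', 'None', 'None', 'Success'
    $acl.AddAuditRule($rule)
    Set-Acl -Path 'C:\' -AclObject $acl
}

function Get-FolderCreator {
    # Return the process and account behind each 4656 event that names the target folder.
    param([string]$Path = $Target, [int]$Days = 14)
    $filter = @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        if ($data.ObjectName -eq $Path) {      # -eq is case-insensitive: matches C:\Virus too
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $data.ProcessName    # the post saw ...\coreServiceShell.exe here
                PID     = [int]$data.ProcessId # logged as a hex string such as 0x1a2c
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Mask    = $data.AccessMask
            }
        }
    }
}

function Get-FolderFacts {
    # Owner and creation time of the folder itself, the two details the reader checked.
    param([string]$Path = $Target)
    if (Test-Path -LiteralPath $Path) {
        [pscustomobject]@{
            Owner   = (Get-Acl -LiteralPath $Path).Owner
            Created = (Get-Item -LiteralPath $Path).CreationTime
        }
    }
}

Enable-RootCreateAudit
Get-FolderFacts
Get-FolderCreator | Sort-Object Time | Format-Table -AutoSize
```

The SACL is deliberately added without inheritance so only creations directly under C:\ are audited; propagating it to the whole drive would flood the Security log.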

According to Trend Micro, coreServiceShell.exe is the main process of the Trend Micro program. That is a pretty broad hint, isn't it?

Trend Micro denies its own product is the cause

The blog reader then confronted Trend Micro with the latest findings. Their support only said that they would pass the information on to a system engineer. The quick response the following day was that the affected folder was not created by a Trend Micro product. The quarantine directory used by Vision One is located in C:\ProgramData\ and not under C:\virus.

The reader reported that Trend Micro also sent an almost illegible screenshot showing the PowerShell script of the reader's PDQ Connect scan. Trend Micro claimed that this script was the cause of the folder creation.

A client caught in the act

The blog reader stayed on top of the problem and in the meantime found a Windows client where he could trigger the creation of the C:\virus folder by activating and deactivating the Trend Micro XDR solution.

The reader considers this to be "the ultimate proof" that the folder was created by Trend Micro. So he contacted Trend Micro again and asked for an explanation of what exactly could be seen in the screenshot sent to him. Specifically, he asked which command from the PowerShell script of the PDQ Connect scan, visible in the screenshot, was responsible for the creation of the c:\Virus folder.

After all, TM support must be able to justify and substantiate its claim that the PowerShell script of the PDQ Connect scan creates the folder. The blog reader wrote to me that Trend Micro support probably gave in on Monday, April 14, 2025, and vaguely admitted that the folder could have been created by their product after all. Trend Micro has now received more reports of such incidents.

Are there more people affected?

Blog reader Christian wrote that the whole process has been dragging on for over 2 weeks now and that he has already wasted X hours on the case. He is of the opinion that it is quite a fail on the part of a SOC and the support of an MDR provider to react to the case outlined above in this way and to first of all "reject everything and flimsily blame the problem on another software".

If the blog reader had not vehemently followed up, the support case would most likely have been closed without anyone investigating the problem.

The final cause of what created the C:\virus folder is still unknown. The blog reader asked me in his email whether there might be others among the readership who are affected and asked me to post the case briefly on the blog – which I have now done. Perhaps the swarm intelligence of the readership can solve the mystery.


2 Responses to Windows: Mysterious folder C:\Virus; Trend Micro involved?

  1. Anonymous says:

    Yes, our company is also affected by this. At first I thought that someone was doing a pentest, but after speaking with a colleague we also found out that the Trend Micro process was the culprit.

  2. André says:

    Hi, we are also affected by this behaviour. I've created a support ticket with Trend Micro and am awaiting a response from our premium support service manager.
