Mystery Assets

Written By Mikel from Gorelo

If you’re seeing unexpected assets appear — even though you haven’t installed the Gorelo RMM Agent on those endpoints — it can be a bit concerning. But in most cases, there’s no need to worry.

What’s actually happening?

This usually comes down to how antivirus and other security tools work. Many modern security products automatically upload unfamiliar executables (like the Gorelo RMM Agent installer) to cloud-based sandbox environments for analysis. When that sandbox runs the executable, the agent is installed and shows up in your list of assets.

How to Spot Assets Created by Sandboxing

When unknown assets appear, they’re often the result of anti-malware vendors testing the Gorelo RMM Agent in sandbox environments. Unfortunately, these vendors don’t publish naming conventions for their test machines, so identifying them isn’t always straightforward.

That said, there are a few common signs that an asset was created during automated AV/EDR testing:

What to look for

  • Weird or generic hostnames
    Think names like John-PC, Wilbert, Cuckoo, CWS, or ABC — basically anything that doesn’t follow your site’s usual naming standards.

  • External IP address doesn’t match your environment
    Look up who owns the IP. If it belongs to something like Microsoft, AWS, or a security software provider, that’s a big clue.

  • Missing or minimal audit data
    These test assets usually don’t do much. Some may show a full audit, but most have little or no info.

  • The asset only checked in once
    It was online when created but hasn’t been back since? Classic behavior of a sandboxed execution.

  • Low hardware specs
    The asset may show the bare minimum hardware needed to run Windows or whatever OS is reported.

  • Generic usernames
    Usernames like Administrator, User, or Johndoe are typical on test machines.
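
The signs above can be checked together over an asset list. The script below is an added example, not Gorelo code: the record field names, the ACME- naming prefix, the office IP range, the hardware floor and the three-sign threshold are all assumptions to replace with your own values, and the sample records are constructed.

```python
import ipaddress

# Assumptions (not Gorelo's schema): field names, site prefix, egress range, thresholds.
GENERIC_HOSTS = {"john-pc", "wilbert", "cuckoo", "cws", "abc"}  # names from the article
GENERIC_USERS = {"administrator", "user", "johndoe"}             # names from the article
SITE_PREFIX = "ACME-"                                            # hypothetical naming standard
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]          # hypothetical office range
MIN_RAM_GB, MIN_CORES = 4, 2                                     # assumed "bare minimum" specs

def sandbox_signs(asset):
    """Return the article's indicators that this asset record matches."""
    signs = []
    host = asset["hostname"]
    if host.lower() in GENERIC_HOSTS or not host.upper().startswith(SITE_PREFIX):
        signs.append("hostname")
    ip = ipaddress.ip_address(asset["external_ip"])
    if not any(ip in net for net in KNOWN_EGRESS):
        signs.append("external_ip")
    if not asset.get("audit"):            # empty or missing audit data
        signs.append("audit")
    if asset["checkins"] <= 1:            # seen once at creation, never again
        signs.append("single_checkin")
    if asset["ram_gb"] <= MIN_RAM_GB and asset["cores"] <= MIN_CORES:
        signs.append("low_specs")
    if asset["last_user"].lower() in GENERIC_USERS:
        signs.append("username")
    return signs

def triage(assets, threshold=3):
    """Map hostname -> matched signs for assets with at least `threshold` signs."""
    hits = {}
    for asset in assets:
        signs = sandbox_signs(asset)
        if len(signs) >= threshold:
            hits[asset["hostname"]] = signs
    return hits

# Constructed sample records: a normal laptop, a sandbox-like asset, a remote worker.
SAMPLE = [
    {"hostname": "ACME-LT-014", "external_ip": "203.0.113.25", "audit": {"apps": 212},
     "checkins": 340, "ram_gb": 16, "cores": 8, "last_user": "m.rivera"},
    {"hostname": "John-PC", "external_ip": "198.51.100.7", "audit": {},
     "checkins": 1, "ram_gb": 4, "cores": 2, "last_user": "Administrator"},
    {"hostname": "ACME-WS-002", "external_ip": "198.51.100.90", "audit": {"apps": 90},
     "checkins": 57, "ram_gb": 8, "cores": 4, "last_user": "k.osei"},
]

if __name__ == "__main__":
    for name, signs in triage(SAMPLE).items():
        print(name, "->", ", ".join(signs))
```

Requiring several signs at once keeps a real endpoint on an unfamiliar network, like the third sample record, out of the results.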

Even if your antivirus or EDR solution doesn’t use offsite sandbox testing, mystery assets can still appear if someone uploads the Gorelo RMM Agent installer to an online malware scanner.

For example, tools like VirusTotal let you upload files to scan across dozens of antivirus engines. If a teammate, security vendor, or anyone with access to your installer does this, it can trigger the agent to run in a sandbox — and that can create a new asset.