SentinelOne Detection Anomaly Involving Zone.Identifier Metadata


SentinelOne Alert Surge Related to :Zone.Identifier Files

Date: February 2, 2026
Prepared by: Critical Path Security


Executive Summary

On February 2, 2026, Critical Path Security observed a brief but widespread surge of SentinelOne “Malware” alerts across multiple monitored environments. These alerts were triggered almost simultaneously and referenced otherwise legitimate business documents containing the Windows :Zone.Identifier alternate data stream.

Based on initial analysis, this activity does not indicate active malware infections. Instead, it appears consistent with a SentinelOne detection anomaly related to how :Zone.Identifier metadata is interpreted.


What Is :Zone.Identifier?

Zone.Identifier is the standard Windows alternate data stream (ADS), also referred to as the Mark of the Web, that Windows attaches to a file to record that it originated from an external source, such as:

  • Web downloads

  • Email attachments

  • Files transferred from external systems


Alert Characteristics Observed

  • Threat Name Format: [filename]:Zone.Identifier

  • Detection Classification: Malware

  • Confidence Level: Malicious

  • Analyst Verdict: Undefined

  • Incident Status: Unresolved (pending vendor clarification)

  • Detection Window: Approximately two minutes

  • File Types Involved:

    • PDF

    • XLSX / XLSB

    • TMP

Example Filename Patterns (Sanitized):

  • Document_Name.pdf:Zone.Identifier

  • Spreadsheet_Report.xlsb:Zone.Identifier

  • TemporaryFile.xlsx:Zone.Identifier
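As an added illustration (not code from Critical Path Security or SentinelOne), the Python below shows the two checks an analyst can apply when triaging one of these alerts: it separates the base document name from a [filename]:Zone.Identifier threat name, and it parses the stream content to confirm it is an ordinary [ZoneTransfer] record with a known ZoneId and no unexpected keys. The sample streams are constructed, the expected key list reflects what Windows components commonly write, and read_stream opens the ADS directly, which only works on NTFS under Windows.

```python
"""Triage helper for '<file>:Zone.Identifier' alerts.  Added example (not
vendor code): checks that the stream holds only Mark-of-the-Web metadata."""
import configparser
from typing import Dict, Optional, Tuple

SUFFIX = ":Zone.Identifier"
# Zone values Windows writes into the stream (URLZONE constants).
ZONE_NAMES = {"0": "Local machine", "1": "Local intranet",
              "2": "Trusted sites", "3": "Internet", "4": "Restricted sites"}
# Keys Windows components commonly write (compared lower-case); others deserve a look.
EXPECTED_KEYS = {"zoneid", "referrerurl", "hosturl", "lastwriterpackagefamilyname"}

# Constructed sample streams: a typical browser download and an odd variant.
SAMPLE_BENIGN = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"
                 "HostUrl=https://example.com/Document_Name.pdf\r\n")
SAMPLE_ODD = "[ZoneTransfer]\r\nZoneId=3\r\nNotes=unexpected key\r\n"

def split_threat_name(threat_name: str) -> Tuple[str, bool]:
    """Return (base file name, True) when the threat name names the ADS, not the file."""
    if threat_name.endswith(SUFFIX):
        return threat_name[: -len(SUFFIX)], True
    return threat_name, False

def classify_stream(text: str) -> Dict[str, str]:
    """Verdict 'benign-motw' only for a well-formed [ZoneTransfer] record."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return {"verdict": "review", "reason": f"not INI-formatted: {exc}"}
    if not parser.has_section("ZoneTransfer"):
        return {"verdict": "review", "reason": "missing [ZoneTransfer] section"}
    keys = dict(parser.items("ZoneTransfer"))
    zone = keys.get("zoneid")
    if zone not in ZONE_NAMES:
        return {"verdict": "review", "reason": f"unexpected ZoneId {zone!r}"}
    unexpected = sorted(set(keys) - EXPECTED_KEYS)
    if unexpected:
        return {"verdict": "review", "reason": "unexpected keys: " + ", ".join(unexpected)}
    return {"verdict": "benign-motw", "reason": f"ZoneId={zone} ({ZONE_NAMES[zone]})"}

def read_stream(path: str) -> Optional[str]:
    """Read the ADS of an NTFS file (Windows only); None when the file has none."""
    try:
        with open(path + SUFFIX, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None
```

On a flagged host, `classify_stream(read_stream(r"C:\path\Document_Name.pdf"))` returns the verdict for the real file; a benign-motw result means the alert refers only to download metadata.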


Assessment

At this time, Critical Path Security assesses this activity as a false positive condition, likely triggered by a SentinelOne detection update or rule change affecting :Zone.Identifier metadata rather than the underlying file contents.

Notably:

  • The flagged files were legitimate business documents

  • No malicious payloads were identified

  • No post-execution or lateral movement behavior was observed

A peer industry assessment shared during the event stated:

“SentinelOne pushed a block file hash for .Zone.Identifier. Microsoft does not uniquely hash that file for Mark of the Web.”

This aligns with our current findings.


Recommended Actions

  • Avoid mass remediation or file deletion unless corroborated by additional indicators

  • Continue monitoring SentinelOne alerts for confirmation or follow-up detections

  • Await official guidance, clarification, or hotfix from SentinelOne Support

  • Treat affected alerts as likely false positives until vendor validation is provided

Critical Path Security is actively tracking this issue and will update guidance as new information becomes available.


Preliminary Conclusion

This event appears to be a SentinelOne detection anomaly involving normal :Zone.Identifier metadata, not a true malware outbreak. Organizations are advised to proceed cautiously, avoid unnecessary disruption, and rely on behavioral and contextual validation rather than alert volume alone.

If you have questions or are observing similar behavior in your environment, contact the Critical Path Security team for assistance.