Issue
You may notice that antivirus or endpoint security tools detect temporary files with the .ryk extension during an Automox patch deployment. These detections may appear as potential malware or suspicious activity alerts.
Environment
Automox® Agent 2.0 and later
Windows Operating Systems
Any environment using antivirus or endpoint protection tools (e.g., CrowdStrike, Microsoft Defender, SentinelOne, Sophos)
Cause
During patch installations, certain Microsoft installation processes and developer tools (such as Visual Studio or MSBuild) generate temporary files in the system’s %TEMP% directory. These files are formatted with 8 random alphanumerical characters followed by an 'extension' of 3 random alphanumerical characters.
These files are typically created when Windows Installer or Visual Studio components perform build or update operations. Automox patch jobs and scans that invoke these same system-level installation routines may trigger similar temporary file creation.
As these files are randomly named, it is possible for a file to be labeled with a .ryk extension, causing security tools to incorrectly flag these .ryk files as malicious due to their unfamiliar file type or creation behavior.
An example:
For more details, here are some user-reported instances:
Resolution
No action is required if the detections occur during legitimate Automox patching or scanning events and the files are located in the system’s temporary directories.
To verify the detection is a false positive:
Confirm the file path — the
.rykfiles should exist under%TEMP%orC:\Windows\Temp\.Verify that your antivirus definitions are up to date.
Additional Information
.rykfiles are transient by design and are automatically deleted after the installation process completes.These files do not contain executable code and are safe when associated with verified Automox or Microsoft installation events.