Counting Write Operations
The Catalogic DPX GuardMode agent tries to detect malware such as ransomware by counting write operations in the system. When the agent service detects an unusual number of write operations in a specific period, it sends a notification to the Catalogic DPX Master Server and warn users.
By default, the agent service counts the write operations for a second and creates a record. Each record has the „risk points”, either High, Medium, Low, or none, depending on the number of write operations. Then, the agent service evaluates the past 12 records, and when the total risk points exceed 100, it warns users by creating an alert event.
One-second assessment result | Record | Risk points |
---|---|---|
9 or more write operations in a second | High risk | 25 |
Between 4 and 8 write operations in a second | Medium risk | 15 |
Between 1 and 3 write operations in a second | Low risk | 5 |
No write operation in a second | No risk | 0 |
For example, assume that you start the agent service with the default threshold settings at 0:00:00 AM.
The assessment takes place at 0:00:07, counts write operations in the system for a second, detects 3 write operations, and creates a low-risk record with 5 risk points. At 0:00:14, there are 8 write operations in a second so that the agent service creates a medium-risk record with 15 risk points. At 0:02:27, there are 8 low-risk records and 4 medium-risk records, so that the total risk points of the past 12 iterations are 100. In this case, the agent service does not create any alert event.
At 00:02:34, the agent service detects 9 write operations, creates a high-risk record with 25 risk points, and purges the 13th latest record of 0:00:00. Then, there are 7 low-risk records, 4 medium-risk records, and 1 high-risk records in the past 12 iterations, and the total risk points of these are 120 which exceeds the threshold value of 100 risk points, so that the agent service produces an alert event to warn users.
Last updated