Counting write operations

The Catalogic DPX GuardMode agent tries to detect malware such as ransomware by counting write operations in the system. When the agent service detects an unusual number of write operations within a specific period, it sends a notification to the Catalogic DPX Master Server and warns users.

By default, the agent service counts the write operations per second and creates a record. Each record is rated High, Medium, Low, or No risk, with a corresponding number of "risk points", depending on the number of write operations. The agent service then evaluates the past 12 records, and when their total risk points exceed 100, it warns users by creating an alert event.

One-second assessment result                 Record        Risk points
9 or more write operations per second        High risk     25
Between 4 and 8 write operations per second  Medium risk   15
Between 1 and 3 write operations per second  Low risk      5
No write operation per second                No risk       0

For example, assume that you start the agent service with the default threshold settings at 0:00:00 AM.

The assessment takes place at 0:00:07, counts write operations in the system per second, detects 3 write operations, and creates a low-risk record with 5 risk points. At 0:00:14, there are 8 write operations per second, so the agent service creates a medium-risk record with 15 risk points. At 0:02:27, there are 8 low-risk records and 4 medium-risk records, so the total number of risk points for the past 12 iterations is 100. Because the total equals but does not exceed the threshold, the agent service does not create any alert event.

At 0:02:34, the agent service detects 9 write operations, creates a high-risk record with 25 risk points, and purges the 13th latest record of 0:00:00. Then there are 7 low-risk records, 4 medium-risk records, and 1 high-risk record in the past 12 iterations, and the total number of risk points for these is 120. This exceeds the threshold value of 100 risk points, so the agent service produces an alert event to warn users.
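The scoring and sliding-window logic described above, as an added Python model of the detection (example code, not Catalogic's own agent code): the point values, window size of 12 and threshold of 100 come from this page, while the class and function names are assumptions. The sample input replays the walkthrough, so the alert fires on the 13th record exactly as in the text.

```python
from collections import deque

# Default GuardMode thresholds as documented on this page: writes per second
# mapped to risk points, a window of 12 records, alert when the sum exceeds 100.
WINDOW_SIZE = 12
ALERT_THRESHOLD = 100


def risk_points(writes_per_second: int) -> int:
    """Map a one-second write count to the record's risk points."""
    if writes_per_second >= 9:
        return 25   # High risk
    if writes_per_second >= 4:
        return 15   # Medium risk
    if writes_per_second >= 1:
        return 5    # Low risk
    return 0        # No risk


class WriteRateMonitor:
    """Keep the last WINDOW_SIZE records; alert when their total exceeds the threshold.
    (Hypothetical class name; the agent's internal structure is not documented.)"""

    def __init__(self, window_size: int = WINDOW_SIZE, threshold: int = ALERT_THRESHOLD):
        # deque(maxlen=...) purges the 13th latest record automatically on append
        self.records = deque(maxlen=window_size)
        self.threshold = threshold

    def total(self) -> int:
        return sum(self.records)

    def record(self, writes_per_second: int) -> bool:
        """Add one assessment; return True if this record raises an alert event."""
        self.records.append(risk_points(writes_per_second))
        return self.total() > self.threshold   # strictly exceeds, so 100 is not an alert


def replay(samples) -> list:
    """Feed per-second write counts through a monitor; return indices that alerted."""
    monitor = WriteRateMonitor()
    return [i for i, n in enumerate(samples) if monitor.record(n)]


# Constructed sample mirroring the walkthrough: 8 low-risk seconds, 4 medium-risk
# seconds (window totals exactly 100, no alert), then one high-risk second that
# drops the oldest low-risk record and pushes the window to 120.
SAMPLE = [3] * 8 + [8] * 4 + [9]

if __name__ == "__main__":
    print(replay(SAMPLE))  # [12]
```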
