Write Operations Threshold
Catalogic DPX GuardMode Agent is able to detect malware such as ransomware by counting write operations in the system. When the Agent detects an unusual number of write operations within a specific period, it sends a warning to the Catalogic DPX Master Server.
The Agent counts the write operations per second and creates a record (by default, every 7 seconds). Each record has "risk points", either High, Medium, Low, or none, depending on the number of write operations:
| One-second assessment result | Record | Risk points |
|---|---|---|
9 or more write operations per second | High risk | 25 |
Between 4 and 8 write operations per second | Medium risk | 15 |
Between 1 and 3 write operations per second | Low risk | 5 |
No write operation per second | No risk | 0 |
Then, it evaluates the past 12 records (after that the oldest record will be replaced with a new one) and when the total risk points exceed 100, you will receive an alert.
Tip. The number of threshold checks, their length, and threshold risk level can be modified in the Security tab of your Node
Risk point calculation example
This example assumes you start the Agent at 0:00:00 AM and use default values for the number of threshold checks, their length, and threshold level:
| Time | Risk Points/Record | Cumulative Risk Points | Alert Triggered? |
|---|---|---|---|
0:00:07 | 5 | 5 | No |
0:00:14 | 25 | 30 | No |
0:00:21 | 25 | 55 | No |
0:00:28 | 25 | 80 | No |
0:00:35 | 25 | 105 | Yes |
In this scenario, the alert is triggered at 0:00:35 when the cumulative risk points exceed the threshold of 100 risk points due to the occurrence of four high-risk and one low-risk event.