Detecting File Renaming with Abnormal File Extensions
In many cases, ransomware attempts to change or encrypt files in an infected system and renames these files with a new file extension. GuardMode Agent stores a block list of suspicious file extensions for known malware and periodically updates this block list (the update can be triggered manually from Agent Node's Security tab). When the GuardMode Agent detects files containing any file extension in the block list, you will receive an alert via your selected notification providers like DPX Master Server.
Attention! To allow the Agent to automatically synchronize the list with a list on our servers, you need to set the value of environmental variable BLOCKLIST_NETWORK_FETCH_ENABLED
to true
. This environmental variable should be added to the file dpx.yml
. For details, see Changing Blocklist Configuration.
Excluding file extensions from the block list
You can create a list of excluded extensions to allow for custom exclusion patterns.
To add a new extension pattern, simply add a new pattern (e.g. *.lsas
or *.deeep
) to the blocklist.json
file located in the GuardMode's root directory.