Catalogic DPX GuardMode Agent is able to detect malware such as ransomware by counting write operations in the system. When the Agent detects an unusual number of write operations within a specific period, it sends a warning to the Catalogic DPX Master Server.
The Agent counts the write operations per second and, at a fixed interval (by default every 7 seconds), creates a record. Each record is rated High, Medium, Low, or none, and carries a corresponding number of "risk points", depending on the number of write operations observed:
One-second assessment result                  Record    Risk points
9 or more write operations per second         High
Between 4 and 8 write operations per second   Medium
Between 1 and 3 write operations per second   Low
No write operation per second                 none
Then, it evaluates the past 12 records as a sliding window (once 12 records exist, each new record replaces the oldest one), and when the total risk points of those records exceed 100, you will receive an alert.
Risk point calculation example
This example assumes you start the Agent at 0:00:00 AM and use default values for the number of threshold checks, their length, and threshold level:
Time    Risk Points/Record    Cumulative Risk Points    Alert Triggered?
In this scenario, the alert is triggered at 0:00:35 when the cumulative risk points exceed the threshold of 100 risk points due to the occurrence of four high-risk and one low-risk event.
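The following simulation, added here as an illustration and not part of Catalogic's own product code, replays the sliding-window scoring described above (per-second write counts, a record every 7 seconds, the last 12 records summed, alert when the sum exceeds 100) on a constructed input that reproduces the 0:00:35 example. The numeric risk points per level and the rule that a record takes the highest one-second level seen in its interval are assumptions (the page names the levels but not their values); the values were chosen so that four High records plus one Low record exceed 100, as in the example.

```python
from collections import deque

# ASSUMED per-record risk points: the page lists the levels High/Medium/Low/none
# but not their numeric values. These are chosen so that four High records plus
# one Low record exceed the threshold of 100, matching the page's example.
RISK_POINTS = {"High": 25, "Medium": 10, "Low": 1, "none": 0}

RECORD_LENGTH_SECONDS = 7   # default record interval stated on the page
WINDOW_RECORDS = 12         # number of past records evaluated (sliding window)
ALERT_THRESHOLD = 100       # alert when the window's total risk points exceed this


def classify_second(writes: int) -> str:
    """Map a one-second write count to the page's risk level."""
    if writes >= 9:
        return "High"
    if writes >= 4:
        return "Medium"
    if writes >= 1:
        return "Low"
    return "none"


def classify_record(per_second_writes) -> str:
    """Risk level for one record.

    ASSUMPTION: the record takes the highest one-second level observed in its
    interval; the page does not say how the seconds of a record are combined.
    """
    order = ["none", "Low", "Medium", "High"]
    return max((classify_second(w) for w in per_second_writes), key=order.index)


def simulate(writes_per_second, record_length=RECORD_LENGTH_SECONDS,
             window=WINDOW_RECORDS, threshold=ALERT_THRESHOLD):
    """Replay a sequence of per-second write counts (index 0 = 0:00:00).

    Returns one tuple per completed record:
    (time_in_seconds, level, points, cumulative_points, alert_triggered).
    """
    recent = deque(maxlen=window)  # oldest record drops out automatically
    results = []
    for start in range(0, len(writes_per_second) - record_length + 1, record_length):
        interval = writes_per_second[start:start + record_length]
        level = classify_record(interval)
        recent.append(RISK_POINTS[level])
        cumulative = sum(recent)
        results.append((start + record_length, level, RISK_POINTS[level],
                        cumulative, cumulative > threshold))
    return results


def first_alert_time(writes_per_second, **kwargs):
    """Second (from 0:00:00) at which the first alert fires, or None."""
    for t, _level, _pts, _cum, alert in simulate(writes_per_second, **kwargs):
        if alert:
            return t
    return None


# Constructed sample input: 28 seconds at 12 writes/s (four High records),
# then 7 seconds at 2 writes/s (one Low record).
SAMPLE = [12] * 28 + [2] * 7

if __name__ == "__main__":
    for t, level, pts, cum, alert in simulate(SAMPLE):
        print(f"0:00:{t:02d}  {level:<6} {pts:>3}  cumulative={cum:>3}  alert={alert}")
```

Running the block prints one line per record; the cumulative column reaches 100 at 0:00:28 and 101 at 0:00:35, where the alert fires. Feeding a long run of Low-only seconds shows the window behaviour: the cumulative value stops growing at 12 once twelve records exist, because each new record evicts the oldest.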