Special Files Monitoring

Note. YARA analysis complements special files monitoring by providing pattern-based detection for potential threats. See Configuring YARA to learn how to integrate YARA with special files monitoring.

The Special Files Monitoring feature in Catalogic GuardMode allows users to configure the GuardMode Agent to monitor specific locations on a file system. This feature is designed to detect and alert users if files in these locations are being encrypted or modified in a way that destroys their metadata or magic numbers.

Adding directories to Special Files Monitoring

  1. Go to the Special files monitoring section of the Security tab.

  2. Add the path you want to configure.

  3. Toggle the switch to enable or disable alerts for unknown file types.

    • Toggle Off: Any modification to files in the protected path will be reported.

    • Toggle On: After modifying a file in the protected path, it will be checked for magic numbers and entropy. If anomalies are detected, an alert will be sent.

  4. Click Save.

Attention! Ensure that the directories you add for monitoring are correctly specified and accessible by the GuardMode Agent to avoid false negatives.
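
The magic-number and entropy check described in step 3, sketched in Python as an added example. It is not GuardMode's own code: the signature table, the 7.5 bits-per-byte threshold, the function names and the sample files are all assumptions constructed for illustration.

```python
import math
import os
import tempfile

# Assumed, deliberately small signature table: extension -> leading magic bytes.
MAGIC = {".pdf": b"%PDF-", ".png": b"\x89PNG\r\n\x1a\n",
         ".zip": b"PK\x03\x04", ".jpg": b"\xff\xd8\xff"}
ENTROPY_THRESHOLD = 7.5  # assumed cut-off in bits per byte (maximum is 8.0)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)

def check_file(path: str, sample_size: int = 65536) -> list:
    """Return anomaly labels for a modified file; an empty list means clean."""
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    findings = []
    expected = MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is not None and not head.startswith(expected):
        findings.append("magic_mismatch")
    # Compressed formats are high-entropy by design, so entropy only counts
    # when the header is not one of the recognised signatures.
    recognised = any(head.startswith(sig) for sig in MAGIC.values())
    if not recognised and shannon_entropy(head) > ENTROPY_THRESHOLD:
        findings.append("high_entropy")
    return findings

def demo() -> dict:
    """Run the check over constructed sample files in a temporary directory."""
    uniform = bytes(range(256)) * 256  # constructed stand-in for ciphertext
    samples = {
        "report.pdf": b"%PDF-1.7\n" + b"plain text body\n" * 500,  # intact
        "archive.zip": b"PK\x03\x04" + uniform,  # intact, compressed payload
        "invoice.pdf": uniform,                  # header destroyed
        "todo.txt": uniform,                     # no known header, randomised
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            results[name] = check_file(path)
    return results
```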
