Write Operations Threshold
Note. YARA analysis can be used alongside write operations threshold monitoring to provide comprehensive file analysis. For details, see Configuring YARA.
Catalogic GuardMode Agent can detect malware such as ransomware by counting write operations on the system. When the Agent observes an unusually high number of write operations within a given period, it sends a warning to the Catalogic DPX Master Server.
The Agent measures the write operations per second and creates a record at a fixed interval (by default, every 7 seconds). Each record is assigned a risk level (High, Medium, Low, or none) with a corresponding number of "risk points", depending on the write rate observed in that interval:

Write operations per second    Risk level    Risk points
9 or more                      High          25
4 to 8                         Medium        15
1 to 3                         Low           5
0                              None          0
The Agent then evaluates the most recent 12 records as a rolling window (12 records of 7 seconds each, or 84 seconds with the default settings). Once 12 records exist, each new record replaces the oldest one. After every new record, the risk points of all records in the window are added up; when the total exceeds 100, an alert is sent.
Tip. The number of threshold checks (the window size), their length (the record interval), and the threshold risk level can be modified in the Security tab of your Node.
Risk point calculation example
This example assumes the Agent starts at 0:00:00 AM and uses the default values for the number of threshold checks, their length, and the threshold level:

Time       Record risk points    Cumulative risk points    Alert
0:00:07    5                     5                         No
0:00:14    25                    30                        No
0:00:21    25                    55                        No
0:00:28    25                    80                        No
0:00:35    25                    105                       Yes

In this scenario, the alert is triggered at 0:00:35, when the cumulative risk points reach 105 and exceed the threshold of 100. The total comes from one low-risk record (5 points) followed by four high-risk records (25 points each). All five records fall within the 12-record window, so no record has been evicted yet; with a quieter workload the same burst would be aged out of the window after 84 seconds.
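The following is an added illustration, not code from Catalogic or the GuardMode Agent, that replays the rolling-window scoring described above in Python. It uses the page's default values (7-second records, a 12-record window, an alert when the total exceeds 100) and the risk bands from the table. It goes slightly beyond the worked example: after reproducing the five records that trigger the alert at 0:00:35, it continues with quiet records so the window fills and the oldest records are evicted, showing the alert clearing again. The input write rates are constructed for the example, and the handling of fractional write rates (compared with >=) is an assumption, since the page only gives integer band boundaries.

```python
from collections import deque

# Defaults stated on this page; all three can be changed in the Node's Security tab.
RECORD_INTERVAL_SECONDS = 7   # one record is created every 7 seconds
WINDOW_RECORDS = 12           # the last 12 records are evaluated
ALERT_THRESHOLD = 100         # alert when the window total exceeds 100 points

# Risk bands from the table above: (minimum writes/second, level, points)
RISK_BANDS = (
    (9, "High", 25),
    (4, "Medium", 15),
    (1, "Low", 5),
    (0, "None", 0),
)


def classify(writes_per_second):
    """Return (level, points) for one record's write rate.

    Bands are compared with >=, so a fractional rate such as 8.5 falls into
    the band below it (Medium). The page gives only integer boundaries; how
    the real Agent rounds is an assumption here.
    """
    for minimum, level, points in RISK_BANDS:
        if writes_per_second >= minimum:
            return level, points
    return "None", 0  # negative input: treat as no writes


def evaluate(write_rates, interval=RECORD_INTERVAL_SECONDS,
             window_size=WINDOW_RECORDS, threshold=ALERT_THRESHOLD):
    """Replay a sequence of per-record write rates through the rolling window.

    write_rates[i] is the writes/second observed for record i. Returns one
    tuple per record: (seconds since start, level, points, window total, alert).
    The deque's maxlen evicts the oldest record once the window is full, which
    is the "oldest record is replaced" behaviour described above.
    """
    window = deque(maxlen=window_size)
    timeline = []
    for n, rate in enumerate(write_rates, start=1):
        level, points = classify(rate)
        window.append(points)
        total = sum(window)
        # "exceed" on the page: a total of exactly 100 does not alert.
        timeline.append((n * interval, level, points, total, total > threshold))
    return timeline


def first_alert_time(write_rates, **kwargs):
    """Seconds after start at which the first alert fires, or None if never."""
    for seconds, _level, _points, _total, alert in evaluate(write_rates, **kwargs):
        if alert:
            return seconds
    return None


if __name__ == "__main__":
    # Constructed input reproducing the page's example: one low-risk record
    # followed by four high-risk records, then nine quiet records so the
    # window fills up and starts evicting the early records.
    sample_rates = [2, 12, 10, 9, 30] + [0] * 9
    for seconds, level, points, total, alert in evaluate(sample_rates):
        clock = f"{seconds // 3600}:{(seconds // 60) % 60:02d}:{seconds % 60:02d}"
        print(f"{clock}  {level:<6} {points:>3} {total:>4}  alert={'Yes' if alert else 'No'}")
```

Running the block prints the same five rows as the table above, with the alert first set at 0:00:35. The total then stays at 105 until the window holds 12 records; at 0:01:31 the 13th record evicts the first (5-point) record, the total drops to exactly 100 and the alert condition is no longer met, and at 0:01:38 the first 25-point record is evicted as well. That boundary is worth keeping in mind when tuning the threshold: a burst whose points sum to exactly the threshold never alerts.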