Write Operations Threshold

PreviousHoneypot and Decoy Files NextDetecting File Renaming with Abnormal File Extensions

Last updated 8 months ago

Write Operations Threshold

Note. YARA analysis can be used alongside write operations threshold monitoring to provide comprehensive file analysis. For details, see .

Catalogic GuardMode Agent is able to detect malware such as ransomware by counting write operations in the system. When the Agent detects an unusual number of write operations within a specific period, it sends a warning to the Catalogic DPX Master Server.

The Agent counts the write operations per second and creates a record (by default, every 7 seconds). Each record has "risk points", either High, Medium, Low, or none, depending on the number of write operations:

One-second assessment result

Record

Risk points

9 or more write operations per second

High risk

Between 4 and 8 write operations per second

Medium risk

Between 1 and 3 write operations per second

Low risk

No write operation per second

No risk

Then, it evaluates the past 12 records (after that the oldest record will be replaced with a new one) and when the total risk points exceed 100, you will receive an alert.

Tip. The number of threshold checks, their length, and threshold risk level can be modified in the Security tab of your Node

Risk point calculation example

This example assumes you start the Agent at 0:00:00 AM and use default values for the number of threshold checks, their length, and threshold level:

Time

Risk Points/Record

Cumulative Risk Points

Alert Triggered?

0:00:07

0:00:14

0:00:21

0:00:28

0:00:35

105

Yes

In this scenario, the alert is triggered at 0:00:35 when the cumulative risk points exceed the threshold of 100 risk points due to the occurrence of four high-risk and one low-risk event.

PreviousHoneypot and Decoy Files NextDetecting File Renaming with Abnormal File Extensions

Last updated 8 months ago