GuardMode 2024.3

Detecting File Renaming with Abnormal File Extensions


Last updated 3 months ago

In many cases, ransomware attempts to change or encrypt files on an infected system and renames them with a new file extension. GuardMode Agent stores a block list of file extensions associated with known malware and periodically updates this block list (the update can also be triggered manually from the Agent Node’s Security tab). When the GuardMode Agent detects a file whose extension is on the block list, you receive an alert through your selected notification providers, such as DPX Master Server.

Attention! To allow the Agent to automatically synchronize the list with the list on our servers, set the environment variable BLOCKLIST_NETWORK_FETCH_ENABLED to true. This environment variable should be added to the dpx.yml file. For details, see .

Excluding file extensions from the block list

You can also maintain a list of excluded extensions for custom exclusion patterns.

To add a new extension pattern, add it (for example, *.lsas or *.deeep) to the blocklist.json file located in the GuardMode root directory.
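The following is an added example (not GuardMode’s own code) of the check this rule performs: rename events are compared against block-list extension patterns, with exclusion patterns taking precedence. It assumes a JSON layout with "blocked" and "excluded" pattern arrays, which the page does not specify; the sample block list and rename events are constructed.

```python
"""Added example, not GuardMode's code: flag renames that give a file a
block-listed extension. The JSON layout below is an assumption; the real
blocklist.json format may differ."""
import fnmatch
import json
from pathlib import PurePath

# Constructed sample block list; patterns are illustrative only.
SAMPLE_BLOCKLIST_JSON = json.dumps({
    "blocked": ["*.lsas", "*.deeep", "*.enc"],
    "excluded": ["*.vault.enc"],   # legitimate in-house format, not malware
})


def load_blocklist(text):
    """Parse the block list; patterns are lower-cased so matching is case-insensitive."""
    data = json.loads(text)
    blocked = [p.lower() for p in data.get("blocked", [])]
    excluded = [p.lower() for p in data.get("excluded", [])]
    return blocked, excluded


def is_suspicious_rename(old_name, new_name, blocked, excluded):
    """True when a rename gives the file a block-listed extension.

    Exclusion patterns win over block patterns. A file that already carried
    a block-listed extension before the rename is not reported again, so a
    plain move of such a file does not re-trigger the alert.
    """
    new_lower = PurePath(new_name).name.lower()
    old_lower = PurePath(old_name).name.lower()
    if any(fnmatch.fnmatchcase(new_lower, pat) for pat in excluded):
        return False
    hits_new = any(fnmatch.fnmatchcase(new_lower, pat) for pat in blocked)
    hits_old = any(fnmatch.fnmatchcase(old_lower, pat) for pat in blocked)
    return hits_new and not hits_old


def flag_renames(events, blocked, excluded):
    """Return the (old, new) pairs from a list of rename events that should alert."""
    return [(o, n) for o, n in events if is_suspicious_rename(o, n, blocked, excluded)]


# Constructed rename events, as an agent might observe them.
SAMPLE_EVENTS = [
    ("C:/Users/alice/Documents/report.docx", "C:/Users/alice/Documents/report.docx.lsas"),
    ("/srv/share/budget.xlsx", "/srv/share/budget.xlsx.DEEEP"),
    ("/srv/share/backup.tar", "/srv/share/backup.tar.vault.enc"),  # excluded
    ("/srv/share/photo.jpg", "/srv/share/photo.png"),               # benign
]
```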

Changing Blocklist Configuration