GuardMode 2024.3
  • Welcome to GuardMode!
  • Intro
  • Installation
    • System requirements
    • Installing GuardMode Agent on Windows
      • Updating GuardMode Agent on Windows
    • Installing GuardMode Agent on Linux
      • Using Containerized GuardMode Agent
    • Uninstalling GuardMode Agent on Windows
    • Uninstalling GuardMode Agent on Linux
    • Configuring GuardMode Agent for SAMBA setup
    • Uninstalling GuardMode Agent on SAMBA setup
  • Agent Configuration
    • General Settings
    • Excluded Paths Configuration
    • Adding malware detection rules
      • Honeypot and Decoy Files
      • Write Operations Threshold
      • Detecting File Renaming with Abnormal File Extensions
      • Special Files Monitoring
    • Security Incident Detection
    • SMB Monitoring (Linux Only)
    • Event Reports
      • Configuring Event Reports
      • Excluding Paths From Event Reports
      • Tagging Agent
    • NFS Share Monitoring
    • Altering Audit Rules
    • Configuring DPX for Automatic Blocklist Updates
    • Using TLS
    • Configuring YARA-X
  • Using GuardMode Agent Command Line
  • REST API Documentation
  • On-demand Scanning
  • Logging
  • FAQ
  • Technical Support
Powered by GitBook
On this page
  • Adding a New Honeypot
  • Adding Custom Decoy Files
  1. Agent Configuration
  2. Adding malware detection rules

Honeypot and Decoy Files

PreviousAdding malware detection rulesNextWrite Operations Threshold

Last updated 3 months ago

The Catalogic GuardMode has the Honeypot feature, which creates decoy files in a designated folder. These files are intentionally vulnerable to malware, so the Catalogic GuardMode Agent can detect suspicious activities before the malware spreads.

You can set up specific directories as honeypots, for example, directories containing data of particular concern. GuardMode will add to such directory files with known extensions and checksums that, if modified, indicate a high likelihood of malicious activity. Note that the directory used as a honeypot can still be utilized as a fully functional directory. Only the decoy files created in the honeypot location by the GuardMode Agent will be specially monitored.

Adding a New Honeypot

To add a new honeypot, use the GuardMode API (see for more information). If your GuardMode Agent is registered as a DPX security node, you can go to the Node’s Security tab in DPX and add the honeypot deployment path. The decoy files will be transferred to the indicated location seconds later.

The format of the path depends on your OS.

For Windows:

C:\path\to\honeypot

For Linux:

/path/to/honeypot

Attention! The directory you want to add as a honeypot location must be an existing directory on your machine.

Tip. When creating honeypot directories, using prefixes like 'AA' or 'ZZ' can be beneficial as some ransomware scan file systems alphabetically or in reverse order.

Adding Custom Decoy Files

By default, GuardMode Agent uses predefined decoy files and puts them in the honeypot location. To use custom decoy files, add them to the /opt/catalogic/guard-mode/agent/Files directory and restart the agent, using the following command:

systemctl restart Catalogic.GuardMode.Agent

The honeypot will be updated with the files located in the /Files directory.

Tip. If your GuardMode Agent is registered as a DPX security node, you can go to the Node’s Security tab and re-add the honeypot deployment path. The honeypot will be updated with the files from the /Files directory.

REST API Documentation