Write Operations Threshold

Note. YARA analysis can be used alongside write operations threshold monitoring to provide comprehensive file analysis. For details, see Configuring YARA.

Catalogic GuardMode Agent can detect malware such as ransomware by counting write operations on the system. When the Agent detects an unusual number of write operations within a specific period, it sends a warning to the Catalogic DPX Master Server.

The Agent counts write operations per second and, at the end of each check interval (every 7 seconds by default), creates a record. Each record is assigned a risk level (High, Medium, Low, or none) and the corresponding number of “risk points”, depending on the number of write operations per second:

One-second assessment result             Record        Risk points
9 or more write operations per second    High risk     25
Between 4 and 8 write operations/second  Medium risk   15
Between 1 and 3 write operations/second  Low risk      5
No write operation per second            No risk       0

The Agent then evaluates the 12 most recent records as a sliding window: once 12 records exist, each new record replaces the oldest one. When the total risk points of the records in the window exceed 100, the Agent sends an alert.

Tip. The number of threshold checks (records in the window), their length (the check interval), and the threshold risk level can be modified in the Security tab of your Node.

Risk point calculation example

This example assumes that you start the Agent at 0:00:00 AM and use the default values for the number of threshold checks (12), their length (7 seconds), and the threshold level (100 risk points):

Time      Risk points/record   Cumulative risk points   Alert triggered?
0:00:07   5                    5                        No
0:00:14   25                   30                       No
0:00:21   25                   55                       No
0:00:28   25                   80                       No
0:00:35   25                   105                      Yes

In this scenario, the alert is triggered at 0:00:35, when the cumulative risk points (105) exceed the threshold of 100 because one low-risk record was followed by four high-risk records.
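The scoring rules and the sliding window described above, reproduced as a small Python model so you can replay a sequence of records and see when an alert would fire. This is an added example and not Catalogic's GuardMode Agent code. It assumes one already-assessed writes-per-second figure per record (the page does not state how the per-second assessments within a 7-second check are combined), reads "exceed 100" as strictly greater than 100, and labels the no-risk level "None"; the defaults (7-second records, a 12-record window, threshold 100) are the ones documented above.

```python
from collections import deque
from typing import Deque, List, Optional, Tuple

# Documented defaults: one record per 7-second check, a window of the
# 12 most recent records, and an alert once the window total exceeds 100.
RECORD_INTERVAL_SECONDS = 7
WINDOW_RECORDS = 12
ALERT_THRESHOLD = 100


def risk_points(writes_per_second: int) -> Tuple[str, int]:
    """Map a one-second assessment result to the documented (risk level, points) pair."""
    if writes_per_second >= 9:
        return ("High", 25)
    if writes_per_second >= 4:
        return ("Medium", 15)
    if writes_per_second >= 1:
        return ("Low", 5)
    return ("None", 0)  # "None" is this example's label for the "No risk" row


class WriteThresholdMonitor:
    """Sliding-window risk scorer. window_records and alert_threshold stand in for
    the 'number of threshold checks' and 'threshold risk level' Security tab settings."""

    def __init__(self, window_records: int = WINDOW_RECORDS,
                 alert_threshold: int = ALERT_THRESHOLD) -> None:
        # deque(maxlen=...) discards the oldest record automatically once full,
        # which is the "oldest record is replaced by a new one" behaviour.
        self.records: Deque[int] = deque(maxlen=window_records)
        self.alert_threshold = alert_threshold

    def add_record(self, writes_per_second: int) -> Tuple[str, int, int, bool]:
        """Append one record and return (level, points, cumulative points, alert?)."""
        level, points = risk_points(writes_per_second)
        self.records.append(points)
        cumulative = sum(self.records)
        # "Exceed" read as strictly greater: four High records (exactly 100) do not alert.
        return level, points, cumulative, cumulative > self.alert_threshold


def replay(write_rates: List[int], **monitor_kwargs) -> List[Tuple[int, str, int, int, bool]]:
    """Feed one assessed write rate per record (assumption: already aggregated per
    record) starting at time 0 and return rows of
    (seconds since start, level, points, cumulative points, alert?) like the table."""
    monitor = WriteThresholdMonitor(**monitor_kwargs)
    rows = []
    for n, rate in enumerate(write_rates, start=1):
        level, points, cumulative, alert = monitor.add_record(rate)
        rows.append((n * RECORD_INTERVAL_SECONDS, level, points, cumulative, alert))
    return rows


def first_alert_time(write_rates: List[int], **monitor_kwargs) -> Optional[int]:
    """Seconds after start at which the first alert fires, or None if it never fires."""
    for seconds, _, _, _, alert in replay(write_rates, **monitor_kwargs):
        if alert:
            return seconds
    return None


if __name__ == "__main__":
    # Constructed input reproducing the worked example: one Low record, then four High.
    for seconds, level, points, cumulative, alert in replay([2, 12, 10, 9, 15]):
        print(f"0:{seconds // 60:02d}:{seconds % 60:02d}  {level:<6} {points:>3} "
              f"{cumulative:>4}  {'Yes' if alert else 'No'}")
    # A burst that reaches exactly 100 never alerts, and it ages out of the window:
    # after the 13th record the first High record has been replaced.
    print(first_alert_time([10] * 4), replay([10] * 4 + [0] * 20)[12][3])
```

Two properties worth noticing from the replay: a sustained low-risk load can never alert under the defaults (12 records at 5 points is only 60), while a sustained medium-risk load alerts on the seventh record (7 x 15 = 105), so tuning the threshold or the window length changes how quickly a slow, steady encryptor is caught.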
