In an attempt to trigger CryptoGuard in a test setting I wrote several test scripts encrypting 50k+ files on disk in suspicious file paths. None of them seem to have triggered CryptoGuard, which makes me wonder if it's triggered solely on known IOCs. My first thought was that the number of I/O operations would have been enough to trigger an alarm, but it didn't. Is there something to be said about the detection that could help me trigger an alarm?
So, I took a bunch of files (copied the "Program Files (x86)" dir) and ran this against it. https://gist.github.com/arnydo/a0c41325e579b7dae3c8abd1a6b13980
"wonder if it's triggered solely on known IOCs": almost correct, eliminate the "known". File encryption is legitimate. Your test scripts likely lack villainousness; simply encrypting 50k+ files on disk in suspicious file paths (BTW, which paths do you call suspicious?) doesn't make them ransomware (or you a ransomware writer). Testing CryptoGuard or equivalent products is like testing whether your car's airbags would trigger (except that you don't have to replace CryptoGuard after it has triggered).
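The reply above draws the line between bulk encryption, which backup and archiving tools do all day, and what ransomware actually does to a victim's files: read a user file, overwrite that same file with ciphertext, rename it with a new extension, and leave a note in every directory it touched. The harness below is an added example for this thread, not code from the original post or from the linked gist; it runs both shapes (side-by-side ciphertext versus in-place overwrite) over a throwaway corpus so the two file-operation sequences can be compared under whatever monitoring is in place. The note file name, the `.locked` extension and the SHA-256 counter keystream cipher are illustrative assumptions, not anything the thread states, and the harness refuses to operate anywhere except inside a directory it created under the system temp dir, decrypting everything before it exits. Whether CryptoGuard or any other product reacts to either pattern is not something this thread establishes.

```python
"""Detector test harness: benign vs ransomware-shaped bulk encryption.
Added example for this thread, not the original post's or gist's code.
Only touches a directory it creates under the system temp dir and
restores everything before returning. The cipher is a toy (assumption)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

NOTE_NAME = "HOW_TO_RESTORE.txt"   # illustrative note file name, assumed
ENC_EXT = ".locked"                # illustrative appended extension, assumed


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || counter) blocks; symmetric, so it also decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def assert_sandboxed(root: Path) -> None:
    """Refuse to run anywhere except inside the system temp directory."""
    tmp = Path(tempfile.gettempdir()).resolve()
    if tmp not in root.resolve().parents:
        raise RuntimeError(f"refusing to operate outside {tmp}: {root}")


def build_corpus(root: Path, n_files: int) -> list:
    """Write n_files low-entropy text files into ten subdirectories (constructed data)."""
    paths = []
    for i in range(n_files):
        sub = root / f"dir{i % 10}"
        sub.mkdir(parents=True, exist_ok=True)
        p = sub / f"doc{i}.txt"
        p.write_text(f"sample document {i}\n" * 64)
        paths.append(p)
    return paths


def encrypt_side_by_side(paths, key: bytes) -> list:
    """Backup-tool shape: ciphertext goes to a new file, the original is left alone."""
    outputs = []
    for p in paths:
        out = p.with_name(p.name + ".enc")
        out.write_bytes(keystream_xor(key, p.read_bytes()))
        outputs.append(out)
    return outputs


def encrypt_in_place(paths, key: bytes) -> list:
    """Ransomware shape: read a user file, overwrite the same file with ciphertext,
    rename it with a new extension, and drop a note in every directory touched."""
    outputs = []
    for p in paths:
        data = p.read_bytes()
        with open(p, "r+b") as f:        # same inode: overwrite, not create+delete
            f.write(keystream_xor(key, data))
            f.truncate()
        new = p.with_name(p.name + ENC_EXT)
        os.replace(p, new)
        (p.parent / NOTE_NAME).write_text("your files were encrypted (test harness)\n")
        outputs.append(new)
    return outputs


def restore_in_place(encrypted, key: bytes) -> int:
    """Undo encrypt_in_place; returns the number of files restored."""
    n = 0
    for e in encrypted:
        orig = e.with_name(e.name[:-len(ENC_EXT)])
        orig.write_bytes(keystream_xor(key, e.read_bytes()))
        e.unlink()
        n += 1
    return n


def run_in_sandbox(pattern: str, n_files: int = 200) -> dict:
    """Build a throwaway corpus, run one pattern over it, verify, clean up.
    Returns counts a test (or a review of the detector's log) can check."""
    root = Path(tempfile.mkdtemp(prefix="cg_harness_"))
    key = os.urandom(32)
    try:
        assert_sandboxed(root)
        paths = build_corpus(root, n_files)
        originals = {p: p.read_bytes() for p in paths}
        if pattern == "side_by_side":
            outs = encrypt_side_by_side(paths, key)
            intact = all(p.read_bytes() == originals[p] for p in paths)
            return {"encrypted": len(outs), "originals_intact": intact,
                    "notes": len(list(root.rglob(NOTE_NAME)))}
        outs = encrypt_in_place(paths, key)
        gone = all(not p.exists() for p in paths)
        notes = len(list(root.rglob(NOTE_NAME)))
        restored = restore_in_place(outs, key)
        ok = all(p.read_bytes() == originals[p] for p in paths)
        return {"encrypted": len(outs), "originals_gone": gone, "notes": notes,
                "restored": restored, "roundtrip_ok": ok}
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run `run_in_sandbox("side_by_side")` and `run_in_sandbox("in_place")` on an endpoint with the product installed and compare what the console logs for each; the point of the harness is that the only difference between the two runs is the file-operation sequence, not the amount of I/O or the cipher. Keep `assert_sandboxed` in place: the in-place pattern is destructive to anything it is pointed at.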
May I direct your attention to the following threads