In relation to https://wiki.univention.de/index.php/Cool_Solution_-_Ransomware_protection_with_Fail2Ban
With VFS audit, the commands pwrite, write and rename are filtered.
rename is clear: renaming of a file or directory.
pwrite I find in my logs, but only for system files like *.tmp files.
write has never been logged (in one year).
When a crypto trojan is active, it will rename and encrypt the file.
Encrypting the file requires opening the file and saving it.
I have simulated it (changing file content) and found this in the audit logs:
The important keywords are |open|ok|w|; my interpretation: open for read and write.
|ftruncate|; my interpretation: changing the size of a file (by reference to its file descriptor).
Can somebody confirm that updating a file's content will produce this audit?
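As an added example (not part of the post or of the linked Cool Solution), the following script applies the post's reading of the full_audit entries: it treats rename, pwrite, write, ftruncate and open with mode w as file-modifying calls and counts them per user, which is the kind of per-user threshold a Fail2Ban filter would act on. The field layout user|ip|share|op|result|args and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed full_audit line layout (constructed for this example):
#   smbd_audit: <user>|<client ip>|<share>|<operation>|<result>|<args...>
# "open" carries the access mode ("r" or "w") as its first argument, so
# "|open|ok|w|" marks a file opened for writing, as the post describes.
LINE_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)(?:\|(?P<args>.*))?$"
)

# Calls that change a file's name, size or content (the ones the post lists).
MODIFYING_OPS = {"rename", "renameat", "pwrite", "write", "ftruncate"}

def is_modifying(op: str, args: str) -> bool:
    """True if the audited call changes a file (content, size or name)."""
    if op in MODIFYING_OPS:
        return True
    # open only counts when the mode argument is "w"; "r" is a plain read
    if op == "open":
        return args.split("|", 1)[0] == "w"
    return False

def count_modifications(lines):
    """Count successful modifying operations per user in a batch of lines."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("result") != "ok":
            continue  # unparsable line or failed call: ignore
        if is_modifying(m.group("op"), m.group("args") or ""):
            counts[m.group("user")] += 1
    return counts

def suspicious_users(lines, threshold=4):
    """Users whose modifying-op count in this batch reaches the threshold."""
    return sorted(u for u, n in count_modifications(lines).items() if n >= threshold)

# Constructed sample: alice edits one document; mallory renames and rewrites
# files in the rename-open-truncate-write pattern the post describes.
SAMPLE = [
    "smbd_audit: alice|10.0.0.5|docs|open|ok|r|report.docx",
    "smbd_audit: alice|10.0.0.5|docs|open|ok|w|report.docx",
    "smbd_audit: alice|10.0.0.5|docs|ftruncate|ok|report.docx",
    "smbd_audit: mallory|10.0.0.9|docs|rename|ok|a.xlsx|a.xlsx.locked",
    "smbd_audit: mallory|10.0.0.9|docs|open|ok|w|a.xlsx.locked",
    "smbd_audit: mallory|10.0.0.9|docs|ftruncate|ok|a.xlsx.locked",
    "smbd_audit: mallory|10.0.0.9|docs|pwrite|ok|a.xlsx.locked",
    "smbd_audit: mallory|10.0.0.9|docs|rename|fail|b.xlsx|b.xlsx.locked",
]

if __name__ == "__main__":
    print(dict(count_modifications(SAMPLE)))  # {'alice': 2, 'mallory': 4}
    print(suspicious_users(SAMPLE))           # ['mallory']
```

A real filter would apply the same count per user within a time window rather than per batch, and the share and client IP fields are available from the match for the ban action.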