Creating a check for a Windows FileServer to see if a crypto trojan is running

Hello everyone,

I've been thinking for a couple of hours now about whether it's possible to create a check that lets me know if something weird is going on on our file servers. Especially crypto malware that encrypts our whole filesystem should be possible to see, or am I wrong? A check like: if in the last two minutes HDD usage = 100% then warn :thinking:

Is there a way where I could create that check in CheckMK?

Thanks for any hints!

Cheers
Gamie

Most likely you need to create your own custom check for this.

On the file server, if this is a *nix based system, you might want to check the iostat output, especially the %util column (the last one); on my test system nothing is going on here.

iostat -dx
Linux 3.10.0-1062.4.3.el7.x86_64 (arrakis)      12/19/2019      _x86_64_        (4 CPU)

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
vda               0.00     0.00    0.01    0.06     0.38     0.67    27.09     0.00    4.19    2.95    4.46   0.43   0.00
scd0              0.00     0.00    0.00    0.00     0.00     0.00   114.22     0.00    0.89    0.89    0.00   0.67   0.00
dm-0              0.00     0.00    0.01    0.06     0.37     0.64    27.10     0.00    4.81    2.98    5.22   0.50   0.00
dm-1              0.00     0.00    0.00    0.00     0.00     0.00    50.96     0.00    1.06    1.06    0.00   0.95   0.00

Okay, thanks for the idea, then I have to find a way to monitor the IO status on the Windows system :confused:

You might want to check typeperf on Windows [ typeperf -q to get a full list ]

Example: typeperf "Logischer Datenträger(*)\Mittlere Bytes/Übertragung"

"12/19/2019 14:38:57.069","0.000000","7021.714286","0.000000","7021.714286"
"12/19/2019 14:38:58.081","0.000000","0.000000","0.000000","0.000000"
"12/19/2019 14:38:59.090","0.000000","28672.000000","0.000000","28672.000000"
"12/19/2019 14:39:00.094","0.000000","87040.000000","0.000000","87040.000000"
"12/19/2019 14:39:01.103","0.000000","23210.666667","0.000000","23210.666667"
"12/19/2019 14:39:02.113","0.000000","0.000000","0.000000","0.000000"
"12/19/2019 14:39:03.123","0.000000","10053.818182","0.000000","10053.818182"
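As an added example (not code from this thread, from Checkmk, or from any poster): a small Python local check that parses the two outputs quoted above, the `iostat -dx` table and the typeperf CSV, applies the "sustained for the last N samples" idea from the original question, and prints one line in Checkmk's local check format (`<state> <service> <metric>=<value>;<warn>;<crit> <text>`). The sample data is constructed from the outputs posted in the thread; service names, thresholds and window size are assumptions. Note that the counter shown above, average bytes per transfer, is a transfer-size figure, not a utilization figure; the same parser works for a utilization-style counter such as `\LogicalDisk(_Total)\% Disk Time`, which is what a "disk at 100% for two minutes" check would watch.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from Checkmk): turn iostat / typeperf
disk-load samples into a single Checkmk local-check line with WARN/CRIT levels.
Sample inputs below are constructed from the output quoted in the thread."""
import csv
import io

# Constructed sample: the `iostat -dx` output posted in the thread.
IOSTAT_SAMPLE = """\
Linux 3.10.0-1062.4.3.el7.x86_64 (arrakis)      12/19/2019      _x86_64_        (4 CPU)

Device:         rrqm/s   wrqm/s     r/s     w/s    rkB/s    wkB/s avgrq-sz avgqu-sz   await r_await w_await  svctm  %util
vda               0.00     0.00    0.01    0.06     0.38     0.67    27.09     0.00    4.19    2.95    4.46   0.43   0.00
scd0              0.00     0.00    0.00    0.00     0.00     0.00   114.22     0.00    0.89    0.89    0.00   0.67   0.00
dm-0              0.00     0.00    0.01    0.06     0.37     0.64    27.10     0.00    4.81    2.98    5.22   0.50   0.00
dm-1              0.00     0.00    0.00    0.00     0.00     0.00    50.96     0.00    1.06    1.06    0.00   0.95   0.00
"""

# Constructed sample: the typeperf CSV posted in the thread. First column is the
# timestamp, then one column per counter instance (the last one is usually _Total).
TYPEPERF_SAMPLE = """\
"12/19/2019 14:38:57.069","0.000000","7021.714286","0.000000","7021.714286"
"12/19/2019 14:38:58.081","0.000000","0.000000","0.000000","0.000000"
"12/19/2019 14:38:59.090","0.000000","28672.000000","0.000000","28672.000000"
"12/19/2019 14:39:00.094","0.000000","87040.000000","0.000000","87040.000000"
"12/19/2019 14:39:01.103","0.000000","23210.666667","0.000000","23210.666667"
"12/19/2019 14:39:02.113","0.000000","0.000000","0.000000","0.000000"
"12/19/2019 14:39:03.123","0.000000","10053.818182","0.000000","10053.818182"
"""


def parse_iostat_util(text):
    """Return {device: %util} from `iostat -dx` output.

    The column index is taken from the "Device:" header row, so the parser does
    not break if the iostat version adds or reorders columns."""
    devices, cols = {}, None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0].startswith("Device"):
            cols = parts
            continue
        if cols and len(parts) == len(cols):
            devices[parts[0]] = float(parts[cols.index("%util")])
    return devices


def parse_typeperf(text):
    """Return [(timestamp, [value, ...]), ...] from typeperf CSV output.

    Skips blank lines and the "(PDH-CSV 4.0)" header row typeperf normally
    prints before the samples (absent from the quoted sample, handled anyway)."""
    samples = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0].startswith("("):
            continue
        try:
            values = [float(v) for v in row[1:]]
        except ValueError:          # counter-name header or an empty sample
            continue
        samples.append((row[0], values))
    return samples


def sustained(samples, column, window, threshold):
    """True when the last `window` samples of `column` are ALL >= threshold.

    This is the "100% for the last two minutes" idea from the question: a single
    spike (one big copy) does not alert, a sustained plateau does."""
    recent = [vals[column] for _, vals in samples[-window:]]
    return len(recent) == window and min(recent) >= threshold


def worst_device(util_by_device):
    """(device, %util) of the busiest device; the first one wins on ties."""
    return max(util_by_device.items(), key=lambda kv: kv[1])


def local_check_line(service, metric, value, warn, crit, unit=""):
    """Format one Checkmk local-check line: state, service, perfdata, text."""
    state = 2 if value >= crit else 1 if value >= warn else 0
    label = {0: "OK", 1: "WARN", 2: "CRIT"}[state]
    return f"{state} {service} {metric}={value:.2f};{warn};{crit} {label} - {metric} is {value:.2f}{unit}"


if __name__ == "__main__":
    # Linux side: busiest device from one iostat snapshot (assumed levels 80/95 %).
    dev, util = worst_device(parse_iostat_util(IOSTAT_SAMPLE))
    print(local_check_line(f"Disk_util_{dev}", "util", util, 80, 95, "%"))

    # Windows side: the _Total column (last) of the typeperf samples; assumed
    # window of 3 samples and a constructed threshold, just to show the logic.
    samples = parse_typeperf(TYPEPERF_SAMPLE)
    plateau = sustained(samples, column=-1, window=3, threshold=1.0)
    print(local_check_line("Disk_sustained_load", "sustained", float(plateau), 1, 1))
```

Dropped into the agent's local-check directory, the script runs once per agent cycle and the resulting service gets the usual Checkmk notification handling; the thresholds and the three-sample window are placeholders to tune against the real counter and polling interval.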

Hi,

why not use thresholds on Disk IO Summary or on the single Disk IO checks? It's built in and just needs to be configured. Also CPU IO Wait could be an indicator.

HTH,
Alex

Hi there,

monitoring HDD usage is not the best way to protect against ransomware. There are a couple of possibilities available, like monitoring for specific behaviour or file type extensions. In Windows there's a built-in option called FSRM, with which you can do realtime monitoring and blocking of SMB connections:


kind regards,
Constantin


Isn't FSRM being disbanded by Microsoft now? I'm pretty sure 2012 R2 server is the last version to contain it.

Just use the built-in Levels for Disk IO rule if you specifically want to monitor activity. I use it to ensure bottlenecks are spotted across certain hosts that are critical.


Cheers,

We have that running on 2016 and I think it still works on 2019 too - at least docs.microsoft says it exists: Übersicht über Datei Server Ressourcen-Manager (Übersicht) | Microsoft Docs :slight_smile:

Hello,
as a hint that something is happening, OK, but if a trojan is active every second counts.
You should use a tool / a config designed for this case.

Ralf

That's cool, I have not attempted adding the role to 2016 but good to know :slight_smile: