FileCatalyst Detection

FileCatalyst operates in three distinct modes. Identifying which mode is in use is the first step in detection:

This paper outlines the technical methods for detecting both legitimate and malicious activities associated with Fortra FileCatalyst, an accelerated file transfer solution. It covers signature-based detection for vulnerabilities, protocol identification, and behavioral monitoring for data exfiltration.

On the wire: TCP segments with payload size 24 or 32 bytes, repeating with millisecond precision. Normal background noise doesn’t do that.
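One way to turn that wire pattern into a check, as an added example that is not from the original paper: group TCP segments by flow, keep only the 24- and 32-byte payloads, and flag flows where they recur at a near-constant interval. The record format, the thresholds (`MIN_SEGMENTS`, `MAX_JITTER_S`) and the sample endpoints are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

SMALL_SIZES = {24, 32}   # TCP payload sizes named in the text
MIN_SEGMENTS = 8         # assumption: repeats required before judging a flow
MAX_JITTER_S = 0.002     # assumption: "millisecond precision" read as <= 2 ms std-dev


def find_periodic_small_segments(packets):
    """packets: iterable of (ts_seconds, flow_id, tcp_payload_len).
    Returns {flow_id: (mean_interval_s, jitter_s)} for flagged flows."""
    times = defaultdict(list)
    for ts, flow, plen in packets:
        if plen in SMALL_SIZES:
            times[flow].append(ts)

    hits = {}
    for flow, stamps in times.items():
        if len(stamps) < MIN_SEGMENTS:
            continue  # a handful of small segments is ordinary noise
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        jitter = pstdev(gaps)  # spread of inter-arrival times
        if jitter <= MAX_JITTER_S:
            hits[flow] = (round(mean(gaps), 4), round(jitter, 4))
    return hits


def constructed_sample():
    """Constructed records, not a real capture; endpoints are hypothetical."""
    ctrl = ("10.0.0.5", 50312, "203.0.113.10", 40000)
    web = ("10.0.0.5", 50400, "198.51.100.7", 443)
    pkts = []
    for i in range(20):
        # fixed-size segment every 100 ms with sub-millisecond drift
        pkts.append((i * 0.100 + (i % 3) * 0.0002, ctrl, 24 if i % 2 else 32))
    # irregular traffic that happens to contain a few 32-byte segments
    for ts, plen in [(0.01, 517), (0.35, 32), (0.9, 1460), (1.7, 32), (4.2, 32)]:
        pkts.append((ts, web, plen))
    return pkts, ctrl, web


if __name__ == "__main__":
    pkts, _, _ = constructed_sample()
    for flow, (interval, jitter) in find_periodic_small_segments(pkts).items():
        print(flow, f"interval={interval}s jitter={jitter}s")
```

In practice the input would come from parsed packet or flow logs, and the thresholds need tuning against the local baseline before alerting on them.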

In some high‑performance setups, FileCatalyst runs without TCP at all — no handshake, no keep‑alive, pure UDP data + UDP control. Most security tools assume a TCP control channel and will miss this entirely.

Why standard file transfer monitoring fails, and the three telltale signs of FileCatalyst in flight