FileCatalyst Detection Page

A common issue with FileCatalyst detection is that it fails to traverse NAT (Network Address Translation) boundaries correctly.

: A high-severity unrestricted file upload flaw discovered in mid-2025 affecting versions 5.1.6 through 5.2.0.

3. Best Practices for Secure Detection & Monitoring

You must look at protocol behavior, not port numbers.

: FileCatalyst Direct can be configured to automatically detect the most efficient transfer mode based on current network conditions, such as latency and packet loss.

Detecting FileCatalyst is critical for three primary reasons:

This rule looks for the string "FileCatalyst" in the TCP stream heading to destination port 21. FileCatalyst may not broadcast its name in clear text in all modes, but matching on the specific SITE commands the software uses (often for file verification) can also trigger an alert.

Note: Because the payload is often compressed or encrypted (AES-128/256), DPI may only be effective during the initial handshake phase before the encryption keys are negotiated.

Your NDR platform alerts on a workstation sending 800 Mbps to an unknown cloud IP on UDP/443. Standard inspection shows “QUIC” — but the packet size distribution doesn’t match QUIC. You pull a PCAP and see the 24‑byte control probe. It’s FileCatalyst Direct tunneling over port 443.

FileCatalyst operates in three distinct modes. Identifying which mode is in use is the first step in detection:

On the wire: TCP segments with payload size 24 or 32 bytes, repeating with millisecond precision. Normal background noise doesn’t do that.