Enhance ransomware file modification detection logic

[kevross33]

No description provided.

[gemini-code-assist]

Code Review

This pull request refactors the RansomwareFileModifications signature to improve detection accuracy and reduce noise. Key changes include tracking file handles by PID, introducing helper methods for noise path filtering and rename handling, adding support for NtSetInformationFile (handling both renames and delete-on-close operations), and implementing a composite behavior threshold. The review feedback suggests several improvements: performing case-insensitive comparisons for file renames, relaxing the rename matching logic to support extension replacement, optimizing the regular expressions used for extension extraction, and ensuring robust type handling when checking FileInformationClass values.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.