Kaspersky Security for Virtualization 5.2 Light Agent

System Integrity Monitoring

The Kaspersky Security functionality described in this section is available only if you are using the application under an enterprise license and the application is installed on a virtual machine with a Windows server operating system and an NTFS or FAT32 file system.

The System Integrity Monitoring component can track changes in a Windows operating system installed on the protected virtual machine. You can monitor the following objects:

  • Files and registry. The System Integrity Monitoring component tracks changes made to the registry and files included in the monitoring scope.
  • External devices. The System Integrity Monitoring component tracks the connection of the following types of external devices:
    • Hard disk drives.
    • Optical drives (CD/DVD/Blu-ray).
    • USB devices.
    • Cameras and scanners.
    • External network adapters.

The System Integrity Monitoring component can operate in real time, and can run a System Integrity Check by schedule or on demand.

When operating in real time, System Integrity Monitoring lets you track changes to monitored objects that you have included in the System Integrity Monitoring scope.

A system integrity check by schedule or on demand is performed by using the system integrity check task. A system integrity check is performed by comparing the current state of objects included in the system integrity check scope with the state of objects that were previously registered in the form of a system baseline.

You can run a System Integrity Check in one of the following modes:

  • Full Scan. All attributes of files and their contents are analyzed when checking for modifications in files.
  • Quick Scan. Only the attributes of files are analyzed when checking for modifications in files; file contents are not checked.

Registry modifications and connection of external devices are monitored in any mode according to the defined System Integrity Check scope.

A system state snapshot (baseline) is taken on a virtual machine as a result of running the baseline update task. When a baseline is created or updated, the state of objects included in the System Integrity Check scope is recorded.

You can update the baseline in one of the following modes:

  • Full update – for all objects in the scan scope.
  • Incremental update – only for modified or new objects from the scan scope.
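The baseline, the Full/Quick Scan distinction and the Full/Incremental baseline update described above can be illustrated with a small model. The following Python is an added example and is not Kaspersky's code or its on-disk baseline format: it records a constructed set of attributes (size, modification time, mode) plus a SHA-256 content hash per file, treats a Quick Scan as an attribute-only comparison and a Full Scan as attributes plus content, and (an assumption for the illustration only) lets an incremental update decide what is "modified" by attributes. The sample files and the tampering are constructed in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile


def attributes(path):
    """Attribute view of a file: what a Quick Scan compares (constructed attribute set)."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "mode": st.st_mode}


def content_hash(path):
    """SHA-256 of the file contents: what a Full Scan additionally compares."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scope_files(root):
    """Every file below root counts as 'in scope' for this toy model."""
    for dirpath, _, names in os.walk(root):
        for n in names:
            yield os.path.join(dirpath, n)


def update_baseline(baseline, root, full=True):
    """Full update re-records every object; incremental update re-records only
    new objects and objects whose attributes differ from the stored record."""
    new = {} if full else dict(baseline)
    for p in scope_files(root):
        if full or p not in baseline or baseline[p]["attrs"] != attributes(p):
            new[p] = {"attrs": attributes(p), "sha256": content_hash(p)}
    return new


def integrity_check(baseline, root, quick=False):
    """Compare the current state with the baseline. quick=True: attributes only."""
    current = set(scope_files(root))
    known = set(baseline)
    findings = {"modified": [], "added": sorted(current - known), "deleted": sorted(known - current)}
    for p in sorted(current & known):
        rec = baseline[p]
        if attributes(p) != rec["attrs"]:
            findings["modified"].append(p)
        elif not quick and content_hash(p) != rec["sha256"]:
            findings["modified"].append(p)  # same attributes, different bytes
    return findings


def demo():
    """Constructed scenario: same-size tamper with restored timestamp, plus a new file."""
    root = tempfile.mkdtemp()
    try:
        dll = os.path.join(root, "app.dll")
        ini = os.path.join(root, "config.ini")
        with open(dll, "wb") as f:
            f.write(b"ORIGINAL CODE!!!")  # 16 bytes
        with open(ini, "wb") as f:
            f.write(b"debug=0\n")
        base = update_baseline({}, root, full=True)

        # Tamper: same length, then put the original timestamp back (timestomping).
        st = os.stat(dll)
        with open(dll, "wb") as f:
            f.write(b"PATCHED CODE!!!!")  # also 16 bytes
        os.utime(dll, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(os.path.join(root, "dropper.exe"), "wb") as f:
            f.write(b"MZ")

        quick = integrity_check(base, root, quick=True)
        full = integrity_check(base, root, quick=False)
        incremental = update_baseline(base, root, full=False)
        return {
            "quick": quick,
            "full": full,
            # The attribute-driven incremental update keeps the stale record for app.dll.
            "stale_after_incremental": incremental[dll]["sha256"] == base[dll]["sha256"],
        }
    finally:
        shutil.rmtree(root)
```

Running `demo()` shows the operational consequence of the two scan modes: the Quick Scan reports only the added file, while the Full Scan also catches the timestomped same-size modification. It also shows why a full baseline update is the safe choice after a deliberate change: an incremental update that relies on attributes carries the stale record forward.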

The System Integrity Monitoring component settings are defined in the Light Agent for Windows policy or in the local interface of Light Agent for Windows. You can enable or disable the Real-Time System Integrity Monitoring component, and configure the following settings:

  • Real-Time System Integrity Monitoring scope:
    • List of objects that must be monitored by the Real-Time System Integrity Monitoring component.
    • List of System Integrity Monitoring rules that govern how the component tracks changes in files and the registry. You can create rules and use predefined rules from templates that are part of the application distribution kit.
  • System Integrity Check scope. By default, the System Integrity Check scope matches the system integrity monitoring scope. You can define a separate scope for a scheduled System Integrity Check and an on-demand System Integrity Check. This scope is also used for the baseline update task:
    • List of objects whose state needs to be checked. The state of these objects is recorded in the baseline.
    • List of System Integrity Monitoring rules that govern how the component checks for changes in files and the registry. The baseline records the state of files and folders, as well as registry keys defined in the rules. You can create rules and use predefined rules from templates that are part of the application distribution kit.

    If the System Integrity Check scope is not defined, the System Integrity Monitoring scope is used for the System Integrity Check task and the baseline update task.

  • The importance level for events that are generated by the System Integrity Monitoring component when it detects system changes in real time, and as a result of the System Integrity Check task.

You can view information about the operating results of the System Integrity Monitoring component in Kaspersky Security Center and in the local interface of Light Agent for Windows.

In this Help section

Enabling and disabling Real-Time System Integrity Monitoring

Configuring the system integrity monitoring scope and the System Integrity Check scope

Creating and updating the baseline

Checking system integrity by schedule or on demand

Viewing information about system integrity on a virtual machine

System integrity status reset

[Topic 132947]

Enabling and disabling Real-Time System Integrity Monitoring

You can enable or disable Real-Time System Integrity Monitoring. By default, the Real-Time System Integrity Monitoring component is disabled.

Enabling and disabling Real-Time System Integrity Monitoring does not affect the performance of a System Integrity Check task or baseline update task.

You can enable or disable Real-Time System Integrity Monitoring in the Light Agent for Windows policy properties using the Administration Console, in the Light Agent for Windows local interface, and using the Web Console when creating or editing the Light Agent for Windows policy settings (Application settings → Endpoint control → System Integrity Monitoring).

To enable or disable Real-Time System Integrity Monitoring in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Integrity Monitoring section in the list on the left.
  6. In the right part of the window, do one of the following:
    • Select the Real-Time System Integrity Monitoring check box if you want to enable the Real-Time System Integrity Monitoring component.
    • Clear the Real-Time System Integrity Monitoring check box if you want to disable the Real-Time System Integrity Monitoring component.
  7. Click the Apply button.

In the local interface of Light Agent for Windows, you can enable or disable the real-time component in two ways: from the Protection and Control tab of the main application window, or from the application settings window.

If the component settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

To enable or disable Real-Time System Integrity Monitoring, on the Protection and Control tab of the main application window:

  1. On the protected virtual machine, open the main application window.
  2. Select the Protection and Control tab.
  3. Open the Endpoint control section.
  4. Open the context menu of the System Integrity Monitoring item and perform one of the following actions:
    • Select Enable if you want to enable the Real-Time System Integrity Monitoring component.
    • Select Disable if you want to disable the Real-Time System Integrity Monitoring component.

To enable or disable Real-Time System Integrity Monitoring from the application settings window:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
  3. Do one of the following:
    • Select the Real-Time System Integrity Monitoring check box if you want to enable the Real-Time System Integrity Monitoring component.
    • Clear the Real-Time System Integrity Monitoring check box if you want to disable the Real-Time System Integrity Monitoring component.
  4. To save changes, click the Save button.
[Topic 130995]

Configuring the system integrity monitoring scope and the System Integrity Check scope

For correct operation of the System Integrity Monitoring component, you must configure the scope of the component, i.e. select the objects whose status must be tracked by the System Integrity Monitoring component. The scope is configured in the Light Agent for Windows policy or in the local interface of Light Agent for Windows.

You can configure the System Integrity Monitoring scope for real-time operation of the component and configure a separate System Integrity Check scope by schedule or on demand. This scope is also used for the baseline update task. If the scope of the System Integrity Check is not defined, the system integrity monitoring scope is applied for the System Integrity Check task and the baseline update task.

This section describes how to configure the System Integrity Monitoring component scope using the Administration Console and the Light Agent for Windows local interface. You can also configure the scope settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application settings → Endpoint control → System Integrity Monitoring).

To configure the scope of the System Integrity Monitoring component in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Integrity Monitoring section in the list on the left.
  6. In the right part of the window, in the System Integrity Monitoring scope section, configure the System Integrity Monitoring real-time scope:
    1. Select the Monitor devices check box if you want System Integrity Monitoring to track when external devices are connected on the protected virtual machine in real time.
    2. In the drop-down list, select the importance level for events generated by the System Integrity Monitoring component when it detects the connection of an external device. By default, an Informational event is generated.
    3. Select the Monitor files and the registry check box if you want the System Integrity Monitoring component to track changes made to files and the registry on the protected virtual machine in real time.
    4. Click the Settings button.
    5. In the System Integrity Monitoring rules window that appears, create a list of rules that are applied when the Real-Time System Integrity Monitoring component is running.

      When configuring System Integrity Monitoring rules, you can create and edit rules, import rules from a file or from a template and export them to a file, and enable or disable individual rules (see the subsections of this section).

    6. In the System Integrity Monitoring rules window, click OK.
  7. If you want to configure a separate scope for an integrity check by schedule or on demand, perform the following actions in the System Integrity Check scope section:
    1. Select the Define System Integrity Check scope check box.

      The System Integrity Check scope settings group will appear under the check box.

    2. Configure the settings in the System Integrity Check scope section as described in step 6 of these instructions. These settings will be applied when the System Integrity Check task and baseline update task are performed.
  8. Click the Apply button.

To configure the scope of the System Integrity Monitoring component in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.

    In the right part of the window, the System Integrity Monitoring component settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. To configure the System Integrity Monitoring scope in real time, perform the following actions in the System Integrity Monitoring settings section:
    1. Select the Monitor devices check box located under the name of the System Integrity Monitoring settings section if you want System Integrity Monitoring to track when external devices are connected on the protected virtual machine in real time.
    2. In the drop-down list, select the importance level for events generated by the System Integrity Monitoring component when it detects the connection of an external device. By default, an Informational event is generated.
    3. Select the Monitor files and the registry check box located in the upper part of the System Integrity Monitoring settings section if you want the System Integrity Monitoring component to track changes made to files and the registry on the protected virtual machine in real time.
    4. Complete substeps 4–6 of step 6 of the previous instructions (the Settings button and the System Integrity Monitoring rules window).
  4. If you want to configure a separate scope for a system integrity check by schedule or on demand, perform the following actions in the System Integrity Monitoring settings section:
    1. Select the Define System Integrity Check scope check box.

      A settings section appears under the check box.

    2. Configure the settings in the section as described in step 6 of the previous instructions. These settings will be applied when the System Integrity Check task and baseline update task are performed.
  5. To save changes, click the Save button.

In this section:

Creating and editing a System Integrity Monitoring rule

Importing and exporting System Integrity Monitoring rules

Enabling and disabling a System Integrity Monitoring rule

[Topic 65366]

Creating and editing a System Integrity Monitoring rule

You can create a system integrity monitoring rule by creating a monitoring scope and/or a list of exclusions from the monitoring scope for files and folders, registry keys and values. After creating or importing a system integrity monitoring rule, you can change the rule settings if necessary.

To create or edit a System Integrity Monitoring rule through Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Integrity Monitoring section in the list on the left.
  6. In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
    • In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
    • In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
  7. In the System Integrity Monitoring rules window that opens, perform one of the following actions:
    • If you want to create a system integrity monitoring rule, click the Add button located above the list of rules.
    • If you want to edit a system integrity monitoring rule, select it in the list and click the Edit button.
  8. In the System Integrity Monitoring rule window that opens, enter the rule name and select the importance level for the events generated by System Integrity Monitoring when it applies this rule. By default, an Informational event is generated.
  9. Configure the monitoring scope of files and folders on the Files tab.

    To add a file or folder so that Kaspersky Security monitors changes in it:

    1. Click the Add button located above the Monitoring scope field on the Files tab.
    2. In the File or folder window that opens, enter the absolute path to the folder or mask of the path to the folder to be monitored.

      When entering a path mask, you can use the following characters in any part of the path:

      • The * character can represent any characters except \ / :. In addition:
        • If the * character is used to designate the name of an entire component of a path (for example, to designate a folder name: /*/), it can represent one or more characters.
        • If the * character is used to designate part of the name of a path component (for example, to designate part of a folder name: /abc*/), it can represent zero or more characters.
      • The ? character can replace any single character.

      You can use environment variables when entering a folder path. You must type the % character before and after the name of the environment variable.

    3. If you need to monitor changes to files in a specified folder, enter a file name or file mask in the File name or file mask field.

      When entering a mask, you can use the following characters:

      • * represents zero or more characters. It can represent any characters except \ / :
      • ? represents any single character

      If you want to monitor changes made to the specified files in nested folders as well, select the Include files in subfolders check box.

    4. Click OK in the File or folder window.

    The path to the file or folder is displayed in the list of paths in the Monitoring scope field.

    Kaspersky Security monitors changes made to files and folders only on those drives that are connected when Real-Time System Integrity Monitoring starts running, which means when a policy is applied or when Real-Time System Integrity Monitoring is enabled. If a drive is powered off when Real-Time System Integrity Monitoring starts running, modifications made to files and folders on that drive are not monitored even if those files and folders have been added to the monitoring scope.

    You can perform keyword searches in the list, and remove files and folders from the list by using the Delete button.

  10. If necessary, you can similarly configure the list of paths to files and/or folders that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to files and folders that are added to the list of paths in the Exclusions field.

    To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Files tab.

  11. Configure the monitoring scope of registry keys and values on the Registry tab.

    To add a registry key or key parameter so that Kaspersky Security monitors changes in it:

    1. Click the Add button located above the Monitoring scope field on the Registry tab.

      The Registry key window opens.

    2. Enter the name of the registry key whose modifications must be monitored.

      The HKEY_CURRENT_USER hive is not supported. To monitor a key in a user's hive, specify the path through HKEY_USERS instead: HKEY_USERS\<user SID>\<key>, where <user SID> is the security identifier that names the user's subkey under HKEY_USERS.

    3. If you want Kaspersky Security to also monitor nested keys, select the Including nested keys check box.
    4. If you need to monitor changes to a parameter of the specified key, enter the name or mask of the parameter in the Name or mask of the key parameter field.

      When entering a mask, you can use the wildcards * (any sequence of characters) and ? (any single character).

    5. In the Registry key window, click OK.

    The name of the key and key parameter (if it was specified) is displayed in the list of keys and registry values in the Monitoring scope field.

    You can perform a keyword search in the list, and remove keys from the list using the Delete button.

  12. If necessary, you can similarly configure the list of keys and registry values that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to keys and registry values that are added to the list in the Exclusions field.

    To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Registry tab.

  13. In the System Integrity Monitoring rule window, click OK.

    The rule is displayed in the list of rules in the System Integrity Monitoring rules window.

  14. In the System Integrity Monitoring rules window, click OK.
  15. Click the Apply button.
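The path-mask and file-mask rules in step 9 are easy to get wrong when the scope is written by hand (a `*` that is an entire path component means one or more characters, a `*` inside a component means zero or more, and neither `*` nor `?` crosses `\ / :`). The following Python is an added example, not Kaspersky's matching code: it translates a folder path mask and a file-name mask into anchored regular expressions exactly as the rules above describe, expands `%VAR%` from a constructed environment table, and treats the Include files in subfolders check box as "any ancestor folder of the file may match the mask". Case-insensitive matching and that reading of the subfolder flag are assumptions of the example.

```python
import re

# Constructed environment table; the real component resolves the VM's own variables.
ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files"}

# Neither * nor ? may stand in for a path separator or the drive colon.
CHAR = r"[^\\/:]"


def expand_env(path, env=ENV):
    """Replace %VAR% with its value; unknown variables are left as typed."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def _component_to_regex(component):
    """One path component: '*' alone = one or more chars, '*' inside = zero or more, '?' = one."""
    if component == "*":
        return CHAR + "+"
    out = []
    for ch in component:
        if ch == "*":
            out.append(CHAR + "*")
        elif ch == "?":
            out.append(CHAR)
        else:
            out.append(re.escape(ch))
    return "".join(out)


def path_mask_to_regex(mask):
    """Anchored regex for a folder path mask (case-insensitive: assumption for Windows paths)."""
    components = expand_env(mask).rstrip("\\").split("\\")
    body = r"\\".join(_component_to_regex(c) for c in components)
    return re.compile("^" + body + "$", re.IGNORECASE)


def name_mask_to_regex(mask):
    """File-name mask: '*' is zero or more characters, '?' exactly one."""
    body = CHAR + "*" if mask == "*" else _component_to_regex(mask)
    return re.compile("^" + body + "$", re.IGNORECASE)


def in_scope(folder_mask, name_mask, include_subfolders, full_path):
    """True if full_path is covered by a Monitoring scope entry: folder mask,
    file-name mask (empty string = all files) and the subfolders flag."""
    folder, name = full_path.rsplit("\\", 1)
    if not name_mask_to_regex(name_mask or "*").match(name):
        return False
    folder_re = path_mask_to_regex(folder_mask)
    while True:
        if folder_re.match(folder):
            return True
        if not include_subfolders or "\\" not in folder:
            return False
        folder = folder.rsplit("\\", 1)[0]  # climb one level and retry
```

A practical use is to dry-run a rule before deploying the policy: feed the paths you expect to be covered (and a few you expect to be excluded) through `in_scope` and confirm that, for example, `C:\*\logs` does not cover `C:\logs`, and that a rule without Include files in subfolders misses `bin\web.config`.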

To create or edit a System Integrity Monitoring rule in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.

    In the right part of the window, the System Integrity Monitoring component settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Do one of the following:
    • Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
    • Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.

    The System Integrity Monitoring rules window opens.

  4. Complete steps 7–14 of the previous instructions.
  5. To save changes, click the Save button.
[Topic 74318]

Importing and exporting System Integrity Monitoring rules

You can save the configured list of System Integrity Monitoring rules to a file and import a previously saved list of rules from a file. To import or export a list of rules, you can use a file in XML format.

When configuring the System Integrity Monitoring component settings through Kaspersky Security Center, you can import a list of System Integrity Monitoring rules from templates that are included in the Kaspersky Security application distribution kit. A template contains paths to files and folders, as well as registry keys and values that are used for the operation of a specific application. Rules imported from a template let you track changes associated with the operation of this application.

To import or export a list of System Integrity Monitoring rules in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Integrity Monitoring section in the list on the left.
  6. In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
    • In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
    • In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
  7. If you want to import a list of System Integrity Monitoring rules, in the System Integrity Monitoring rules window that opens, click the Import button and do one of the following:
    • To import a rule from a template, select From template in the drop-down list. Then in the window that opens, select the template name and click OK.

      The rule from the selected template will be added to the list of rules in the System Integrity Monitoring rules window.

    • To import rules from a file, in the drop-down list select From file and specify the path to the XML file in the opened window.

      Rules from the selected file will be added to the list of rules in the System Integrity Monitoring rules window.

  8. If you want to export the list of System Integrity Monitoring rules, click the Export button and specify the path to the file in which you want to save the list of rules.
  9. In the System Integrity Monitoring rules window, click OK.
  10. Click the Apply button.

To import or export a list of System Integrity Monitoring rules in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.

    In the right part of the window, the System Integrity Monitoring component settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Do one of the following:
    • Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
    • Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.

    The System Integrity Monitoring rules window opens.

  4. Complete steps 7–9 of the previous instructions.
  5. To save changes, click the Save button.
[Topic 67449]

Enabling and disabling a System Integrity Monitoring rule

All System Integrity Monitoring rules are added to the list of rules with the Enabled status. If a rule is enabled, System Integrity Monitoring applies the rule.

You can disable any system integrity monitoring rule. If a rule is disabled, System Integrity Monitoring temporarily stops applying the rule.

To enable or disable a system integrity monitoring rule in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the policy properties window, select the System Integrity Monitoring section in the list on the left.
  6. In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
    • In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
    • In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
  7. In the System Integrity Monitoring rules window that opens, in the list of system integrity monitoring rules select the required rule and perform one of the following actions in the Status column:
    • Select the value On if you want to enable the rule.
    • Select the value Off if you want to disable the rule.
  8. In the System Integrity Monitoring rules window, click OK.
  9. Click the Apply button.

To enable or disable a system integrity monitoring rule in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.

    In the right part of the window, the System Integrity Monitoring component settings are displayed.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  3. Do one of the following:
    • Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
    • Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.

    The System Integrity Monitoring rules window opens.

  4. Complete steps 7–8 of the previous instructions.
  5. To save changes, click the Save button.
[Topic 74063]

Creating and updating the baseline

You can create and then update the baseline of protected virtual machines by using the baseline update task.

You can create and configure the baseline update task for protected virtual machines that are included in the administration group, using Kaspersky Security Center Administration Console or using the Web Console. You can configure the baseline update task for one virtual machine in the local interface of Light Agent for Windows.

The task is run on the virtual machine and uses a special format to save information about the status of monitored objects that you included in the System Integrity Check scope. If you have not defined the System Integrity Check scope, the scope of objects is determined by the System Integrity Monitoring scope. The System Integrity Check scope and System Integrity Monitoring scope are configured in the policy that is applied on the virtual machine, or in the local interface of Light Agent for Windows.

To create or update the baseline on virtual machines using the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. Do one of the following:
    • To create a task for the virtual machines within the selected administration group, select the folder with the name of this administration group in the console tree, and in the workspace, select the Tasks tab.
    • To create a task for one or more virtual machines (tasks for a set of devices), select the Tasks folder in the console tree.
  3. Click the New task button to start the New Task Wizard.
  4. At the first step of the Wizard, select the type of task. To do so, in the Kaspersky Security for Virtualization 5.2 Light Agent for Windows list, select Baseline update.

    Proceed to the next step of the New Task Wizard.

  5. If you started the New Task Wizard from the Tasks folder, specify the method of selecting the virtual machines for which you are creating the task. You can select virtual machines from the list of virtual machines discovered by the Administration Server, manually specify the addresses of virtual machines, import a list of virtual machines from a file, or specify a previously configured selection of devices (for details, please refer to the Kaspersky Security Center help). Depending on the specified method of selection of virtual machines, perform one of the following operations in the window that opens:
    • In the list of detected virtual machines, specify the virtual machines for which you want to create the task. To do so, select check boxes in the list on the left of the name of the relevant virtual machine.
    • Click the Add or Add IP range button and enter the addresses of virtual machines manually.
    • Click the Import button, and in the window that opens select a TXT file with the list of addresses of virtual machines.
    • Click Browse and in the window that opens specify the name of the selection containing the virtual machines for which you want to create the task.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the name of the baseline update task.

    Proceed to the next step of the New Task Wizard.

  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete checkbox.

    When the task is run with the default settings, the application updates the baseline only for new or modified objects within the monitoring scope (incremental update).

    Finish the wizard.

    The created task appears in the list of tasks.

  8. If you want to perform a full baseline update, change the task settings as follows:
    1. Double-click to open the properties window of the created task.
    2. Go to the Settings section and select the Full update option.
    3. Click OK.
  9. Start the baseline update task.

When the task is run, a baseline will be created or a previously created baseline will be updated on each virtual machine that you specified in task settings.

To create or update the baseline on virtual machines using the Web Console:

  1. Create a task of the Baseline update type following the instructions of the wizard. The task is created with the default settings.

    As a result of the task execution, the application updates the baseline only for the new or modified objects in the monitoring scope (incremental update).

  2. To perform a full baseline update, at the last step of the wizard, select the Open task properties window after creation check box and close the wizard.
  3. In the task properties window, on the Application settings tab, select the Full update option and click the Save button to save the changes.
  4. Start the baseline update task.

To create or update the baseline on a virtual machine using the Light Agent for Windows local interface:

  1. If necessary, configure the settings of the baseline update task. To do this, perform the following actions:
    1. On the protected virtual machine, open the application settings window.
    2. In the left part of the window, in the Scheduled tasks section, select Baseline update.

      The right part of the window displays the settings of the baseline update task.

      If the Baseline update section is absent, this means that the display and management of local tasks is denied by the policy for all protected virtual machines of the administration group. You can enable or disable the display and management of local tasks in the Light Agent for Windows policy (Other settings section, Advanced settings subsection).

    3. Select the baseline update mode:
      • Full update – for all objects in the monitoring scope.
      • Incremental update – only for modified or new objects from the monitoring scope.
    4. To save changes, click the Save button.
  2. Start the baseline update task.

Checking system integrity by schedule or on demand

You can use the System Integrity Check task to check system integrity on protected virtual machines.

You can create and configure the System Integrity Check task for protected virtual machines that are included in the administration group, using Kaspersky Security Center Administration Console or using the Web Console. You can configure the System Integrity Check task for one virtual machine in the local interface of Light Agent for Windows.

For successful completion of the task, the baseline must fully match the System Integrity Check scope when the System Integrity Check task is started. If the composition of objects whose state was recorded in the baseline differs from the composition of objects that are within the System Integrity Check scope, the System Integrity Check task ends with an error.

To check the system integrity on the virtual machines using the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. Do one of the following:
    • To create a task for the virtual machines within the selected administration group, select the folder with the name of this administration group in the console tree, and in the workspace, select the Tasks tab.
    • To create a task for one or more virtual machines (tasks for a set of devices), select the Tasks folder in the console tree.
  3. Click the New task button to start the New Task Wizard.
  4. At the first step of the Wizard, select the type of task. To do so, in the Kaspersky Security for Virtualization 5.2 Light Agent for Windows list, select System Integrity Check.

    Proceed to the next step of the New Task Wizard.

  5. If you started the New Task Wizard from the Tasks folder, specify the method of selecting the virtual machines for which you are creating the task. You can select virtual machines from the list of virtual machines discovered by the Administration Server, manually specify the addresses of virtual machines, import a list of virtual machines from a file, or specify a previously configured selection of devices (for details, please refer to the Kaspersky Security Center help). Depending on the specified method of selection of virtual machines, perform one of the following operations in the window that opens:
    • In the list of detected virtual machines, specify the virtual machines for which you want to create the task. To do so, select check boxes in the list on the left of the name of the relevant virtual machine.
    • Click the Add or Add IP range button and enter the addresses of virtual machines manually.
    • Click the Import button, and in the window that opens select a TXT file with the list of addresses of virtual machines.
    • Click Browse and in the window that opens specify the name of the selection containing the virtual machines for which you want to create the task.

    Proceed to the next step of the New Task Wizard.

  6. In the Scheduled start drop-down list, select Manually.

    Proceed to the next step of the New Task Wizard.

  7. In the Name field, enter the name of the System Integrity Check task.

    Proceed to the next step of the New Task Wizard.

  8. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete checkbox.

    When the task is run with the default settings, the application performs a System Integrity Check in Full scan mode (all attributes of files and file contents are analyzed when checking for modifications in files).

    Finish the wizard.

    The created task appears in the list of tasks.

  9. If you want the application to analyze only the attributes of files and not file contents when checking for modifications in files, change the task settings as follows:
    1. Double-click to open the properties window of the created task.
    2. Go to the Settings section and select the Quick Scan option.
    3. Click OK.
  10. Start the System Integrity Check task.

System Integrity Check runs on each virtual machine that you specified in task settings. You can view its execution results in the Administration Console.

To check the system integrity on the virtual machines using the Web Console:

  1. Create a task of the System Integrity Check type following the instructions of the wizard. The task is created with the default settings.

    As a result of the task execution, the application performs a System Integrity Check in Full scan mode (all file attributes and file contents are analyzed when checking for modifications of files).

  2. If you want the application to analyze only the file attributes and to skip the contents of files when checking for modifications of files, at the last step of the wizard, select the Open task properties window after creation check box and close the wizard.
  3. In the task properties window, on the Application settings tab, select the Quick Scan option and click the Save button to save the changes.
  4. Start the System Integrity Check task.

System Integrity Check runs on each virtual machine that you specified in task settings. You can view its execution results in the Web Console.

To check the system integrity on a virtual machine in the Light Agent for Windows local interface:

  1. If necessary, configure the settings of the System Integrity Check task. To do this, perform the following actions:
    1. On the protected virtual machine, open the application settings window.
    2. In the left part of the window, in the Scheduled tasks section, select the System Integrity Check section.

      The right part of the window displays the System Integrity Check task settings.

      If the System Integrity Check section is absent, this means that the display and management of local tasks is denied by the policy for all protected virtual machines of the administration group. You can enable or disable the display and management of local tasks in the Light Agent for Windows policy (Other settings section, Advanced settings subsection).

    3. Select the scan mode:
      • Full scan – all attributes of files and file contents are analyzed when checking for modifications in files. This option is selected by default.
      • Quick Scan – only the attributes of files are analyzed when checking for modifications in files; file contents are not checked.
    4. If necessary, change the task run mode. You are advised to use the Manually run mode. This mode is selected by default.
    5. To save changes, click the Save button.
  2. Start the System Integrity Check task.
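The procedures above distinguish a full baseline update from an incremental one, a Full scan (attributes and contents) from a Quick Scan (attributes only), and require the baseline to match the check scope exactly. The following added example is a small model of that behaviour written for this page; it is not Kaspersky code and says nothing about how the product stores its baseline. The `Record`, `Baseline`, `snapshot`, `update_baseline` and `check` names, the choice of SHA-256 for content comparison, the representation of the scope as a set of directories, and the rule that an incremental update keeps entries for objects that have since disappeared are all assumptions of the example.

```python
"""Baseline-and-check model of a file integrity monitor (added illustration,
not Kaspersky code). A baseline records each file's size, modification time
and SHA-256 digest; a check compares the current state of the scope with the
baseline and reports Create / Modify / Delete. Quick mode compares attributes
only, Full mode also compares digests; a scope mismatch is an error."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass(frozen=True)
class Record:
    size: int
    mtime_ns: int
    sha256: str


@dataclass
class Baseline:
    scope: frozenset                             # monitored directories, relative to root
    records: dict = field(default_factory=dict)  # relative path -> Record


class ScopeMismatch(Exception):
    """Check scope differs from the scope recorded in the baseline."""


def _digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, scope) -> dict:
    """Record size, mtime and content digest of every file inside the scope."""
    records = {}
    for sub in sorted(scope):
        for p in sorted((root / sub).rglob("*")):
            if p.is_file():
                st = p.stat()
                records[p.relative_to(root).as_posix()] = Record(
                    st.st_size, st.st_mtime_ns, _digest(p))
    return records


def update_baseline(root: Path, scope, old: Baseline | None = None,
                    full: bool = False) -> Baseline:
    """Full update rebuilds the baseline. Incremental update rewrites only the
    entries of new or modified objects; entries for objects that have vanished
    are kept (assumption), so a later check still reports the deletion."""
    current = snapshot(root, scope)
    if full or old is None or old.scope != frozenset(scope):
        return Baseline(frozenset(scope), current)
    merged = dict(old.records)
    for path, rec in current.items():
        if merged.get(path) != rec:
            merged[path] = rec
    return Baseline(old.scope, merged)


def check(root: Path, scope, baseline: Baseline, mode: str = "full") -> dict:
    """Compare the current state with the baseline; returns {path: action}."""
    if frozenset(scope) != baseline.scope:
        raise ScopeMismatch(f"baseline covers {sorted(baseline.scope)}, "
                            f"check scope is {sorted(scope)}")
    current = snapshot(root, scope)
    findings = {}
    for path in sorted(set(current) | set(baseline.records)):
        old, new = baseline.records.get(path), current.get(path)
        if old is None:
            findings[path] = "Create"
        elif new is None:
            findings[path] = "Delete"
        elif (old.size, old.mtime_ns) != (new.size, new.mtime_ns):
            findings[path] = "Modify"        # attribute change: seen in both modes
        elif mode == "full" and old.sha256 != new.sha256:
            findings[path] = "Modify"        # content-only change: Full scan only
    return findings


def demo():
    """Constructed scenario: a same-size edit with its mtime put back, one
    deleted file, one new file, then a check run with a different scope."""
    with tempfile.TemporaryDirectory() as tmp:
        root, scope = Path(tmp), ["etc"]
        (root / "etc").mkdir()
        cfg = root / "etc" / "app.conf"
        cfg.write_bytes(b"level=2\n")
        (root / "etc" / "old.conf").write_bytes(b"x")
        base = update_baseline(root, scope, full=True)

        st = cfg.stat()
        cfg.write_bytes(b"level=9\n")                          # same length
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))    # restore mtime
        (root / "etc" / "old.conf").unlink()
        (root / "etc" / "new.conf").write_bytes(b"y")

        quick = check(root, scope, base, "quick")   # misses the content change
        full = check(root, scope, base, "full")     # reports it
        try:
            check(root, ["etc", "bin"], base)
            mismatch = False
        except ScopeMismatch:
            mismatch = True
        after_inc = check(root, scope, update_baseline(root, scope, base), "full")
        return quick, full, mismatch, after_inc


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why the default Full scan mode matters: the edited `app.conf` keeps its size and modification time, so the Quick Scan reports only the created and deleted files, while the Full scan also reports the modification. The scope check mirrors the rule stated above that a System Integrity Check whose scope differs from the baseline ends with an error.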

Viewing information about system integrity on a virtual machine

Information about the results of the System Integrity Monitoring component is displayed as follows:

  • As Kaspersky Security Center events. The System Integrity Monitoring component sends an event to Kaspersky Security Center if it detects that an external device has been connected or if files or the registry have been modified on a protected virtual machine.

    All events of the System Integrity Monitoring component are displayed in the list of Kaspersky Security Center events both in the Administration Console and in the Web Console. You can configure event selections for viewing events from the System Integrity Monitoring component. For more information about configuring event selections, please refer to the Kaspersky Security Center help.

    Events that occurred when the last system integrity check task was run on the virtual machine are displayed in the properties of the application installed on the virtual machine.

  • By changing the status of a virtual machine in Kaspersky Security Center. When events with an importance level of Critical or Important are received from the System Integrity Monitoring component, Kaspersky Security Center changes the client device status for the protected virtual machine to Critical or Warning.

    Receiving the device status from a managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.

    The client device status and all the reasons for changing the status are displayed in the list of devices included in the administration group. For details on client device statuses, please refer to the Kaspersky Security Center help.

    You can reset the status received from the System Integrity Monitoring component.

  • In the results of a system integrity check task in Kaspersky Security Center.
  • In the form of reports in Kaspersky Security Center. Kaspersky Security Center provides two types of reports:
    • Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times.
    • Report on the most frequently triggered System Integrity Monitoring rules.
  • In the form of reports in the local interface of Light Agent. In the Reports and Storages window on the Reports tab, you can view the following reports:
    • Real-Time System Integrity Monitoring report.
    • System Integrity Check task report.
    • Baseline update task report.

In this section:

Viewing events that occurred during the last run of the System Integrity Check

Viewing a report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times

Viewing a report on the most frequently triggered System Integrity Monitoring rules


Viewing events that occurred during the last run of the System Integrity Check

You can view the events that occurred during the last System Integrity Check in the properties of the Kaspersky Security application installed on the protected virtual machine. You can view the list of events using the Administration Console or the Web Console (in the properties window of Kaspersky Security for Virtualization 5.2 Light Agent installed on the virtual machine, on the Application settings tab, in the System Integrity Monitoring events section).

To use the Administration Console to view the list of events that occurred on the virtual machine during the last run of the System Integrity Check task:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the console tree, select the folder with the name of the administration group that includes the required virtual machine.
  3. In the workspace, select the Devices tab.
  4. Select a virtual machine from the list and double-click it to open the Settings: <Virtual machine name> window.
  5. In the window that opens, in the list on the left, select the Applications section.
  6. In the right part of the window, in the list of applications installed on the virtual machine, select Kaspersky Security for Virtualization 5.2 Light Agent and double-click it to open the Kaspersky Security for Virtualization 5.2 Light Agent Settings window.
  7. In the window that opens, in the list on the left, select the System Integrity Monitoring events section.

    The table in the right part of the window shows the following information about each event:

    • Event generation date.
    • Event name.
    • Rule applied by the System Integrity Monitoring component.
    • Control object in which the modification is made. Depending on the type of control object, the following information is displayed in the column:
      • Path to the file, if the System Integrity Monitoring component detected a change to a file.
      • Registry key, if the System Integrity Monitoring component detected a change in the registry.
      • Device name, if the System Integrity Monitoring component detected the connection of an external device.
    • Type of modification to the monitored object detected by the System Integrity Monitoring component. Possible values:
      • Create.
      • Modify.
      • Delete.
      • Connect.

    In the list of events, you can perform the following actions:

    • Update the list of events.
    • Filter the list of events by column values or custom conditions.
    • Use the search function to find a specific event.
    • Change the order and arrangement of columns that are shown in the report.
    • Sort the list of events by each column.
    • Save a report to a TXT or CSV file.

Viewing a report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times

Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times in the Administration Console

To view the report on the virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the workspace of the Administration Server <Server name> node, go to the Reports tab.
  3. Click the New report template button to start the New Report Template Wizard.
  4. Follow the wizard instructions.
  5. In the Selecting the report template type window, in the Other section, select the Top 10 devices with the most frequently triggered File Operations Monitoring/System Integrity Monitoring rules type.
  6. After creating a report template, select it in the list of templates on the Reports tab.

The report will be displayed in the workspace.

The Period field shows the reporting period covered by the report. By default, the report is generated for the last 30 days, which includes the report generation date.

The report consists of two tables:

  • The summary table contains information on the protected virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times.
  • The detailed table contains information on each instance of a triggered rule.

You can customize display of the columns for each table. For details on how to add or remove columns in the report tables please refer to the Kaspersky Security Center help.

The summary table contains the following information:

  • Device name – name of the protected virtual machine on which System Integrity Monitoring rules were triggered.
  • Number of events – number of times System Integrity Monitoring rules were triggered on the protected virtual machine.
  • Number of rules – number of System Integrity Monitoring rules that were triggered on the protected virtual machine.

    The row below displays the following summary information:

    • Number of devices – total number of protected virtual machines on which System Integrity Monitoring rules were triggered.
    • Number of events – total number of times System Integrity Monitoring rules were triggered on protected virtual machines.
    • Event receipt limit reached – information about whether the maximum number of events that Kaspersky Security Center can receive from System Integrity Monitoring components on client devices has been reached. The limit on the number of received events is configured in the Kaspersky Security Center registry and is 15,000 events per day by default. If the number of received events has exceeded the limit, Yes is displayed in the field.

The detailed table contains the following information:

  • Virtual Server – the name of the virtual Administration Server (if available) that manages the protected virtual machine.
  • Group name – the name of the group that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • IP address – IP address of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Last visible – date and time when the protected virtual machine on which the System Integrity Monitoring rule was triggered was last observed on the network by the Administration Server.
  • Last connected to Network Agent – date and time when Network Agent was last synchronized with the Administration Server.
  • Device name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • NetBIOS name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain name – name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • DNS name – DNS name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain DNS name – DNS name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Importance – importance level of the System Integrity Monitoring event. Possible values: Informational message, Important message, Critical message.
  • Event time – date and time when the event occurred.
  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Object path – path to the monitored object whose modification was detected by the System Integrity Monitoring component. Depending on the type of control object, the following information is displayed in the column:
    • Path to the file or folder, if the System Integrity Monitoring component detected a change to a file or folder.
    • Registry key, if the System Integrity Monitoring component detected a change in the registry.
    • External device, if the System Integrity Monitoring component detected the connection of an external device.
  • Action – action taken on the monitored object. Possible values: Create, Modify, Delete, Connect.
  • Object type – type of the monitored object whose modification was detected by the System Integrity Monitoring component. Possible values: File or folder, Registry key, External device.
  • System Integrity Monitoring component was disabled – information about whether the System Integrity Monitoring component was disabled when the event occurred. For Kaspersky Security, this field always shows No.
  • User – user account of the protected virtual machine on which the System Integrity Monitoring rule was triggered.

Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times in the Web Console

To create a template of a report on virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.
  3. Click the Add button above the list of report templates.
  4. In the window that opens, in the Report name field, specify the name of the created report template and in the Report type section in the Other subsection select the Top 10 devices with most frequently triggered File Operations Monitoring / System Integrity Monitoring rules type.
  5. In the Scope window, specify the devices whose information is to be displayed in the report.
  6. In the Report period window, specify the time interval for which data is to be displayed in the report.
  7. In the Report created window, do one of the following:
    • Click the Save and run button to start generating the report.
    • Click the Save button to save the report template.

The created report template will be displayed in the workspace.

To view the report on the virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.

    A list of report templates opens.

  3. Select the check box next to the name of the report template of the Top 10 devices with most frequently triggered File Operations Monitoring / System Integrity Monitoring rules type.
  4. Click the View report button.

The report window opens.

The report has two tabs:

  • The Summary tab contains information on the protected virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times:
    • Name of the protected virtual machine on which System Integrity Monitoring rules were triggered.
    • Number of times System Integrity Monitoring rules were triggered on the protected virtual machine.
    • Number of System Integrity Monitoring rules that were triggered on the protected virtual machine.
  • The Details tab contains information about each rule triggering event.

You can customize the displayed columns in tables on the report tabs. For details on how to add or remove columns in the report tables please refer to the Kaspersky Security Center help.


Viewing a report on the most frequently triggered System Integrity Monitoring rules

Report on the most frequently triggered System Integrity Monitoring rules in the Administration Console

To view the report on the most frequently triggered System Integrity Monitoring rules in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the workspace of the Administration Server <Server name> node, go to the Reports tab.
  3. Click the New report template button to start the New Report Template Wizard.
  4. Follow the wizard instructions.
  5. In the Selecting the report template type window, in the Other section, select the Top 10 File Operations Monitoring/System Integrity Monitoring rules triggered on the devices type.
  6. After creating a report template, select it in the list of templates on the Reports tab.

The report will be displayed in the workspace.

The Period field shows the reporting period covered by the report. By default, the report is generated for the last 30 days, which includes the report generation date.

The report consists of two tables:

  • The summary table contains information about the System Integrity Monitoring rules that were most frequently triggered on devices during the reporting period.
  • The detailed table contains information on each instance of a triggered rule.

You can customize display of the columns for each table. For details on how to add or remove columns in the report tables please refer to the Kaspersky Security Center help.

The summary table contains the following information:

  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Number of events – number of times the System Integrity Monitoring rule was triggered on protected virtual machines.
  • Number of devices – number of protected virtual machines on which the System Integrity Monitoring rule was triggered.

    The row below displays the following summary information:

    • Number of devices – total number of protected virtual machines on which System Integrity Monitoring rules were triggered.
    • Number of events – total number of times System Integrity Monitoring rules were triggered on protected virtual machines.
    • Event receipt limit reached – information about whether the maximum number of events that Kaspersky Security Center can receive from System Integrity Monitoring components on client devices has been reached. The limit on the number of received events is configured in the Kaspersky Security Center registry and is 15,000 events per day by default. If the number of received events has exceeded the limit, Yes is displayed in the field.

The detailed table contains the following information:

  • Virtual Server – the name of the virtual Administration Server (if available) that manages the protected virtual machine.
  • Group name – the name of the group that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • IP address – IP address of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Last visible – date and time when the protected virtual machine on which the System Integrity Monitoring rule was triggered was last observed on the network by the Administration Server.
  • Last connected to Network Agent – date and time when Network Agent was last synchronized with the Administration Server.
  • Device name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • NetBIOS name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain name – name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • DNS name – DNS name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain DNS name – DNS name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Importance – importance level of the System Integrity Monitoring event. Possible values: Informational message, Important message, Critical message.
  • Event time – date and time when the event occurred.
  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Object path – path to the monitored object whose modification was detected by the System Integrity Monitoring component. Depending on the type of control object, the following information is displayed in the column:
    • Path to the file or folder, if the System Integrity Monitoring component detected a change to a file or folder.
    • Registry key, if the System Integrity Monitoring component detected a change in the registry.
    • External device, if the System Integrity Monitoring component detected the connection of an external device.
  • Action – action taken on the monitored object. Possible values: Create, Modify, Delete, Connect.
  • Object type – type of the monitored object whose modification was detected by the System Integrity Monitoring component. Possible values: File or folder, Registry key, External device.
  • System Integrity Monitoring component was disabled – information about whether the System Integrity Monitoring component was disabled when the event occurred. For Kaspersky Security, this field always shows No.
  • User – user account of the protected virtual machine on which the System Integrity Monitoring rule was triggered.

Report on the most frequently triggered System Integrity Monitoring rules in the Web Console

To create a template of a report on the most frequently triggered System Integrity Monitoring rules in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.
  3. Click the Add button above the list of report templates.
  4. In the window that opens, in the Report name field, specify the name of the created report template and in the Report type section in the Other subsection select the Top 10 File Operations Monitoring / System Integrity Monitoring rules most frequently triggered on devices type.
  5. In the Scope window, specify the devices whose information is to be displayed in the report.
  6. In the Report period window, specify the time interval for which data is to be displayed in the report.
  7. In the Report created window, do one of the following:
    • Click the Save and run button to start generating the report.
    • Click the Save button to save the report template.

The created report template will be displayed in the workspace.

To view the report on the most frequently triggered System Integrity Monitoring rules in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.

    A list of report templates opens.

  3. Select the check box next to the name of the report template of the Top 10 File Operations Monitoring / System Integrity Monitoring rules most frequently triggered on devices type.
  4. Click the View report button.

The report window opens.

The report has two tabs:

  • The Summary tab contains information about the System Integrity Monitoring rules that were most frequently triggered on the devices during the reporting period:
    • Name of the triggered System Integrity Monitoring rule.
    • Number of times the System Integrity Monitoring rule was triggered on protected virtual machines.
    • Number of protected virtual machines on which the System Integrity Monitoring rule was triggered.
  • The Details tab contains information about each rule triggering event.

You can customize the displayed columns in tables on the report tabs. For details on how to add or remove columns in the report tables please refer to the Kaspersky Security Center help.
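Both reports described above are aggregations of the same System Integrity Monitoring event records: the first groups them by device (Number of events, Number of rules per device), the second by rule (Number of events, Number of devices per rule), and both end with the same totals row, including the Event receipt limit reached flag. The following added example, written for this page and not part of Kaspersky Security Center, shows how those three tables are derived from event records. The `SimEvent` fields follow the detailed-table columns listed above; the sample events, rule names and object paths are constructed, and the 15,000 events per day figure is the default the text gives for the receipt limit.

```python
"""Deriving the two report summaries from event records (added illustration,
not Kaspersky code). Event fields mirror the detailed table columns on this
page; the sample events are constructed."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

EVENT_RECEIPT_LIMIT_PER_DAY = 15_000   # default given on this page


@dataclass(frozen=True)
class SimEvent:
    device: str
    rule: str
    importance: str     # Informational message | Important message | Critical message
    time: datetime
    object_type: str    # File or folder | Registry key | External device
    object_path: str
    action: str         # Create | Modify | Delete | Connect


def top_devices(events, n=10):
    """Summary table of the 'Top 10 devices' report:
    (Device name, Number of events, Number of rules), most events first."""
    by_device = defaultdict(list)
    for e in events:
        by_device[e.device].append(e)
    rows = [(dev, len(evs), len({e.rule for e in evs}))
            for dev, evs in by_device.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


def top_rules(events, n=10):
    """Summary table of the 'Top 10 rules' report:
    (Name of the triggered rule, Number of events, Number of devices)."""
    by_rule = defaultdict(list)
    for e in events:
        by_rule[e.rule].append(e)
    rows = [(rule, len(evs), len({e.device for e in evs}))
            for rule, evs in by_rule.items()]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows[:n]


def summary_row(events, limit=EVENT_RECEIPT_LIMIT_PER_DAY):
    """Totals row shown under either summary table. The flag is 'Yes' when
    more events than the per-day limit were received on any single day."""
    per_day = Counter(e.time.date() for e in events)
    reached = any(count > limit for count in per_day.values())
    return {
        "Number of devices": len({e.device for e in events}),
        "Number of events": len(events),
        "Event receipt limit reached": "Yes" if reached else "No",
    }


def sample_events():
    """Constructed events within one reporting period (not real data)."""
    base = datetime(2024, 5, 6, 9, 0)

    def ev(dev, rule, imp, otype, path, act, minute):
        return SimEvent(dev, rule, imp, base.replace(minute=minute), otype, path, act)

    return [
        ev("vm-01", "Windows system files", "Critical message", "File or folder",
           r"C:\Windows\System32\drivers\etc\hosts", "Modify", 1),
        ev("vm-01", "Windows system files", "Critical message", "File or folder",
           r"C:\Windows\System32\drivers\etc\hosts", "Modify", 2),
        ev("vm-01", "Autorun registry keys", "Important message", "Registry key",
           r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Create", 3),
        ev("vm-02", "Windows system files", "Critical message", "File or folder",
           r"C:\Program Files\App\app.exe", "Delete", 4),
        ev("vm-03", "External devices", "Informational message", "External device",
           "USB Mass Storage Device", "Connect", 5),
        ev("vm-03", "External devices", "Informational message", "External device",
           "USB Mass Storage Device", "Connect", 6),
    ]


if __name__ == "__main__":
    events = sample_events()
    print(top_devices(events))
    print(top_rules(events))
    print(summary_row(events))
```

The distinction the two reports make is in the third column: per device it counts distinct rules, per rule it counts distinct devices, while Number of events is a plain count in both. The totals row is shared, which is why the same limit flag appears under both summary tables.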


System integrity status reset

If System Integrity Monitoring events were the reason for changing the virtual machine status to Critical or Warning, the status is referred to as the system integrity status.

You can reset the system integrity status in Kaspersky Security Center, that is, cancel the Critical and Warning statuses for virtual machines.

You can reset the system integrity status for one virtual machine or create a group task to reset the system integrity status for several protected virtual machines in the administration group.

In this section:

System integrity status reset for one virtual machine

Creating a system integrity status reset task


System integrity status reset for one virtual machine

You can reset the system integrity status for a virtual machine in the properties of the Kaspersky Security application installed on the virtual machine. You can reset the system integrity status using the Administration Console or Web Console (in the properties window of Kaspersky Security for Virtualization 5.2 Light Agent installed on the virtual machine, on the Application settings tab in the Virtual machine integrity status section).

To reset the system integrity status for one virtual machine using the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the console tree, select the folder with the name of the administration group that includes the required virtual machine.
  3. In the workspace, select the Devices tab.
  4. Select a virtual machine from the list and double-click it to open the Settings: <Virtual machine name> window.
  5. In the window that opens, in the list on the left, select the Applications section.
  6. In the right part of the window, in the list of applications installed on the virtual machine, select Kaspersky Security for Virtualization 5.2 Light Agent and double-click it to open the Kaspersky Security for Virtualization 5.2 Light Agent Settings window.
  7. In the window that opens, in the list on the left, select the Virtual machine system integrity status section.
  8. In the right part of the window, click the Reset status button.

If System Integrity Monitoring events were the reason for changing the virtual machine status to Critical or Warning, the OK status is assigned to the virtual machine.

If the status was also changed due to other events or based on Kaspersky Security Center status assignment rules, the status for the virtual machine is not changed.
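The two paragraphs above define when a reset actually changes anything: the OK status is assigned only when System Integrity Monitoring events are the sole reason for the Critical or Warning status; if other events or status assignment rules also contributed, the status stays as it is. The following added example (not Kaspersky's code, and not an interface to Kaspersky Security Center) models that rule for a single virtual machine and for a group of virtual machines as a reset task would process them, so an administrator can see in advance which machines a reset will clear and which need other causes addressed first. The virtual machine names, reason sources and sample reasons are constructed.

```python
from dataclasses import dataclass, field

# Device status values in increasing severity, as shown in Kaspersky Security Center.
SEVERITY = {"OK": 0, "Warning": 1, "Critical": 2}


@dataclass
class StatusReason:
    # "system_integrity" for System Integrity Monitoring events;
    # "other" for other events or Kaspersky Security Center status assignment rules.
    source: str
    status: str  # "Warning" or "Critical"


@dataclass
class VirtualMachine:
    name: str
    reasons: list = field(default_factory=list)

    def status(self):
        """The device status is the most severe status among its reasons."""
        if not self.reasons:
            return "OK"
        return max((r.status for r in self.reasons), key=SEVERITY.__getitem__)


def reset_system_integrity_status(vm):
    """Model the Reset status button: System Integrity Monitoring reasons are
    cleared only when they are the sole cause of the Critical or Warning
    status; otherwise the status is left unchanged. Returns the resulting status."""
    if vm.reasons and all(r.source == "system_integrity" for r in vm.reasons):
        vm.reasons.clear()
    return vm.status()


def run_reset_task(vms):
    """Model a group system integrity status reset task: apply the reset to
    every virtual machine in the task scope and return name -> status after reset."""
    return {vm.name: reset_system_integrity_status(vm) for vm in vms}


def build_sample_group():
    """Constructed administration group (sample data, not a real environment)."""
    return [
        # Only System Integrity Monitoring caused the Critical status: reset clears it.
        VirtualMachine("vm-web-01", [StatusReason("system_integrity", "Critical")]),
        # A status assignment rule also contributed: reset leaves the status unchanged.
        VirtualMachine("vm-db-01", [StatusReason("system_integrity", "Critical"),
                                    StatusReason("other", "Warning")]),
        # Nothing to reset.
        VirtualMachine("vm-app-01"),
    ]


if __name__ == "__main__":
    for name, status in run_reset_task(build_sample_group()).items():
        print(f"{name}: {status}")
```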


Creating a system integrity status reset task

You can create a task to reset the system integrity status using the Administration Console. The task is started manually. A system integrity status reset is performed on each virtual machine that you specified in task settings.

You can also create and run a system integrity status reset task on virtual machines using the Web Console.

To create a system integrity status reset task on virtual machines using the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. Do one of the following:
    • To create a task for the virtual machines within the selected administration group, select the folder with the name of this administration group in the console tree, and in the workspace, select the Tasks tab.
    • To create a task for one or more virtual machines (tasks for a set of devices), select the Tasks folder in the console tree.
  3. Click the New task button to start the New Task Wizard.
  4. At the first step of the Wizard, select the type of task. To do so, in the Kaspersky Security for Virtualization 5.2 Light Agent for Windows list, select System integrity status reset.

    Proceed to the next step of the New Task Wizard.

  5. If you started the New Task Wizard from the Tasks folder, specify the method of selecting the virtual machines for which you are creating the task. You can select virtual machines from the list of virtual machines discovered by the Administration Server, manually specify the addresses of virtual machines, import a list of virtual machines from a file, or specify a previously configured selection of devices (for details, please refer to the Kaspersky Security Center help). Depending on the specified method of selection of virtual machines, perform one of the following operations in the window that opens:
    • In the list of detected virtual machines, specify the virtual machines for which you want to create the task. To do so, select the check boxes to the left of the names of the relevant virtual machines.
    • Click the Add or Add IP range button and enter the addresses of virtual machines manually.
    • Click the Import button, and in the window that opens select a TXT file with the list of addresses of virtual machines.
    • Click Browse and in the window that opens specify the name of the selection containing the virtual machines for which you want to create the task.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the name of the system integrity status reset task.

    Proceed to the next step of the New Task Wizard.

  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created system integrity status reset task appears in the list of tasks.
