Configuring the system integrity monitoring scope and the System Integrity Check scope
For correct operation of the System Integrity Monitoring component, you must configure the scope of the component, i.e. select the objects whose status must be tracked by the System Integrity Monitoring component. The scope is configured in the Light Agent for Windows policy or in the local interface of Light Agent for Windows.
You can configure the System Integrity Monitoring scope for real-time operation of the component and configure a separate System Integrity Check scope by schedule or on demand. This scope is also used for the baseline update task. If the scope of the System Integrity Check is not defined, the system integrity monitoring scope is applied for the System Integrity Check task and the baseline update task.
This section describes how to configure the Integrity Control component scope using the Administration Console and the Light Agent for Windows local interface. You can also configure the Integrity Control scope settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Endpoint control → System Integrity Monitoring).
To configure the scope of the System Integrity Monitoring component in the Administration Console:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the System Integrity Monitoring section in the list on the left.
- In the right part of the window, in the System Integrity Monitoring scope section, configure the System Integrity Monitoring real-time scope:
- Select the Monitor devices check box if you want System Integrity Monitoring to track when external devices are connected on the protected virtual machine in real time.
- In the drop-down list, select the importance level for events generated by the System Integrity Monitoring component when it detects the connection of an external device. By default, an Informational event is generated.
- Select the Monitor files and the registry check box if you want the System Integrity Monitoring component to track changes made to files and the registry on the protected virtual machine in real time.
- Click the Settings button.
- In the System Integrity Monitoring rules window that appears, create a list of rules that are applied when the Real-Time System Integrity Monitoring component is running.
You can perform the following actions when configuring System Integrity Monitoring rules:
- Add or edit rules.
- Import and export rules.
- Enable or disable rules.
- Delete rules.
- In the System Integrity Monitoring rules window, click OK.
- If you want to configure a separate scope for an integrity check by schedule or on demand, perform the following actions in the System Integrity Check scope section:
- Select the Define System Integrity Check scope check box.
The System Integrity Check scope settings group will appear under the check box.
- Configure the settings in the System Integrity Check scope section as described in step 6 of these instructions. These settings will be applied when the System Integrity Check task and baseline update task are performed.
- Click the Apply button.
To configure the scope of the System Integrity Monitoring component in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
In the right part of the window, the System Integrity Monitoring component settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- To configure the System Integrity Monitoring scope in real time, perform the following actions in the System Integrity Monitoring settings section:
- Select the Monitor devices check box located under the name of the System Integrity Monitoring settings section if you want System Integrity Monitoring to track when external devices are connected on the protected virtual machine in real time.
- In the drop-down list, select the importance level for events generated by the System Integrity Monitoring component when it detects the connection of an external device. By default, an Informational event is generated.
- Select the Monitor files and the registry check box located in the upper part of the System Integrity Monitoring settings section if you want the System Integrity Monitoring component to track changes made to files and the registry on the protected virtual machine in real time.
- Complete steps 6d–6f of the previous instructions.
- If you want to configure a separate scope for a system integrity check by schedule or on demand, perform the following actions in the System Integrity Monitoring settings section:
- Select the Define System Integrity Check scope check box.
A settings section appears under the check box.
- Configure the settings in the section as described in step 6 of the previous instructions. These settings will be applied when the System Integrity Check task and baseline update task are performed.
- To save changes, click the Save button.
Creating and editing a System Integrity Monitoring rule
You can create a system integrity monitoring rule by creating a monitoring scope and/or a list of exclusions from the monitoring scope for files and folders, registry keys and values. After creating or importing a system integrity monitoring rule, you can change the rule settings if necessary.
To create or edit a System Integrity Monitoring rule through Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the System Integrity Monitoring section in the list on the left.
- In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
- In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
- In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
- In the System Integrity Monitoring rules window that opens, perform one of the following actions:
- If you want to create a system integrity monitoring rule, click the Add button located above the list of rules.
- If you want to edit a system integrity monitoring rule, select it in the list and click the Edit button.
- In the System Integrity Monitoring rule window that opens, enter the rule name and select the importance level for the events generated by System Integrity Monitoring when it applies this rule. By default, an Informational event is generated.
- Configure the monitoring scope of files and folders on the Files tab.
To add a file or folder so that Kaspersky Security monitors changes in it:
- Click the Add button located above the Monitoring scope field on the Files tab.
- In the File or folder window that opens, enter the absolute path to the folder or mask of the path to the folder to be monitored.
When entering a path mask, you can use the following characters in any part of the path:
- The * character can represent any characters except \ / :. In addition:
- If the * character is used to designate the name of an entire component of a path (for example, to designate a folder name: /*/), it can represent one or more characters.
- If the * character is used to designate part of the name of a path component (for example, to designate part of a folder name: /abc*/), it can represent zero or more characters.
- The ? character can replace any single character.
You can use environment variables when entering a folder path. You must type the % character before and after the name of the environment variable.
- If you need to monitor changes to files in a specified folder, enter a file name or file mask in the File name or file mask field.
When entering a mask, you can use the following characters:
- The * character represents zero or more characters. It can represent any characters except \ / :.
- The ? character represents any single character.
If you want to monitor changes made to the specified files in nested folders as well, select the Include files in subfolders check box.
- Click OK in the File or folder window.
The path to the file or folder is displayed in the list of paths in the Monitoring scope field.
Kaspersky Security monitors changes made to files and folders only on those drives that are connected when Real-Time System Integrity Monitoring starts running, which means when a policy is applied or when Real-Time System Integrity Monitoring is enabled. If a drive is powered off when Real-Time System Integrity Monitoring starts running, modifications made to files and folders on that drive are not monitored even if those files and folders have been added to the monitoring scope.
You can perform keyword searches in the list, and remove files and folders from the list by using the Delete button.
- If necessary, you can similarly configure the list of paths to files and/or folders that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to files and folders that are added to the list of paths in the Exclusions field.
To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Files tab.
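As an added example (not Kaspersky code), the following Python matcher applies the folder-mask, file-mask, subfolder and exclusion rules described above to candidate paths. It assumes case-insensitive comparison, backslash separators and that an entry with no file mask behaves as "*"; the rule entries and environment values in it are constructed.

```python
import re

# Assumptions not stated in the documentation: comparison is case-insensitive,
# path components are separated by backslashes, and an entry with no file mask
# behaves as if its file mask were "*".
FORBIDDEN = r"\\/:"  # characters no wildcard may stand in for


def component_regex(component, whole_star_one_or_more=True):
    """Regex for one mask component (a folder name or a file name)."""
    if component == "*" and whole_star_one_or_more:
        return f"[^{FORBIDDEN}]+"            # "/*/": one or more characters
    out = []
    for ch in component:
        if ch == "*":
            out.append(f"[^{FORBIDDEN}]*")   # "/abc*/": zero or more characters
        elif ch == "?":
            out.append(f"[^{FORBIDDEN}]")    # "?": exactly one character
        else:
            out.append(re.escape(ch))
    return "".join(out)


def expand_env(mask, env):
    """Replace %NAME% with values from a (constructed) environment mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), mask)


def entry_regex(folder_mask, file_mask, include_subfolders, env):
    """Full-path regex for one monitoring-scope or exclusion entry."""
    folders = [c for c in expand_env(folder_mask, env).split("\\") if c]
    pattern = r"\\".join(component_regex(c) for c in folders)
    if include_subfolders:
        pattern += rf"(?:\\[^{FORBIDDEN}]+)*"   # any depth of nested folders
    # In a file name mask "*" is zero or more characters and "?" is one.
    return pattern + r"\\" + component_regex(file_mask or "*", False)


def is_monitored(path, scope, exclusions, env):
    """One rule: the path is tracked if a scope entry matches and no exclusion does."""
    def hit(entries):
        return any(re.fullmatch(entry_regex(*e, env), path, re.IGNORECASE) for e in entries)
    return hit(scope) and not hit(exclusions)


# Constructed rule and environment, standing in for a real policy and VM.
ENV = {"SYSTEMROOT": r"C:\Windows"}
SCOPE = [  # (folder mask, file name mask, include files in subfolders)
    (r"%SystemRoot%\System32\drivers\etc", "hosts", False),   # one file, no subfolders
    (r"%SystemRoot%\System32\drivers", "*.sys", True),        # drivers at any depth
    (r"C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup", "*", False),
    (r"C:\Program Files\App*", "*.exe", True),                # "*" as part of a folder name
]
EXCLUSIONS = [
    (r"%SystemRoot%\System32\drivers\UMDF", "*", True),       # ignore this subtree
]


def check(path):
    return is_monitored(path, SCOPE, EXCLUSIONS, ENV)
```

Note that a whole-component "*" never spans a backslash, so C:\Users\alice\x\AppData\... does not match the Startup entry even though it lies under C:\Users.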
- Configure the monitoring scope of registry keys and values on the Registry tab.
To add a registry key or key parameter so that Kaspersky Security monitors changes in it:
- Click the Add button located above the Monitoring scope field on the Registry tab.
The Registry key window opens.
- Enter the name of the registry key whose modifications must be monitored.
The HKEY_CURRENT_USER key is not supported. You can specify a path to a registry key through HKEY_USERS as follows: HKEY_USERS\<user profile ID>\<key>.
- If you want Kaspersky Security to also monitor nested keys, select the Including nested keys check box.
- If you need to monitor changes to a parameter of the specified key, enter the name or mask of the parameter in the Name or mask of the key parameter field.
When entering a mask, you can use the wildcards * (any sequence of characters) and ? (any single character).
- In the Registry key window, click OK.
The name of the key and key parameter (if it was specified) is displayed in the list of keys and registry values in the Monitoring scope field.
You can perform a keyword search in the list, and remove keys from the list using the Delete button.
- If necessary, you can similarly configure the list of keys and registry values that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to keys and registry values that are added to the list in the Exclusions field.
To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Registry tab.
- In the System Integrity Monitoring rule window, click OK.
The rule is displayed in the list of rules in the System Integrity Monitoring rules window.
- In the System Integrity Monitoring rules window, click OK.
- Click the Apply button.
To create or edit a System Integrity Monitoring rule in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
In the right part of the window, the System Integrity Monitoring component settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Do one of the following:
- Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
- Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.
The System Integrity Monitoring rules window opens.
- Complete steps 7–14 of the previous instructions.
- To save changes, click the Save button.
Importing and exporting System Integrity Monitoring rules
You can save the configured list of System Integrity Monitoring rules to a file and import a previously saved list of rules from a file. To import or export a list of rules, you can use a file in XML format.
When configuring the System Integrity Monitoring component settings through Kaspersky Security Center, you can import a list of System Integrity Monitoring rules from templates that are included in the Kaspersky Security application distribution kit. A template contains paths to files and folders, as well as registry keys and values that are used for the operation of a specific application. Rules imported from a template let you track changes associated with the operation of this application.
To import or export a list of System Integrity Monitoring rules in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the System Integrity Monitoring section in the list on the left.
- In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
- In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
- In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
- If you want to import a list of System Integrity Monitoring rules, in the System Integrity Monitoring rules window that opens, click the Import button and do one of the following:
- To import a rule from a template, select From template in the drop-down list. Then in the window that opens, select the template name and click OK.
The rule from the selected template will be added to the list of rules in the System Integrity Monitoring rules window.
- To import rules from a file, in the drop-down list select From file and specify the path to the XML file in the opened window.
Rules from the selected file will be added to the list of rules in the System Integrity Monitoring rules window.
- If you want to export the list of System Integrity Monitoring rules, click the Export button and specify the path to the file in which you want to save the list of rules.
- In the System Integrity Monitoring rules window, click OK.
- Click the Apply button.
To import or export a list of System Integrity Monitoring rules in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
In the right part of the window, the System Integrity Monitoring component settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Do one of the following:
- Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
- Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.
The System Integrity Monitoring rules window opens.
- Complete steps 7–9 of the previous instructions.
- To save changes, click the Save button.
Enabling and disabling a System Integrity Monitoring rule
All System Integrity Monitoring rules are added to the list of rules with the Enabled status. If a rule is enabled, System Integrity Monitoring applies the rule.
You can disable any system integrity monitoring rule. If a rule is disabled, System Integrity Monitoring temporarily stops applying the rule.
To enable or disable a system integrity monitoring rule in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the System Integrity Monitoring section in the list on the left.
- In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
- In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
- In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
- In the System Integrity Monitoring rules window that opens, in the list of system integrity monitoring rules select the required rule and perform one of the following actions in the Status column:
- Select the value On if you want to enable the rule.
- Select the value Off if you want to disable the rule.
- In the System Integrity Monitoring rules window, click OK.
- Click the Apply button.
To enable or disable a system integrity monitoring rule in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
In the right part of the window, the System Integrity Monitoring component settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Do one of the following:
- Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
- Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.
The System Integrity Monitoring rules window opens.
- Complete steps 7–8 of the previous instructions.
- To save changes, click the Save button.