Kaspersky Security for Virtualization 5.2 Light Agent

Viewing information about system integrity on a virtual machine

Information about the results of the System Integrity Monitoring component is displayed as follows:

  • As Kaspersky Security Center events. The System Integrity Monitoring component sends an event to Kaspersky Security Center if it detects that an external device has been connected or if files or the registry have been modified on a protected virtual machine.

    All events of the System Integrity Monitoring component are displayed in the list of Kaspersky Security Center events both in the Administration Console and in the Web Console. You can configure event selections for viewing events from the System Integrity Monitoring component. For more information about configuring event selections, please refer to the Kaspersky Security Center help.

    Events that occurred when the last system integrity check task was run on the virtual machine are displayed in the properties of the application installed on the virtual machine.

  • By changing the status of a virtual machine in Kaspersky Security Center. When events with an importance level of Critical or Important are received from the System Integrity Monitoring component, Kaspersky Security Center changes the client device status for the protected virtual machine to Critical or Warning.

    Receiving the device status from a managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.

    The client device status and all the reasons for changing the status are displayed in the list of devices included in the administration group. For details on client device statuses, please refer to the Kaspersky Security Center help.

    You can reset the status received from the System Integrity Monitoring component.

  • In the results of a system integrity check task in Kaspersky Security Center.
  • In the form of reports in Kaspersky Security Center. Kaspersky Security Center provides two types of reports:
    • Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times.
    • Report on the most frequently triggered System Integrity Monitoring rules.
  • In the form of reports in the local interface of Light Agent. In the Reports and Storages window, on the Reports tab, you can view the following reports:
    • Real-Time System Integrity Monitoring report.
    • System Integrity Check task report.
    • Baseline update task report.

In this section:

Viewing events that occurred during the last run of the System Integrity Check

Viewing a report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times

Viewing a report on the most frequently triggered System Integrity Monitoring rules


Viewing events that occurred during the last run of the System Integrity Check

You can view the events that occurred during the last System Integrity Check in the properties of Kaspersky Security installed on the protected virtual machine. You can view the list of events using the Administration Console or the Web Console (in the properties window of Kaspersky Security for Virtualization 5.2 Light Agent installed on the virtual machine, on the Application settings tab, in the System Integrity Monitoring events section).

To use the Administration Console to view the list of events that occurred on the virtual machine during the last run of the System Integrity Check task:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder in the console tree, select the folder with the name of the administration group that includes the required virtual machine.
  3. In the workspace, select the Devices tab.
  4. Select a virtual machine from the list and double-click it to open the Settings: <Virtual machine name> window.
  5. In the window that opens, in the list on the left, select the Applications section.
  6. In the right part of the window, in the list of applications installed on the virtual machine, select Kaspersky Security for Virtualization 5.2 Light Agent and double-click it to open the Kaspersky Security for Virtualization 5.2 Light Agent Settings window.
  7. In the window that opens, in the list on the left, select the System Integrity Monitoring events section.

    The table in the right part of the window shows the following information about each event:

    • Event generation date.
    • Event name.
    • Rule applied by the System Integrity Monitoring component.
    • Control object in which the modification is made. Depending on the type of control object, the following information is displayed in the column:
      • Path to the file, if the System Integrity Monitoring component detected a change to a file.
      • Registry key, if the System Integrity Monitoring component detected a change in the registry.
      • Device name, if the System Integrity Monitoring component detected the connection of an external device.
    • Type of modification to the monitored object detected by the System Integrity Monitoring component. Possible values:
      • Create.
      • Modify.
      • Delete.
      • Connect.

    In the list of events, you can perform the following actions:

    • Update the list of events.
    • Filter the list of events by column values or custom conditions.
    • Use the search function to find a specific event.
    • Change the order and arrangement of columns that are shown in the report.
    • Sort the list of events by each column.
    • Save a report to a TXT or CSV file.

Viewing a report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times

Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times in the Administration Console

To view the report on the virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the workspace of the Administration Server <Server name> node, go to the Reports tab.
  3. Click the New report template button to start the New Report Template Wizard.
  4. Follow the wizard instructions.
  5. In the Selecting the report template type window, in the Other section, select the Top 10 devices with the most frequently triggered File Operations Monitoring/System Integrity Monitoring rules type.
  6. After creating a report template, select it in the list of templates on the Reports tab.

The report will be displayed in the workspace.

The Period field shows the reporting period covered by the report. By default, the report is generated for the last 30 days, which includes the report generation date.

The report consists of two tables:

  • The summary table contains information on the protected virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times.
  • The detailed table contains information on each instance of a triggered rule.

You can customize the display of columns for each table. For details on how to add or remove columns in the report tables, please refer to the Kaspersky Security Center help.

The summary table contains the following information:

  • Device name – name of the protected virtual machine on which System Integrity Monitoring rules were triggered.
  • Number of events – number of times System Integrity Monitoring rules were triggered on the protected virtual machine.
  • Number of rules – number of System Integrity Monitoring rules that were triggered on the protected virtual machine.

    The row below displays the following summary information:

    • Number of devices – total number of protected virtual machines on which System Integrity Monitoring rules were triggered.
    • Number of events – total number of times System Integrity Monitoring rules were triggered on protected virtual machines.
    • Event receipt limit reached – information about whether the maximum number of events that Kaspersky Security Center can receive from System Integrity Monitoring components on client devices has been reached. The limit on the number of received events is configured in the Kaspersky Security Center registry and is 15,000 events per day by default. If the number of received events has exceeded the limit, Yes is displayed in the field.

The detailed table contains the following information:

  • Virtual Server – the name of the virtual Administration Server (if available) that manages the protected virtual machine.
  • Group name – the name of the group that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • IP address – IP address of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Last visible – date and time when the protected virtual machine on which the System Integrity Monitoring rule was triggered was last observed on the network by the Administration Server.
  • Last connected to Network Agent – date and time when Network Agent was last synchronized with the Administration Server.
  • Device name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • NetBIOS name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain name – name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • DNS name – DNS name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain DNS name – DNS name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Importance – importance level of the System Integrity Monitoring event. Possible values: Informational message, Important message, Critical message.
  • Event time – date and time when the event occurred.
  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Object path – path to the monitored object whose modification was detected by the System Integrity Monitoring component. Depending on the type of control object, the following information is displayed in the column:
    • Path to the file or folder, if the System Integrity Monitoring component detected a change to a file or folder.
    • Registry key, if the System Integrity Monitoring component detected a change in the registry.
    • External device, if the System Integrity Monitoring component detected the connection of an external device.
  • Action – action taken on the monitored object. Possible values: Create, Modify, Delete, Connect.
  • Object type – type of the monitored object whose modification was detected by the System Integrity Monitoring component. Possible values: File or folder, Registry key, External device.
  • System Integrity Monitoring component was disabled – information about whether the System Integrity Monitoring component was disabled when the event occurred. For Kaspersky Security, this field always shows No.
  • User – user account of the protected virtual machine on which the System Integrity Monitoring rule was triggered.

Report on the virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times in the Web Console

To create a template of a report on the virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.
  3. Click the Add button above the list of report templates.
  4. In the window that opens, in the Report name field, specify the name of the created report template and in the Report type section in the Other subsection select the Top 10 devices with most frequently triggered File Operations Monitoring / System Integrity Monitoring rules type.
  5. In the Scope window, specify the devices whose information is to be displayed in the report.
  6. In the Report period window, specify the time interval for which data is to be displayed in the report.
  7. In the Report created window, do one of the following:
    • Click the Save and run button to start generating the report.
    • Click the Save button to save the report template.

The created report template will be displayed in the workspace.

To view the report on the virtual machines on which the System Integrity Monitoring rules were triggered the maximum number of times in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.

    A list of report templates opens.

  3. Select the check box next to the name of the report template of the Top 10 devices with most frequently triggered File Operations Monitoring / System Integrity Monitoring rules type.
  4. Click the View report button.

The report window opens.

The report has two tabs:

  • The Summary tab contains information on the protected virtual machines on which System Integrity Monitoring rules were triggered the maximum number of times:
    • Name of the protected virtual machine on which System Integrity Monitoring rules were triggered.
    • Number of times System Integrity Monitoring rules were triggered on the protected virtual machine.
    • Number of System Integrity Monitoring rules that were triggered on the protected virtual machine.
  • The Details tab contains information about each rule triggering event.

You can customize the displayed columns in the tables on the report tabs. For details on how to add or remove columns in the report tables, please refer to the Kaspersky Security Center help.


Viewing a report on the most frequently triggered System Integrity Monitoring rules

Report on the most frequently triggered System Integrity Monitoring rules in the Administration Console

To view the report on the most frequently triggered System Integrity Monitoring rules in the Administration Console:

  1. Open Kaspersky Security Center Administration Console.
  2. In the workspace of the Administration Server <Server name> node, go to the Reports tab.
  3. Click the New report template button to start the New Report Template Wizard.
  4. Follow the wizard instructions.
  5. In the Selecting the report template type window, in the Other section, select the Top 10 File Operations Monitoring/System Integrity Monitoring rules triggered on the devices type.
  6. After creating a report template, select it in the list of templates on the Reports tab.

The report will be displayed in the workspace.

The Period field shows the reporting period covered by the report. By default, the report is generated for the last 30 days, which includes the report generation date.

The report consists of two tables:

  • The summary table contains information about the System Integrity Monitoring rules that were most frequently triggered on devices during the reporting period.
  • The detailed table contains information on each instance of a triggered rule.

You can customize the display of columns for each table. For details on how to add or remove columns in the report tables, please refer to the Kaspersky Security Center help.

The summary table contains the following information:

  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Number of events – number of times the System Integrity Monitoring rule was triggered on protected virtual machines.
  • Number of devices – number of protected virtual machines on which the System Integrity Monitoring rule was triggered.

    The row below displays the following summary information:

    • Number of devices – total number of protected virtual machines on which System Integrity Monitoring rules were triggered.
    • Number of events – total number of times System Integrity Monitoring rules were triggered on protected virtual machines.
    • Event receipt limit reached – information about whether the maximum number of events that Kaspersky Security Center can receive from System Integrity Monitoring components on client devices has been reached. The limit on the number of received events is configured in the Kaspersky Security Center registry and is 15,000 events per day by default. If the number of received events has exceeded the limit, Yes is displayed in the field.

The detailed table contains the following information:

  • Virtual Server – the name of the virtual Administration Server (if available) that manages the protected virtual machine.
  • Group name – the name of the group that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • IP address – IP address of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Last visible – date and time when the protected virtual machine on which the System Integrity Monitoring rule was triggered was last observed on the network by the Administration Server.
  • Last connected to Network Agent – date and time when Network Agent was last synchronized with the Administration Server.
  • Device name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • NetBIOS name – name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain name – name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • DNS name – DNS name of the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Domain DNS name – DNS name of the domain that includes the protected virtual machine on which the System Integrity Monitoring rule was triggered.
  • Importance – importance level of the System Integrity Monitoring event. Possible values: Informational message, Important message, Critical message.
  • Event time – date and time when the event occurred.
  • Name of the triggered rule – name of the System Integrity Monitoring rule that was triggered.
  • Object path – path to the monitored object whose modification was detected by the System Integrity Monitoring component. Depending on the type of control object, the following information is displayed in the column:
    • Path to the file or folder, if the System Integrity Monitoring component detected a change to a file or folder.
    • Registry key, if the System Integrity Monitoring component detected a change in the registry.
    • External device, if the System Integrity Monitoring component detected the connection of an external device.
  • Action – action taken on the monitored object. Possible values: Create, Modify, Delete, Connect.
  • Object type – type of the monitored object whose modification was detected by the System Integrity Monitoring component. Possible values: File or folder, Registry key, External device.
  • System Integrity Monitoring component was disabled – information about whether the System Integrity Monitoring component was disabled when the event occurred. For Kaspersky Security, this field always shows No.
  • User – user account of the protected virtual machine on which the System Integrity Monitoring rule was triggered.

Report on the most frequently triggered System Integrity Monitoring rules in the Web Console

To create a template of a report on the most frequently triggered System Integrity Monitoring rules in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.
  3. Click the Add button above the list of report templates.
  4. In the window that opens, in the Report name field, specify the name of the created report template and in the Report type section in the Other subsection select the Top 10 File Operations Monitoring / System Integrity Monitoring rules most frequently triggered on devices type.
  5. In the Scope window, specify the devices whose information is to be displayed in the report.
  6. In the Report period window, specify the time interval for which data is to be displayed in the report.
  7. In the Report created window, do one of the following:
    • Click the Save and run button to start generating the report.
    • Click the Save button to save the report template.

The created report template will be displayed in the workspace.

To view the report on the most frequently triggered System Integrity Monitoring rules in the Web Console:

  1. Start the Web Console.
  2. In the Monitoring and Reports section, select Reports.

    A list of report templates opens.

  3. Select the check box next to the name of the report template of the Top 10 File Operations Monitoring / System Integrity Monitoring rules most frequently triggered on devices type.
  4. Click the View report button.

The report window opens.

The report has two tabs:

  • The Summary tab contains information about the System Integrity Monitoring rules that were most frequently triggered on the devices during the reporting period:
    • Name of the triggered System Integrity Monitoring rule.
    • Number of times the System Integrity Monitoring rule was triggered on protected virtual machines.
    • Number of protected virtual machines on which the System Integrity Monitoring rule was triggered.
  • The Details tab contains information about each rule triggering event.

You can customize the displayed columns in the tables on the report tabs. For details on how to add or remove columns in the report tables, please refer to the Kaspersky Security Center help.
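Both reports above derive their summary table from the same detailed-table rows (one row per triggered rule), and the Critical/Important importance levels feed the Critical/Warning device status described at the start of this section. The following added example (not Kaspersky code, and not a parser for the product's export format) rebuilds the summary table of each report, the shared totals row, and the resulting device status from a constructed set of detailed-table rows whose column names follow the ones listed above; the per-day check of the 15,000-event limit is an approximation of how Kaspersky Security Center applies its receipt limit.

```python
from collections import Counter, defaultdict

# Constructed sample rows of the report's detailed table (not real product
# output); column names follow those documented for the detailed table.
COLUMNS = ("Device name", "Name of the triggered rule", "Action",
           "Object type", "Object path", "Importance", "Event time")
RAW = [
    ("vm-web-01", "System files", "Modify", "File or folder",
     r"C:\Windows\System32\drivers\etc\hosts", "Critical message", "2024-05-01 09:12:03"),
    ("vm-web-01", "Autorun keys", "Create", "Registry key",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Important message", "2024-05-01 09:15:40"),
    ("vm-web-01", "System files", "Delete", "File or folder",
     r"C:\Windows\System32\drivers\example.sys", "Critical message", "2024-05-02 02:41:11"),
    ("vm-db-01", "Autorun keys", "Modify", "Registry key",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Important message", "2024-05-01 11:05:27"),
    ("vm-db-01", "External devices", "Connect", "External device",
     "USB Mass Storage Device", "Informational message", "2024-05-01 14:30:00"),
    ("vm-app-02", "Autorun keys", "Create", "Registry key",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Important message", "2024-05-01 16:22:48"),
]
SAMPLE_ROWS = [dict(zip(COLUMNS, r)) for r in RAW]


def _group_count(rows, key, other):
    """Events per `key` value, plus how many distinct `other` values occurred with it."""
    events = Counter(r[key] for r in rows)
    distinct = defaultdict(set)
    for r in rows:
        distinct[r[key]].add(r[other])
    return [(k, n, len(distinct[k])) for k, n in events.most_common()]


def top_devices(rows, n=10):
    """Summary table of the 'Top 10 devices' report: (Device name, Number of events, Number of rules)."""
    return _group_count(rows, "Device name", "Name of the triggered rule")[:n]


def top_rules(rows, n=10):
    """Summary table of the 'Top 10 rules' report: (Name of the triggered rule, Number of events, Number of devices)."""
    return _group_count(rows, "Name of the triggered rule", "Device name")[:n]


def summary_row(rows, daily_limit=15000):
    """Totals row shared by both reports; the limit flag counts rows per calendar day
    (an approximation of the per-day receipt limit in Kaspersky Security Center)."""
    per_day = Counter(r["Event time"][:10] for r in rows)
    limit_hit = any(c > daily_limit for c in per_day.values())
    return {"Number of devices": len({r["Device name"] for r in rows}),
            "Number of events": len(rows),
            "Event receipt limit reached": "Yes" if limit_hit else "No"}


# Importance of a System Integrity Monitoring event -> client device status that
# Kaspersky Security Center assigns; Informational events leave the status unchanged.
STATUS_BY_IMPORTANCE = {"Critical message": "Critical", "Important message": "Warning"}
_RANK = {"OK": 0, "Warning": 1, "Critical": 2}


def device_status(rows):
    """Most severe status each device would receive from its System Integrity Monitoring events."""
    status = {}
    for r in rows:
        dev = r["Device name"]
        new = STATUS_BY_IMPORTANCE.get(r["Importance"], "OK")
        if dev not in status or _RANK[new] > _RANK[status[dev]]:
            status[dev] = new
    return status
```

Running `top_devices(SAMPLE_ROWS)` on the constructed rows ranks vm-web-01 first with 3 events across 2 rules, and `device_status(SAMPLE_ROWS)` marks it Critical while the two Important-only devices get Warning.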
