Creating and editing an Integrity Monitoring rule

You can create an integrity monitoring rule by creating a monitoring scope and/or a list of exclusions from the monitoring scope for files and folders, registry keys and values. After creating or importing an integrity monitoring rule, you can change the rule settings if necessary.

To create or edit an integrity monitoring rule through Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
  5. In the Light Agent for Windows policy properties window, select the Integrity Monitoring section in the list on the left.
  6. Click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
    • In the Integrity Monitoring scope section if you want to configure a Real-Time Integrity Monitoring rule.
    • In the Integrity Check scope section if you want to configure a rule for the integrity check task and baseline update task.

    The Integrity Monitoring rules window opens.

  7. Do one of the following:
    • If you want to create an integrity monitoring rule, click the Add button located above the list of rules.
    • If you want to edit an integrity monitoring rule, select it in the list and click the Edit button.

    The Integrity Monitoring rule window opens.

  8. Enter the rule name and select the importance level for events generated by Integrity Monitoring when it applies this rule. By default, an Informational event is generated.
  9. Configure the integrity monitoring scope of files and folders on the Files tab.

    To add a file or folder whose modifications will be monitored by Kaspersky Security:

    1. Click the Add button located above the Monitoring scope field on the Files tab.

      The File or folder window opens.

    2. Enter the absolute path to the folder or mask of the path to the folder whose modifications need to be monitored.

      When entering a path mask, you can use the following characters in any part of the path:

      • The * character can represent any characters except \ / : ? " < > | *. In addition:
        • If the * character is used to designate the name of an entire component of a path (for example, to designate a folder name: /*/), it can represent one or more characters.
        • If the * character is used to designate part of the name of a path component (for example, to designate part of a folder name: /abc*/), it can represent zero or more characters.
      • The ? character can replace any single character.

      You can use environment variables when entering a folder path. You must type the % character before and after the name of the environment variable.

    3. If you need to monitor changes to files in a specified folder, enter a file name or file mask in the File name or file mask field.

      When entering a mask, you can use the following characters:

      • * represents zero or more characters. It can represent any characters except \ / : ? " < > | *.
      • ? represents any one character.

      If you want to monitor changes made to the specified files in nested folders as well, select the Include files in subfolders check box.

    4. Click OK in the File or folder window.

    The path to the file or folder is displayed in the list of paths in the Monitoring scope field.

    Kaspersky Security monitors changes made to files and folders only on those drives that are connected when Real-Time Integrity Monitoring starts running, which means when a policy is applied or when Real-Time Integrity Monitoring is enabled. If a drive is powered off when Real-Time Integrity Monitoring starts running, modifications made to files and folders on that drive are not monitored even if those files and folders have been added to the monitoring scope.

    You can perform keyword searches in the list, and remove files and folders from the list by using the Delete button.

  10. If necessary, you can similarly configure the list of paths to files and/or folders that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to files and folders that are added to the list of paths in the Exclusions field.

    To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Files tab.

  11. Configure the integrity monitoring scope of registry keys and values on the Registry tab.

    To add a registry key or key parameter whose modifications will be monitored by Kaspersky Security:

    1. Click the Add button located above the Monitoring scope field on the Registry tab.

      The Registry key window opens.

    2. Enter the name of the registry key whose modifications must be monitored.

      The HKEY_CURRENT_USER key is not supported. You can specify a path to a registry key through HKEY_USERS as follows: HKEY_USERS\<user profile ID>\<key>.

    3. If you want Kaspersky Security to also monitor nested keys, select the Including nested keys check box.
    4. If you need to monitor changes to a parameter of the specified key, enter the name or mask of the parameter in the Name or mask of the key parameter field.

      When entering a mask, you can use the wildcards * (any sequence of characters) and ? (any single character).

    5. In the Registry key window, click OK.

    The name of the key and key parameter (if it was specified) is displayed in the list of keys and registry values in the Monitoring scope field.

    You can perform a keyword search in the list, and remove keys from the list using the Delete button.

  12. If necessary, you can similarly configure the list of keys and registry values that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to keys and registry values that are added to the list in the Exclusions field.

    To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Registry tab.

  13. In the Integrity Monitoring rule window, click OK.

    The rule is displayed in the list of rules in the Integrity Monitoring rules window.

  14. In the Integrity Monitoring rules window, click OK.
  15. Click the Apply button.
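The path and file-name mask rules from step 9 (a whole-component * matches one or more characters, a partial * zero or more, ? exactly one, neither crossing a separator, %NAME% expanded from the environment) can be checked against concrete paths before a rule is saved. The following matcher is an added example and not part of Kaspersky Security or this documentation; it assumes Windows paths compare case-insensitively and takes a constructed environment dictionary instead of the real one.

```python
import re

# Characters that '*' and '?' may never stand for, per the Files tab mask rules.
_CH = r'[^\\/:?"<>|*]'

def expand_env(mask, env):
    """Replace each %NAME% with env[NAME]; unknown names are left untouched.
    A constructed env dict is passed in instead of os.environ for reproducibility."""
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1), m.group(0)), mask)

def file_mask_to_regex(mask):
    """Translate a file name mask: '*' is zero or more characters, '?' exactly one."""
    return ''.join(_CH + '*' if c == '*' else _CH if c == '?' else re.escape(c)
                   for c in mask)

def folder_mask_to_regex(mask, env):
    """Translate a folder path mask into a regex fragment.
    A component that is exactly '*' (e.g. \\*\\) matches one or more characters;
    a '*' that is only part of a component (e.g. \\abc*\\) matches zero or more;
    '?' matches exactly one. Neither wildcard can cross a path separator."""
    parts = re.split(r'[\\/]', expand_env(mask, env).rstrip('\\/'))
    out = []
    for part in parts:
        if part == '*':
            out.append(_CH + '+')          # whole component: one or more
        else:
            out.append(file_mask_to_regex(part))  # partial '*': zero or more
    return r'[\\/]'.join(out)

def in_scope(path, folder_mask, file_mask='*', subfolders=False, env=None):
    """Return True if `path` is covered by a monitoring-scope entry made of
    folder_mask + file_mask, optionally with 'Include files in subfolders'."""
    folder_re = folder_mask_to_regex(folder_mask, env or {})
    # With subfolders enabled, any number of further path components may sit
    # between the folder and the file name.
    tail = r'(?:[\\/]' + _CH + r'+)*' if subfolders else ''
    pattern = folder_re + tail + r'[\\/]' + file_mask_to_regex(file_mask)
    # Assumption: Windows paths are compared case-insensitively.
    return re.fullmatch(pattern, path, flags=re.IGNORECASE) is not None

if __name__ == '__main__':
    env = {'SystemRoot': r'C:\Windows'}  # constructed sample environment
    print(in_scope(r'C:\Windows\System32\drivers\etc\hosts',
                   r'%SystemRoot%\System32', 'hosts', subfolders=True, env=env))
```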

To create or edit an integrity monitoring rule in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, in the Endpoint control section, select the Integrity Monitoring section.

    In the right part of the window, the Integrity Monitoring component settings are displayed.

  3. Do one of the following:
    • Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the Integrity Monitoring settings section if you want to configure a Real-Time Integrity Monitoring rule.
    • Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the Integrity Monitoring settings section if you want to configure a rule for the integrity check task and baseline update task.

    The Integrity Monitoring rules window opens.

  4. Complete steps 7-14 of the previous instructions.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  5. To save changes, click the Save button.