On-access System Integrity Monitoring (OAFIM)

While the OAFIM task is running, each object change is detected by intercepting file operations in real time. When an object changes, Kaspersky Endpoint Security sends an event to the Kaspersky Security Center administration server. A file checksum is not calculated during the task run. The OAFIM task does not monitor changes to files (attributes and content) with hard links that are located outside the monitoring scope.

Kaspersky Endpoint Security monitors file operations on specific files or in scopes specified in the parameters of the task.

Monitoring scopes

Monitoring scopes for System Integrity Monitoring tasks must always be specified. The administrator can change scanning and monitoring scopes in real-time mode. If no monitoring scope is specified, task settings cannot be saved in the configuration file. When a monitoring scope or exclusion scope is added, the application does not check whether the specified directory exists.

You can specify several monitoring scopes.

Monitoring exclusion scopes

You can create exclusions for the monitoring scope. Exclusions are specified for individual scopes, and work only for the indicated monitoring scope. You can specify several exclusion scopes.

Exclusions have a higher priority than the monitoring scope and are not monitored by a task, even if a specific directory or file is in the monitoring scope. If the settings for one of the rules specify a monitoring scope that is at a lower level than a directory specified in exclusions, the monitoring scope is not considered when the task is run.

To specify exclusions, you can use the same command line shell masks that are used to specify monitoring scopes.
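The precedence rules above can be modeled to audit a planned set of rules for paths that end up unmonitored. The following is an added example, not Kaspersky code or the product's configuration format: the rule structure, function names and sample paths are constructed, Python's fnmatch stands in for the shell masks (its `*` also matches `/`), and it assumes that a scope is ignored only when it lies below an exclusion of its own rule.

```python
import fnmatch
from pathlib import PurePosixPath

# Constructed sample rules: each monitoring scope carries its own exclusions.
RULES = [
    {"scope": "/etc", "exclusions": ["/etc/ssl/private", "/etc/*.bak"]},
    # Scope sits below a directory listed in its own exclusions.
    {"scope": "/opt/app/conf", "exclusions": ["/opt/app"]},
    {"scope": "/etc/ssl", "exclusions": []},
]


def _under(path, mask):
    """True if the path, or any of its parent directories, matches the mask."""
    p = PurePosixPath(path)
    return any(fnmatch.fnmatchcase(str(c), mask) for c in [p, *p.parents])


def dead_rules(rules):
    """Rules whose scope lies below one of their own exclusions (assumption:
    such a scope is the one the task does not consider)."""
    return [r for r in rules
            if any(_under(r["scope"], e) for e in r["exclusions"])]


def is_monitored(path, rules):
    """A path is monitored if some live rule covers it without excluding it.
    Exclusions apply only to the rule they belong to."""
    dead = dead_rules(rules)
    for rule in rules:
        if rule in dead or not _under(path, rule["scope"]):
            continue
        if not any(_under(path, e) for e in rule["exclusions"]):
            return True
    return False


if __name__ == "__main__":
    for r in dead_rules(RULES):
        print("scope never monitored:", r["scope"])
    for p in ["/etc/passwd", "/etc/fstab.bak",
              "/etc/ssl/private/key.pem", "/opt/app/conf/app.ini"]:
        print(p, "->", "monitored" if is_monitored(p, RULES) else "NOT monitored")
```

In the sample, /etc/ssl/private/key.pem is excluded from the /etc scope but still covered by the separate /etc/ssl scope, while everything under /opt/app/conf goes unmonitored.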

Monitored parameters

Changes to the following parameters are monitored during the System Integrity Monitoring task run:

The technical limitations of the Linux operating system prevent the System Integrity Monitoring component from detecting which administrator or process has made a change to a file.
