On-demand System Integrity Monitoring (ODFIM)

While an ODFIM task is running, changes to each monitored object are detected by comparing the object's current state with its original state, which was previously recorded as a baseline.

You can create several ODFIM tasks.

Baseline

The baseline is established during the first run of the ODFIM task on the computer. For each ODFIM task, a separate baseline is created. The task is performed only if the baseline corresponds to the monitoring scope. If the baseline does not match the monitoring scope, Kaspersky Endpoint Security generates an event about system integrity violation. The baseline contains paths to monitored objects and their metadata. The baseline may also contain personal data.

You can rebuild a baseline for a task using the corresponding parameter. The baseline is rebuilt after an ODFIM task has finished.

Also, a baseline is rebuilt when the parameters of a task change, for example, if a new monitoring scope is added. The baseline will be rebuilt during the next task run.
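The baseline behavior described in this section, sketched as an added example (this is not Kaspersky Endpoint Security code): each task gets its own baseline on its first run, a baseline that does not match the monitoring scope produces a violation event instead of a comparison, and a requested rebuild is applied only after the run has finished. The in-memory store, the function and event names, and the recorded metadata (size, mode, SHA-256) are assumptions, and the automatic rebuild on a parameter change is not modeled.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(scope):
    """Record path -> metadata for every regular file under the scope directories."""
    state = {}
    for root in scope:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):   # skip symlinks, sockets, devices
                    continue
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                state[path] = (st.st_size, st.st_mode, digest)  # assumed metadata set
    return state

def run_task(store, task_id, scope, rebuild=False):
    """One run of a hypothetical on-demand task; returns a sorted list of events."""
    scope = sorted(os.path.abspath(p) for p in scope)
    entry = store.get(task_id)
    if entry is None:                       # first run: establish this task's baseline
        store[task_id] = {"scope": scope, "objects": snapshot(scope)}
        return [("baseline_created", task_id)]
    if entry["scope"] != scope:             # baseline does not match the scope: no scan
        return [("integrity_violation", "baseline does not match monitoring scope")]
    current, base = snapshot(scope), entry["objects"]
    events = [("deleted", p) for p in base if p not in current]
    events += [("created", p) for p in current if p not in base]
    events += [("modified", p) for p in current if p in base and current[p] != base[p]]
    if rebuild:                             # rebuild only after the comparison finished
        entry["objects"] = current
    return sorted(events)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:   # constructed sample scope
        target = os.path.join(d, "sshd_config")
        with open(target, "w") as fh:
            fh.write("PermitRootLogin no\n")
        store = {}
        print(run_task(store, "task-1", [d]))
        with open(target, "w") as fh:
            fh.write("PermitRootLogin yes\n")
        print(run_task(store, "task-1", [d]))
```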

The ODFIM task creates storage for baselines on a computer that has the System Integrity Monitoring component installed. By default, the storage for baselines is located in /var/opt/kaspersky/kesl/private/fim.db. Root privileges are required to access the database that contains the baselines.

You can delete a baseline only if you delete the corresponding ODFIM task.
