While the ODFIM task is running, every change to a monitored object is detected by comparing the object's current state with the state recorded earlier in the baseline, using the following criteria: file hash, file modification time, and file size.
The baseline is created during the first run of the ODFIM task on the device. You can create several ODFIM tasks. For each ODFIM task, a separate baseline is created. The task is performed only if the baseline corresponds to the monitoring scope. If the baseline does not match the monitoring scope, Kaspersky Endpoint Security creates a system integrity violation event. The baseline contains paths to monitored objects and their metadata. The baseline may also contain personal data.
The baseline is rebuilt after an ODFIM task has finished. You can rebuild a baseline for the task using the RebuildBaseline setting. Also, a baseline is rebuilt when the settings of a task change, for example, if a new monitoring scope is added. The baseline will be rebuilt during the next task run. You can delete a baseline by deleting the corresponding ODFIM task.
The ODFIM task creates a baseline storage on the device that has the System Integrity Monitoring component installed. By default, the storage for baselines is located in /var/opt/kaspersky/kesl/private/fim.db. Root privileges are required to access a database that contains baselines.
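The following script is an added illustration of the baseline mechanism described above; it is not Kaspersky code and does not read the product's fim.db. It records hash, modification time and size for every regular file in a monitoring scope, refuses to compare when the requested scope differs from the one the baseline was built for (the page's "system integrity violation" case), and otherwise reports which of the three criteria changed per object. The scenario in `demo()` (file names, contents and timestamps) is constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

CRITERIA = ("hash", "mtime", "size")


def _hash_file(path, chunk=65536):
    """SHA-256 of the file contents, read in chunks so large files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(scope):
    """Record the scope and, for each regular file under it, the three criteria."""
    roots = sorted(str(Path(s).resolve()) for s in scope)
    objects = {}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                p = os.path.join(dirpath, name)
                st = os.lstat(p)  # lstat: do not follow symlinks out of the scope
                if not stat.S_ISREG(st.st_mode):
                    continue
                objects[p] = {"hash": _hash_file(p), "mtime": st.st_mtime_ns, "size": st.st_size}
    return {"scope": roots, "objects": objects}


def check_integrity(baseline, scope):
    """Compare the current state of the scope against the baseline.

    If the scope does not match the one the baseline was built for, no
    comparison is made and scope_mismatch is reported instead.
    """
    report = {"scope_mismatch": False, "modified": {}, "added": [], "deleted": []}
    if sorted(str(Path(s).resolve()) for s in scope) != baseline["scope"]:
        report["scope_mismatch"] = True
        return report
    old, new = baseline["objects"], build_baseline(scope)["objects"]
    for p in sorted(set(old) | set(new)):
        if p not in old:
            report["added"].append(p)
        elif p not in new:
            report["deleted"].append(p)
        else:
            changed = [c for c in CRITERIA if old[p][c] != new[p][c]]
            if changed:
                report["modified"][p] = changed
    return report


def demo():
    """Constructed scenario: baseline, then a content change, a touch, an add and a delete."""
    t0 = 1_600_000_000_000_000_000  # fixed mtime in ns so the result does not depend on clock granularity
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n) for n in ("a.conf", "b.conf", "d.conf")}
        for name, data in (("a.conf", b"hello"), ("b.conf", b"world"), ("d.conf", b"gone")):
            with open(paths[name], "wb") as f:
                f.write(data)
            os.utime(paths[name], ns=(t0, t0))
        baseline = build_baseline([tmp])

        with open(paths["a.conf"], "wb") as f:  # same size, different content
            f.write(b"jello")
        os.utime(paths["a.conf"], ns=(t0 + 10**9, t0 + 10**9))
        os.utime(paths["b.conf"], ns=(t0 + 10**9, t0 + 10**9))  # metadata-only touch
        with open(os.path.join(tmp, "c.conf"), "wb") as f:  # new object in scope
            f.write(b"new")
        os.remove(paths["d.conf"])

        rep = check_integrity(baseline, [tmp])
        other = check_integrity(baseline, [os.path.join(tmp, "other")])
        return {
            "scope_mismatch": rep["scope_mismatch"],
            "modified": {os.path.basename(p): c for p, c in rep["modified"].items()},
            "added": [os.path.basename(p) for p in rep["added"]],
            "deleted": [os.path.basename(p) for p in rep["deleted"]],
            "other_scope_rejected": other["scope_mismatch"],
        }


if __name__ == "__main__":
    print(demo())
```

Note that the touch of b.conf is reported as a modification even though its contents are unchanged: modification time is one of the three criteria, so a defender triaging such an event should look at the hash entry to tell metadata-only changes from content changes. Comparing all three also catches an attacker-style replacement that preserves size and restores the original timestamp, since the hash still differs.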