When the System Integrity Check task is running, changes to each monitored object are detected by comparing the object's current state with its original state. The following comparison criteria can be used:
The initial state of monitored objects is recorded as a baseline. The baseline contains paths to monitored objects and their metadata.
A baseline may also contain personal data.
A system baseline is created when a System Integrity Check task runs on the device for the first time. If you have created multiple System Integrity Check tasks, a separate baseline is created for each. The task is only executed if the baseline contains information about objects that belong to the monitoring scope defined for the task. If the baseline does not match the monitoring scope, Kaspersky Endpoint Security generates a system integrity violation event.
A baseline is rebuilt when task settings change, for example, if a new monitoring scope is added.
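The baseline-and-compare cycle described above, as an added Python example that is not Kaspersky Endpoint Security code and does not read its baseline storage. The recorded fields (SHA-256, size, mode), the event names and the exact-match scope test are assumptions made for illustration.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

def snapshot(path):
    """Metadata kept per object; this field set is an assumption."""
    st = os.lstat(path)
    data = pathlib.Path(path).read_bytes() if stat.S_ISREG(st.st_mode) else b""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}

def scan(scope):
    """Current state of every file under the monitoring scope directories."""
    return {os.path.join(d, f): snapshot(os.path.join(d, f))
            for root in scope for d, _, files in os.walk(root) for f in files}

def build_baseline(scope):
    """First run: record the scope together with each object's original state."""
    return {"scope": sorted(scope), "objects": scan(scope)}

def check(baseline, scope):
    """Compare current state with the baseline; return (event, path) tuples."""
    if baseline["scope"] != sorted(scope):
        # Baseline built for another scope: report a violation, skip comparison.
        return [("scope_mismatch", None)]
    old, new, events = baseline["objects"], scan(scope), []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            events.append(("deleted", path))
        elif path not in old:
            events.append(("added", path))
        elif old[path] != new[path]:
            diff = sorted(k for k in old[path] if old[path][k] != new[path][k])
            events.append(("modified:" + ",".join(diff), path))
    return events

def demo():
    """Constructed sample: a temporary directory stands in for the scope."""
    with tempfile.TemporaryDirectory() as root:
        cfg = pathlib.Path(root, "app.conf")
        cfg.write_text("debug=0\n")
        cfg.chmod(0o644)
        baseline = build_baseline([root])
        cfg.write_text("debug=1\n")  # same size, different content
        cfg.chmod(0o600)
        pathlib.Path(root, "new.bin").write_bytes(b"\x00")
        events = [event for event, _ in check(baseline, [root])]
        return events, check(baseline, [root, "/constructed/other"])
```

The edited file keeps its size, so only the hash and mode comparisons flag it; a size-only criterion would miss this change.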
The application creates a storage for baselines on the protected device. By default, the storage for baselines is located in /var/opt/kaspersky/kesl/private/fim.db. Root privileges are required to access the database that contains baselines.
You can delete a baseline by deleting the appropriate System Integrity Check task.
You can run a system integrity check on demand and configure the scan settings: