Configuring monitoring rules

To add a monitoring scope:

1. In the Application Console tree, expand the System Inspection node.
2. Select the File Integrity Monitor child node.
3. Click the File operations monitoring rules link in the results pane of the File Integrity Monitor node.

   The File operations monitoring window opens.

4. Add a monitoring scope in one of the following ways:
   • If you want to select folders through the standard Microsoft Windows dialog:
     1. On the left side of the window, click the Browse button.

        The standard Microsoft Windows Browse for folder window appears.

     2. In the Browse for folder window, select the folder for which you want to monitor operations, and click the OK button.
     3. Click the Add button to have Kaspersky Embedded Systems Security start monitoring file operations in the indicated monitoring scope.
   • If you want to specify a monitoring scope manually, add a path using a supported mask:
     • <*.ext> — all files with the extension <ext>, regardless of their location
     • <*\name.ext> — all files with name <name> and extension <ext>, regardless of their location
     • <\dir\*> — all files in folder <\dir>
     • <\dir\*\name.ext> — all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders

   When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Embedded Systems Security will not add the specified monitoring scope.

   On the right side of the window, the Rule description tab displays the trusted users and file operation markers selected for this monitoring scope.

5. In the list of added monitoring scopes, select the scope settings that you want to configure.
6. Select the Trusted users tab.
7. Click the Add button.

   The standard Microsoft Windows Select Users or Groups window appears.

8. Select the users or groups of users that Kaspersky Embedded Systems Security will consider trusted for the selected monitoring scope.
9. Click OK.

   By default, Kaspersky Embedded Systems Security treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

10. Select the Set file operations markers tab.
11. If required, perform the following actions to select several markers:
    1. Select the Detect file operations based on the following markers option.
    2. In the list of available file operations select the check boxes next to the operations you want to monitor.

    By default, Kaspersky Embedded Systems Security detects all file operation markers, i.e. the Detect file operations based on all recognizable markers option is selected.

12. If you want to block all file operations for the selected area, select the Detect and block the selected file operations check box.
13. If you want Kaspersky Embedded Systems Security to calculate a file checksum after an operation is performed, do the following:
    1. In the Checksum calculation section, select the Calculate checksum for a file final version, after the file was changed, if possible. The checksum will be available for viewing in the task log check box.
       

       If the check box is selected, Kaspersky Embedded Systems Security calculates the checksum of the modified file, if a file operation with at least one selected marker was detected.

       If the file operation is detected by several markers, Kaspersky Embedded Systems Security calculates only the checksum of the final file after all modifications.

       If the check box is cleared, Kaspersky Embedded Systems Security does not calculate the checksum of modified files.

       No checksum calculation is performed in the following cases:

       • If the file has become unavailable (for example, due to a change of access permissions).
       • If the file operation was detected in a file that was subsequently removed.

       The check box is cleared by default.

    2. In the Calculate the checksum using the algorithm drop down list select one of the options:
       • MD5 hash.
       • SHA256 hash.
14. Add excluded monitoring scopes as applicable:
    1. Select the Set exclusions tab.
    2. Select the Consider excluded monitoring scope check box.
       

       The check box disables use of exclusions for folders where file operations do not need to be monitored.

       If the check box is selected, Kaspersky Embedded Systems Security skips the monitoring scopes specified in the exclusions list when the File Integrity Monitor task is run.

       If the check box is cleared, Kaspersky Embedded Systems Security logs events for all specified monitoring scopes.

       By default, the check box is cleared and the exclusion list is empty.

    3. Click the Browse button.

       The standard Microsoft Windows Browse for folder window appears.

    4. In the Browse for folder window, specify the folder that you want to exclude from the monitoring scope.
    5. Click OK.
    6. Click the Add button.

       The specified folder is added to the list of excluded scopes.

       You can also add excluded monitoring scopes manually using the same masks that are used to specify monitoring scopes.

15. Click the Save button to apply the new rule configuration.

The specified rule settings are immediately applied to the defined monitoring scope of the File Integrity Monitor task.

Page top