Creating and configuring a file operations monitoring rule

To create and configure a file operations monitoring rule using the Administration Plug-in:

Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
Select the administration group for which you want to configure application settings.
Perform one of the following actions in the details pane of the selected administration group:
- To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
- To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
Do one of the following:
- If you are creating a file operations monitoring rule in a policy, in the System inspection section in the File Integrity Monitor block, click the Settings button.
  The File Integrity Monitor window opens on the File operations monitoring settings tab.
- If you are creating a file operations monitor rule for a local task, in the Properties: File Integrity Monitor window, go to the Settings section.
In the Monitoring scope block, click the Add button.
The File operations monitoring rule window appears.
Add a file operations monitoring scope in one of the following ways:
- If you want to select a folder or drive through the standard Microsoft Windows dialog:
  1. Click the Browse button.
    The standard Microsoft Windows Browse for folder window appears.
  2. Select the folder whose file operations you want to monitor.
  3. Click the OK button.
- If you want to specify a monitoring scope manually, add a path using a supported mask:
  - <*.ext> — all files with the extension <ext>, regardless of their location
  - <*\name.ext> — all files with name <name> and extension <ext>, regardless of their location
  - <\dir\*> — all files in folder <\dir>
  - <\dir\*\name.ext> — all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders
When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Embedded Systems Security for Windows will not add the specified monitoring scope.
If necessary, specify trusted users:
1. On the Trusted users tab, in the context menu of the Add button, select the method for adding trusted users.
  The User or user group selection window opens.
2. Select the users or groups of users for whom file operations are allowed in the selected monitoring scope.
3. Click the OK button.
By default, Kaspersky Embedded Systems Security for Windows treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.
On the File operation markers tab, if necessary, specify the file operation markers that you want to monitor:
1. Select the Detect file operations based on the following markers option.
2. In the list of available file operations select the check boxes next to the operations you want to monitor.
By default, Kaspersky Embedded Systems Security for Windows detects all file operation markers. The Detect file operations based on all recognizable markers option is selected.
If you want the application to block all file operations for the selected scope, select the Detect and block all file operations in the selected area check box.
If you want the application to calculate the checksum of a file after it has been modified:
1. Select the Calculate checksum for the file if possible. The checksum will be available for viewing in the task report check box.
  If the check box is selected, Kaspersky Embedded Systems Security for Windows calculates the checksum of the modified file, if a file operation with at least one selected marker was detected.
  
  If the file operation is detected by several markers, Kaspersky Embedded Systems Security for Windows calculates only the checksum of the final file after all modifications.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows does not calculate the checksum of modified files.
  
  No checksum calculation is performed in the following cases:
  - If the file has become unavailable (for example, due to a change of access permissions).
  - If the file operation was detected in a file that was subsequently removed.
  By default, the check box is cleared.
2. In the Checksum type drop down list, select one of the options:
  - MD5 hash
  - SHA256 hash.
If necessary, add folders or drives to be excluded from the selected file operations monitoring scope:
1. On the Exclusions tab, select the Exclude the following folders from control check box.
  The check box disables use of exclusions for folders where file operations do not need to be monitored.
  
  If the check box is selected, Kaspersky Embedded Systems Security for Windows skips the monitoring scopes specified in the exclusions list when the File Integrity Monitor task is run.
  
  If the check box is cleared, Kaspersky Embedded Systems Security for Windows logs events for all specified monitoring scopes.
  
  By default, the check box is cleared and the exclusion list is empty.
2. Click the Add button.
  The Exclusion from the controlled scope window opens.
3. Click the Browse button.
  The standard Microsoft Windows Browse for folder window appears.
4. Select a folder or drive.
5. Click the OK button.
The specified folder or drive will be displayed in the list of exclusions on the Exclusions tab.

You can also add file operations monitoring scope exclusions manually using the same masks that are used to specify file operations monitoring scopes.
Click the File operations monitoring rule button in the OK window.

The configured file operations monitoring rule is displayed in the File Integrity Monitor window / Properties: File Integrity Monitor in the Monitoring scope block.