On-Demand System Integrity Check
On-Demand System Integrity Check is a task that you can run manually or on a schedule. When running the Baseline System Integrity Monitor task, the application compares the current state of the objects included in the monitoring scope with their baseline state. A baseline is created when the task is first started.
For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule.
Configuring the monitoring scope for the Baseline System Integrity Monitor task
By default, the monitoring scope of the Baseline System Integrity Monitor task is the same as the monitoring scope of System Integrity Monitoring. You can configure a different monitoring scope for the task.
System Integrity Monitoring does not support the import of HKEY_CURRENT_USER and HKEY_CURRENT_CONFIG keys for the System Integrity Check task. If the monitoring scope of the task contains these keys, the application generates the Monitoring scope includes incorrect objects event.
How to configure a different monitoring scope for the Baseline System Integrity Monitor task in the Kaspersky Security Center Administration Console
- In the Kaspersky Security Center Administration Console tree, select the Tasks folder.
- Select the necessary Baseline System Integrity Monitor task and double-click it to open the task properties.
- In the window that opens, select Settings.
- Configure file monitoring:
  - Select the Monitor files check box on the Files tab.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure registry monitoring:
  - Select the Monitor the registry check box on the Registry tab.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure external device monitoring:
  - Select the Monitor devices check box on the Devices tab.
  - In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  The Baseline System Integrity Monitor task records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the task, the application does not monitor the disconnection of external devices.
- Save your changes.
How to configure a different monitoring scope for the Baseline System Integrity Monitor task in the Kaspersky Security Center Web Console
- In the main window of the Web Console, select Assets (Devices) → Tasks.
- Select the necessary Baseline System Integrity Monitor task and double-click it to open the task properties.
- In the window that opens, select Application settings.
- Configure file monitoring:
  - Select the Monitor files check box.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure registry monitoring:
  - Select the Monitor the registry check box.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure external device monitoring:
  - Select the Monitor devices check box.
  - In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  The Baseline System Integrity Monitor task records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the task, the application does not monitor the disconnection of external devices.
- Save your changes.
How to configure a different monitoring scope for the Baseline System Integrity Monitor task in the Application Console
Properties of the Baseline System Integrity Monitor task are editable in the Kaspersky Embedded Systems Security Console if the task was created locally or if the Allow use of local tasks check box is selected in the Application settings → Run local system tasks section of policy properties.
- In the Kaspersky Embedded Systems Security Console tree, select System Inspection → Baseline System Integrity Monitor.
- In the results pane of the Baseline System Integrity Monitor node, click Properties.
  The Properties: Baseline System Integrity Monitor window opens.
- Configure file monitoring:
  - Select the Monitor files check box on the Files tab.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure registry monitoring:
  - Select the Monitor the registry check box on the Registry tab.
  - Select rules in the list by selecting check boxes.
  - If necessary, add a new rule by clicking the Add button. Baseline System Integrity Monitor rule settings are described in the following table.
  - You can also import rules from another source.
- Configure external device monitoring:
  - Select the Monitor devices check box on the Devices tab.
  - In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  The Baseline System Integrity Monitor task records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the task, the application does not monitor the disconnection of external devices.
- Save your changes.
Settings of a Baseline System Integrity Monitor task rule
Parameter: Monitor file operations for the scope
Description: The scope to which you want to apply File Integrity Monitoring. This field is mandatory.
Use masks: Kaspersky Embedded Systems Security supports environment variables and the * and ? characters when entering a mask:
- The * (asterisk) character takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.

Parameter: Monitored objects
Description: Here you can specify the name or value of a registry key.
Use masks: Kaspersky Embedded Systems Security supports the * and ? characters when entering a mask:

Parameter: Exclusions
Description: On the Exclusions tab, you can add objects that you want to exclude from the monitoring scope:
- For a File Integrity Monitor rule, you can specify a list of folders.
- For a Registry Access Monitoring rule, you can specify registry keys or values.
Use masks:
Files: List of files and folders monitored by the component. Kaspersky Embedded Systems Security supports environment variables and the * and ? characters when entering a mask:
- The * (asterisk) character takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
- Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
- The ? (question mark) character takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
Registry: Kaspersky Embedded Systems Security supports the * and ? characters when entering a mask:
Exclusion entries have a higher priority than monitoring scope entries.

Parameter: Event severity level
Description: Kaspersky Embedded Systems Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.
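The mask rules in the table above, as an added example that is not Kaspersky's code: a small matcher that translates a scope mask into a regular expression with the documented meaning of *, ** and ?, rejects the documented invalid form (a ** with no nesting level before it), and applies the rule that exclusion entries take priority over scope entries. Assumptions: paths are compared case-insensitively, and the invalid form is recognised as a ** placed directly after the drive root.

```python
import re

SEP = r"[\\/]"   # both documented delimiters are treated alike


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate one scope mask into an anchored regex using the documented
    semantics: '*' is any run of characters except \\ and /, '**' is any run
    including delimiters (possibly empty), '?' is one non-delimiter character.
    Assumption: Windows paths are compared case-insensitively."""
    # Assumption: the documented invalid form is a '**' placed directly after
    # the drive root (C:\**\*.txt), i.e. no nesting level precedes it.
    if re.match(r"^[A-Za-z]:[\\/]+\*\*", mask):
        raise ValueError(f"mask must include at least one nesting level: {mask}")
    parts, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")        # any characters, delimiters included
            i += 2
            continue
        c = mask[i]
        if c == "*":
            parts.append("[^\\\\/]*")  # any characters except \ and /
        elif c == "?":
            parts.append("[^\\\\/]")   # exactly one character except \ and /
        elif c in "\\/":
            parts.append(SEP)
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def in_scope(path: str, scope, exclusions=()) -> bool:
    """True if path is monitored: it matches a scope mask and no exclusion mask.
    Exclusion entries have priority over monitoring scope entries."""
    if any(mask_to_regex(m).match(path) for m in exclusions):
        return False
    return any(mask_to_regex(m).match(path) for m in scope)
```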
Running the Baseline System Integrity Monitor task
The Baseline System Integrity Monitor task allows checking files or registry keys for changes and also checking the connection of external devices. To check files for changes, you can run the Baseline System Integrity Monitor task in the following modes:
- Full Scan. In this mode, the application checks all attributes and hashes of files.
- Quick Scan. In this mode, the application checks only attributes of files.
The mode the task runs in does not affect the checking of the registry or external devices.
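As an added example (not Kaspersky's code), a minimal baseline-and-compare routine that shows what the two modes imply: Quick Scan records only file attributes (here size and modification time), while Full Scan also records a content hash with the chosen checksum algorithm. The demo() scenario is constructed: a file is overwritten with same-length content and its timestamp restored, a change that only the hash-based comparison detects.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root: Path, mode: str, algorithm: str = "sha256") -> dict:
    """Record every file under root. 'quick' keeps attributes only
    (size, mtime); 'full' adds a content hash with the chosen algorithm."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        entry = {"size": st.st_size, "mtime_ns": st.st_mtime_ns}
        if mode == "full":
            entry["hash"] = hashlib.new(algorithm, p.read_bytes()).hexdigest()
        baseline[str(p.relative_to(root))] = entry
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added, removed and modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: app.cfg is rewritten with same-length content and
    its mtime restored, so attributes stay identical while the content differs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.cfg").write_bytes(b"debug=0\n")
        (root / "bin").mkdir()
        (root / "bin" / "svc.dat").write_bytes(b"AAAA")
        quick_base, full_base = snapshot(root, "quick"), snapshot(root, "full")
        target = root / "app.cfg"
        st = target.stat()
        target.write_bytes(b"debug=1\n")                       # same size
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore mtime
        (root / "new.txt").write_bytes(b"x")                   # plain addition
        return {"quick": compare(quick_base, snapshot(root, "quick")),
                "full": compare(full_base, snapshot(root, "full"))}
```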
How to run the Baseline System Integrity Monitor task in the Kaspersky Security Center Administration Console
- In the Kaspersky Security Center Administration Console tree, select the Tasks folder.
  The list of tasks opens.
- Click New task.
  The Task Wizard starts. Follow the instructions of the Wizard.
- Select Kaspersky Embedded Systems Security → Baseline System Integrity Monitor. Select a System Integrity Monitoring mode:
  - Full Scan. In this mode, the application checks all attributes and hashes of files.
  - Quick Scan. In this mode, the application checks only attributes of files.
- Select the computers on which the task will be performed. The following options are available:
  - Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
  - Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.
  - Specify the selection of devices for which you want to run the task.
  - Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
- Select an account to run the task. By default, Kaspersky Embedded Systems Security starts the task with the rights of a local user account.
- Configure a schedule for the task, for example, manually or on a certain day of the week.
- Enter the task name.
- Complete the wizard operation. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties.
How to run the Baseline System Integrity Monitor task in the Kaspersky Security Center Web Console
- In the main window of the Web Console, select Assets (Devices) → Tasks.
  The list of tasks opens.
- Click Add.
  The Task Wizard starts.
- Configure the task settings:
  - In the Application drop-down list, select Kaspersky Embedded Systems Security.
  - In the Task type drop-down list, select Baseline System Integrity Monitor.
  - In the Task name field, enter a brief description, for example, Weekly System Integrity Check.
  - In the Devices to which the task will be assigned block, select the task scope.
- Select devices according to the selected task scope option. Go to the next step.
- Select the checksum calculation algorithm.
- Select an account to run the task. By default, Kaspersky Embedded Systems Security starts the task with the rights of a local user account.
- Complete the wizard operation.
  A new task will be displayed in the list of tasks.
- Click the new task.
  The task properties window opens.
- Select the Application settings tab.
- Select a System Integrity Check mode:
  - Full Scan. In this mode, the application checks all attributes and hashes of files.
  - Quick Scan. In this mode, the application checks only attributes of files.
- Save your changes.
- Select the check box next to the task.
- Click Start.