On-Demand System Integrity Check

On-Demand System Integrity Check is a task that you can run manually or on a schedule. When running the System Integrity Check task, the application compares the current state of the objects included in the monitoring scope with their baseline state. In contrast to Real-Time System Integrity Monitoring, the System Integrity Check task helps limit the number of events and lets you generate an overall report of changes in the operating system.

For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule. You can configure rules to be shared by Real-Time System Integrity Monitoring and the System Integrity Check task or create separate rules for the task. To create a baseline, Kaspersky Endpoint Security applies the monitoring scope from the System Integrity Check task to the Baseline update task.

Creating and updating a baseline

The System Integrity Check task needs a baseline to work. A baseline is a recorded state of objects in the system, which the application uses as reference when comparing to the current state. If the current state of the system is different from the state of the system as recorded in the baseline, Kaspersky Endpoint Security generates the corresponding event. You can create or update a baseline using the Baseline update task.

You can update the baseline in the following modes:

Full update.
The application updates all objects in the monitoring scope.
Incremental update.
The application detects and updates only modified or new objects.

How to create or update a baseline in the Administration Console (MMC)

How to create or update a baseline in the Web Console

Configuring the monitoring scope for the System Integrity Check task

By default, the monitoring scope of the System Integrity Check task is the same as the monitoring scope of Real-Time System Integrity Monitoring. You can configure a different monitoring scope for the task.

How to configure a different monitoring scope for the System Integrity Check task in the Administration Console (MMC)

Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → System Integrity Monitoring.
Select the System Integrity Monitoring check box.
Under System Integrity Check, select the task configuration mode: Custom settings.
Configure external device monitoring:
1. Select the Monitor devices check box.
2. In the Event importance level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
Configure file and registry monitoring:
1. Select the Monitor files and the registry check box.
2. Click Settings.
  This opens the list of System Integrity Monitoring rules.
3. Click Add.
  You can also import rules from another source.
  You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
  
  How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Settings button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Settings.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
  How to export and import a list of System Integrity Check rules in the Web Console
  1. In the main window of the Web Console, select Devices → Policies & profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.
    The policy properties window opens.
  3. Select the Application settings tab.
  4. Go to Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Configure button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Configure.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
4. Configure the Real-Time System Integrity Monitoring rule (see the table below).
Save your changes.

How to configure a different monitoring scope for the System Integrity Check task in the Web Console

In the main window of the Web Console, select Devices → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → System Integrity Monitoring.
Turn on the System Integrity Monitoring toggle.
Under System Integrity Check, select the task configuration mode: Custom settings.
Configure external device monitoring:
1. Select the Monitor devices check box.
2. In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
Configure file and registry monitoring:
1. Select the Monitor files and the registry check box.
2. Click Configure.
  This opens the list of System Integrity Monitoring rules.
3. Click Add.
  You can also import rules from another source.
  You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
  
  How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Settings button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Settings.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
  How to export and import a list of System Integrity Check rules in the Web Console
  1. In the main window of the Web Console, select Devices → Policies & profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.
    The policy properties window opens.
  3. Select the Application settings tab.
  4. Go to Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Configure button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Configure.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
4. Configure the Real-Time System Integrity Monitoring rule (see the table below).
Save your changes.

How to configure a different monitoring scope for the System Integrity Check task in the application interface

In the main application window, click the button.
In the application settings window, select Security Controls → System Integrity Monitoring.
Turn on the System Integrity Monitoring toggle switch.
Under System Integrity Check, select the task configuration mode: Custom settings.
Configure external device monitoring:
1. Select the Monitor devices check box.
2. In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
Configure file and registry monitoring:
1. Select the Monitor files and the registry check box.
2. Click Set up.
  This opens the list of System Integrity Monitoring rules.
3. Click Add.
  You can also import rules from another source.
  You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
  
  How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Settings button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Settings.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
    If you did not select any rule, Kaspersky Endpoint Security will export all rules.
    
    Click the Export link.
    In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to the XML file.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
  How to export and import a list of System Integrity Check rules in the Web Console
  1. In the main window of the Web Console, select Devices → Policies & profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.
    The policy properties window opens.
  3. Select the Application settings tab.
  4. Go to Security Controls → System Integrity Monitoring.
  5. To export or import Real-Time System Integrity Monitoring rules:
    In the Real-Time System Integrity Monitoring block, click the Configure button.
    To export a list of Real-Time System Integrity Monitoring rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of Real-Time System Integrity Monitoring rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  6. To export or import System Integrity Check rules:
    In the System Integrity Check block, select Custom settings.
    Click Configure.
    To export the list of System Integrity Check rules:
    Select the rules that you want to export.
    Click Export.
    Confirm that you want to export only the selected rules, or export the entire list.
    Save the file.
    Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
    
    To import a list of System Integrity Check rules:
    Click the Import link.
    In the window that opens, select the XML file from which you want to import the list of rules.
    
    Open the file.
    If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
  7. Save your changes.
4. Configure the Real-Time System Integrity Monitoring rule (see the table below).
Save your changes.

Settings of a System Integrity Check task rule

Parameter	Description
Rule name	Name of the System Integrity Check task rule.
Event severity level	Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational , Warning , Critical .
Monitoring scope	File. List of files and folders monitored by the component. Kaspersky Endpoint Security supports environment variables and the `` and `?` characters when entering a mask. Registry. List of registry keys and values monitored by the component. Kaspersky Endpoint Security supports the `` and `?` characters when entering a mask.
Exclusions	File. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment variables and the `` and `?` characters when entering a mask. For example, `C:\Folder\Application\.log`. Exclusion entries have a higher priority than monitoring scope entries. Registry. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports the `*` and `?` characters when entering a mask. Exclusion entries have a higher priority than monitoring scope entries.

Running the System Integrity Check task

The System Integrity Check task allows checking files or registry keys for changes and also checking the connection of external devices. To check files for changes, you can run the System Integrity Check task in the following modes:

Quick Scan.
When checking files for changes, the applications checks only file attributes. The application does not check the content of files.
Full Scan.
When checking files for changes, the applications checks all file attributes and the content of files.

The mode the task runs in does not affect the checking of the registry or external devices.

How to run the System Integrity Check task in the Administration Console (MMC)

How to run a System Integrity Check task in the Web Console

For the System Integrity Check task to finish successfully, the monitoring scope of the System Integrity Check task must completely match the baseline. If the monitoring scope is different, the task finishes with an error. To synchronize monitoring scopes, run the Baseline update task with a new monitoring scope.

Page top