On-Demand System Integrity Check

On-Demand System Integrity Check is a task that you can run manually or on a schedule. When running the System Integrity Check task, the application compares the current state of the objects included in the monitoring scope with their baseline state. In contrast to Real-Time System Integrity Monitoring, the System Integrity Check task helps limit the number of events and lets you generate an overall report of changes in the operating system.

For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule. You can configure rules to be shared by Real-Time System Integrity Monitoring and the System Integrity Check task or create separate rules for the task. To create a baseline, Kaspersky Endpoint Security applies the monitoring scope from the System Integrity Check task to the Baseline update task.

Creating and updating a baseline

The System Integrity Check task needs a baseline to work. A baseline is a recorded state of objects in the system, which the application uses as reference when comparing to the current state. If the current state of the system is different from the state of the system as recorded in the baseline, Kaspersky Endpoint Security generates the corresponding event. You can create or update a baseline using the Baseline update task.

You can update the baseline in the following modes:

How to create or update a baseline in the Administration Console (MMC)

How to create or update a baseline in the Web Console

Configuring the monitoring scope for the System Integrity Check task

By default, the monitoring scope of the System Integrity Check task is the same as the monitoring scope of Real-Time System Integrity Monitoring. You can configure a different monitoring scope for the task.

How to configure a different monitoring scope for the System Integrity Check task in the Administration Console (MMC)

How to configure a different monitoring scope for the System Integrity Check task in the Web Console

How to configure a different monitoring scope for the System Integrity Check task in the application interface

Settings of a System Integrity Check task rule

Parameter

Description

Rule name

Name of the System Integrity Check task rule.

Event severity level

Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.

Monitoring scope

  • File. List of files and folders monitored by the component. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

    Use masks:

    • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
    • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
    • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
  • Registry. List of registry keys and values monitored by the component. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.

Exclusions

  • File. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. For example, C:\Folder\Application\*.log. Exclusion entries have a higher priority than monitoring scope entries.

    Use masks:

    • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
    • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
    • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
  • Registry. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports the * and ? characters when entering a mask. Exclusion entries have a higher priority than monitoring scope entries.
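To make the mask rules in the Monitoring scope and Exclusions rows concrete, here is an added Python example (not Kaspersky's code and not part of this page) that translates a file mask into a regular expression, rejects a mask with no nesting level before **, and applies the documented rule that exclusion entries take priority over monitoring scope entries. It assumes Windows-style case-insensitive paths, treats ** only as a whole path component, and does not expand environment variables.

```python
import re

DELIM = r"[\\/]"       # a path delimiter: backslash or slash
NOT_DELIM = r"[^\\/]"  # one character that is not a delimiter

def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Translate a monitoring-scope mask into an anchored, compiled regex.
    '*' = any run of non-delimiter characters, '?' = exactly one such
    character, '**' (a whole path component) = any run including delimiters.
    Everything else is literal; environment variables are not expanded."""
    components = re.split(DELIM, mask)
    if "**" in components and components.index("**") < 2:
        # C:\**\*.txt is rejected: ** must sit below at least one named folder.
        raise ValueError(f"mask must include at least one nesting level: {mask}")
    parts, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            parts.append(".*")   # delimiters around ** stay literal, so
            i += 2               # C:\Folder\**\*.txt skips files in Folder itself
        elif mask[i] == "*":
            parts.append(NOT_DELIM + "*")
            i += 1
        elif mask[i] == "?":
            parts.append(NOT_DELIM)
            i += 1
        elif mask[i] in "\\/":
            parts.append(DELIM)
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    # Assumption: Windows paths, so matching is case-insensitive.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def is_valid_mask(mask: str) -> bool:
    try:
        mask_to_regex(mask)
        return True
    except ValueError:
        return False

def matches(mask: str, path: str) -> bool:
    return mask_to_regex(mask).match(path) is not None

def in_scope(path: str, scope_masks, exclusion_masks) -> bool:
    """Exclusion entries take priority over monitoring scope entries."""
    if any(matches(m, path) for m in exclusion_masks):
        return False
    return any(matches(m, path) for m in scope_masks)
```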

Running the System Integrity Check task

The System Integrity Check task lets you check files or registry keys for changes, and also check the connection of external devices. To check files for changes, you can run the System Integrity Check task in the following modes:

The mode the task runs in does not affect the checking of the registry or external devices.

How to run the System Integrity Check task in the Administration Console (MMC)

How to run a System Integrity Check task in the Web Console

For the System Integrity Check task to finish successfully, the monitoring scope of the System Integrity Check task must completely match the baseline. If the monitoring scope is different, the task finishes with an error. To synchronize monitoring scopes, run the Baseline update task with a new monitoring scope.
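The baseline-then-compare cycle and the scope-mismatch error described above, as an added Python model that is not Kaspersky's code: update_baseline plays the role of the Baseline update task and system_integrity_check the role of the on-demand task. It assumes a simplified scope made of folder prefixes rather than masks, constructed in-memory file contents instead of a real file system, and reports created and deleted objects as well as modifications.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Baseline:
    scope: frozenset   # folder prefixes the baseline was recorded for
    objects: dict      # path -> SHA-256 of the object's content

def _in_scope(path, scope):
    # Simplification: prefix match on folders (the product uses masks); Windows paths are case-insensitive.
    return any(path.lower().startswith(folder.lower()) for folder in scope)

def update_baseline(scope, snapshot):
    """Baseline update task: record the content hash of every in-scope object."""
    scope = frozenset(scope)
    objects = {p: hashlib.sha256(data).hexdigest()
               for p, data in snapshot.items() if _in_scope(p, scope)}
    return Baseline(scope, objects)

def scope_matches(baseline, scope):
    """The task only succeeds when its scope equals the baseline's scope."""
    return frozenset(scope) == baseline.scope

def system_integrity_check(baseline, scope, snapshot, severity="Warning"):
    """On-demand check: return (change, path, severity) events, or raise when
    the scope differs from the baseline (re-run the Baseline update task)."""
    if not scope_matches(baseline, scope):
        raise RuntimeError("monitoring scope does not match the baseline")
    current = {p: hashlib.sha256(d).hexdigest()
               for p, d in snapshot.items() if _in_scope(p, scope)}
    events = []
    for path in sorted(set(baseline.objects) | set(current)):
        if path not in current:
            events.append(("deleted", path, severity))
        elif path not in baseline.objects:
            events.append(("created", path, severity))
        elif baseline.objects[path] != current[path]:
            events.append(("modified", path, severity))
    return events

# Constructed sample data (not from a real host): path -> file content.
SCOPE = [r"C:\Windows\System32\drivers\etc"]
BEFORE = {r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n",
          r"C:\Users\alice\notes.txt": b"out of scope\n"}
AFTER = {r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost\n10.0.0.5 intranet\n",
         r"C:\Users\alice\notes.txt": b"changed, but out of scope\n"}

if __name__ == "__main__":
    print(system_integrity_check(update_baseline(SCOPE, BEFORE), SCOPE, AFTER))
```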
