Real-Time System Integrity Monitoring

System Integrity Monitoring allows tracking changes in the operating system in real time. You can track changes that may indicate security breaches on the computer. The component allows blocking these changes or merely logging change events.

For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule.

Real-Time System Integrity Monitoring modes

To make sure that System Integrity Monitoring rules do not block any actions with resources that are critical for the functioning of the operating system or other services, we recommend enabling Test mode and analyzing how the component affects the system. With Test mode on, Kaspersky Endpoint Security does not block user activity that is forbidden by the rules; instead, it generates Warning events.

The Real-Time System Integrity Monitoring component has two modes: System protection mode and Test mode.

Enabling Real-Time System Integrity Monitoring

How to enable Real-Time System Integrity Monitoring in the Administration Console (MMC)

How to enable Real-Time System Integrity Monitoring in the Web Console

How to enable Real-Time System Integrity Monitoring in the interface of the application

Real-Time System Integrity Monitoring rule settings

Parameter

Description

Rule name

Name of the Real-Time System Integrity Monitoring rule

Operations with files and registry

  • Allow. System Integrity Monitoring allows actions with files and registry keys from the monitoring scope.
  • Block. System Integrity Monitoring behavior depends on the selected mode. If you selected the System protection mode, System Integrity Monitoring blocks actions with files and registry keys from the monitoring scope, generates a corresponding event, and changes the status of the device in the Kaspersky Security Center console. If you selected the Test mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope.

Event severity level

Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.

Monitoring scope

  • File. List of files and folders monitored by the component. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.

    Use masks:

    • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
    • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
    • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
  • Registry. List of registry keys and values monitored by the component. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.

Exclusions

  • File. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. For example, C:\Folder\Application\*.log. Exclusion entries have a higher priority than monitoring scope entries.

    Use masks:

    • The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
    • Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
    • The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
  • Registry. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports the * and ? characters when entering a mask. Exclusion entries have a higher priority than monitoring scope entries.
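As an added illustration (not code from the Kaspersky help page), the following Python matcher implements the mask rules above for file paths (*, **, ?, and %VAR% environment variables) together with the rule that exclusion entries take priority over monitoring-scope entries. The validity check for ** (a named folder must precede it, so C:\**\*.txt is rejected), case-insensitive matching, and the sample scope and exclusion lists are this example's own assumptions.

```python
import re

SEP = r"[\\/]"        # Windows accepts either separator in a path
NOT_SEP = r"[^\\/]"   # * and ? never cross a folder boundary

def expand_env(mask, env):
    """Expand %VAR% references from a supplied mapping (constructed, not the live environment)."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1), m.group(0)), mask)

def mask_to_regex(mask, env=None):
    r"""Translate a mask into an anchored, case-insensitive regex.
    *  -> any run of characters except \ and /
    ** -> any run of characters, separators included, possibly empty
    ?  -> exactly one character that is not \ or /
    A ** directly under the drive root (C:\**\*.txt) is rejected: this is the
    example's reading of the 'at least one nesting level' rule."""
    mask = expand_env(mask, env or {})
    parts = re.split(SEP, mask)
    if "**" in parts and parts.index("**") < 2:
        raise ValueError("** needs a named folder before it: " + mask)
    out, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):
            out.append(".*"); i += 2
        elif mask[i] == "*":
            out.append(NOT_SEP + "*"); i += 1
        elif mask[i] == "?":
            out.append(NOT_SEP); i += 1
        elif mask[i] in "\\/":
            out.append(SEP); i += 1
        else:
            out.append(re.escape(mask[i])); i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def is_valid_mask(mask, env=None):
    try:
        mask_to_regex(mask, env)
        return True
    except ValueError:
        return False

def in_monitoring_scope(path, scope_masks, exclusion_masks, env=None):
    """Exclusion entries have higher priority than monitoring-scope entries."""
    if any(mask_to_regex(m, env).match(path) for m in exclusion_masks):
        return False
    return any(mask_to_regex(m, env).match(path) for m in scope_masks)

# Constructed rule for the demonstration (not taken from the page):
SCOPE = [r"C:\Folder\**\*.txt", r"%SystemRoot%\System32\drivers\**\*.sys"]
EXCLUSIONS = [r"C:\Folder\Application\*.log", r"C:\Folder\Application\temp\*.txt"]
ENV = {"SystemRoot": r"C:\Windows"}
```

Note that with these rules C:\Folder\notes.txt is outside the scope (the ** mask excludes the Folder itself), while C:\Folder\Application\temp\x.txt is inside the scope but dropped by the exclusion.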

Trusted users and / or user groups

A trusted user is a user that is allowed to perform actions with files and registry keys in the monitoring scope. If Kaspersky Endpoint Security detects an action performed by a trusted user, System Integrity Monitoring generates an Informational event.

You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.

File operation markers / Monitored operations

Markers characterizing the action with files or registry keys that the application will monitor.

Hashing

Calculating a file hash on modification. Kaspersky Endpoint Security adds information about the hash of the file when an event is generated.
