System Integrity Monitoring allows tracking changes in the operating system in real time. You can track changes that may indicate security breaches on the computer. The component allows blocking these changes or merely logging change events.
For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule.
Real-Time System Integrity Monitoring modes
To make sure that System Integrity Monitoring rules do not block any actions with resources that are critical for the functioning of the operating system or other services, we recommend enabling Test mode and analyzing how the component affects the system. With Test mode on, Kaspersky Endpoint Security does not block user activity that is forbidden by the rules, instead generating Warning events.
The Real-Time System Integrity Monitoring component has two modes:
Protect the system against changes by rules
In this mode, System Integrity Monitoring tracks changes in the system and performs an action in accordance with the rules: Allow or Block. System Integrity Monitoring also generates a corresponding event and changes the status of the device in the Kaspersky Security Center console.
Test mode: do not block, log only
In this mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope. If the action with files or the registry is prohibited, the application generates an event: The prohibited operation was allowed in test mode. To analyze how rules affect the system, you can look at reports.
How to enable Real-Time System Integrity Monitoring in the Administration Console
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → System Integrity Monitoring.
Select the System Integrity Monitoring check box.
Under Operating mode, select a mode for Real-Time System Integrity Monitoring:
Block operations according to the rules. In this mode, System Integrity Monitoring blocks actions with files and registry keys from the monitoring scope, and generates a corresponding event.
Statistics only. In this mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope, and generates a corresponding event.
In the Real-Time System Integrity Monitoring block, select the Real-Time System Integrity Monitoring check box.
Configure external device monitoring:
Select the Monitor devices check box.
In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
System Integrity Monitoring records the current connection of external devices. The application begins to monitor connection and disconnection of external devices after the component is enabled in the application settings. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event.
Configure file and registry monitoring:
Select the Monitor files and the registry check box.
Click Settings.
This opens the list of System Integrity Monitoring rules.
You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
How to export or import rules in the Administration Console
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Security Controls → System Integrity Monitoring.
To export or import Real-Time System Integrity Monitoring rules:
In the Real-Time System Integrity Monitoring block, click the Settings button.
To export a list of Real-Time System Integrity Monitoring rules:
Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
Click the Export link.
In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
To import a list of Real-Time System Integrity Monitoring rules:
Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
To export or import System Integrity Check rules:
In the System Integrity Check block, select Custom settings.
Click Settings.
To export the list of System Integrity Check rules:
Select the rules that you want to export. To select multiple rules, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
Click the Export link.
In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
To import a list of System Integrity Check rules:
Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
How to export or import rules in the Web Console
In the main window of the Web Console, select Devices → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → System Integrity Monitoring.
To export or import Real-Time System Integrity Monitoring rules:
In the Real-Time System Integrity Monitoring block, click the Configure button.
To export a list of Real-Time System Integrity Monitoring rules:
Select the rules that you want to export.
Click Export.
Confirm that you want to export only the selected rules, or export the entire list.
Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To import a list of Real-Time System Integrity Monitoring rules:
Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
To export or import System Integrity Check rules:
In the System Integrity Check block, select Custom settings.
Click Configure.
To export the list of System Integrity Check rules:
Select the rules that you want to export.
Click Export.
Confirm that you want to export only the selected rules, or export the entire list.
Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
To import a list of System Integrity Check rules:
Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
Save your changes.
Configure the Real-Time System Integrity Monitoring rule (see the table below).
How to enable Real-Time System Integrity Monitoring in the Web Console
In the main window of the Web Console, select Devices → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Security Controls → System Integrity Monitoring.
Turn on the System Integrity Monitoring toggle.
Under Operating mode, select a mode for Real-Time System Integrity Monitoring:
Protect the system against changes by rules. In this mode, System Integrity Monitoring blocks actions with files and registry keys from the monitoring scope, and generates a corresponding event.
Test mode: do not block, log only. In this mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope, and generates a corresponding event.
In the Real-Time System Integrity Monitoring block, select the Use Real-Time System Integrity Monitoring settings check box.
Configure external device monitoring:
Select the Monitor devices check box.
In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
System Integrity Monitoring records the current connection of external devices. The application begins to monitor connection and disconnection of external devices after the component is enabled in the application settings. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event.
Configure file and registry monitoring:
Select the Monitor files and the registry check box.
Click Configure.
This opens the list of System Integrity Monitoring rules.
Save your changes.
Configure the Real-Time System Integrity Monitoring rule (see the table below).
How to enable Real-Time System Integrity Monitoring in the application interface
In the application settings window, select Security Controls → System Integrity Monitoring.
Turn on the System Integrity Monitoring toggle switch.
Under Operating mode, select a mode for Real-Time System Integrity Monitoring:
Protect the system against changes by rules. In this mode, System Integrity Monitoring blocks actions with files and registry keys from the monitoring scope, and generates a corresponding event.
Test mode: do not block, log only. In this mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope, and generates a corresponding event.
In the Real-Time System Integrity Monitoring block, select the Real-Time System Integrity Monitoring check box.
Configure external device monitoring:
Select the Monitor devices check box.
In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
System Integrity Monitoring records the current connection of external devices. The application begins to monitor connection and disconnection of external devices after the component is enabled in the application settings. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event.
Configure file and registry monitoring:
Select the Monitor files and the registry check box.
Click Set up.
This opens the list of System Integrity Monitoring rules.
Save your changes.
Configure the Real-Time System Integrity Monitoring rule (see the table below).
Save your changes.
Real-Time System Integrity Monitoring rule settings
Parameter
Description
Rule name
Name of the Real-Time System Integrity Monitoring rule
Operations with files and registry
Allow. System Integrity Monitoring allows actions with files and registry keys from the monitoring scope.
Block. System Integrity Monitoring behavior depends on the selected mode. If you selected the System protection mode, System Integrity Monitoring blocks actions with files and registry keys from the monitoring scope, generates a corresponding event, and changes the status of the device in the Kaspersky Security Center console. If you selected the Test mode, System Integrity Monitoring allows actions with files and registry keys from the monitoring scope.
Event severity level
Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.
Monitoring scope
File. List of files and folders monitored by the component. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
Registry. List of registry keys and values monitored by the component. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.
Exclusions
File. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask. For example, C:\Folder\Application\*.log. Exclusion entries have a higher priority than monitoring scope entries.
Use masks:
The * (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders.
Two consecutive * characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder, except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask.
The ? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
Registry. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports the * and ? characters when entering a mask. Exclusion entries have a higher priority than monitoring scope entries.
Trusted users and/or user groups
A trusted user is a user that is allowed to perform actions with files and registry keys in the monitoring scope. If Kaspersky Endpoint Security detects an action performed by a trusted user, System Integrity Monitoring generates an Informational event.
You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases when it is not possible to use domain user accounts.
File operation markers / Monitored operations
Markers characterizing the action with files or registry keys that the application will monitor.
Hashing
Calculating a file hash on modification. Kaspersky Endpoint Security adds information about the hash of the file when an event is generated.
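The rule semantics described in this table (monitoring-scope masks, exclusion priority, trusted users, the Allow and Block actions) and in the operating-mode section above (Protect vs. Test mode) are brought together below in an added worked example; it is not part of the Kaspersky documentation or product. The script translates masks with *, ? and ** into anchored regular expressions, enforces the documented nesting restriction on ** (C:\**\*.txt is rejected), applies exclusions ahead of scope entries, reports trusted-user operations as Informational events, and shows how a Block rule behaves in each mode. The ENV table, the rule, the account names and the sample change events are constructed; the mask-to-regex translation, case-insensitive matching and the event texts are one reading of the documentation, not the product's own implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed environment for %VAR% expansion (the product resolves the endpoint's own variables).
ENV = {"SystemRoot": r"C:\Windows", "ProgramData": r"C:\ProgramData"}
DELIM, NOT_DELIM = r"[\\/]", r"[^\\/]"           # a path delimiter / one non-delimiter character
TOKEN = re.compile(r"\*\*|[*?\\/]|[^*?\\/]+")   # mask tokens: **, *, ?, a delimiter, or literal text
TRANSLATE = {"**": ".*",                         # any characters, delimiters included, possibly none
             "*": NOT_DELIM + "*",               # any run of characters inside one name
             "?": NOT_DELIM,                     # exactly one character inside one name
             "\\": DELIM, "/": DELIM}

def expand_vars(mask: str, env: dict = ENV) -> str:
    """Replace %NAME% with its value; unknown names are left as typed."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), mask)

def validate_mask(mask: str) -> None:
    """'**' needs a folder in front of it: the documentation calls C:\\**\\*.txt invalid."""
    idx = mask.find("**")
    if idx != -1 and len([p for p in re.split(DELIM, mask[:idx]) if p]) < 2:   # element [0] is the drive
        raise ValueError(f"mask {mask!r} needs at least one nesting level before '**'")

def is_valid_mask(mask: str) -> bool:
    try:
        validate_mask(expand_vars(mask))
        return True
    except ValueError:
        return False

def mask_to_regex(mask: str) -> re.Pattern:
    """Anchored regex for a mask. Assumption: matching is case-insensitive, as Windows paths are."""
    mask = expand_vars(mask)
    validate_mask(mask)
    body = "".join(TRANSLATE.get(tok, re.escape(tok)) for tok in TOKEN.findall(mask))
    return re.compile("^" + body + "$", re.IGNORECASE)

def match_mask(mask: str, path: str) -> bool:
    return mask_to_regex(mask).match(path) is not None

@dataclass
class Rule:
    name: str
    action: str                  # "Allow" or "Block"
    severity: str                # "Informational", "Warning" or "Critical"
    scope: list                  # monitored file masks
    exclusions: list = field(default_factory=list)
    trusted_users: set = field(default_factory=set)

@dataclass
class Verdict:
    rule: Optional[str]          # None when the rule does not cover the path
    blocked: bool
    severity: Optional[str]
    event: Optional[str]

def evaluate(rule: Rule, path: str, user: str, mode: str) -> Verdict:
    """mode is 'protect' (block by rules) or 'test' (do not block, log only)."""
    if not any(match_mask(m, path) for m in rule.scope):
        return Verdict(None, False, None, None)        # outside the monitoring scope
    if any(match_mask(m, path) for m in rule.exclusions):
        return Verdict(None, False, None, None)        # exclusions outrank scope entries
    if user in rule.trusted_users:
        return Verdict(rule.name, False, "Informational", f"Operation by trusted user {user}")
    if rule.action == "Allow":
        return Verdict(rule.name, False, rule.severity, "Object modified (allowed by rule)")
    if mode == "protect":
        return Verdict(rule.name, True, rule.severity, "Operation blocked by rule")
    return Verdict(rule.name, False, "Warning", "The prohibited operation was allowed in test mode")

# Constructed rule and change events (path, account that wrote the object).
DRIVER_RULE = Rule(
    name="Kernel drivers and plug-ins", action="Block", severity="Critical",
    scope=[r"%SystemRoot%\System32\drivers\*.sys", r"C:\App\**\*.dll"],
    exclusions=[r"C:\App\Cache\*.dll"], trusted_users={r"CORP\svc-patch"},
)
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\drivers\evil.sys", r"CORP\jdoe"),
    (r"C:\Windows\System32\drivers\evil.sys", r"CORP\svc-patch"),   # trusted user
    (r"C:\App\Plugins\helper.dll", r"CORP\jdoe"),
    (r"C:\App\helper.dll", r"CORP\jdoe"),                          # '**' needs a nested folder
    (r"C:\App\Cache\helper.dll", r"CORP\jdoe"),                    # hit by the exclusion
    (r"C:\Users\jdoe\notes.txt", r"CORP\jdoe"),                    # out of scope
]

def run(mode: str) -> list:
    """Verdict for every sample event under the given operating mode."""
    return [evaluate(DRIVER_RULE, path, user, mode) for path, user in SAMPLE_EVENTS]

if __name__ == "__main__":
    for mode in ("protect", "test"):
        for (path, user), v in zip(SAMPLE_EVENTS, run(mode)):
            print(f"[{mode:7}] {path:40} {user:15} blocked={v.blocked!s:5} {v.severity or '-':13} {v.event or '-'}")
```

Running the script prints one verdict per sample event for each mode. The fourth event illustrates the documented subtlety that C:\App\**\*.dll does not cover files in C:\App itself, and the fifth shows an exclusion removing a path that the scope would otherwise catch. The same matcher is useful before importing a large rule list: feeding it the paths you expect to be protected, and the ones you expect to be excluded, reveals masks that cover more or less than intended while the policy is still in Test mode.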