On-Demand System Integrity Check
On-Demand System Integrity Check is a task that you can run manually or on a schedule. When running the System Integrity Check task, the application compares the current state of the objects included in the monitoring scope with their baseline state. In contrast to Real-Time System Integrity Monitoring, the System Integrity Check task helps limit the number of events and lets you generate an overall report of changes in the operating system.
For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule. You can configure rules to be shared by Real-Time System Integrity Monitoring and the System Integrity Check task or create separate rules for the task. To create a baseline, Kaspersky Endpoint Security applies the monitoring scope from the System Integrity Check task to the Baseline update task.
Creating and updating a baseline
The System Integrity Check task needs a baseline to work. A baseline is a recorded state of objects in the system, which the application uses as reference when comparing to the current state. If the current state of the system is different from the state of the system as recorded in the baseline, Kaspersky Endpoint Security generates the corresponding event. You can create or update a baseline using the Baseline update task.
You can update the baseline in the following modes:
How to create or update a baseline in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Tasks.
The list of tasks opens.
- Click New task.
The Task Wizard starts. Follow the instructions of the Wizard.
Step 1. Selecting task type
Select Kaspersky Endpoint Security for Windows (12.7) → Baseline update.
Step 2. Selecting the baseline update mode
Select a baseline update mode:
- Full update. The application updates all objects in the monitoring scope.
- Incremental update. The application detects and updates only modified or new objects.
Step 3. Selecting the devices to which the task will be assigned
Select the computers on which the task will be performed. The following options are available:
- Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
- Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
- Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.
Step 4. Defining the task name
Enter the name of the task, for example Baseline 2024.
Step 5. Completing task creation
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties.
How to create or update a baseline in the Web Console
- In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
- Click Add.
The Task Wizard starts.
- Configure the task settings:
- In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.7).
- In the Task type drop-down list, select Baseline update.
- In the Task name field, enter a brief description, for example, Baseline 2024.
- In the Select devices to which the task will be assigned block, select the task scope.
- Select devices according to the selected task scope option. Go to the next step.
- Select an account to run the task. By default, Kaspersky Endpoint Security starts the task with the rights of a local user account.
- Exit the Wizard.
A new task will be displayed in the list of tasks.
- Click the new task.
The task properties window opens.
- Select the Application settings tab.
- Select a baseline update mode:
- Full update. The application updates all objects in the monitoring scope.
- Incremental update. The application detects and updates only modified or new objects.
- Save your changes.
- Select the check box next to the task.
- Click Start.
Configuring the monitoring scope for the System Integrity Check task
By default, the monitoring scope of the System Integrity Check task is the same as the monitoring scope of Real-Time System Integrity Monitoring. You can configure a different monitoring scope for the task.
How to configure a different monitoring scope for the System Integrity Check task in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → System Integrity Monitoring.
- Select the System Integrity Monitoring check box.
- Under System Integrity Check, select the task configuration mode: Custom settings.
- Configure external device monitoring:
- Select the Monitor devices check box.
- In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
- Configure file and registry monitoring:
- Select the Monitor files and the registry check box.
- Click Settings.
This opens the list of System Integrity Monitoring rules.
- Click Add.
You can also import rules from another source.
You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Settings button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Settings.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
How to export and import a list of System Integrity Check rules in the Web Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Configure button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Configure.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
- Configure the Real-Time System Integrity Monitoring rule (see the table below).
- Save your changes.
How to configure a different monitoring scope for the System Integrity Check task in the Web Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → System Integrity Monitoring.
- Turn on the System Integrity Monitoring toggle.
- Under System Integrity Check, select the task configuration mode: Custom settings.
- Configure external device monitoring:
- Select the Monitor devices check box.
- In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
- Configure file and registry monitoring:
- Select the Monitor files and the registry check box.
- Click Configure.
This opens the list of System Integrity Monitoring rules.
- Click Add.
You can also import rules from another source.
You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Settings button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Settings.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
How to export and import a list of System Integrity Check rules in the Web Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Configure button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Configure.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
- Configure the Real-Time System Integrity Monitoring rule (see the table below).
- Save your changes.
How to configure a different monitoring scope for the System Integrity Check task in the application interface
- In the main application window, click the button.
- In the application settings window, select Security Controls → System Integrity Monitoring.
- Turn on the System Integrity Monitoring toggle switch.
- Under System Integrity Check, select the task configuration mode: Custom settings.
- Configure external device monitoring:
- Select the Monitor devices check box.
- In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational , Warning , Critical .
System Integrity Monitoring records information about connected external devices at the time when the baseline is created. Subsequently, when an external device is connected, the application generates a corresponding event. When running the System Integrity Check task, the application does not monitor the disconnection of external devices.
- Configure file and registry monitoring:
- Select the Monitor files and the registry check box.
- Click Set up.
This opens the list of System Integrity Monitoring rules.
- Click Add.
You can also import rules from another source.
You can export the list of System Integrity Monitoring rules to an XML file. Then you can modify the file to, for example, add a large number of records of the same type. You can use the export/import function to back up the list of System Integrity Monitoring rules or to migrate the list to a different server.
How to export and import a list of System Integrity Monitoring rules in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Policies.
- Select the necessary policy and double-click to open the policy properties.
- In the policy window, select Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Settings button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Settings.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export. To select multiple ports, use the CTRL or SHIFT keys.
If you did not select any rule, Kaspersky Endpoint Security will export all rules.
- Click the Export link.
- In the window that opens, specify the name of the XML file to which you want to export the list of rules, and select the folder in which you want to save this file.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to the XML file.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
How to export and import a list of System Integrity Check rules in the Web Console
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
- Select the Application settings tab.
- Go to Security Controls → System Integrity Monitoring.
- To export or import Real-Time System Integrity Monitoring rules:
- In the Real-Time System Integrity Monitoring block, click the Configure button.
- To export a list of Real-Time System Integrity Monitoring rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of Real-Time System Integrity Monitoring rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- To export or import System Integrity Check rules:
- In the System Integrity Check block, select Custom settings.
- Click Configure.
- To export the list of System Integrity Check rules:
- Select the rules that you want to export.
- Click Export.
- Confirm that you want to export only the selected rules, or export the entire list.
- Save the file.
Kaspersky Endpoint Security exports the list of rules to an XML file in the default downloads folder.
- To import a list of System Integrity Check rules:
- Click the Import link.
In the window that opens, select the XML file from which you want to import the list of rules.
- Open the file.
If the computer already has a list of rules, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.
- Save your changes.
- Configure the Real-Time System Integrity Monitoring rule (see the table below).
- Save your changes.
Settings of a System Integrity Check task rule
Parameter
|
Description
|
Rule name
|
Name of the System Integrity Check task rule.
|
Event severity level
|
Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational , Warning , Critical .
|
Monitoring scope
|
- File. List of files and folders monitored by the component. Kaspersky Endpoint Security supports environment variables and the
* and ? characters when entering a mask.Use masks:
- The
* (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders. - Two consecutive
* characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder , except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask. - The
? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
- Registry. List of registry keys and values monitored by the component. Kaspersky Endpoint Security supports the
* and ? characters when entering a mask.
|
Exclusions
|
- File. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports environment variables and the
* and ? characters when entering a mask. For example, C:\Folder\Application\*.log . Exclusion entries have a higher priority than monitoring scope entries.Use masks:
- The
* (asterisk) character, which takes the place of any set of characters, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\*\*.txt will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders. - Two consecutive
* characters take the place of any set of characters (including an empty set) in the file or folder name, including the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\**\*.txt will include all paths to files with the TXT extension located in folders nested within the Folder , except the Folder itself. The mask must include at least one nesting level. The mask C:\**\*.txt is not a valid mask. - The
? (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask C:\Folder\???.txt will include paths to all files residing in the folder named Folder that have the TXT extension and a name consisting of three characters.
- Registry. List of exclusions from the monitoring scope. Kaspersky Endpoint Security supports the
* and ? characters when entering a mask. Exclusion entries have a higher priority than monitoring scope entries.
|
Running the System Integrity Check task
The System Integrity Check task allows checking files or registry keys for changes and also checking the connection of external devices. To check files for changes, you can run the System Integrity Check task in the following modes:
- Quick Scan.
When checking files for changes, the applications checks only file attributes. The application does not check the content of files.
- Full Scan.
When checking files for changes, the applications checks all file attributes and the content of files.
The mode the task runs in does not affect the checking of the registry or external devices.
How to run the System Integrity Check task in the Administration Console (MMC)
- Open the Kaspersky Security Center Administration Console.
- In the console tree, select Tasks.
The list of tasks opens.
- Click New task.
The Task Wizard starts. Follow the instructions of the Wizard.
Step 1. Selecting task type
Select Kaspersky Endpoint Security for Windows (12.7) → System Integrity Check.
Step 2. Selecting the System Integrity Check mode
Select a System Integrity Check mode:
- Quick Scan. The application checks only file attributes. The application does not check the content of files.
- Full Scan. The application checks all attributes of files as well as their content.
Step 3. Selecting the devices to which the task will be assigned
Select the computers on which the task will be performed. The following options are available:
- Assign the task to an administration group. In this case, the task is assigned to computers included in a previously created administration group.
- Select computers detected by the Administration Server in the network: unassigned devices. The specific devices can include devices in administration groups as well as unassigned devices.
- Specify device addresses manually, or import addresses from a list. You can specify NetBIOS names, IP addresses, and IP subnets of devices to which you want to assign the task.
Step 4. Defining the task name
Enter a name for the task, for example, Weekly System Integrity Check.
Step 5. Completing task creation
Exit the Wizard. If necessary, select the Run the task after the wizard finishes check box. You can monitor the progress of the task in the task properties.
How to run a System Integrity Check task in the Web Console
- In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
- Click Add.
The Task Wizard starts.
- Configure the task settings:
- In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.7).
- In the Task type drop-down list, select System Integrity Check.
- In the Task name field, enter a brief description, for example, Weekly System Integrity Check.
- In the Select devices to which the task will be assigned block, select the task scope.
- Select devices according to the selected task scope option. Go to the next step.
- Select an account to run the task. By default, Kaspersky Endpoint Security starts the task with the rights of a local user account.
- Exit the Wizard.
A new task will be displayed in the list of tasks.
- Click the new task.
The task properties window opens.
- Select the Application settings tab.
- Select a System Integrity Check mode:
- Quick Scan. The application checks only file attributes. The application does not check the content of files.
- Full Scan. The application checks all attributes of files as well as their content.
- Save your changes.
- Select the check box next to the task.
- Click Start.
For the System Integrity Check task to finish successfully, the monitoring scope of the System Integrity Check task must completely match the baseline. If the monitoring scope is different, the task finishes with an error. To synchronize monitoring scopes, run the Baseline update task with a new monitoring scope.
Page top