Creating and editing a System Integrity Monitoring rule
A system integrity monitoring rule consists of a monitoring scope and/or a list of exclusions from that scope, each covering files and folders as well as registry keys and values. After creating or importing a system integrity monitoring rule, you can change the rule settings if necessary.
To create or edit a System Integrity Monitoring rule through Kaspersky Security Center:
Open Kaspersky Security Center Administration Console.
In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
In the workspace, select the Policies tab.
Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking it.
In the policy properties window, select the System Integrity Monitoring section in the list on the left.
In the right part of the window, click the Settings button located on the right of the Monitor files and the registry check box in one of the following sections:
In the System Integrity Monitoring scope section if you want to configure a Real-Time System Integrity Monitoring rule.
In the System Integrity Check scope section if you want to configure a rule for the System Integrity Check task and baseline update task.
In the System Integrity Monitoring rules window that opens, perform one of the following actions:
If you want to create a system integrity monitoring rule, click the Add button located above the list of rules.
If you want to edit a system integrity monitoring rule, select it in the list and click the Edit button.
In the System Integrity Monitoring rule window that opens, enter the rule name and select the importance level for the events generated by System Integrity Monitoring when it applies this rule. By default, an Informational event is generated.
Configure the monitoring scope of files and folders on the Files tab.
To add a file or folder so that Kaspersky Security monitors changes in it:
Click the Add button located above the Monitoring scope field on the Files tab.
In the File or folder window that opens, enter the absolute path to the folder to be monitored, or a mask for that path.
When entering a path mask, you can use the following characters in any part of the path:
The * character can represent any characters except \ / : ? " < > | *. In addition:
If the * character is used to designate the name of an entire component of a path (for example, to designate a folder name: /*/), it can represent one or more characters.
If the * character is used to designate part of the name of a path component (for example, to designate part of a folder name: /abc*/), it can represent zero or more characters.
The ? character can replace any single character.
You can use environment variables when entering a folder path. You must type the % character before and after the name of the environment variable.
If you need to monitor changes to files in a specified folder, enter a file name or file mask in the File name or file mask field.
When entering a mask, you can use the following characters:
* represents zero or more characters. It can represent any characters except \ / : ? " < > | *
? represents any single character
If you want to monitor changes made to the specified files in nested folders as well, select the Include files in subfolders check box.
Click OK in the File or folder window.
The path to the file or folder is displayed in the list of paths in the Monitoring scope field.
Kaspersky Security monitors changes made to files and folders only on those drives that are connected when Real-Time System Integrity Monitoring starts running, which means when a policy is applied or when Real-Time System Integrity Monitoring is enabled. If a drive is powered off when Real-Time System Integrity Monitoring starts running, modifications made to files and folders on that drive are not monitored even if those files and folders have been added to the monitoring scope.
You can perform keyword searches in the list, and remove files and folders from the list by using the Delete button.
If necessary, you can similarly configure the list of paths to files and/or folders that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to files and folders that are added to the list of paths in the Exclusions field.
To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Files tab.
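As an added illustration (not Kaspersky's documentation or product code), the following Python models how the mask rules above resolve against concrete paths, including the one-or-more versus zero-or-more behaviour of *, the ? wildcard, %VAR% expansion, subfolder inclusion and exclusions. The environment values and sample paths are constructed; treating paths case-insensitively and ? as never spanning a separator are assumptions, not statements from the page.

```python
import re

# Characters the documentation says '*' can never stand for in a path mask.
_FORBIDDEN = r'\\/:?"<>|*'
_SEP = r"[\\/]"


def _component_to_pattern(component: str) -> str:
    """Regex for one path component (the text between two separators)."""
    if component == "*":
        # A bare '*' naming a whole component (e.g. \*\) stands for ONE or more characters.
        return f"[^{_FORBIDDEN}]+"
    out = []
    for ch in component:
        if ch == "*":
            # '*' inside a component name (e.g. \abc*\) stands for ZERO or more characters.
            out.append(f"[^{_FORBIDDEN}]*")
        elif ch == "?":
            # '?' replaces exactly one character; assumed here not to span a separator.
            out.append(r"[^\\/]")
        else:
            out.append(re.escape(ch))
    return "".join(out)


def mask_to_pattern(mask: str, env: dict) -> str:
    """Expand %VAR% references, then translate the mask into an unanchored regex."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), mask)
    return _SEP.join(_component_to_pattern(p) for p in re.split(r"[\\/]", expanded))


def rule_regex(folder_mask, file_mask="*", include_subfolders=False, env=None):
    """Compile one 'File or folder' entry: folder mask, file mask, subfolder flag."""
    env = env or {}
    sub = rf"(?:{_SEP}[^\\/]+)*" if include_subfolders else ""
    folder, name = mask_to_pattern(folder_mask, env), mask_to_pattern(file_mask, env)
    # Windows paths compare case-insensitively (assumption about the product's matching).
    return re.compile(rf"^{folder}{sub}{_SEP}{name}$", re.IGNORECASE)


def is_monitored(path, scope, exclusions, env=None):
    """Monitored when some scope entry matches and no exclusion entry does."""
    def hit(entries):
        return any(rule_regex(*e, env=env).match(path) for e in entries)
    return hit(scope) and not hit(exclusions)


if __name__ == "__main__":
    env = {"SystemRoot": r"C:\Windows"}  # constructed environment value
    scope = [(r"%SystemRoot%\*", "*.exe", True)]  # executables below any C:\Windows subfolder
    print(is_monitored(r"C:\Windows\System32\cmd.exe", scope, [], env))  # True
```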
Configure the monitoring scope of registry keys and values on the Registry tab.
To add a registry key or key parameter so that Kaspersky Security monitors changes in it:
Click the Add button located above the Monitoring scope field on the Registry tab.
The Registry key window opens.
Enter the name of the registry key whose modifications must be monitored.
The HKEY_CURRENT_USER key is not supported. You can specify a path to a registry key through HKEY_USERS as follows: HKEY_USERS\<user profile ID>\<key>.
If you want Kaspersky Security to also monitor nested keys, select the Including nested keys check box.
If you need to monitor changes to a parameter of the specified key, enter the name or mask of the parameter in the Name or mask of the key parameter field.
When entering a mask, you can use the wildcards * (any sequence of characters) and ? (any single character).
In the Registry key window, click OK.
The name of the key and key parameter (if it was specified) is displayed in the list of keys and registry values in the Monitoring scope field.
You can perform a keyword search in the list, and remove keys from the list using the Delete button.
If necessary, you can similarly configure the list of keys and registry values that are excluded from the monitoring scope. Kaspersky Security does not monitor changes to keys and registry values that are added to the list in the Exclusions field.
To configure the list of exclusions, use the Add and Delete buttons located above the Exclusions field on the Registry tab.
In the System Integrity Monitoring rule window, click OK.
The rule is displayed in the list of rules in the System Integrity Monitoring rules window.
In the System Integrity Monitoring rules window, click OK.
Click the Apply button.
To create or edit a System Integrity Monitoring rule in the local interface:
In the left part of the window, in the Endpoint control section, select the System Integrity Monitoring section.
In the right part of the window, the System Integrity Monitoring component settings are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
Do one of the following:
Click the Settings button located on the right of the Monitor files and the registry check box in the upper part of the System Integrity Monitoring settings section if you want to configure a Real-Time System Integrity Monitoring rule.
Click the Settings button located on the right of the Monitor files and the registry check box in the lower part of the System Integrity Monitoring settings section if you want to configure a rule for the System Integrity Check task and baseline update task.
The System Integrity Monitoring rules window opens.