Application components integrity check

Kaspersky Endpoint Security contains many various binary modules in the form of dynamic linked libraries, executable files, configuration files, and interface files. Intruders can replace one or more application executable modules or files with other files containing malicious code. To prevent the replacement of modules and files, Kaspersky Endpoint Security can check integrity of the application components. The application checks modules and files for unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

An integrity check is run for the following application components if installed on the device:

• application package
• Graphical user interface package
• Kaspersky Security Center Network Agent package
• Kaspersky Endpoint Security administration plug-in

The application checks integrity of the files in the special lists called manifest files. Each application component has its own manifest file that contains a list of application files whose integrity is important for correct operation of this application component. The name of the manifest file is the same for each component, but the content of the manifest files differs. The manifest files are digitally signed and their integrity is checked as well.

The integrity of the application components is checked using the integrity_checker utility.

The integrity check utility must be run under the account with root privileges.

To check integrity, you can use either the utility installed with the application or the utility distributed on a certified CD.

It is recommended to run the integrity check utility from a certified CD to ensure integrity of the utility. When running the utility from the CD, specify the full path to the manifest file.

The integrity check utility installed with the application is located at the following paths:

• To check the application package, graphical user interface package, and the Network Agent: /opt/kaspersky/kesl/bin/integrity_checker.
• To check Kaspersky Endpoint Security administration plug-in – the directory where the executable modules (DLL) of the administration plug-in are located:
  • C:\Program Files\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_checker.exe – for 32-bit operating systems.
  • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_checker.exe – for 64-bit operating systems.

The manifest files are located at the following paths:

• /opt/kaspersky/kesl/bin/integrity_check.xml – to check integrity of the application package.
• /opt/kaspersky/kesl/bin/gui_integrity_check.xml – to check integrity of the graphical user interface package.
• /opt/kaspersky/klnagent/bin/kl_file_integrity_manifest.xml – to check the Network Agent in 32-bit operating systems.
• /opt/kaspersky/klnagent64/bin/kl_file_integrity_manifest.xml – to check the Network Agent in 64-bit operating systems.

To check integrity of the application components, run the following command:

• To check the application package and graphical user interface package:

  integrity_checker [<path to manifest file>] --signature-type kds-with-filename

• for checking the Kaspersky Endpoint Security administration plug-in and Network Agent:

  integrity_checker [<path to manifest file>]

The default path is for a manifest file located in the same directory as the integrity checker utility.

You can run the utility with the following optional settings:

• --crl <directory> – path to the directory containing the Certificate Revocation List.
• --version – display the version of the utility.
• --verbose – display detailed information about performed actions and their results. If you do not specify this setting, only errors, objects that did not pass the check, and scan statistics summary will be displayed.
• --trace <file name>, where <file name> is the name of the file where events that happen during scans will be logged at the DEBUG level of detail.
• --signature-type kds-with-filename – the type of the signature to be checked (this setting is required for checking the application package, graphical user interface package, and Network Agent).
• --single-file <file> – scan only one file in the manifest; ignore the other objects in the manifest.

You can view description of all available integrity check utility settings in the help on the utility options by running the integrity_checker --help command.

The result of checking the manifest files is displayed as follows:

• SUCCEEDED — integrity of the files has been confirmed (return code 0).
• FAILED – integrity of the files has not been confirmed (return code is not 0).

If a violation of the integrity of the application or Network Agent is detected when the application starts, Kaspersky Endpoint Security generates an IntegrityCheckFailed event in the event log and in Kaspersky Security Center.

Page top