KSC Open API
Kaspersky Security Center API description
File integrity monitor action enum

File integrity monitor detected action:

  • 0x00000100: Create; The file or directory is created for the first time. (Similar to WIN32::USN_REASON_FILE_CREATE)
  • 0x00000200: Delete; The file or directory is deleted. (Similar to WIN32::USN_REASON_FILE_DELETE)
  • 0x00000002: Extend; The file or directory is extended (added to). (Similar to WIN32::USN_REASON_DATA_EXTEND)
  • 0x00000001: Overwrite; The data in the file or directory is overwritten. (Similar to WIN32::USN_REASON_DATA_OVERWRITE) For the firewall object type, this value means "change rules".
  • 0x00000004: Truncation; The file or directory is truncated. (Similar to WIN32::USN_REASON_DATA_TRUNCATION)
  • 0x00002000: Rename; The file or directory is renamed.
  • 0x00008000: Basic Information Change; A user has either changed one or more file or directory attributes (for example, the read-only, hidden, system, archive, or sparse attribute), or one or more time stamps. (Similar to WIN32::USN_REASON_BASIC_INFO_CHANGE)
  • 0x00000400: Extended Attribute Change; The user made a change to the extended attributes of a file or directory. These NTFS file system attributes are not accessible to Windows-based applications. (Similar to WIN32::USN_REASON_EA_CHANGE)
  • 0x00000800: Security Change; A change is made in the access rights to a file or directory. (Similar to WIN32::USN_REASON_SECURITY_CHANGE)
  • 0x00020000: Compression Change; The compression state of the file or directory is changed from or to compressed. (Similar to WIN32::USN_REASON_COMPRESSION_CHANGE)
  • 0x00040000: Encryption Change; The file or directory is encrypted or decrypted. (Similar to WIN32::USN_REASON_ENCRYPTION_CHANGE)
  • 0x00010000: Hard Link Change; An NTFS file system hard link is added to or removed from the file or directory. An NTFS file system hard link, similar to a POSIX hard link, is one of several directory entries that refer to the same file or directory. (Similar to WIN32::USN_REASON_HARD_LINK_CHANGE)
  • 0x00004000: Indexable Change; For Windows platforms, a user changes the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute. That is, the user changes the file or directory from one where content can be indexed to one where content cannot be indexed, or vice versa. Content indexing permits rapid searching of data by building a database of selected content. (Similar to WIN32::USN_REASON_INDEXABLE_CHANGE)
  • 0x00800000: Integrity Change; A user changed the state of the FILE_ATTRIBUTE_INTEGRITY_STREAM attribute for the given stream. On the ReFS file system, integrity streams maintain a checksum of all data for that stream, so that the contents of the file can be validated during read or write operations. (Similar to WIN32::USN_REASON_INTEGRITY_CHANGE)
  • 0x00000020: Named Data Extend; One or more named data streams for a file are extended (added to). (Similar to WIN32::USN_REASON_NAMED_DATA_EXTEND)
  • 0x00000010: Named Data Overwrite; The data in one or more named data streams for a file is overwritten. (Similar to WIN32::USN_REASON_NAMED_DATA_OVERWRITE)
  • 0x00000040: Named Data Truncation; One or more named data streams for a file are truncated. (Similar to WIN32::USN_REASON_NAMED_DATA_TRUNCATION)
  • 0x00080000: Object ID Change; The object ID of a file or directory is changed. (Similar to WIN32::USN_REASON_OBJECT_ID_CHANGE)
  • 0x00100000: Reparse Point Change; The reparse point that is contained in a file or directory is changed, or a reparse point is added to or deleted from a file or directory. (Similar to WIN32::USN_REASON_REPARSE_POINT_CHANGE)
  • 0x00200000: Stream Change; A named stream is added to or removed from a file, or a named stream is renamed. (Similar to WIN32::USN_REASON_STREAM_CHANGE)
  • 0x01000000: Connect; Object (e.g., external device) connected to the host
  • 0x02000000: Disconnect; Object (e.g., external device) disconnected from the host
  • 0x04000000: Enable; Object (e.g., firewall) enabled (turned on)
  • 0x08000000: Disable; Object (e.g., firewall) disabled (turned off)
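
The following decoder for the values listed above is an added example, not part of the KSC Open API or its documentation. It assumes that one event may carry several of these single-bit values OR-ed together (as the analogous USN_REASON flags are); the function name `decode_action` and the `object_type` label are hypothetical.

```python
# Added example: decoder for the action values listed on this page.
# Assumption: a single event may carry several values OR-ed together.
ACTIONS = {
    0x00000001: "Overwrite", 0x00000002: "Extend", 0x00000004: "Truncation",
    0x00000010: "Named Data Overwrite", 0x00000020: "Named Data Extend",
    0x00000040: "Named Data Truncation", 0x00000100: "Create",
    0x00000200: "Delete", 0x00000400: "Extended Attribute Change",
    0x00000800: "Security Change", 0x00002000: "Rename",
    0x00004000: "Indexable Change", 0x00008000: "Basic Information Change",
    0x00010000: "Hard Link Change", 0x00020000: "Compression Change",
    0x00040000: "Encryption Change", 0x00080000: "Object ID Change",
    0x00100000: "Reparse Point Change", 0x00200000: "Stream Change",
    0x00800000: "Integrity Change", 0x01000000: "Connect",
    0x02000000: "Disconnect", 0x04000000: "Enable", 0x08000000: "Disable",
}

def decode_action(value, object_type="file"):
    """Return (names, unknown_bits) for a detected-action value.

    object_type is a hypothetical caller-supplied label; only "firewall"
    changes the result, where Overwrite is reported as "Change rules".
    """
    if not isinstance(value, int) or isinstance(value, bool) or value < 0:
        raise ValueError(f"action must be a non-negative integer, got {value!r}")
    names, unknown = [], 0
    bit = 1
    while bit <= value:
        if value & bit:
            name = ACTIONS.get(bit)
            if name is None:
                unknown |= bit  # bit is not documented on this page
            elif bit == 0x00000001 and object_type == "firewall":
                names.append("Change rules")
            else:
                names.append(name)
        bit <<= 1
    return names, unknown

if __name__ == "__main__":
    # Constructed sample values, not taken from real events.
    samples = [(0x00000101, "file"), (0x04000001, "firewall"), (0x00001200, "file")]
    for value, otype in samples:
        names, unknown = decode_action(value, otype)
        print(f"{value:#010x} {otype}: {names} unknown={unknown:#x}")
```

Bits that are not in the list are returned separately instead of being dropped, so a consumer can log them rather than silently misreport an event.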