Real-Time System Integrity Monitoring
Real-Time System Integrity Monitoring tracks changes to the operating system as they happen. It detects changes that may indicate a security breach on the computer, and it can either block those changes or only log them as events.
For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define which users may perform which actions on files and registry keys. System Integrity Monitoring detects changes to files and registry keys within the specified monitoring scope; the monitoring scope is one of the criteria of the rule.
Real-Time System Integrity Monitoring modes
To make sure that System Integrity Monitoring rules do not block actions on resources that are critical to the operating system or to other services, we recommend enabling Test mode first and analyzing how the component affects the system. With Test mode on, Kaspersky Endpoint Security does not block activity that the rules forbid; instead it generates a Warning event for each such action.
The Real-Time System Integrity Monitoring component has two modes:
- Protect the system against changes by rules
In this mode, System Integrity Monitoring tracks changes in the system and applies the action defined by the matching rule: Allow or Block. It also generates a corresponding event and changes the status of the device in the Kaspersky Security Center console.
- Test mode: do not block, log only
In this mode, System Integrity Monitoring allows all actions on files and registry keys in the monitoring scope, including actions a rule would prohibit. For each prohibited action it generates the event "The prohibited operation was allowed in test mode". Use the reports to analyze how the rules would affect the system before switching to protect mode.
Enabling Real-Time System Integrity Monitoring
Real-Time System Integrity Monitoring rule settings
Parameter | Description |
---|---|
Rule name | Name of the Real-Time System Integrity Monitoring rule. |
Operations with files and registry | |
Event severity level | Kaspersky Endpoint Security logs a modification event whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational |
Monitoring scope | |
Exclusions | |
Trusted users and / or user groups | A trusted user is a user who is allowed to perform actions on files and registry keys in the monitoring scope. If Kaspersky Endpoint Security detects an action performed by a trusted user, System Integrity Monitoring generates an Informational event. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually. Kaspersky recommends using local user accounts only in special cases where domain user accounts cannot be used. |
File operation markers / Monitored operations | Markers that identify which actions on files or registry keys the application monitors. |
Hashing | Calculate a hash of the file when it is modified. Kaspersky Endpoint Security includes the file hash in the generated event. |
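The two modes and the rule settings above describe one decision procedure: an operation is relevant only if its marker is monitored and its path is inside the scope but not in an exclusion; a trusted user is then allowed with an Informational event; anyone else is blocked in protect mode or allowed with a Warning event in test mode; and, with hashing on, the event carries the file's hash. The following script is an added illustration of that procedure and is not Kaspersky Endpoint Security code, nor does it use the product's API: the class and field names, the fnmatch-style path patterns, the sample hosts-file rule, the user names and the sample operations are all assumptions made for the example.

```python
# Added illustration, not Kaspersky Endpoint Security code or its API: a toy
# evaluator for one Real-Time System Integrity Monitoring rule. Field names,
# path patterns and sample operations are assumptions made for this example.
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set

@dataclass
class Rule:
    name: str
    scope: List[str]         # monitored path patterns (fnmatch syntax)
    exclusions: List[str]    # patterns inside the scope that are not monitored
    operations: Set[str]     # monitored operation markers, e.g. {"create", "modify"}
    trusted_users: Set[str]  # users allowed to act on files in the scope
    severity: str = "Informational"  # severity of the events this rule logs
    hashing: bool = False    # attach a SHA-256 of the file content to the event

@dataclass
class Operation:
    path: str
    user: str
    operation: str
    content: Optional[bytes] = None  # file content after the operation, if any

@dataclass
class Event:
    rule: str
    path: str
    user: str
    operation: str
    action: str              # "Allow" or "Block"
    severity: str
    message: str
    sha256: Optional[str] = None

def _matches(path: str, patterns: List[str]) -> bool:
    # Windows paths are case-insensitive, so compare lower-cased forms.
    return any(fnmatch.fnmatchcase(path.lower(), p.lower()) for p in patterns)

def in_scope(rule: Rule, path: str) -> bool:
    """A path is monitored if it matches the scope and matches no exclusion."""
    return _matches(path, rule.scope) and not _matches(path, rule.exclusions)

def file_hash(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def evaluate(rule: Rule, op: Operation, test_mode: bool) -> Optional[Event]:
    """Event the rule generates for op, or None if the rule does not apply.

    Order modelled on the page: unmonitored operation or path -> nothing;
    trusted user -> Allow with an Informational event; otherwise Block in
    protect mode, or Allow plus the "allowed in test mode" Warning event.
    """
    if op.operation not in rule.operations or not in_scope(rule, op.path):
        return None
    digest = file_hash(op.content) if rule.hashing and op.content is not None else None
    common = dict(rule=rule.name, path=op.path, user=op.user,
                  operation=op.operation, sha256=digest)
    if op.user in rule.trusted_users:
        return Event(action="Allow", severity="Informational",
                     message="Operation performed by a trusted user", **common)
    if test_mode:
        return Event(action="Allow", severity="Warning",
                     message="The prohibited operation was allowed in test mode", **common)
    return Event(action="Block", severity=rule.severity,
                 message="Prohibited operation blocked", **common)

def run(rule: Rule, ops: List[Operation], test_mode: bool) -> List[Event]:
    """Evaluate every operation in order and return the generated events."""
    return [e for e in (evaluate(rule, op, test_mode) for op in ops) if e is not None]

# Constructed sample rule and operations (assumptions, not taken from the page).
HOSTS_RULE = Rule(
    name="Protect hosts file",
    scope=[r"C:\Windows\System32\drivers\etc\*"],
    exclusions=[r"C:\Windows\System32\drivers\etc\*.tmp"],
    operations={"create", "modify", "delete"},
    trusted_users={r"CORP\svc-deploy"},
    severity="Warning",
    hashing=True,
)
SAMPLE_OPS = [
    Operation(r"C:\Windows\System32\drivers\etc\hosts", r"CORP\alice", "modify",
              b"127.0.0.1 localhost\n10.0.0.5 update.vendor.example\n"),
    Operation(r"C:\Windows\System32\drivers\etc\hosts", r"CORP\svc-deploy", "modify",
              b"127.0.0.1 localhost\n"),
    Operation(r"C:\Windows\System32\drivers\etc\hosts.tmp", r"CORP\alice", "create", b""),
    Operation(r"C:\Windows\System32\drivers\etc\hosts", r"CORP\alice", "read"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- test_mode={mode}")
        for ev in run(HOSTS_RULE, SAMPLE_OPS, test_mode=mode):
            print(f"[{ev.severity}] {ev.action} {ev.user} {ev.operation} {ev.path}: {ev.message}")
```

Running the script shows the practical difference between the modes: the same edit of the hosts file by an untrusted user is reported with a Warning and allowed in test mode, but blocked in protect mode, while the trusted deployment account's edit and the excluded `.tmp` file produce an Informational event and no event respectively in both modes. The hash attached to the event is what lets an analyst later tell a benign edit from a tampered file without having kept a copy.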