On-Demand System Integrity Check
On-Demand System Integrity Check is a task that you can run manually or on a schedule. When running the System Integrity Check task, the application compares the current state of the objects included in the monitoring scope with their baseline state. In contrast to Real-Time System Integrity Monitoring, the System Integrity Check task helps limit the number of events and lets you generate an overall report of changes in the operating system.
For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule. You can configure rules to be shared by Real-Time System Integrity Monitoring and the System Integrity Check task or create separate rules for the task. To create a baseline, Kaspersky Endpoint Security applies the monitoring scope from the System Integrity Check task to the Baseline update task.
Creating and updating a baseline
The System Integrity Check task needs a baseline to work. A baseline is a recorded state of objects in the system, which the application uses as reference when comparing to the current state. If the current state of the system is different from the state of the system as recorded in the baseline, Kaspersky Endpoint Security generates the corresponding event. You can create or update a baseline using the Baseline update task.
You can update the baseline in the following modes:
- Full update: the application updates all objects in the monitoring scope.
- Incremental update: the application detects and updates only modified or new objects.
Configuring the monitoring scope for the System Integrity Check task
By default, the monitoring scope of the System Integrity Check task is the same as the monitoring scope of Real-Time System Integrity Monitoring. You can configure a different monitoring scope for the task.
Settings of a System Integrity Check task rule
Parameter | Description
---|---
Rule name | Name of the System Integrity Check task rule.
Event severity level | Kaspersky Endpoint Security logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.
Monitoring scope | 
Exclusions | 
Running the System Integrity Check task
The System Integrity Check task checks files and registry keys for changes and also checks for the connection of external devices. To check files for changes, you can run the System Integrity Check task in one of the following modes:
- Quick Scan: when checking files for changes, the application checks only file attributes. The application does not check the content of files.
- Full Scan: when checking files for changes, the application checks all file attributes and the content of files.
The mode the task runs in does not affect the checking of the registry or external devices.
For the System Integrity Check task to finish successfully, the monitoring scope of the System Integrity Check task must completely match the baseline. If the monitoring scope is different, the task finishes with an error. To synchronize monitoring scopes, run the Baseline update task with a new monitoring scope.
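The baseline and check behaviour described above (a full baseline update, Quick Scan versus Full Scan, and the rule that the scope must match the baseline), as an added Python model that is not Kaspersky's code: the quick scan compares only size, mode and modification time, the full scan also compares a SHA-256 digest; the attribute set, the baseline layout and the error text are assumptions.

```python
import hashlib, os, tempfile
from pathlib import Path
# Added illustration of the baseline/check concepts on this page, not Kaspersky's implementation.

def _attrs(path):
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "mode": st.st_mode}

def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def _files(scope):
    for root in scope:
        yield from (p for p in sorted(Path(root).rglob("*")) if p.is_file())

def build_baseline(scope):
    """Full baseline update: record attributes and a content digest for every file in scope."""
    scope = sorted(str(Path(s)) for s in scope)
    files = {str(p): {"attrs": _attrs(p), "sha256": _digest(p)} for p in _files(scope)}
    return {"scope": scope, "files": files}

def integrity_check(scope, baseline, full_scan):
    """Quick scan compares attributes only; full scan also compares content (SHA-256)."""
    if sorted(str(Path(s)) for s in scope) != baseline["scope"]:
        raise ValueError("monitoring scope differs from the baseline: run a baseline update first")
    events, seen = [], set()
    for p in _files(baseline["scope"]):
        key, old = str(p), baseline["files"].get(str(p))
        seen.add(key)
        if old is None:
            events.append(("created", key))
        elif old["attrs"] != _attrs(p):
            events.append(("modified", key))
        elif full_scan and old["sha256"] != _digest(p):
            events.append(("content modified", key))
    events += [("deleted", k) for k in baseline["files"] if k not in seen]
    return sorted(events)

def demo():
    """Constructed scenario: content rewritten at the same length with the mtime restored."""
    root = Path(tempfile.mkdtemp())
    target = root / "hosts"
    target.write_bytes(b"127.0.0.1 localhost\n")
    baseline = build_baseline([root])
    st = target.stat()
    target.write_bytes(b"10.0.0.1  localhost\n")          # same size and mode as before
    os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # restore the timestamps
    return {"quick": integrity_check([root], baseline, full_scan=False),
            "full": integrity_check([root], baseline, full_scan=True)}
```

demo() shows the limit of attribute-only checking: a change that preserves the file's size, mode and timestamps is reported only by the full scan.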