Application components integrity check

Kaspersky Endpoint Security contains many various binary modules in the form of dynamic linked libraries, executable files, configuration files, and interface files. Intruders can replace one or more application executable modules or files with other files containing malicious code. To prevent the replacement of modules and files, Kaspersky Endpoint Security can check integrity of the application components. The application checks modules and files for unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

An integrity check is run for the following application components if installed on the device:

application package
Graphical user interface package
Kaspersky Security Center Network Agent package
Kaspersky Endpoint Security management web plug-in
Kaspersky Endpoint Security MMC management plug-in

The integrity of the application components is checked using an integrity check utility. The utility checks integrity of the files in the special lists called manifest files. Each application component has its own manifest file that contains a list of application files whose integrity is important for correct operation of this application component. The name of the manifest file is the same for each component, but the content of the manifest files differs. The manifest files are digitally signed and their integrity is checked as well.

To run the integrity check utility on Linux devices, an account with root privileges is required. An administrator account is required to run the integrity check utility on Windows devices.

The integrity check utility is installed with the application and located at the following paths:

To check the application package, graphical user interface package, and the Network Agent: /opt/kaspersky/kesl/bin/integrity_checker.
To check the Kaspersky Endpoint Security MMC management plug-in:
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\Plugins\kesl_<version number>.plg\integrity_checker.exe – for 32-bit operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\kesl_<version number>.plg\integrity_checker.exe – for 64-bit operating systems
To check the Kaspersky Endpoint Security management web plug-in:
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\integrity_checker.exe – on devices with Windows operating systems
- /var/opt/kaspersky/ksc-web-console/integrity_checker – on devices with Linux operating systems

The manifest files are located at the following paths:

To check the integrity of the application package: /opt/kaspersky/kesl/bin/integrity_check.xml.
To check the integrity of the graphical user interface package: /opt/kaspersky/kesl/bin/gui_integrity_check.xml.
To check Network Agent:
- /opt/kaspersky/klnagent/bin/kl_file_integrity_manifest.xml – for 32-bit operating systems
- /opt/kaspersky/klnagent64/bin/kl_file_integrity_manifest.xml – for 64-bit operating systems
To check the Kaspersky Endpoint Security MMC management plug-in
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center\Plugins\kesl_<plugin version>.plg\integrity_check.xml – for 32-bit operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\kesl_<plugin version>.plg\integrity_check.xml – for 64-bit operating systems
To check the Kaspersky Endpoint Security administration web plug-in:
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\kesl_<version number>\integrity_check.xml – on devices with Windows operating systems
- /var/opt/kaspersky/ksc-web-console/server/plugins/kesl_<version number>\integrity_check.xml – on devices with Linux operating systems

To check the integrity of a solution component, you need to run the tool from the folder of that component's tool.

To run the integrity check utility, run one of the following commands:

To check the integrity of the application package and graphical user interface package:
integrity_checker [<path to manifest file>] --signature-type kds-with-filename
To check the integrity of the Kaspersky Endpoint Security MMC management plug-in:
integrity_checker.exe [<path to manifest file>]
To check the integrity of the Kaspersky Endpoint Security management web plug-in and Network Agent on devices with Linux operating systems:
integrity_checker [<path to manifest file>]
To check the integrity of Kaspersky Endpoint Security management web plug-ins on Windows devices:
integrity_checker.exe [<path to manifest file>]

The default path is for a manifest file located in the same directory as the integrity checker utility.

You can run the utility with the following optional settings:

--crl <directory> – path to the directory containing the Certificate Revocation List.
--version – display the version of the utility.
--verbose – display detailed information about performed actions and their results. If you do not specify this setting, only errors, objects that did not pass the check, and scan statistics summary will be displayed.
--trace <file name>, where <file name> is the name of the file where events that happen during scans will be logged at the DEBUG level of detail.
--signature-type kds-with-filename – the type of the signature to be checked (this setting is required for checking the application package, graphical user interface package, and Network Agent).
--single-file <file> – scan only one file in the manifest; ignore the other objects in the manifest.

You can view description of all available integrity check utility settings in the help on the utility options by running the integrity_checker --help command.

The result of checking the manifest files is displayed as follows:

SUCCEEDED — integrity of the files has been confirmed (return code 0).
FAILED – integrity of the files has not been confirmed (return code is not 0).

If a violation of the integrity of the application or Network Agent is detected when the application starts, Kaspersky Endpoint Security generates the corresponding event in the event log and in Kaspersky Security Center.

Page top