On-demand File Integrity Monitoring settings

January 20, 2022

ID 165474

This section describes the settings that you can specify for the on-demand File Integrity Monitoring task.

All available values and default values for each setting are described below.

RebuildBaseline

Enables or disables rebuilding a baseline after an ODFIM task has finished.

Available values:

Yes—Rebuild a baseline after an ODFIM task has finished.

No—Do not rebuild a baseline after an ODFIM task has finished.

Default value: No

CheckFileHash

Enables or disables a hash (SHA-256) check.

Available values:

Yes—Enable a hash check.

No—Disable a hash check.

Default value: No

TrackDirectoryChanges

Enables or disables monitoring of directories.

Available values:

Yes—Monitor directories.

No—Do not monitor directories.

Default value: No

TrackLastAccessTime

Enables or disables checking of the last time the file was accessed. In Linux operating systems this is the noatime parameter.

Available values:

Yes—Check the last time the file was accessed.

No—Do not check the last time the file was accessed.

Default value: No

UseExcludeMasks

Enables or disables exclusion from the monitoring scope of objects specified by the ExcludeMasks setting.

This setting works only if the ExcludeMasks setting is specified.

Available values:

Yes—Exclude objects specified by the ExcludeMasks setting from the monitoring scope.

No—Do not exclude objects specified by the ExcludeMasks setting from the monitoring scope.

Default value: No

ExcludeMasks

Specifies a list of masks that define objects to be excluded from the monitoring scope.

Before specifying this setting, make sure that the UseExcludeMasks setting value is set to Yes.

Masks are specified in command shell format.

If you want to specify several masks, specify each mask on a new line with a new index (ExcludeMasks.item_0000, ExcludeMasks.item_0001).

Default value: not defined

Section [ScanScope.item_#]

The [ScanScope.item_#] sections specify scopes to be monitored by the File Integrity Monitoring task. At least one monitoring scope must be specified for the task.

You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the monitoring scope.

UseScanArea

Enables or disables monitoring of the specified scope.

Available values:

Yes—Monitor a specified scope.

No—Do not monitor a specified scope.

Default value: Yes

Path

Specifies the full path to the object or directories to be monitored.

Default value: /opt/kaspersky/kesl/

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be monitored.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be processed)

Section [ExcludedFromScanScope.item_#]

The [ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.

All objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. An [ExcludedFromScanScope.item_#] section format is similar to the format of a [ScanScope.item_#] section.

You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.

Each [ExcludedFromScanScope.item_#] section contains the following settings:

AreaDesc

Specifies the name of the scope to be excluded from monitoring.

UseScanArea

Specifies whether the specified scope will be excluded from monitoring.

Available values:

Yes—Exclude a specified scope from monitoring.

No—Do not exclude the specified scope from monitoring.

Default value: Yes

Path

Specifies the path to the objects or directories to be excluded from monitoring. You can use masks to specify the path.

AreaMask.item_#

Specifies a command line shell mask that defines the objects to be excluded from monitoring.

You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by indexes, in ascending order.

Default value: * (all objects will be monitored)
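The following is an added example, not part of the Kaspersky documentation or product: a short Python check that reads an ODFIM task configuration and reports the setting dependencies described above (ExcludeMasks without UseExcludeMasks=Yes, a disabled hash check, no enabled monitoring scope) and lists the enabled scopes in item-index order. The Key=Value layout under [Section] headers, the sample values, and the names parse and review are assumptions made for illustration.

```python
import re

# Constructed sample; the Key=Value layout under [Section] headers is an assumption.
SAMPLE = """\
CheckFileHash=No
UseExcludeMasks=No
ExcludeMasks.item_0000=*.log
[ScanScope.item_0001]
AreaDesc=Web root (hypothetical)
UseScanArea=No
Path=/var/www
[ScanScope.item_0000]
AreaDesc=Application files
Path=/opt/kaspersky/kesl/
AreaMask.item_0000=*
"""

def parse(text):
    """Return {section: {key: value}}; task-level keys live under ''."""
    sections, current = {"": {}}, ""
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def review(text):
    """Return (findings, enabled scope paths in processing order)."""
    cfg = parse(text)
    top, findings = cfg[""], []
    # Defaults used below are the ones documented on this page.
    if any(k.startswith("ExcludeMasks.item_") for k in top) \
            and top.get("UseExcludeMasks", "No") != "Yes":
        findings.append("ExcludeMasks defined but UseExcludeMasks is not Yes")
    if top.get("CheckFileHash", "No") != "Yes":
        findings.append("CheckFileHash is No: SHA-256 hash check is disabled")
    # Scopes are processed by item index in ascending order, not file order.
    scopes = sorted(((int(n.rsplit("_", 1)[1]), s) for n, s in cfg.items()
                     if n.startswith("ScanScope.item_")), key=lambda p: p[0])
    paths = [s.get("Path", "/opt/kaspersky/kesl/") for _, s in scopes
             if s.get("UseScanArea", "Yes") == "Yes"]
    if not paths:
        findings.append("no enabled [ScanScope.item_#] section")
    return findings, paths

if __name__ == "__main__":
    for item in review(SAMPLE)[0]:
        print("finding:", item)
```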
