On-demand File Integrity Monitoring settings
January 20, 2022
ID 165474
This section describes the settings that you can specify for the on-demand File Integrity Monitoring task.
All available values and default values for each setting are described below.
RebuildBaseline
Enables or disables rebuilding a baseline after an ODFIM task has finished.
Available values:
Yes — Rebuild a baseline after an ODFIM task has finished.
No — Do not rebuild a baseline after an ODFIM task has finished.
Default value: No
CheckFileHash
Enables or disables a hash (SHA-256) check.
Available values:
Yes — Enable a hash check.
No — Disable a hash check.
Default value: No
TrackDirectoryChanges
Enables or disables monitoring of directories.
Available values:
Yes — Monitor directories.
No — Do not monitor directories.
Default value: No
TrackLastAccessTime
Enables or disables checking of the last time the file was accessed. In Linux operating systems, this is the noatime parameter.
Available values:
Yes — Check the last time the file was accessed.
No — Do not check the last time the file was accessed.
Default value: No
UseExcludeMasks
Enables or disables exclusion from the monitoring scope of objects specified by the ExcludeMasks setting.
This setting works only with the ExcludeMasks setting specified.
Available values:
Yes — Exclude objects specified by the ExcludeMasks setting from the monitoring scope.
No — Do not exclude objects specified by the ExcludeMasks setting from the monitoring scope.
Default value: No
ExcludeMasks
Specifies a list of masks that define objects to be excluded from the monitoring scope.
Before specifying this setting, make sure that the UseExcludeMasks setting value is set to Yes.
Masks are specified in command shell format.
If you want to specify several masks, each mask must be specified on a new line with a new index (ExcludeMasks.item_0000, ExcludeMasks.item_0001).
Default value: not defined
Section [ScanScope.item_#]
The [ScanScope.item_#] sections specify scopes to be monitored by the File Integrity Monitoring task. At least one monitoring scope must be specified for the task.
You can define several [ScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.
Each [ScanScope.item_#] section contains the following settings:
AreaDesc
Specifies the name of the monitoring scope.
UseScanArea
Enables or disables monitoring of the specified scope.
Available values:
Yes — Monitor a specified scope.
No — Do not monitor a specified scope.
Default value: Yes
Path
Specifies the full path to the object or directories to be monitored.
Default value: /opt/kaspersky/kesl/
AreaMask.item_#
Specifies a command line shell mask that defines the objects to be monitored.
You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by index, in ascending order.
Default value: * (all objects will be processed)
Section [ExcludedFromScanScope.item_#]
The [ExcludedFromScanScope.item_#] sections specify the objects to be excluded from all [ScanScope.item_#] sections.
All objects that match the rules of any [ExcludedFromScanScope.item_#] section will be excluded from monitoring. An [ExcludedFromScanScope.item_#] section format is similar to the format of a [ScanScope.item_#] section.
You can define several [ExcludedFromScanScope.item_#] sections in a configuration file in any order. Kaspersky Endpoint Security will process scopes by item index, in ascending order.
Each [ExcludedFromScanScope.item_#] section contains the following settings:
AreaDesc
Specifies the name of the scope to be excluded from monitoring.
UseScanArea
Specifies whether the specified scope will be excluded from monitoring.
Available values:
Yes — Exclude a specified scope from monitoring.
No — Do not exclude the specified scope from monitoring.
Default value: Yes
Path
Specifies the path to the objects or directories to be excluded from monitoring. You can use masks to specify the path.
AreaMask.item_#
Specifies a command line shell mask that defines the objects to be excluded from monitoring.
You can specify several AreaMask.item_# items in any order. Kaspersky Endpoint Security will process items by index, in ascending order.
Default value: * (all objects will be monitored)
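Several of the settings above depend on each other or default to values that narrow what the task checks. The following added example (not Kaspersky code) reviews a settings file for those cases. It assumes the file holds Name=Value lines with the section headers described above; the function names and the sample paths are constructed for illustration.

```python
# Added example, not vendor code. Assumption: the file holds "Name=Value"
# lines, task-level settings first, then the [Section] blocks named above.
DEFAULTS = {"RebuildBaseline": "No", "CheckFileHash": "No", "UseExcludeMasks": "No"}

# Constructed sample settings; the paths are hypothetical.
SAMPLE = """\
RebuildBaseline=Yes
ExcludeMasks.item_0000=*.log
[ScanScope.item_0000]
UseScanArea=No
Path=/var/www
[ExcludedFromScanScope.item_0000]
Path=/var/www/uploads
"""

def parse(text):
    """Return (task_settings, [(section_name, section_settings), ...])."""
    top = current = {}
    sections = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.append((line[1:-1], current))
        elif "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return top, sections

def enabled(settings, key, default):
    return settings.get(key, default).lower() == "yes"

def audit(text):
    """List settings that weaken or silently narrow monitoring."""
    top, sections = parse(text)
    on = {k: enabled(top, k, d) for k, d in DEFAULTS.items()}
    findings = []
    if not on["CheckFileHash"]:
        findings.append("CheckFileHash=No: SHA-256 hash check is disabled")
    if on["RebuildBaseline"]:
        findings.append("RebuildBaseline=Yes: baseline is rebuilt after each run")
    if any(k.startswith("ExcludeMasks.item_") for k in top) and not on["UseExcludeMasks"]:
        findings.append("ExcludeMasks defined but UseExcludeMasks=No")
    scopes = [s for n, s in sections if n.startswith("ScanScope.item_")]
    if not any(enabled(s, "UseScanArea", "Yes") for s in scopes):
        findings.append("no enabled [ScanScope.item_#] section")
    for name, s in sections:
        if name.startswith("ExcludedFromScanScope.item_") and enabled(s, "UseScanArea", "Yes"):
            findings.append(f"{name} excludes {s.get('Path', '?')}")
    return findings
```

Calling audit(SAMPLE) returns one finding per issue in the constructed sample; a file with CheckFileHash=Yes and one enabled scope returns an empty list.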