Configuring monitoring rules
To add a monitoring scope:
- In the main window of the Web Console, select Devices → Policies & profiles.
- Click the policy name you want to configure.
- In the <Policy name> window that opens select the Application settings tab.
- Select the System Inspection section.
- Click Settings in the File Integrity Monitor subsection.
- In the appeared File Integrity Monitor window, open the File operations monitoring settings tab.
- In the USN log section, click the Add button.
The File operations monitoring rule window appears.
- In the Monitor file operations for the scope, specify a path using a supported mask:
- <*.ext> - all files with the extension <ext>, regardless of their location
- <*\name.ext> - all files with name <name> and extension <ext>, regardless of their location
- <\dir\*> - all files in folder <\dir>
- <\dir\*\name.ext> - all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders
When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Embedded Systems Security will not add the specified monitoring scope.
- On the Trusted users tab, do one of the following:
- Click the Add button and, in the window that opens, specify the user in the User name field using SID notation.
- Click the Add from Administration Server button and, in the window that appears on the screen, select the user from the list.
By default, Kaspersky Embedded Systems Security treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.
- Click OK.
- Select the File operation markers tab.
- Perform the following actions to select several markers as applicable:
- Select the Detect file operations based on the following markers option.
- On the list of available file operations select the check boxes next to the operations you want to monitor.
By default Kaspersky Embedded Systems Security detects all file operation markers, the Detect file operations based on all recognizable markers option is selected.
- If you want to block all file operations for the selected area, select the Detect and block all file operations in the selected area check box.
- If you want Kaspersky Embedded Systems Security to calculate a file checksum after an operation is performed:
- Select the Calculate checksum for the file if possible. The checksum will be available for viewing in the task report check box.
- In the Checksum type drop down list, select one of the options:
- SHA256 hash
- MD5 hash
- If you do not want to monitor all file operations in the list of available file operations, select the check boxes next to the operations you want to monitor.
- Add excluded monitoring scopes as applicable:
- Select the Exclusions tab.
- Select the Exclude the following folders from control check box.
- Click the Add button.
The Select folder to add window opens.
- In the pane that opens on the right, specify the folder that you want to exclude from the monitoring scope.
- Click OK.
The specified folder is added to the list of excluded scopes.
- Click OK in the File operations monitoring rule window.
The specified rule settings are applied to the selected monitoring scope of the File Integrity Monitor task.
