Real-Time System Integrity Monitoring

System Integrity Monitoring allows tracking changes in the operating system in real time. You can track changes that may indicate security breaches on the computer. The component allows blocking these changes or merely logging change events.

For System Integrity Monitoring to work, you must add at least one rule. A System Integrity Monitoring rule is a set of criteria that define the access of users to files and the registry. System Integrity Monitoring detects changes in the files and the registry within the specified monitoring scope. The monitoring scope is one of the criteria of a System Integrity Monitoring rule.

How to enable and configure Real-Time System Integrity Monitoring in the Kaspersky Security Center Administration Console

In the Kaspersky Security Center Administration Console tree, select the Policies folder.
Select the necessary policy and double-click to open the policy properties.
In the policy properties window, select System Inspection.
In the System Integrity Monitoring section, click Settings.
Select the System Integrity Monitoring check box.
Configure the File Integrity Monitor:
1. Select the Monitor files check box on the Files tab.
2. Under Operating mode for blocking rules, select a File Integrity Monitor mode:
  - Block. In this mode, the application performs actions on files in accordance with File Integrity Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered File Integrity Monitor rules in the System Integrity Monitoring log.
3. Add File Integrity Monitor rules manually using the Add button or by importing them from an XML file. File Integrity Monitor rule settings are described in the following table.
4. In the list of File Integrity Monitor rules, manage check boxes to leave the rules that you need enabled.
Configure the Registry Access Monitor:
1. Select the Monitor the registry check box on the Registry tab.
2. Under Operating mode for blocking rules, select a mode for Registry Access Monitor:
  - Block. In this mode, the application blocks actions with the registry in accordance with Registry Access Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered Registry Access Monitor rules in the System Integrity Monitoring log.
3. Add Registry Access Monitor rules manually using the Add button or by importing them from an XML file. Registry Access Monitor rule settings are described in the following table.
4. In the list of Registry Access Monitor rules, manage check boxes to leave the rules that you need enabled.
Configure external device monitoring:
1. Select the Monitor devices check box on the Devices tab.
2. In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  After applying the external device monitoring settings, the application remembers the current external device connections. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event in the System Integrity Monitor log.
Save your changes.

How to enable and configure Real-Time System Integrity Monitoring in the Kaspersky Security Center Web Console

In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Industrial CyberSecurity for Nodes policy.
The policy properties window opens.
Select the Application settings tab.
Go to System Inspection → System Integrity Monitoring and click the Configure button.
Select the System Integrity Monitoring check box.
Configure the File Integrity Monitor:
1. Select the Monitor files check box on the Files tab.
2. Under Operating mode for blocking rules, select a File Integrity Monitor mode:
  - Block. In this mode, the application performs actions on files in accordance with File Integrity Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered File Integrity Monitor rules in the System Integrity Monitoring log.
3. Add File Integrity Monitor rules manually using the Add button or by importing them from an XML file. File Integrity Monitor rule settings are described in the following table.
4. In the list of File Integrity Monitor rules, manage check boxes in the Status column to leave the rules that you need enabled.
Configure the Registry Access Monitor:
1. Select the Monitor the registry check box on the Registry tab.
2. Under Operating mode for blocking rules, select a mode for Registry Access Monitor:
  - Block. In this mode, the application blocks actions with the registry in accordance with Registry Access Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered Registry Access Monitor rules in the System Integrity Monitoring log.
3. Add Registry Access Monitor rules manually using the Add button or by importing them from an XML file. Registry Access Monitor rule settings are described in the following table.
4. In the list of Registry Access Monitor rules, manage check boxes in the Status column to leave the rules that you need enabled.
Configure external device monitoring:
1. Select the Monitor devices check box on the Devices tab.
2. In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  System Integrity Monitoring records the current connection of external devices. The application begins to monitor connection and disconnection of external devices after the component is enabled in the application settings. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event.
Save your changes.

How to enable and configure Real-Time System Integrity Monitoring in the Application Console

In the Kaspersky Industrial CyberSecurity for Nodes Console tree, select System Inspection → System Integrity Monitoring.
In the results pane of the System Integrity Monitoring node, click Properties.
The Properties: System Integrity Monitoring window opens.
Select the System Integrity Monitoring check box.
Configure the File Integrity Monitor:
1. Select the Monitor files check box on the Files tab.
2. Under Operating mode for blocking rules, select a File Integrity Monitor mode:
  - Block. In this mode, the application performs actions on files in accordance with File Integrity Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered File Integrity Monitor rules in the System Integrity Monitoring log.
3. Add File Integrity Monitor rules manually using the Add button or by importing them from an XML file. File Integrity Monitor rule settings are described in the following table.
4. In the list of File Integrity Monitor rules, manage check boxes to leave the rules that you need enabled.
Configure the Registry Access Monitor:
1. Select the Monitor the registry check box on the Registry tab.
2. Under Operating mode for blocking rules, select a mode for Registry Access Monitor:
  - Block. In this mode, the application blocks actions with the registry in accordance with Registry Access Monitor rules and generates corresponding events in the System Integrity Monitoring log.
  - Inform. In this mode, the application only generates events about triggered Registry Access Monitor rules in the System Integrity Monitoring log.
3. Add Registry Access Monitor rules manually using the Add button or by importing them from an XML file. Registry Access Monitor rule settings are described in the following table.
4. In the list of Registry Access Monitor rules, manage check boxes to leave the rules that you need enabled.
Configure external device monitoring:
1. Select the Monitor devices check box on the Devices tab.
2. In the Event severity level drop-down list, select the importance level of external device monitoring events: Informational, Warning, Critical.
  After applying the external device monitoring settings, the application remembers the current external device connections. Subsequently, when an external device is connected or disconnected, the application generates a corresponding event in the System Integrity Monitor log.
Save your changes.

System Integrity Monitoring rules settings

Parameter	Description
Monitor file operations for the scope	The scope to which you want to apply File Integrity Monitoring. This field is mandatory. Use masks: Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `` and `?` characters when entering a mask: The `` (asterisk) character, which takes the place of any set of characters, except the `\` and `/` characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\\.txt` will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders. Two consecutive `` characters take the place of any set of characters (including an empty set) in the file or folder name, including the `\` and `/` characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\Folder\\.txt` will include all paths to files with the TXT extension located in folders nested within the `Folder`, except the `Folder` itself. The mask must include at least one nesting level. The mask `C:\*\.txt` is not a valid mask. The `?` (question mark) character, which takes the place of any single character, except the \ and / characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\Folder\???.txt` will include paths to all files residing in the folder named `Folder` that have the TXT extension and a name consisting of three characters.
Monitored objects	Here you can specify the name or value of a registry key. Use masks: Kaspersky Industrial CyberSecurity for Nodes supports the `*` and `?` characters when entering a mask:
Operations with files	Detect. The application allows actions on files in the monitoring scope. Detect and block. What the application does depends on the selected File Integrity Monitor mode. If you selected the Block mode, System Integrity Monitoring blocks actions with files from the monitoring scope. If you selected the Inform mode, System Integrity Monitoring allows actions with files from the monitoring scope.
Trusted users and / or user groups	A trusted user is a user that is allowed to perform actions with files and registry keys in the monitoring scope. If Kaspersky Industrial CyberSecurity for Nodes detects an action performed by a trusted user, System Integrity Monitoring generates an Informational event. You can select users in Active Directory, in the list of accounts in Kaspersky Security Center, or by entering a local user name manually.
File operation markers / Actions	Markers characterizing the action with files or registry keys that the application will monitor.
Detect file operations based on all recognized markers / Detect registry operations based on all recognized markers	By default, Kaspersky Industrial CyberSecurity for Nodes detects all file / registry operation markers.
Detect file operations based on the following markers / Detect registry operations based on the following markers	In the list of available file / registry operations select the check boxes next to the operations you want to monitor.
Calculate a checksum after a file operation, if possible. The checksum will be indicated in the task log	If the check box is selected, Kaspersky Industrial CyberSecurity for Nodes calculates the checksum of the modified file, if a file operation with at least one selected marker was detected. If the file operation is detected by several markers, only the checksum of the final file after all modifications is calculated. If the check box is cleared, Kaspersky Industrial CyberSecurity for Nodes does not calculate the checksum of modified files. No checksum calculation is performed in the following cases: If the file has become unavailable (for example, due to a change of access permissions). If the file operation was detected in a file that was subsequently removed. By default, the check box is cleared.
Checksum computing algorithm	Select one of the checksum calculation algorithms from the drop-down list: MD5 hash SHA256 hash
Exclusions	On the Exclusions tab, you can add objects that you want to exclude from the monitoring scope: For a File Integrity Monitor rule, you can specify a list of folders. For a Registry Access Monitoring rule, you can specify registry keys or values. Use masks: Files List of files and folders monitored by the component. Kaspersky Industrial CyberSecurity for Nodes supports environment variables and the `` and `?` characters when entering a mask: The `` (asterisk) character, which takes the place of any set of characters, except the `\` and `/` characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\\.txt` will include all paths to files with the TXT extension located in folders on the C: drive, but not in subfolders. Two consecutive `` characters take the place of any set of characters (including an empty set) in the file or folder name, including the `\` and `/` characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\Folder\\.txt` will include all paths to files with the TXT extension located in folders nested within the `Folder`, except the `Folder` itself. The mask must include at least one nesting level. The mask `C:\*\.txt` is not a valid mask. The `?` (question mark) character, which takes the place of any single character, except the `\` and `/` characters (delimiters of the names of files and folders in paths to files and folders). For example, the mask `C:\Folder\???.txt` will include paths to all files residing in the folder named `Folder` that have the TXT extension and a name consisting of three characters. Registry Kaspersky Industrial CyberSecurity for Nodes supports the `*` and `?` characters when entering a mask: Exclusion entries have a higher priority than monitoring scope entries.
Event severity level	Kaspersky Industrial CyberSecurity for Nodes logs file modification events whenever a file or registry key in the monitoring scope is modified. The following event severity levels are available: Informational, Warning, Critical.

Page top