Configuring receipt of messages from File Integrity Monitor

Managed applications such as Kaspersky Security for Windows Server or Kaspersky Security for Virtualization Light Agent send messages from File Integrity Monitor to Kaspersky Security Center. Kaspersky Security Center also allows you to monitor any changes to critically important components of systems (such as web servers and ATMs) and promptly respond to breaches of the integrity of such systems. For these purposes, you can receive messages from the File Integrity Monitor component. The File Integrity Monitor component lets you monitor not only the file system of a device, but also its registry hives, firewall status, and the status of connected hardware.

You must configure Kaspersky Security Center to receive messages from the File Integrity Monitor component without using Kaspersky Security for Windows Server or Kaspersky Security for Virtualization Light Agent.

To configure receipt of messages from File Integrity Monitor:

1. Open the system registry of the device on which Administration Server is installed (for example, locally, using the regedit command in the Start → Run menu).
2. Go to the following hive:
   • For 32-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

   • For 64-bit systems:

     HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1093\1.0.0.0\ServerFlags

3. Create keys:
   • Create the key KLSRV_EVP_FIM_PERIOD_SEC to specify the time period for counting the number of processed events. Specify the following settings:
     1. Specify KLSRV_EVP_FIM_PERIOD_SEC as the key name.
     2. Specify DWORD as the key type.
     3. Specify a range of values for the time interval from 43 200 to 172 800 seconds. By default, the time interval is 86 400 seconds.
   • Create the key KLSRV_EVP_FIM_LIMIT to limit the number of received events for the specified time interval. Specify the following settings:
     1. Specify KLSRV_EVP_FIM_LIMIT as the key name.
     2. Specify DWORD as the key type.
     3. Specify a range of values for received events from 2 000 to 50 000. The default number of events is 20 000.
   • Create the key KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC to count events with accuracy up to a specific time interval. Specify the following settings:
     1. Specify KLSRV_EVP_FIM_PERIOD_ACCURACY_SEC as the key name.
     2. Specify DWORD as the key type.
     3. Specify a range of values from 120 to 600 seconds. The default time interval is 300 seconds.
   • Create the key KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC so that, after the specified amount of time, the application can check whether the number of events processed over the time interval is turning out to be less than the specified limit. This check is performed upon reaching the limit for receiving events. If this condition is met, the application resumes saving events to the database. Specify the following settings:
     1. Specify KLSRV_EVP_FIM_OVERFLOW_LATENCY_SEC as the key name.
     2. Specify DWORD as the key type.
     3. Specify a range of values from 600 to 3 600 seconds. The default time interval is 1 800 seconds.

   If the keys are not created, the default values are used.

4. Restart the Administration Server service.

The limits on receiving events from the File Integrity Monitor component will be configured. You can view the results of the File Integrity Monitor component in the reports named Top 10 rules of File Integrity Monitor / System Integrity Monitoring that were triggered on devices most frequently and Top 10 devices with File Integrity Monitor / System Integrity Monitoring rules most frequently triggered.