System Integrity Monitoring

January 10, 2024

ID 132947

The Kaspersky Security functionality described in this section is available only if you are using the application under an enterprise license and the application is installed on a virtual machine with a Windows server operating system and an NTFS or FAT32 file system.

The System Integrity Monitoring component can track changes in a Windows operating system installed on the protected virtual machine. You can monitor the following objects:

  • Files and registry. The System Integrity Monitoring component tracks changes made to the registry and files included in the monitoring scope.
  • External devices. The System Integrity Monitoring component tracks the connection of the following types of external devices:
    • Hard disk drives.
    • Optical drives (CD/DVD/Blu-ray).
    • USB devices.
    • Cameras and scanners.
    • External network adapters.

The System Integrity Monitoring component can operate in real time, and can run a System Integrity Check by schedule or on demand.

When operating in real time, System Integrity Monitoring lets you track changes to monitored objects that you have included in the System Integrity Monitoring scope.

A system integrity check by schedule or on demand is performed by using the system integrity check task. A system integrity check is performed by comparing the current state of objects included in the system integrity check scope with the state of objects that were previously registered in the form of a system baseline.

You can run a System Integrity Check in one of the following modes:

  • Full Scan. All attributes of files and their contents are analyzed when checking for modifications in files.
  • Quick Scan. Only the attributes of files are analyzed when checking for modifications in files; file contents are not checked.

Registry modifications and connection of external devices are monitored in any mode according to the defined System Integrity Check scope.

A system state snapshot (baseline) is taken on a virtual machine as a result of running the baseline update task. When a baseline is created or updated, the state of objects included in the System Integrity Check scope is recorded.

You can update the baseline in one of the following modes:

  • Full update – for all objects in the scan scope.
  • Incremental update – only for modified or new objects from the scan scope.
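The baseline and check cycle described above, as an added PowerShell example that is not Kaspersky code and is not part of this page: it records a baseline for a small file and registry scope, runs a check in Full mode (attributes plus SHA-256 of contents) or Quick mode (attributes only), and updates the baseline in Full or Incremental mode. The scope paths, the baseline location under ProgramData, and the rule that Incremental mode re-reads only objects whose attribute fingerprint changed are all assumptions made for the illustration, not the product's own behaviour.

```powershell
# Added example, not Kaspersky code: a minimal baseline-and-check loop for files and
# registry keys, showing what Full/Quick checks and Full/Incremental baseline updates
# mean in practice. Scope paths and the baseline location are assumptions.
$BaselinePath = Join-Path $env:ProgramData 'sim-demo\baseline.json'      # assumed location
$FileScope    = @('C:\Windows\System32\drivers\etc\hosts')                # assumed file scope
$RegScope     = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')  # assumed registry scope

function Get-FileState {
    param([string]$Path, [switch]$WithContent)
    $item  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $state = [ordered]@{
        Kind       = 'File'
        Path       = $Path
        Size       = $item.Length
        LastWrite  = $item.LastWriteTimeUtc.ToString('o')
        Attributes = $item.Attributes.ToString()
    }
    # Full Scan reads and hashes the contents; Quick Scan stops at the attributes.
    if ($WithContent) {
        $state.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return $state
}

function Get-RegistryState {
    param([string]$KeyPath)
    # A key's record is its value names and data; it is the same in either check mode.
    $key    = Get-Item -LiteralPath $KeyPath -ErrorAction Stop
    $values = [ordered]@{}
    foreach ($name in ($key.GetValueNames() | Sort-Object)) {
        $values[$name] = [string]$key.GetValue($name)
    }
    return [ordered]@{ Kind = 'Registry'; Path = $KeyPath; Values = $values }
}

function Get-Fingerprint {
    param([string]$Path, [switch]$WithContent)
    # Canonical JSON of an object's state; equal strings mean "unchanged".
    if ($Path -like 'HK*:\*') { $state = Get-RegistryState $Path } else { $state = Get-FileState $Path -WithContent:$WithContent }
    return ConvertTo-Json -InputObject $state -Compress -Depth 5
}

function Read-Baseline {
    # Returns @{ path = @{ Quick = <json>; Full = <json> } }; empty before the first update.
    $baseline = @{}
    if (Test-Path -LiteralPath $BaselinePath) {
        $json = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
        foreach ($p in $json.PSObject.Properties) { $baseline[$p.Name] = $p.Value }
    }
    return $baseline
}

function Update-Baseline {
    param([ValidateSet('Full','Incremental')][string]$Mode = 'Full')
    $old = Read-Baseline
    $new = [ordered]@{}
    foreach ($path in ($FileScope + $RegScope)) {
        if (-not (Test-Path -LiteralPath $path)) { continue }          # deleted objects drop out
        # Incremental (assumed rule): keep the old record when the attribute fingerprint is unchanged.
        if ($Mode -eq 'Incremental' -and $old.ContainsKey($path) -and ((Get-Fingerprint $path) -eq $old[$path].Quick)) {
            $new[$path] = $old[$path]
            continue
        }
        $new[$path] = [ordered]@{ Quick = (Get-Fingerprint $path); Full = (Get-Fingerprint $path -WithContent) }
    }
    New-Item -ItemType Directory -Force -Path (Split-Path -Parent $BaselinePath) | Out-Null
    ConvertTo-Json -InputObject $new -Depth 5 | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
}

function Test-SystemIntegrity {
    param([ValidateSet('Full','Quick')][string]$Mode = 'Full')
    $baseline = Read-Baseline
    $events   = @()
    foreach ($path in ($FileScope + $RegScope)) {
        $exists = Test-Path -LiteralPath $path
        if (-not $baseline.ContainsKey($path)) {
            if ($exists) { $events += "ADDED    $path" }            # in scope, not yet baselined
            continue
        }
        if (-not $exists) { $events += "DELETED  $path"; continue }
        $now = Get-Fingerprint $path -WithContent:($Mode -eq 'Full')
        if ($now -ne $baseline[$path].$Mode) { $events += "MODIFIED $path" }
    }
    return $events
}

# Usage (elevated PowerShell on the VM, so the key is readable and ProgramData writable):
#   Update-Baseline -Mode Full           # record the reference state
#   Test-SystemIntegrity -Mode Quick     # attributes only
#   Test-SystemIntegrity -Mode Full      # attributes plus SHA-256 of contents
#   Update-Baseline -Mode Incremental    # re-read only new or attribute-changed objects
```

The practical difference between the two check modes shows up with a file whose contents were changed but whose size and last-write time were restored afterwards: the Quick fingerprint still matches and only the Full check reports it. Because the Incremental update above keys on the attribute fingerprint, such a change is not absorbed into the baseline either; the old hash stays and the next Full check flags it, which is the behaviour a defender wants from an incremental update.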

The System Integrity Monitoring component settings are defined in the Light Agent for Windows policy or in the local interface of Light Agent for Windows. You can enable or disable the Real-Time System Integrity Monitoring component, and configure the following settings:

  • Real-Time System Integrity Monitoring scope:
    • List of objects that must be monitored by the Real-Time System Integrity Monitoring component.
    • List of System Integrity Monitoring rules that govern how the component tracks changes in files and the registry. You can create rules and use predefined rules from templates that are part of the application distribution kit.
  • System Integrity Check scope. By default, the System Integrity Check scope matches the system integrity monitoring scope. You can define a separate scope for a scheduled System Integrity Check and an on-demand System Integrity Check. This scope is also used for the baseline update task:
    • List of objects whose state needs to be checked. The state of these objects is recorded in the baseline.
    • List of System Integrity Monitoring rules that govern how the component checks for changes in files and the registry. The baseline records the state of files and folders, as well as registry keys defined in the rules. You can create rules and use predefined rules from templates that are part of the application distribution kit.

    If the System Integrity Check scope is not defined, the System Integrity Monitoring scope is used for the System Integrity Check task and the baseline update task.

  • The importance level for events that are generated by the System Integrity Monitoring component when it detects system changes in real time, and as a result of the System Integrity Check task.

You can view information about the operating results of the System Integrity Monitoring component in Kaspersky Security Center and in the local interface of Light Agent for Windows.

In this Help section

Enabling and disabling Real-Time System Integrity Monitoring

Configuring the system integrity monitoring scope and the System Integrity Check scope

Creating and updating the baseline

Checking system integrity by schedule or on demand

Viewing information about system integrity on a virtual machine

System integrity status reset
