Integrity Monitoring

The Kaspersky Security functionality described in this section is available only if you are using the application under an enterprise license and the application is installed on a virtual machine with a Windows server operating system and an NTFS or FAT32 file system.

The Integrity Monitoring component can track changes in a Windows operating system installed on the protected virtual machine. You can monitor the following objects:

• Files and registry. The Integrity Monitoring component tracks changes made to the registry and files included in the monitoring scope.
• External drives. The Integrity Monitoring component tracks the connection of the following types of external devices:
  • Disk drives for hard drives.
  • Disk drives for optical drives (CD/DVD/Blu-ray).
  • USB devices.
  • Cameras and scanners.
  • External network adapters.

The Integrity Monitoring component can operate in real time, and can run an integrity check by schedule or on demand.

When operating in real time, Integrity Monitoring lets you track changes to monitored objects that you have included in the Integrity Monitoring scope.

An integrity check by schedule or on demand is performed by using the integrity check task. An integrity check is performed by comparing the current state of objects included in the integrity check scope with the state of objects that were previously registered in the form of a system snapshot baseline.

You can run an integrity check in one of the following modes:

• Full Scan All attributes of files and their contents are analyzed when checking for modifications in files.
• Quick Scan. Only the attributes of files are analyzed when checking for modifications in files; file contents are not checked.

Registry modifications and connection of external devices are monitored in any mode according to the defined integrity check scope.

A system state snapshot (baseline) is taken on a virtual machine as a result of running the baseline update task. When a baseline is created or updated, the state of objects included in the integrity check scope is recorded.

You can update the baseline in one of the following modes:

• Full update – for all objects in the scan scope.
• Incremental update – only for modified or new objects from the scan scope.

Integrity Monitoring component settings are defined in the Light Agent for Windows policy or in the local interface of Light Agent for Windows. You can enable or disable the Real-Time Integrity Monitoring component, and configure the following settings:

• Real-Time Integrity Monitoring scope:
  • List of objects that must be monitored by the Real-Time Integrity Monitoring component.
  • List of Integrity Monitoring rules that govern how the component tracks changes in files and the registry. You can create rules and use predefined rules from templates that are part of the application distribution kit.
• Integrity Check scope. By default, the integrity check scope matches the integrity monitoring scope. You can define a separate scope for a scheduled integrity check and an on-demand integrity check. This scope is also used for the baseline update task:
  • List of objects whose state needs to be checked. The state of these objects is recorded in the baseline.
  • List of Integrity Monitoring rules that govern how the component checks for changes in files and the registry. The baseline records the state of files and folders, as well as registry keys defined in the rules. You can create rules and use predefined rules from templates that are part of the application distribution kit.

  If the integrity check scope is not defined, the integrity monitoring scope is used for the integrity check task and the baseline update task.

• The importance level for events that are generated by the Integrity Monitoring component when it detects system changes in real time, and as a result of the integrity check task.

You can view information about the operating results of the Integrity Monitoring component in Kaspersky Security Center and in the local interface of Light Agent for Windows.

In this Help section Enabling and disabling Real-Time Integrity Monitoring Configuring the integrity monitoring scope and the integrity check scope Creating and updating the baseline Checking system integrity by schedule or on demand Viewing information about system integrity on a virtual machine System integrity status reset

Page top