Application components integrity check

Kaspersky Endpoint Security contains many various binary modules in the form of dynamic linked libraries, executable files, configuration files, and interface files. Intruders can replace one or more application executable modules or files with other files containing malicious code. To prevent the replacement of modules and files, Kaspersky Endpoint Security can check integrity of the application components. The application checks modules and files for unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

Integrity check is performed for the following application components:

• Application package
• Graphical user interface package
• Kaspersky Security Center Network Agent package
• Kaspersky Endpoint Security administration plug-in

The application checks integrity of the files in the special lists called manifest files. Each application component has its own manifest file (integrity_check_manifest.xml) that contains a list of application files whose integrity is important for correct operation of this application component. The name of the manifest file is the same for each component, but the content of the manifest files differs. The manifest files are digitally signed and their integrity is checked as well.

The integrity check of the application components is performed using the integrity_check_tool utility.

The integrity check utility must be run under the account with root privileges.

To check integrity, you can use either the utility installed with the application or the utility distributed on a certified CD.

It is recommended to run the integrity check utility from a certified CD to ensure integrity of the utility. When running the utility from the CD, specify the full path to the manifest file.

The integrity check utility installed with the application is located at the following paths:

• To check the application package, graphical user interface package and the Network Agent – /opt/kaspersky/kesl/bin/integrity_check_tool.
• To check Kaspersky Endpoint Security administration plug-in – the directory where the executable modules (DLL) of the administration plug-in are located:
  • C:\Program Files\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_check_tool.exe – for 32-bit operating systems.
  • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Plugins\<plug-in version>.linux.plg\integrity_check_tool.exe – for 64-bit operating systems.

The manifest files are located at the following paths:

• /opt/kaspersky/kesl/bin/integrity_check.xml – to check integrity of the application package.
• /opt/kaspersky/kesl/bin/gui_integrity_check.xml – to check integrity of the graphical user interface package.
• /opt/kaspersky/klnagent/bin/integrity_check.xml – to check the Network Agent in 32-bit operating systems.
• /opt/kaspersky/klnagent64/bin/integrity_check.xml – to check the Network Agent in 64-bit operating systems.

To check integrity of the application components, run the following command:

integrity_check_tool -v[|--verify] -m[|--manifest] <path to the manifest file>

By default, the path to the integrity_check.xml file is used. This file is located in the directory from which the integrity check utility is run.

You can run the utility with the following optional settings:

• -V, --verbose – display detailed information about performed actions and their results. If you do not specify this setting, only errors, objects that did not pass the check, and scan statistics summary will be displayed.
• -L, --log-file <file>, where <file> – the name of the file used for logging events that occur during integrity check. By default, events are passed to the standard stdout stream.
• -l, --log-level <0-1000>, where <0-1000> is the level of event output details. The default level of detail is 0.

You can view description of all available integrity check utility settings in the help on the utility options by running the integrity_check_tool -h [--help] command.

The result of checking the manifest files is displayed as follows:

• SUCCEEDED — integrity of the files has been confirmed (return code 0).
• FAILED – integrity of the files has not been confirmed (return code is not 0).

If violation of integrity of the application, graphical user interface, or the Network Agent is detected when the application starts, Kaspersky Endpoint Security registers the IntegrityCheckFailed event in the event log and in Kaspersky Security Center.