Kaspersky Embedded Systems Security 3.x

Creating and configuring a file operations monitoring rule

October 25, 2023

ID 149514

To create and configure a file operations monitoring rule using the Application Console:

  1. In the Application Console tree, expand the System Inspection node.
  2. Select the File Integrity Monitor child node.
  3. Click the File Integrity Monitor link in the results pane of the File operations monitoring rules node.

    The File operations monitoring rules window appears.

  4. Specify the path for the file operations monitoring scope in one of the following ways:
    • If you want to select a folder or drive through the standard Microsoft Windows dialog:
      1. On the left side of the window, click the Browse button.

        The standard Microsoft Windows Browse for folder window appears.

      2. Select the folder whose file operations you want to monitor.
      3. Click the OK button.
    • If you want to specify a monitoring scope manually, add a path using a supported mask:
      • <*.ext> — all files with the extension <ext>, regardless of their location
      • <*\name.ext> — all files with name <name> and extension <ext>, regardless of their location
      • <\dir\*> — all files in folder <\dir>
      • <\dir\*\name.ext> — all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders

    When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Embedded Systems Security for Windows will not add the specified monitoring scope.

  5. Click the Add button.

    The monitoring scope will be displayed in the list on the left of the File operations monitoring rules window.

  6. If necessary, specify trusted users:
    1. On the Trusted users tab, click the Add button.

      The standard Microsoft Windows Select users or groups window opens.

    2. Select users or user groups that will be allowed to perform operations on files in the selected monitoring scope.
    3. Click the OK button.

    By default, Kaspersky Embedded Systems Security for Windows treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

  7. On the Set file operations markers tab, if necessary, specify the file operation markers that you want to monitor:
    1. Select the Detect file operations based on the following markers option.
    2. In the list of available file operations, select the check boxes next to the operations you want to monitor.

    By default, Kaspersky Embedded Systems Security for Windows detects all file operation markers. The Detect file operations based on all recognizable markers option is selected.

  8. If you want the application to block all file operations for the selected monitoring scope, select the Detect and block all file operations in the selected area check box.
  9. If you want the application to calculate the checksum of a file after it has been modified:
    1. In the Checksum calculation block, select the Calculate checksum for a file final version, after the file was changed, if possible check box. The checksum will be available for viewing in the task log.
    2. In the Calculate the checksum using the algorithm drop-down list, select one of the options:
      • MD5 hash
      • SHA256 hash.
  10. If necessary, add folders or drives to exclude file operations from monitoring:
    1. On the Set exclusions tab, select the Consider excluded monitoring scope check box.
    2. Click the Browse button.

      The standard Microsoft Windows Browse for folder window appears.

    3. Select a folder or drive.
    4. Click the OK button.
    5. Click the Add button.

    The specified folder or drive will be displayed in the list of exclusions.

    You can also add file operations monitoring scope exclusions manually using the same masks that are used to specify file operations monitoring scopes.

  11. Click the Save button.
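
The mask rules from step 4, which also apply to the exclusions in step 10, can be checked before a scope is typed into the console. The following Python example is added here and is not Kaspersky code; the function names, the sample paths, and the literal reading of each mask (for example, that <\dir\*> covers only files directly in the folder, and that the volume letter limits the scope to that volume) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Added example, not Kaspersky code. The matching below is an assumed literal
# reading of the four masks listed in step 4; the product may match differently.
SCOPE_RE = re.compile(r"^([A-Za-z]):\\(.+)$")  # <volume letter>:\<mask>

def classify(scope):
    """Return (volume, kind, parts); raise ValueError if the scope is malformed."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(f"no volume letter, scope would not be added: {scope!r}")
    vol, parts = m.group(1).upper(), m.group(2).split("\\")
    stars = [i for i, part in enumerate(parts) if "*" in part]
    if "" in parts:
        raise ValueError(f"empty path component: {scope!r}")
    if len(parts) == 1 and re.fullmatch(r"\*\.[^*]+", parts[0]):
        return vol, "ext", parts            # *.ext
    if len(parts) == 2 and parts[0] == "*" and stars == [0]:
        return vol, "name", parts           # *\name.ext
    if len(parts) >= 2 and parts[-1] == "*" and stars == [len(parts) - 1]:
        return vol, "dir", parts            # \dir\*
    if len(parts) >= 3 and parts[-2] == "*" and stars == [len(parts) - 2]:
        return vol, "tree", parts           # \dir\*\name.ext
    raise ValueError(f"not one of the four listed masks: {scope!r}")

def in_scope(scope, file_path):
    """True if file_path falls under scope (Windows paths, case-insensitive)."""
    vol, kind, parts = classify(scope)
    p = PureWindowsPath(file_path)
    if p.drive.upper() != vol + ":":
        return False
    dirs = [d.lower() for d in p.parts[1:-1]]   # folders between root and file
    name = p.name.lower()
    if kind == "ext":
        return name.endswith(parts[0][1:].lower())
    if kind == "name":
        return name == parts[1].lower()
    if kind == "dir":                            # files directly in the folder
        return dirs == [d.lower() for d in parts[:-1]]
    base = [d.lower() for d in parts[:-2]]       # folder and all child folders
    return dirs[:len(base)] == base and name == parts[-1].lower()

if __name__ == "__main__":
    # Constructed sample scopes and paths, for illustration only.
    for scope in (r"C:\Config\*", r"C:\Config\*\app.ini", r"\Config\*"):
        try:
            print(scope, "->", classify(scope)[1],
                  in_scope(scope, r"C:\Config\sub\app.ini"))
        except ValueError as err:
            print("rejected:", err)
```

Running the same check over a planned exclusion list shows which monitored files an exclusion mask would take out of scope before the rule is saved.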

See also

Export and import of file operations monitoring rules
