Kaspersky Security 11.x for Windows Server

About the File Integrity Monitor task

May 25, 2022

ID 146696

The File Integrity Monitor task is designed to track actions performed with the specified files and folders in the monitoring scopes specified in the task settings. You can use the task to detect file changes that may indicate a security breach on the protected device. You can also configure file changes to be tracked during periods in which monitoring is interrupted.

A monitoring interruption occurs when the monitoring scope temporarily falls outside the scope of the task, e.g. if the task is stopped or if an external device is not physically present on a protected device. Kaspersky Security for Windows Server reports detected file operations in the monitoring scope as soon as an external device is reconnected.

If the tasks stops running in the specified monitoring scope due to a reinstallation of the File Integrity Monitor component, this does not constitute a monitoring interruption. In this case, the File Integrity Monitor task is not run.

Requirements on the environment

To start the File Integrity Monitor task, the following conditions must be satisfied:

  • ReFS or NTFS file systems must be used on the protected device.
  • The Windows USN Journal must be enabled. The component queries this journal to receive information about file operations.

    If you enable USN Journal after a rule has been created for a volume and the File Integrity Monitor task has been started, the task must be restarted. If not, the rule will not be applied during monitoring.

Excluded monitoring scopes

You can create excluded monitoring scopes. Exclusions are specified for each separate rule and work only for the indicated monitoring scope. You can specify an unlimited number of exclusions for each rule.

Exclusions have higher priority than the monitoring scope and are not monitored by the task, even if an indicated folder or file is in the monitoring scope. If the settings for one of the rules specify a monitoring scope at a lower level than a folder specified in exclusions, the monitoring scope is not considered when the task is run.

To specify exclusions, you can use the same masks that are used to specify monitoring scopes.

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.