Kaspersky Security 11.x for Windows Server

About file operation monitoring rules

June 10, 2022

ID 146697

The File Integrity Monitor task works according to file operation monitoring rules. Rule triggering criteria define which file operations make a rule trigger, so that the task records an event in the task log, and which importance level (Critical, Warning, or Informational) that event receives.

A file operation monitoring rule is specified for each monitoring scope.

You can configure the following rule triggering criteria:

  • Trusted users.
  • File operation markers.

Trusted users

By default the trusted user list is empty, so the application treats every detected file operation as a potential security breach. Adding accounts to the trusted user list in the file operation monitoring rule settings is what lowers the importance level of the events their operations generate.

Untrusted user – any user not included in the trusted user list of the monitoring scope rule. If Kaspersky Security for Windows Server detects a file operation performed by an untrusted user, the File Integrity Monitor task records a Critical event in the task log.

Trusted user – a user or group of users authorized to perform file operations in the specified monitoring scope. If Kaspersky Security for Windows Server detects a file operation performed by a trusted user, the File Integrity Monitor task records an Informational event in the task log. Trust attaches to the account, not to the program: any process running under a trusted account, including a compromised deployment or backup service, produces only Informational events. Keep the list short and review those events rather than filtering them out.

Unknown user – the status assigned when Kaspersky Security for Windows Server cannot obtain the identity of the account that performed the operation, because the task was interrupted or the data synchronization driver or the USN Journal failed. Operations performed during a monitoring interruption are always attributed to an unknown user. If Kaspersky Security for Windows Server detects a file operation performed by an unknown user, the File Integrity Monitor task records a Warning event in the task log.

File operation markers

When the File Integrity Monitor task runs, Kaspersky Security for Windows Server uses file operation markers to determine which action was performed on a file.

A file operation marker is a unique descriptor of one kind of action on a file. The marker IDs listed in the table below correspond to the change-reason flags that NTFS and ReFS record in the USN Journal, which is the source the task reads.

A file operation may consist of a single action or a chain of actions (for example, creating a file, extending it, and closing it). Each action in the chain corresponds to one marker. If any marker selected as a rule triggering criterion appears in the chain, the application logs one event stating that the file operation was performed.

The importance level of the logged event is determined only by the status of the user who performed the operation; it does not depend on which markers matched or on how many of them matched.

By default, Kaspersky Security for Windows Server considers all available file operation markers. You can narrow the selection manually in the task's rule settings. Do so with care, because a narrowed rule is blind to every action outside the selection. For example, a rule that selects only DATA_OVERWRITE does not fire when a tool replaces a file by writing a new copy and renaming it over the original, since the original's data is never overwritten; that replacement is reported as FILE_CREATE, RENAME_NEW_NAME and FILE_DELETE instead.

File operation markers

File operation ID        File operation marker                                                          Supported file systems
BASIC_INFO_CHANGE        Attributes or timestamps of a file or folder changed                           NTFS, ReFS
COMPRESSION_CHANGE       Compression of a file or folder changed                                        NTFS, ReFS
DATA_EXTEND              Size of a file or folder increased                                             NTFS, ReFS
DATA_OVERWRITE           Data in a file or folder was overwritten                                       NTFS, ReFS
DATA_TRUNCATION          File or folder truncated                                                       NTFS, ReFS
EA_CHANGE                Extended attributes of a file or folder changed                                Only NTFS
ENCRYPTION_CHANGE        Encryption status of a file or folder changed                                  NTFS, ReFS
FILE_CREATE              File or folder created for the first time                                      NTFS, ReFS
FILE_DELETE              File or folder deleted bypassing the Recycle Bin (for example with SHIFT+DEL,  NTFS, ReFS
                         from a command line, or by a service)
HARD_LINK_CHANGE         Hard link created or deleted for a file or folder                              Only NTFS
INDEXABLE_CHANGE         Index status of a file or folder changed                                       NTFS, ReFS
INTEGRITY_CHANGE         Integrity attribute changed for a named file stream                            Only ReFS
NAMED_DATA_EXTEND        Size of a named file stream increased                                          NTFS, ReFS
NAMED_DATA_OVERWRITE     Named file stream overwritten                                                  NTFS, ReFS
NAMED_DATA_TRUNCATION    Named file stream truncated                                                    NTFS, ReFS
OBJECT_ID_CHANGE         File or folder identifier changed                                              NTFS, ReFS
RENAME_NEW_NAME          New name assigned to a file or folder                                          NTFS, ReFS
REPARSE_POINT_CHANGE     New reparse point created, or existing reparse point changed, for a file       NTFS, ReFS
                         or folder
SECURITY_CHANGE          Access rights of a file or folder changed                                      NTFS, ReFS
STREAM_CHANGE            New named file stream created, or existing named file stream changed           NTFS, ReFS
TRANSACTED_CHANGE        Named file stream changed by a TxF (Transactional NTFS) transaction            Only NTFS

Moving a file to the Recycle Bin is a rename within the same volume, so it is reported as RENAME_NEW_NAME rather than FILE_DELETE. To catch deletions by interactive users as well as by scripts and services, keep both markers selected.
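To make the two criteria concrete, the following is an added example that models how a rule turns a journal record into a task-log event. It is not Kaspersky code. It assumes that the marker IDs map one-to-one onto the Windows USN Journal change-reason flags (USN_REASON_* in winioctl.h, whose bit values are documented), that a monitoring scope is a folder matched by case-insensitive path prefix, and that user status is resolved before evaluation; the records at the bottom are constructed sample input.

```python
"""Rule evaluation model for File Integrity Monitor events.

Added example, not Kaspersky code. Assumptions: marker IDs are the Windows
USN Journal change-reason flags (USN_REASON_* in winioctl.h); a scope is a
folder matched by case-insensitive path prefix; sample records below are
constructed, not real journal data.
"""
from dataclasses import dataclass
from typing import Optional

# USN_REASON_* flag values from the Windows SDK. Keys are the File operation
# IDs from the table, plus two flags that are not rule markers.
USN_REASON = {
    "DATA_OVERWRITE":        0x00000001,
    "DATA_EXTEND":           0x00000002,
    "DATA_TRUNCATION":       0x00000004,
    "NAMED_DATA_OVERWRITE":  0x00000010,
    "NAMED_DATA_EXTEND":     0x00000020,
    "NAMED_DATA_TRUNCATION": 0x00000040,
    "FILE_CREATE":           0x00000100,
    "FILE_DELETE":           0x00000200,
    "EA_CHANGE":             0x00000400,
    "SECURITY_CHANGE":       0x00000800,
    "RENAME_OLD_NAME":       0x00001000,  # not a marker in the table
    "RENAME_NEW_NAME":       0x00002000,
    "INDEXABLE_CHANGE":      0x00004000,
    "BASIC_INFO_CHANGE":     0x00008000,
    "HARD_LINK_CHANGE":      0x00010000,
    "COMPRESSION_CHANGE":    0x00020000,
    "ENCRYPTION_CHANGE":     0x00040000,
    "OBJECT_ID_CHANGE":      0x00080000,
    "REPARSE_POINT_CHANGE":  0x00100000,
    "STREAM_CHANGE":         0x00200000,
    "TRANSACTED_CHANGE":     0x00400000,
    "INTEGRITY_CHANGE":      0x00800000,
    "CLOSE":                 0x80000000,  # handle closed: ends the chain, not a marker
}
NOT_MARKERS = {"RENAME_OLD_NAME", "CLOSE"}
ALL_MARKERS = frozenset(k for k in USN_REASON if k not in NOT_MARKERS)


def decode_reason(reason: int) -> frozenset:
    """Split a USN record's Reason bitmask into the names of its chain of actions."""
    return frozenset(name for name, bit in USN_REASON.items() if reason & bit)


@dataclass(frozen=True)
class Rule:
    scope: str                              # monitored folder (assumed prefix match)
    trusted_users: frozenset = frozenset()  # empty by default, as on the page
    markers: frozenset = ALL_MARKERS        # all markers by default


@dataclass(frozen=True)
class UsnRecord:
    path: str
    reason: int
    user: Optional[str]  # None when the account could not be resolved


def evaluate(rule: Rule, rec: UsnRecord) -> Optional[tuple]:
    """Return (importance, matched markers), or None if the rule does not trigger.

    Importance depends only on the user status, never on which or how many
    markers matched, which is the page's rule.
    """
    if not rec.path.lower().startswith(rule.scope.lower()):
        return None                       # outside this rule's scope
    matched = decode_reason(rec.reason) & rule.markers
    if not matched:
        return None                       # no selected marker in the chain
    if rec.user is None:
        importance = "Warning"            # unknown user
    elif rec.user in rule.trusted_users:
        importance = "Informational"      # trusted user
    else:
        importance = "Critical"           # untrusted user
    return importance, matched


# Constructed sample records. The Recycle Bin case is the RENAME_NEW_NAME
# record written when a file is moved to $Recycle.Bin on the same volume;
# no FILE_DELETE is produced for it.
SCOPE = r"C:\inetpub\wwwroot"
RULE = Rule(SCOPE, trusted_users=frozenset({r"CORP\svc-deploy"}))
DELETE_ONLY = Rule(SCOPE, markers=frozenset({"FILE_DELETE"}))
SAMPLES = [
    UsnRecord(SCOPE + r"\web.config", 0x80000001, r"CORP\jdoe"),        # overwrite + close
    UsnRecord(SCOPE + r"\web.config", 0x80000001, r"CORP\svc-deploy"),  # same, trusted user
    UsnRecord(SCOPE + r"\bin\app.dll", 0x80000200, None),               # delete, user unknown
    UsnRecord(SCOPE + r"\index.html", 0x80002000, r"CORP\jdoe"),        # moved to Recycle Bin
    UsnRecord(r"C:\Temp\scratch.txt", 0x80000001, r"CORP\jdoe"),        # outside the scope
]


def run_samples(rule: Rule = RULE):
    """Evaluate every sample record against one rule."""
    return [evaluate(rule, rec) for rec in SAMPLES]


if __name__ == "__main__":
    for rec, result in zip(SAMPLES, run_samples()):
        print(f"{rec.path:<40} {rec.user!s:<18} {result}")
```

Running it shows the same overwrite logged as Critical for CORP\jdoe and Informational for the trusted CORP\svc-deploy, the unresolved delete as Warning, and the Recycle Bin move as a rename. Evaluating the same samples with DELETE_ONLY shows the blind spot of a narrowed rule: the Recycle Bin move no longer triggers anything.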
