Kaspersky Security 11.x for Windows Server

Configuring monitoring rules

June 10, 2022

ID 146698

To add a monitoring scope, perform the following steps:

  1. Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
  2. Select the administration group for which you want to configure application settings.
  3. Perform one of the following actions in the details pane of the selected administration group:
    • To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
    • To configure the application for a single protected device, select the Devices tab and open the Application settings window.

      If an active Kaspersky Security Center policy is applied to a device and blocks changes to application settings, then these settings cannot be edited in the Application settings window.

  4. In the System inspection section in the File Integrity Monitor subsection, click the Settings button.

    The File Integrity Monitor window opens.

  5. In the Monitoring scope section, click the Add button.

    The File operations monitoring rule window opens.

  6. Add a monitoring scope in one of the following ways:
    • If you want to select folders through the standard Microsoft Windows dialog:
      1. Click the Browse button.

        The standard Microsoft Windows Browse For Folder window opens.

      2. In the window that opens, select the folder for which you want to monitor operations, and click the OK button.
    • If you want to specify a monitoring scope manually, add a path using a supported mask:
      • <*.ext> - all files with the extension <ext>, regardless of their location;
      • <*\name.ext> - all files with name <name> and extension <ext>, regardless of their location;
      • <\dir\*> - all files in folder <\dir>;
      • <\dir\*\name.ext> - all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders.

    When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Security for Windows Server will not add the specified monitoring scope.

  7. In the Trusted users tab, click the Add button.

    The standard Microsoft Windows Select Users or Groups window opens.

  8. Select the users or groups of users for whom file operations are allowed in the selected monitoring scope, and click the OK button.

    By default, Kaspersky Security for Windows Server treats all users not on the trusted user list as untrusted, and generates Critical events for them.

  9. Select the File operation markers tab.
  10. If required, perform the following actions to select several markers:
    1. Select the Detect file operations basing on the following markers option.
    2. In the list of available file operations select the check boxes next to the operations you want to monitor.

    By default, Kaspersky Security for Windows Server detects all file operation markers: the Detect file operations basing on all recognizable markers option is selected.

  11. If you want Kaspersky Security for Windows Server to calculate a file checksum after an operation is performed, do the following:
    1. Select the "Calculate checksum for the file if possible. The checksum will be available for viewing in the task report" check box.
    2. In the Checksum type drop-down list, select one of the options:
      • MD5 hash
      • SHA256 hash
  12. If you do not want to monitor all file operations in the list of available file operations, select the check boxes next to the operations you want to monitor.
  13. If necessary, add excluded monitoring scopes by performing the following steps:
    1. Select the Exclusions tab.
    2. Select the Exclude the following folders from control check box.
    3. Click the Add button.

      The Select folder to add window opens.

    4. In the window that opens, specify the folder that you want to exclude from the monitoring scope.
    5. Click OK.

      The specified folder is added to the list of excluded scopes.

  14. Click OK in the File operations monitoring rule window.

    The specified rule settings will be applied to the selected monitoring scope of the File Integrity Monitor task.
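
A pre-check for manually typed scopes from step 6, as an added example that is not Kaspersky code: it applies the <volume letter>:\<mask> rule and the four listed mask forms to a constructed list of entries. The function names and the "review" status are assumptions of this example, and the product's own parser may accept more than these forms.

```python
import re

# Added example: interprets the mask list in step 6; not the product's own parser.
SEG = r'[^\\/:*?"<>|]+'            # one path segment without wildcards
DIR = rf'{SEG}(?:\\{SEG})*'        # one or more segments joined by backslashes
MASK_FORMS = [                     # matched against the text after "<volume letter>:\"
    ("all files with the extension", re.compile(rf'\*\.{SEG}')),
    ("file name regardless of location", re.compile(rf'\*\\{SEG}')),
    ("all files in folder", re.compile(rf'{DIR}\\\*')),
    ("file name in folder and child folders", re.compile(rf'{DIR}\\\*\\{SEG}')),
]
VOLUME = re.compile(r'([A-Za-z]):\\(.*)')

def check_scope(entry):
    """Return (status, detail) for one manually typed monitoring scope."""
    m = VOLUME.fullmatch(entry.strip())
    if m is None:
        # Per the procedure, a scope without a volume letter is not added.
        return ("rejected", "does not start with <volume letter>:\\")
    for label, pattern in MASK_FORMS:
        if pattern.fullmatch(m.group(2)):
            return ("ok", label)
    # Has a volume letter but matches none of the listed forms: check by hand.
    return ("review", "not one of the four listed mask forms")

def check_scopes(entries):
    """Check every entry and return (entry, status, detail) tuples in order."""
    return [(e, *check_scope(e)) for e in entries]

# Constructed sample entries, not taken from any real policy.
SAMPLE_SCOPES = [
    r"C:\*.config",
    r"C:\*\hosts",
    r"C:\Windows\System32\*",
    r"D:\inetpub\*\web.config",
    r"\Windows\System32\*",        # volume letter missing
    r"C:\inetpub\wwwroot",         # no mask at all
]

if __name__ == "__main__":
    for entry, status, detail in check_scopes(SAMPLE_SCOPES):
        print(f"{status:8} {entry:28} {detail}")
```

Entries reported as rejected are the ones that would silently be left out of the monitoring scope, so they are worth fixing before the rule is saved.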
