Using the integrity check tool

March 5, 2024

ID 209025

Kaspersky Scan Engine contains many binary modules in the form of dynamic-link libraries, executable files, configuration files, and interface files. An attacker can replace one or more application executable modules or files with files containing malicious code. To guard against the replacement of modules and files, Kaspersky Scan Engine can check the integrity of application components.

The application checks modules and files for the presence of unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

The application also checks the integrity of the manifest file containing a list of application files whose integrity is critical for the correct operation of application components.

Starting from Kaspersky Scan Engine version 2.1, KAV SDK objects are delivered as a separate package. For this reason, there are two manifest files in Kaspersky Scan Engine:

  • integrity_check.xml is used to check the integrity of the Kaspersky Scan Engine files.
  • integrity_check_sdk.xml is used to check the integrity of the KAV SDK files. This file is delivered in the KAV SDK package.

The integrity of the application components is checked by using the integrity check tool located in the directory %service_dir%, where %service_dir% is the directory of Kaspersky Scan Engine.

The manifest files integrity_check.xml and integrity_check_sdk.xml (starting from Kaspersky Scan Engine version 2.1) are protected by the cryptographic signature of Kaspersky. The manifest files are located in the %service_dir% directory.

Root user account privileges are required to run the integrity check tool.

To check the integrity of application components, run the following command:

integrity_checker [options]

By default, the tool uses the integrity_check.xml file located in the directory %service_dir%.

To check the integrity of application components using the manifest file located in a directory other than the default one, run the following command:

integrity_checker [options] %path%

where %path% is the path to the manifest file.

You can run the integrity check tool with the following optional settings:

  • --help—display Help for tool settings.
  • --version—display tool version.
  • --verbose—expanded output of performed actions and results. If you specify this setting, the output will contain both successful and unsuccessful results of checking the objects listed in the manifest file. If you do not specify this setting, only objects that did not pass the check will be provided.
  • --trace <filename>, where <filename> is the name of the file used for logging events that occur during a scan. The events will be logged at the DEBUG level.

The result of checking each manifest file is displayed next to the name of the manifest file in the following format:

  • SUCCEEDED—integrity of the files is confirmed (return code 0).
  • FAILED—integrity of the files is not confirmed (return code is not 0).

If you build executable files for HTTP mode or ICAP mode from the source code, the integrity check tool will always return FAILED when checking %service_dir%/bin/kavhttpd and %service_dir%/bin/kavhttp_client (HTTP mode), or %service_dir%/bin/kavicapd (ICAP mode).
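A wrapper for scheduled checks, shown as an added example that is not part of the Kaspersky documentation: it passes each manifest file to integrity_checker explicitly and relies only on the documented return code (0 means SUCCEEDED). The SERVICE_DIR placeholder, the function names, and the --run switch of the wrapper are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. SERVICE_DIR is a placeholder (assumption):
# set it to your Kaspersky Scan Engine directory (%service_dir%).
SERVICE_DIR="${SERVICE_DIR:-/path/to/service_dir}"
CHECKER="${CHECKER:-$SERVICE_DIR/integrity_checker}"

# Check one manifest. Only the return code is interpreted:
# 0 = SUCCEEDED, anything else = FAILED.
kse_check_manifest() {
    manifest="$1"
    # A missing manifest or a missing tool counts as a failure, never as a pass.
    [ -f "$manifest" ] || { echo "FAILED (manifest missing): $manifest"; return 2; }
    command -v "$CHECKER" >/dev/null 2>&1 || { echo "FAILED (tool missing): $CHECKER"; return 2; }
    # --verbose also lists objects that passed, which is useful in a saved log.
    if "$CHECKER" --verbose "$manifest"; then
        echo "SUCCEEDED: $manifest"
    else
        rc=$?
        echo "FAILED (return code $rc): $manifest"
        return "$rc"
    fi
}

# Check both manifests; the return value is the number that failed.
# Note: on hosts where kavhttpd, kavhttp_client or kavicapd were built from
# source, the tool always reports FAILED for them, so this returns non-zero.
kse_check_all() {
    failed=0
    for name in integrity_check.xml integrity_check_sdk.xml; do
        kse_check_manifest "$SERVICE_DIR/$name" || failed=$((failed + 1))
    done
    return "$failed"
}

# Invoke with --run (for example from cron) to perform the check.
if [ "${1:-}" = "--run" ]; then
    # The integrity check tool requires root privileges.
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; exit 3; }
    kse_check_all
    exit $?
fi
```

Redirect the output to a log file and alert on a non-zero exit status of the wrapper.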
