On-demand File Integrity Monitoring
October 10, 2024
ID 209581
While the On-demand File Integrity Monitoring task is running, each object change is determined by comparing the current state of the monitored objects with the original state, which was previously established as a baseline.
You can create several ODFIM tasks.
Baseline
The baseline is established during the first run of the ODFIM task on the computer. For each ODFIM task, a separate baseline is created. The task is performed only if the baseline corresponds to the monitoring scope. If the baseline does not match the monitoring scope, Kaspersky Endpoint Security generates an event about file integrity violation.
You can rebuild a baseline for a task using the corresponding parameter. The baseline is rebuilt after an ODFIM task has finished. Also, a baseline is rebuilt when the parameters of a task change, for example, if a new monitoring scope is added. The baseline will be rebuilt during the next task run.
The ODFIM task creates storage for baselines on a computer that has the File Integrity Monitoring component installed. You can delete a baseline only if you delete the corresponding ODFIM task.
File Integrity Monitoring task settings
Setting | Description |
---|---|
Rebuild baseline on each task start | This check box enables or disables rebuilding of the system baseline each time the File Integrity Monitoring task is started. If the check box is selected, Kaspersky Endpoint Security rebuilds the system baseline each time the File Integrity Monitoring task is started. If the check box is cleared, Kaspersky Endpoint Security does not rebuild the system baseline each time the File Integrity Monitoring task is started. This check box is cleared by default. |
Use hash for monitoring (SHA-256) | This check box enables or disables use of the SHA-256 hash for the File Integrity Monitoring task. SHA-256 is a cryptographic hash function that produces a 256-bit hash value. The 256-bit hash value is represented as a sequence of 64 hexadecimal digits. If the check box is selected, Kaspersky Endpoint Security uses the SHA-256 hash for the File Integrity Monitoring task. If the check box is cleared, Kaspersky Endpoint Security does not use the SHA-256 hash for the File Integrity Monitoring task. This check box is cleared by default. |
Track directories in monitoring scopes | This check box enables or disables monitoring of the specified directories while the File Integrity Monitoring task is running. If the check box is selected, Kaspersky Endpoint Security monitors the specified directories while the File Integrity Monitoring task is running. If the check box is cleared, Kaspersky Endpoint Security does not monitor the specified directories while the File Integrity Monitoring task is running. This check box is cleared by default. |
Track task access time | This check box enables or disables tracking of the File Integrity Monitoring task access time. If the check box is selected, Kaspersky Endpoint Security tracks the File Integrity Monitoring task access time. If the check box is cleared, Kaspersky Endpoint Security does not track the File Integrity Monitoring task access time. This check box is cleared by default. |
Monitoring scopes | Contains objects that are monitored by the File Integrity Monitoring task. By default, the table contains the Kaspersky internal objects monitoring scope (/opt/kaspersky/kesl/). You can add, configure, delete, move up, or move down scan scopes in the table. |
You can also configure monitoring exclusions and exclusions by mask for the On-demand File Integrity Monitoring task in the Exclusion scopes section.
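The baseline comparison described above, and the effect of the Use hash for monitoring (SHA-256) setting, can be illustrated with a small model. This is an added example, not Kaspersky Endpoint Security code: the function names, the event names and the attributes compared when hashing is off (size, modification time, mode) are assumptions, and the file is constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(scope, use_hash):
    """Record per-file state under one scope (the attribute set is an assumption)."""
    files = {}
    for root, _dirs, names in os.walk(scope):
        for name in names:
            path = os.path.join(root, name)
            st = os.stat(path)
            entry = {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "mode": st.st_mode}
            if use_hash:
                with open(path, "rb") as fh:
                    entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
            files[path] = entry
    return files

def run_task(baseline, scopes, use_hash=False, rebuild=False):
    """Return (events, baseline) for one on-demand run."""
    scopes = sorted(os.path.abspath(s) for s in scopes)
    current = {p: e for s in scopes for p, e in snapshot(s, use_hash).items()}
    fresh = {"scopes": scopes, "files": current}
    if baseline is None:                  # first run only establishes the baseline
        return [], fresh
    if baseline["scopes"] != scopes:      # baseline does not match the monitoring scope
        return [("integrity_violation", "baseline/scope mismatch")], baseline
    events = []
    for path in sorted(set(baseline["files"]) | set(current)):
        old, new = baseline["files"].get(path), current.get(path)
        if old != new:
            kind = "added" if old is None else "deleted" if new is None else "modified"
            events.append((kind, path))
    return events, (fresh if rebuild else baseline)  # rebuilt only after the run finishes

def demo(use_hash):
    """Constructed case: a same-size edit whose modification time is put back."""
    with tempfile.TemporaryDirectory() as scope:
        path = Path(scope) / "app.conf"
        path.write_text("verify_tls=1\n")
        _, baseline = run_task(None, [scope], use_hash)
        st = path.stat()
        path.write_text("verify_tls=0\n")
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        events, _ = run_task(baseline, [scope], use_hash)
        return [kind for kind, _ in events]
```

In this model `demo(False)` reports no change while `demo(True)` reports the file as modified, which is the practical reason to select the SHA-256 check box for scopes where content changes matter more than scan time.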