Kaspersky Embedded Systems Security 3.x

Creating and configuring a file operations monitoring rule

25 October 2023

ID 193218

To create and configure a file operations monitoring rule using the Web Plug-in:

  1. In the main window of the Kaspersky Security Center Web Console, select Devices → Policies & profiles.
  2. Click the policy name you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
  4. Select the System Inspection section.
  5. In the File Integrity Monitor subsection, click the Settings button.

    The File Integrity Monitor window opens on the File operations monitoring settings tab.

  6. Click the Add button.

    The File operations monitoring rule window appears.

  7. In the Monitor file operations for the scope, specify a path using one of the supported masks:
    • <*.ext> — all files with the extension <ext>, regardless of their location
    • <*\name.ext> — all files with name <name> and extension <ext>, regardless of their location
    • <\dir\*> — all files in folder <\dir>
    • <\dir\*\name.ext> — all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders

    When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Embedded Systems Security for Windows will not add the specified monitoring scope.

  8. On the Trusted users tab, if necessary, specify trusted users in one of the following ways:
    • Using the Add button:
      1. Click the Add button.
      2. In the window that opens, in the User name field, specify the user or group of users in SID format.
      3. Click the OK button.
    • Using the Add from the list of Administration Server button:
      1. Click the Add from the list of Administration Server button.
      2. In the window that opens, select a user or user group from the list.
      3. Click the OK button.

    Trusted users are allowed to operate on files from the selected monitoring scope.

    By default, Kaspersky Embedded Systems Security for Windows treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.

  9. On the File operation markers tab, if necessary, specify the file operation markers that you want to monitor:
    1. Select the Detect file operations based on the following markers option.
    2. In the list of available file operations, select the check boxes next to the operations you want to monitor.

    By default, Kaspersky Embedded Systems Security for Windows detects all file operation markers. The Detect file operations based on all recognizable markers option is selected.

  10. If you want the application to block all file operations for the selected monitoring scope, select the Detect and block all file operations in the selected area check box.
  11. If you want the application to calculate the checksum of a file after it has been modified:
    1. Select the Calculate checksum for the file if possible. The checksum will be available for viewing in the task report check box.
    2. In the Checksum type drop-down list, select one of the options:
      • SHA256 hash.
      • MD5 hash.
  12. If necessary, add folders or drives to exclude file operations from monitoring:
    1. On the Exclusions tab, select the Exclude the following folders from control check box.
    2. Click the Add button.
    3. In the window that opens on the right, in the Folder name field, enter the path to the folder or drive that you want to exclude from the file operations monitoring scope.
    4. Click the OK button.

    The path to the specified folder or drive will be displayed in the list.

  13. Click the OK button in the File operations monitoring rule window.

The configured file operations monitoring rule will be displayed in the File Integrity Monitor window on the File operations monitoring settings tab.
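
A pre-entry check for the scope format from step 7 and the SID format from step 8, as an added example that is not part of the Kaspersky documentation or product. The function names, the single-drive-letter volume pattern, the decimal string SID pattern and the sample values are assumptions; the code only lints text against the forms listed above and does not reproduce the product's own matching.

```python
import re

# Assumption: a volume prefix is one drive letter followed by ":\".
VOLUME = re.compile(r"^[A-Za-z]:\\")
# Assumption: SIDs use the usual decimal string form, e.g. S-1-5-32-544.
SID = re.compile(r"^S-1-\d+(-\d+){1,15}$")
FORBIDDEN = set('<>:"/|?')  # characters not valid in a Windows file name


def plain(component):
    """True when a path component contains no wildcard."""
    return "*" not in component


def classify_scope(scope):
    """Return (mask_kind, problem); exactly one of the two is None."""
    m = VOLUME.match(scope)
    if not m:
        return None, "no volume letter: the product will not add this scope"
    parts = scope[m.end():].split("\\")
    if "" in parts or any(FORBIDDEN & set(p) for p in parts):
        return None, "empty or invalid path component"
    *dirs, last = parts
    if not dirs and last.startswith("*.") and last[2:] and plain(last[2:]):
        return "extension, any location", None
    if dirs == ["*"] and plain(last):
        return "file name, any location", None
    if dirs and all(map(plain, dirs)) and last == "*":
        return "all files in folder", None
    if len(dirs) >= 2 and dirs[-1] == "*" and all(map(plain, dirs[:-1])) and plain(last):
        return "file name in folder and child folders", None
    return None, "not one of the four mask forms listed above"


def lint_rule(scopes, trusted_sids):
    """Collect every problem in a planned rule before it is typed into the console."""
    problems = [(s, p) for s in scopes for _, p in [classify_scope(s)] if p]
    problems += [(sid, "trusted user is not in SID format")
                 for sid in trusted_sids if not SID.match(sid)]
    return problems


if __name__ == "__main__":
    # Constructed sample input, not taken from any real policy.
    scopes = [r"C:\*.exe", r"\Windows\System32\*", r"D:\app\*\config.xml"]
    sids = ["S-1-5-32-544", r"CORP\operator"]
    for item, problem in lint_rule(scopes, sids):
        print(f"{item}: {problem}")
```

A scope that falls outside the four listed forms is reported for manual review; the check makes no claim about whether the product would accept it.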

See also

Export and import of file operations monitoring rules
