Creating and configuring a file operations monitoring rule
3 August 2023
ID 146698
To create and configure a file operations monitoring rule using the Administration Plug-in:
- Expand the Managed devices node in the Kaspersky Security Center Administration Console tree.
- Select the administration group for which you want to configure application settings.
- Perform one of the following actions in the details pane of the selected administration group:
- To configure application settings for a group of protected devices, select the Policies tab and open the Properties: <Policy name> window.
- To configure the settings of a task or application for an individual protected device, select the Devices tab and go to local task settings or application settings.
- Do one of the following:
- If you are creating a file operations monitoring rule in a policy, in the System inspection section in the File Integrity Monitor block, click the Settings button.
The File Integrity Monitor window opens on the File operations monitoring settings tab.
- If you are creating a file operations monitoring rule for a local task, in the Properties: File Integrity Monitor window, go to the Settings section.
- In the Monitoring scope block, click the Add button.
The File operations monitoring rule window appears.
- Add a file operations monitoring scope in one of the following ways:
- If you want to select a folder or drive through the standard Microsoft Windows dialog:
- Click the Browse button.
The standard Microsoft Windows Browse for folder window appears.
- Select the folder whose file operations you want to monitor.
- Click the OK button.
- If you want to specify a monitoring scope manually, add a path using a supported mask:
- <*.ext> — all files with the extension <ext>, regardless of their location
- <*\name.ext> — all files with name <name> and extension <ext>, regardless of their location
- <\dir\*> — all files in folder <\dir>
- <\dir\*\name.ext> — all files with the name <name> and extension <ext> in folder <\dir> and all of its child folders
When specifying a monitoring scope manually, be sure that the path is in the following format: <volume letter>:\<mask>. If the volume letter is missing, Kaspersky Industrial CyberSecurity for Nodes will not add the specified monitoring scope.
- If necessary, specify trusted users:
- On the Trusted users tab, in the context menu of the Add button, select the method for adding trusted users.
The User or user group selection window opens.
- Select the users or groups of users for whom file operations are allowed in the selected monitoring scope.
- Click the OK button.
By default, Kaspersky Industrial CyberSecurity for Nodes treats all users not on the trusted user list as untrusted, and generates Critical events for them. For trusted users, statistics are compiled.
- On the File operation markers tab, if necessary, specify the file operation markers that you want to monitor:
- Select the Detect file operations based on the following markers option.
- In the list of available file operations, select the check boxes next to the operations you want to monitor.
By default, Kaspersky Industrial CyberSecurity for Nodes detects all file operation markers. The Detect file operations based on all recognizable markers option is selected.
- If you want the application to block all file operations for the selected scope, select the Detect and block all file operations in the selected area check box.
- If you want the application to calculate the checksum of a file after it has been modified:
- Select the Calculate checksum for the file if possible. The checksum will be available for viewing in the task report check box.
- In the Checksum type drop-down list, select one of the options:
- MD5 hash
- SHA256 hash
- If necessary, add folders or drives to be excluded from the selected file operations monitoring scope:
- On the Exclusions tab, select the Exclude the following folders from control check box.
- Click the Add button.
The Exclusion from the controlled scope window opens.
- Click the Browse button.
The standard Microsoft Windows Browse for folder window appears.
- Select a folder or drive.
- Click the OK button.
The specified folder or drive will be displayed in the list of exclusions on the Exclusions tab.
You can also add file operations monitoring scope exclusions manually using the same masks that are used to specify file operations monitoring scopes.
- Click the OK button in the File operations monitoring rule window.
The configured file operations monitoring rule is displayed in the Monitoring scope block of the File Integrity Monitor window (for a policy) or the Properties: File Integrity Monitor window (for a local task).
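Added here as an illustration, not the product's own code: a small Python checker that flags monitoring-scope or exclusion entries lacking the required volume letter (which the application would silently drop) and tests sample paths against masks written in the <volume letter>:\<mask> form listed above. How each wildcard is expanded is an assumption derived from the mask descriptions on this page.

```python
import re

# Mask forms listed on this page (each must be prefixed with "<volume letter>:\"):
#   *.ext            all files with extension ext, regardless of location
#   *\name.ext       all files named name.ext, regardless of location
#   \dir\*           all files in folder \dir
#   \dir\*\name.ext  files named name.ext in \dir and all of its child folders
# How the wildcards are expanded below is an assumption made for this example,
# not a description of the product's own matching engine.
VOLUME_RE = re.compile(r"^[A-Za-z]:\\")


def has_volume_letter(scope: str) -> bool:
    """The page warns that a scope without a volume letter is silently not added."""
    return bool(VOLUME_RE.match(scope))


def mask_to_regex(scope: str) -> "re.Pattern[str]":
    """Translate one monitoring-scope mask into a regex over full Windows paths."""
    if not has_volume_letter(scope):
        raise ValueError(f"scope lacks a volume letter and would be dropped: {scope!r}")
    volume, rest = scope[:2], scope[3:]          # "C:" and the part after "C:\"
    segments = rest.split("\\")
    pattern = "^" + re.escape(volume) + r"\\"
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "*" and not last:
            pattern += r"(?:[^\\]+\\)*"          # zero or more folder levels
            continue
        if i == 0 and seg.startswith("*") and last:
            pattern += r"(?:[^\\]+\\)*"          # "*.ext": anywhere on the volume
        if seg == "*":
            pattern += r"[^\\]+"                 # any file name in this folder
        else:
            pattern += "".join(r"[^\\]*" if c == "*" else re.escape(c) for c in seg)
        if not last:
            pattern += r"\\"
    return re.compile(pattern + "$", re.IGNORECASE)


def path_in_scope(path: str, scopes, exclusions=()) -> bool:
    """True if path matches a monitoring scope and no exclusion (same mask syntax)."""
    if any(mask_to_regex(e).match(path) for e in exclusions):
        return False
    return any(mask_to_regex(s).match(path) for s in scopes)


def check_scopes(scopes):
    """Return scope strings that would be silently rejected for lacking a volume letter."""
    return [s for s in scopes if not has_volume_letter(s)]
```

Run check_scopes over a planned list of scopes and exclusions before entering them in the rule; any string it returns needs a volume letter prefix or it will not take effect.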