Integrity Monitoring
Integrity Monitoring allows you to monitor specific areas on a computer for changes. Deep Security can monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It works by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes. The Deep Security Manager ships with predefined Integrity Monitoring Rules, and new Integrity Monitoring Rules are provided in Security Updates.
Recommendation Scans will recommend Integrity Monitoring Rules for a computer.
The typical procedure for enabling Integrity Monitoring on a computer is to:
- Turn on Integrity Monitoring (either globally or on a specific computer)
- Run a Recommendation Scan on the computer
- Apply the recommended Integrity Monitoring Rules
- Optionally, apply any Integrity Monitoring Rules you may have written yourself for the computer
- Build a Baseline for the computer by opening the computer's Details window, going to the Integrity Monitoring page, and clicking "Rebuild Baseline".
- Periodically scan for changes (either manually or by creating a Scheduled Task)
Basic configuration
To enable Integrity Monitoring functionality on a computer:
- In the Policy/Computer editor, go to Integrity Monitoring > General
- Select On, and then click Save
Use the main Integrity Monitoring page to turn Integrity Monitoring on or off and to set whether Integrity Monitoring Rules that are recommended after a Recommendation Scan are automatically applied.
- On: Scheduled Integrity Monitoring Scans. Integrity Monitoring scans can be scheduled just like other Deep Security operations. Changes to the monitored Entities since the last scan will be identified and an Event will be recorded.
Multiple changes to monitored entities between scans will not be tracked; only the last change will be detected. To detect and report multiple changes to an entity's state, consider increasing the frequency of scheduled scans (for example, daily instead of weekly) or select Real Time Integrity Monitoring for entities that change frequently.
- Off: On Demand Integrity Monitoring Scans. Integrity Monitoring scans for changes can also be initiated by the Administrator and function similarly to scheduled Integrity Monitoring scans.
- Real Time: Real Time Integrity Monitoring. Real Time Integrity Monitoring provides the ability to monitor Entity changes in real time and raise Integrity Monitoring events when changes are detected. Events are forwarded in real time via syslog to the SIEM, or when the next (configurable) heartbeat communication to the Deep Security Manager occurs.
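To make the baseline-then-rescan model and the between-scans caveat concrete, here is an added example (not Deep Security code) that builds a SHA-256 baseline of a directory, rescans it, and reports created, deleted and modified files. The directory contents and file names are constructed for the demo; the scenario shows why a file that is modified and then reverted between two scheduled scans produces no event at all.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Baseline scan: record the SHA-256 of every regular file under root."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def scan_for_changes(root: Path, baseline: dict) -> list:
    """Rescan root and return (status, path) events relative to the baseline.

    Only the state at scan time is compared, so any number of intermediate
    changes between two scans collapses into at most one event per entity.
    """
    current = build_baseline(root)
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            events.append(("created", rel))
        elif rel not in current:
            events.append(("deleted", rel))
        elif baseline[rel] != current[rel]:
            events.append(("modified", rel))
    return events


def demo() -> list:
    """Constructed scenario: edit-and-revert, a deletion and a new file between scans."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("listen=8080\n")
        (root / "old.so").write_bytes(b"\x7fELF-constructed")
        baseline = build_baseline(root)
        # Two edits happen between scheduled scans; the second reverts the first,
        # so the rescan sees the same hash and raises no event for app.conf.
        (root / "app.conf").write_text("listen=8080\ndebug=1\n")
        (root / "app.conf").write_text("listen=8080\n")
        (root / "old.so").unlink()
        (root / "new.so").write_bytes(b"\x7fELF-constructed")
        return scan_for_changes(root, baseline)
        # returns [("created", "new.so"), ("deleted", "old.so")]
```

Running demo() reports only the created and deleted files; the transient debug=1 edit to app.conf is invisible to a scheduled scan, which is the gap that more frequent scans or Real Time monitoring closes.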
The Integrity Monitoring page in a computer's Details window has extra options that apply to the specific computer only. On it you can initiate a scan for changes or rebuild the baseline data for the computer. You can also initiate a Recommendation Scan or clear existing Recommendations.
For information on writing custom Integrity Monitoring Rules, see the documentation for the Integrity Monitoring Rules page and Integrity Monitoring Rules Language in the Reference section.