Integrity monitoring settings

The Integrity Monitoring module monitors specific areas on a computer for changes. It can monitor installed software, running services, processes, files, directories, listening ports, registry keys, and registry values. It functions by performing a baseline scan of the areas on the computer specified in the assigned rules and then periodically rescanning those areas to look for changes.

The Integrity Monitoring section of the Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). has the following tabbed sections:

General

Integrity Monitoring

You can configure this Policy or Computer to inherit its Integrity Monitoring On or Off state from its parent Policy or you can lock the setting locally.

Integrity Scan (Computer Editor only)

Click Scan For Integrity to perform on an on-demand Integrity Scan on this computer.

Baseline (Computer Editor only)

The Baseline is the original secure state that an Integrity Scan's results will be compared against. Click Rebuild Baseline to create a new Baseline for Integrity Scans on this computer. Click View Baseline to view the current Baseline data.

Assigned Integrity Monitoring Rules

Displays the Integrity Monitoring Rules that are in effect for this Policy or computer. To add or remove Integrity Monitoring Rules, click Assign/Unassign. This will display a window showing all available Integrity Monitoring Rules from which you can select or deselect Rules.

From a Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). window, you can edit a Integrity Monitoring Rule so that your changes apply only locally in the context of your editor, or you can edit the Rule so that the changes apply globally to all other Policies and Computers that are using the Rule.

To edit the Rule locally, select the Rule and click Properties () or right-click the Rule and click Properties.

To edit the Rule globally, right-click the Rule and click Properties (Global).

Recommendations

Displays when the last Recommendation Scan occurred and number of recommended Integrity Monitoring Rules.

Advanced

Content Hash Algorithms

Select the hash algorithm(s) that will be used by the Integrity Monitoring module to store baseline information. You can select more than one algorithm, but this is not recommended because of the detrimental effect on performance.

VM Scan Cache

For information on Integrity Monitoring Scan Cache Configurations, see Virtual Appliance Scan Caching.

CPU Usage

Integrity Monitoring uses local CPU resources during the system scan that leads to the creation of the initial baseline and during the system scan that compares a later state of the system to the previously created baseline. If you are finding that Integrity Monitoring is consuming more resources than you want it to, you can restrict the CPU Usage to the following levels:

  • High: Unlimited CPU usage
  • Medium: The Integrity Monitoring process will not consume more than 50% of CPU resources
  • Low: The Integrity Monitoring process will not consume more than 25% of CPU resources

Events

Integrity Monitoring Events are displayed the same way as they are in the main Deep Security Manager window except that only Events relating to this Policy or specific computer are displayed.