Integrity monitoring rules

Integrity monitoring rules allow the Deep Security Agents to scan for and detect changes to a computer's files, directories, and registry keys and values, as well as changes in installed software, processes, listening ports, and running services. These changes are logged as Events in the Manager and can be configured to generate Alerts like any other Events. Integrity Monitoring Rules can be assigned directly to computers or can be made part of a Policy.

Integrity Monitoring Rules specify which Entities (files, registry keys, services, etc) to monitor for changes. Deep Security scans all the Entities specified by the rules assigned to a computer and creates a baseline against which to compare future scans of the computer. If future scans do not match the baseline, the Deep Security Manager will log an Integrity Monitoring Event and trigger an Alert (if so configured).

Integrity Monitoring Rule icons:

  • Normal Integrity Monitoring Rules
  • Integrity Monitoring Rules that have configuration options

From the main page you can:

  • Create New Integrity Monitoring Rules from scratch ()
  • Import Integrity Monitoring Rules from an XML file
  • Examine or modify the Properties of an existing Integrity Monitoring Rule ()
  • Duplicate (and then modify) existing Integrity Monitoring Rules ()
  • Delete a Integrity Monitoring Rule ()
  • Export () one or more Integrity Monitoring Rules to an XML or CSV file. (Either export them all by clicking the Export button or choose from the list to export only those that are selected or displayed.)
Integrity Monitoring Rules that are assigned to one or more computers or that are part of a Policy cannot be deleted.

Clicking New () or Properties () displays the Integrity Monitoring Rules Properties window.

Integrity Monitoring Rule Properties

General Information

The name and description of the Integrity Monitoring Rule, and -- if the rule is issued by Trend Micro -- the minimum versions of the Agent and the Deep Security Manager that are required for the Rule to function.

Details

Setting the severity of a rule has no effect on how the rule is implemented or applied. Severity levels can be useful as sorting criteria when viewing a list of Integrity Monitoring Rules. More importantly, each severity level is associated with a severity value; this value is multiplied by a computer's Asset Value to determine the Ranking of an Event. (See Administration > System Settings > Ranking.)

Identification

Date when the rule was first issued and when it was last updated, as well as a unique identifier for the rule.

Content

The Content tab only appears for Integrity Monitoring Rules that you create yourself. Integrity Monitoring Rules issued by Trend Micro have a Configuration tab instead that displays the Integrity Monitoring Rule's configuration options (if any). Integrity Monitoring Rules issued by Trend Micro are not editable (although you can duplicate them and then edit the copy.)

You have the choice between three templates for creating new Integrity Rules: the Registry Value template, the File template, or the Custom (XML) template. Use the Registry Value template for creating Integrity Monitoring Rules that monitor changes to registry values. Use the File template for creating simple Integrity Monitoring Rules that monitor changes to files only. Use the Custom (XML) template to write rules in XML for monitoring directories, registry values, registry keys, services, processes, installed software, ports, (and files).

This section of the help describes the use of the Registry Value and File templates. For information on writing Integrity Monitoring Rules in XML using the Custom (XML) template, see Integrity monitoring rules language.

Registry Value Template

Base Key

Select the base key to monitor and whether or not to monitor contents of sub keys.

Value Names

List value names to be included or excluded. You can use "?" and "*" as wildcard characters.

Attributes

Use "Standard" to monitor changes in size or content. For other attributes, see RegistryValueSet.

Base Directory

Specifies the base directory for the rule. Everything else about the rule will be relative to this directory. Select "Include Sub Directories" to include sub directories. For example, a valid entry would be C:\Program Files\MySQL and selecting "Include Sub Directories".

File Names

Use the File Names fields to include or exclude specific files. You can also use wildcards (" ? " for a single character and " * " for zero or more characters).

These fields can be left blank to monitor all files in the base directory, but this can be very demanding on system resources if there are many and/or large files in the directory.

Attributes

The following file attributes can be monitored for change:

  • Created: Timestamp when the file was created.
  • LastModified: Timestamp when the file was last modified.
  • LastAccessed: Timestamp when the file was last accessed. On Windows this value does not get updated immediately, and recording of the last accessed timestamp can be disabled as a performance enhancement. See File Times for details. The act of scanning a file requires that the Agent open the file, which will change its last accessed timestamp. On Unix, the Agent will use the O_NOATIME flag if it is available when opening the file, which will prevent the OS from updating the last accessed timestamp and will speed up scanning.
  • Permissions: The file's security descriptor (in SDDL format) on Windows or Posix-style ACLs on Unix systems that support ACLs, otherwise the Unix style rwxrwxrwx file permissions in numeric (octal) format.
  • Owner: User ID of the file owner (commonly referred to as the "UID" on Unix).
  • Group: Group ID of the file owner (commonly referred to as the "GID" on Unix).
  • Size: size of the file.
  • Sha1: SHA-1 hash.
  • Sha256: SHA-256 hash.
  • Md5: MD5 hash.
  • Flags: Windows-only. Flags returned by the GetFileAttributes() Win32 API. Windows Explorer calls these the "Attributes" of the file: Read-only, Archived, Compressed, etc.
  • SymLinkPath (Linux/Unix only): If the file is a symbolic link, the path of the link is stored here. Windows NTFS supports Unix-like symlinks, but only for directories, not files. Windows shortcut objects are not true symlinks since they are not handled by the OS; the Windows Explorer handles shortcut files ( *.lnk ) but other applications that open a *.lnk file will see the contents of the lnk file.
  • InodeNumber (Linux/Unix only): The inode number of the file.
  • DeviceNumber (Linux/Unix only): Device number of the disk on which the inode associated with the file is stored.
  • BlocksAllocated (Linux/Unix only): The number of blocks allocated to store the file.

You can use the shorthand keyword "STANDARD", which will look for changes to:

  • Created
  • LastModified
  • Permissions
  • Owner
  • Group
  • Size
  • Contents
  • Flags (Windows only)
  • SymLinkPath (Unix only)

Options

  • Alert when this rule logs an event: Triggers an Alert if the rule is triggered.
  • Allow Real Time Monitoring: This options is selected by default. When it is not selected, the Integrity Monitoring events will be raised only when you perform a scan for changes.

Assigned To

Displays a list of Policies which include this Integrity Monitoring Rule as well as any computers to which this Integrity Monitoring Rule has been assigned directly. Integrity Monitoring Rules can be assigned to Policies in the Policies page and to computers in the Computers page.