The Integrity Monitoring module scans for unexpected changes to directories, registry values, registry keys, services, processes, installed software, ports, groups, users, files, and the WQL query statement on agents.
To enable and configure Integrity Monitoring, see Set up integrity monitoring.
A set of Registry values. Available on Windows only.
Tag attributes
The following table provides a list and descriptions of the XML attributes of the tag itself, as opposed to the attributes of the entity monitored by Integrity Monitoring Rules.

| Attribute | Description | Required | Default Value | Allowed Values |
|---|---|---|---|---|
| base | Sets the base key of the RegistryValueSet. Everything else in the tag is relative to this key. The base must begin with one of the registry branch names: HKEY_CLASSES_ROOT (or HKCR), HKEY_LOCAL_MACHINE (or HKLM), HKEY_USERS (or HKU), HKEY_CURRENT_CONFIG (or HKCC) | Yes | N/A | String values resolving to a syntactically valid registry key |
Entity set attributes
The following Entity attributes can be monitored by Integrity Monitoring Rules:
- Size
- Type
- Sha1
- Sha256
- Md5 (deprecated)
Shorthand attributes
- CONTENTS: Resolves to the content hash algorithm set in .
- STANDARD: Size, Type, Contents
Meaning of key
Registry values are name-value pairs stored under a key in the registry. The key under which they are stored may in turn be stored under another key, very much like files and directories on a file system. For the purpose of this language, the key path to a value is considered to look like the path to a file. For example, the key path to the InstallationFolder value of the agent would be:

HKEY_LOCAL_MACHINE\SOFTWARE\Trend Micro\Deep Security Agent\InstallationFolder

The key value for includes and excludes for the RegistryValueSet is matched against the key path. This is a hierarchical pattern, with sections of the pattern separated by "/" matched against sections of the key path separated by "\".
Default value
Each registry key has an unnamed or default value. This value can be explicitly specified for inclusion and exclusion by using a trailing "/" in patterns. For example, "**/" matches all subordinate unnamed values, and "*Agent/**/" matches all unnamed values below a key matching "*Agent".

Registry value names can contain any printable character, including quotes, backslash, the "@" symbol, and so on. The agent deals with this in Entity key names by using backslash as an escape character, but only backslashes themselves are escaped. It does this so that it can tell the difference between a value name containing a backslash and a backslash that occurs as part of the registry path. This means that value names which end with a backslash character will match rules designed to match the default or unnamed value.
The following table provides example registry value names and the resulting Entity key.

| Value | Escaped Form | Example |
|---|---|---|
| Hello | Hello | HKLM\Software\Sample\Hello |
| "Quotes" | "Quotes" | HKLM\Software\Sample\"Quotes" |
| back\slash | back\\slash | HKLM\Software\Sample\back\\slash |
| trailing\ | trailing\\ | HKLM\Software\Sample\trailing\\ |
| | | HKLM\Software\Sample\ |
| @ | @ | HKLM\Software\Sample\@ |
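The escaping rule and the key-pattern matching described in the two sections above, as an added worked example (not Trend Micro's code): it builds Entity keys the way the table shows and matches Include/Exclude key patterns against them, including the trailing "/" default-value case. Assumed, beyond what the page states: patterns are matched case-sensitively against the part of the key path below the base, "*" matches within one section and "**" spans any number of sections.

```python
# Added example, not the agent's implementation. Models the page's rules:
# only backslashes in a value name are escaped (doubled), "/" separates
# pattern sections while "\" separates key-path sections, and a trailing "/"
# selects the default (unnamed) value. Case-sensitive matching is an assumption.
import fnmatch


def entity_key(base: str, value_name: str) -> str:
    """Escape a value name (backslash -> double backslash) under its base key."""
    return base + "\\" + value_name.replace("\\", "\\\\")


def split_key(key: str) -> list:
    """Split an escaped key path on single backslashes; an escaped pair stays
    inside its section, so a value name containing '\\' is one section."""
    parts, buf, i = [], "", 0
    while i < len(key):
        if key[i] == "\\" and i + 1 < len(key) and key[i + 1] == "\\":
            buf += "\\\\"
            i += 2
        elif key[i] == "\\":
            parts.append(buf)
            buf = ""
            i += 1
        else:
            buf += key[i]
            i += 1
    parts.append(buf)
    return parts


def _match(pattern: list, path: list) -> bool:
    if not pattern:
        return not path
    if pattern[0] == "**":  # zero or more whole sections
        return any(_match(pattern[1:], path[k:]) for k in range(len(path) + 1))
    if not path:
        return False
    if pattern == [""]:  # trailing "/" in the pattern: the default (unnamed)
        # value; as the page notes, a value name ending in a backslash matches too
        return len(path) == 1 and (path[0] == "" or path[0].endswith("\\"))
    return fnmatch.fnmatchcase(path[0], pattern[0]) and _match(pattern[1:], path[1:])


def matches(pattern: str, base: str, key: str) -> bool:
    """True if an Include/Exclude key pattern selects the Entity key under base."""
    if not key.startswith(base + "\\"):
        return False
    return _match(pattern.split("/"), split_key(key[len(base) + 1:]))
```

Note that "back/slash" does not select the value named "back\slash": the escaped pair keeps the name in one section, which is exactly the distinction the escaping exists to preserve.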
Subelements
- Include
- Exclude
See Integrity monitoring rules language for a general description of Include and Exclude and their allowed attributes and subelements.