The Integrity Monitoring protection module detects changes to files and critical system areas like the Windows registry that could indicate suspicious activity. The module does this by comparing current conditions to a previously recorded baseline. Server & Workload Protection has predefined Integrity Monitoring rules and provides new Integrity Monitoring rules in security updates.
Integrity Monitoring detects changes made to the system, but does not prevent or undo the changes.
Note
You need a Workload license to enable integrity monitoring.

Enable Integrity Monitoring

You can enable Integrity Monitoring in policies or at the computer level. Enabling Integrity Monitoring involves several procedures:

Procedure

  1. Turn on Integrity Monitoring.
  2. Run a Recommendation scan.
  3. Apply the Integrity Monitoring rules.
  4. Build a baseline for the computer.
  5. Periodically scan for changes.
  6. Test Integrity Monitoring.

What to do next

When you enable Integrity Monitoring, you should learn more about its capabilities:

Turn on Integrity Monitoring

You can enable Integrity Monitoring in the settings for a computer or in policies.

Procedure

  1. Open the Policy or Computer editor.
  2. Go to Integrity Monitoring > General.
  3. Set Configuration to On (or leave it Inherited if the parent policy already turns Integrity Monitoring on).
  4. Click Save.

Run a recommendation scan

Run a recommendation scan on the computer to get recommendations for appropriate rules. The recommended Integrity Monitoring rules may result in too many monitored entities and attributes. The best practice is to decide what is critical and should be monitored, then create custom rules or tune the predefined rules. Pay extra attention to rules that monitor frequently changed properties such as process IDs and source port numbers, because such rules can be noisy and may need tuning.

Procedure

  1. From the Computer editor, go to Integrity Monitoring > General.
  2. On the General tab under Recommendations, click Scan for Recommendations.
  3. Specify whether Server & Workload Protection should implement the recommendations that it finds.

Disable real-time scanning

If you enable real-time Integrity Monitoring scans and find that some recommended rules produce too many events, you can disable real-time scanning for those rules.

Procedure

  1. Go to Policies > Common Objects > Rules > Integrity Monitoring Rules.
  2. Double-click the rule.
  3. On the Options tab, clear the Allow Real Time Monitoring box.

Apply the Integrity Monitoring rules

When you run a recommendation scan, you can have Server & Workload Protection automatically implement the recommended rules or you can manually assign rules. You can edit a rule locally, so the changes apply only to that computer or policy, or globally, so the changes apply to all policies or computers that use the rule. You can also create custom rules to monitor for specific changes that concern your organization, such as a new user being added or new software being installed. For information on how to create a custom rule, see Integrity monitoring rules language.
Some Integrity Monitoring rules require local configuration. If you assign one of these rules to your computers or one of these rules gets assigned automatically, an alert notifies you to configure the rule.
Tip
Integrity Monitoring rules should be as specific as possible to improve performance and to avoid conflicts and false positives. For example, do not create a rule that monitors the entire hard drive.

Procedure

  1. In the Computer or Policy editor, go to Integrity Monitoring > General.
  2. Review the list of Assigned Integrity Monitoring Rules.
  3. To assign or unassign a rule:
    1. Click Assign/Unassign.
    2. Select or deselect rules.
  4. To edit a rule locally, right-click the rule and select Properties.
  5. To edit a rule globally, right-click the rule and select Properties (Global).

Build a baseline for the computer

The baseline is the recorded known-good state that later Integrity Scan results are compared against. A best practice is to rebuild the baseline after applying patches, so that the patched files do not keep generating change events. Because rebuilding accepts the computer's current state as good, review and resolve any outstanding Integrity Monitoring events first; otherwise an unauthorized change that has not yet been investigated becomes part of the baseline and is no longer reported.
To create a new baseline for Integrity Scans on a computer:

Procedure

  1. In the Computer editor, go to Integrity Monitoring > General.
  2. Click Rebuild Baseline.

Periodically scan for changes

Perform an Integrity Monitoring scan using one of these methods:
  • On-demand scans: start an Integrity Monitoring scan whenever you need one:
    1. From the Computer editor, go to Integrity Monitoring > General.
    2. Under Integrity Scan, click Scan for Integrity.
  • Scheduled scans schedule integrity monitoring scans just like other Server & Workload Protection operations. Server & Workload Protection verifies whether the entities are being monitored and records an event for any changes since the last scan. This scan detects only the last change; it does not track multiple changes between scans. To detect and report multiple changes to an entity's state, increase the frequency of scheduled scans or enable real-time scanning. For more information on scheduled tasks, see Schedule Server & Workload Protection to perform tasks.
    1. Select Administration > Scheduled Tasks > New.
    2. In the New Scheduled Task Wizard, select Scan Computers for Integrity Changes.
    3. Select the frequency for the scheduled scan.
    4. Specify the information requested by the New Scheduled Task Wizard.
  • Real-time scans monitor for changes as they happen and create Integrity Monitoring events when a change is detected. Events are forwarded in real time via syslog to the security information and event management (SIEM) system, or at the next heartbeat communication with Server & Workload Protection. For agent version 11.0 or later on 64-bit Linux platforms and agent version 11.2 or later on 64-bit Windows servers, the real-time scan results also indicate the user and process that changed the file. For details about which platforms support this feature, see Supported features by platform.
    Real-time monitoring of an entire disk for changes to any file can affect performance and result in too many events. Trend Micro recommends specifying a folder other than the root drive. If you choose to monitor the root drive (C:) in real time, Server & Workload Protection only monitors executable files and scripts.
    1. From the Computer or Policy editor, go to Integrity Monitoring > General.
    2. Select Real Time.

Test Integrity Monitoring

Before continuing with Integrity Monitoring configuration, verify that the rules and baseline work correctly:

Procedure

  1. Ensure Integrity Monitoring is enabled.
  2. From the Computer or Policy editor, go to Integrity Monitoring > Assigned Integrity Monitoring Rules.
  3. Click Assign/Unassign.
  4. Enable the appropriate rule for the operating system:
    • For Windows, search for 1002773 - Microsoft Windows - 'Hosts' file modified and enable the rule. This rule raises an alert when changes are made to C:\windows\system32\drivers\etc\hosts.
    • For Linux, search for 1003513 - Unix - File attributes changes in /etc location and enable the rule. This rule raises an alert when changes are made to the /etc/hosts file.
  5. Modify the hosts file and save the changes.
  6. Go to Integrity Monitoring > General.
  7. Click Scan for Integrity.
  8. Go to Events & Reports > Integrity Monitoring Events.
  9. Verify that an event was recorded for the modified hosts file. A record of the detection indicates Integrity Monitoring is working correctly.
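The baseline-and-compare model behind the scheduled-scan caveat above (only the last change between scans is seen) and the hosts-file test in this section, as an added Python example. It is not code from this page or from the product; it assumes nothing about the agent and uses a temporary directory standing in for /etc, with constructed file contents, a constructed "malicious" hosts entry and a constructed ld.so.preload file. The attribute names (hash, size, mode, mtime) and the function names are the example's own.

```python
import hashlib
import os
import stat
import tempfile

# Attributes compared by default. 'mtime' is recorded too but left out,
# because it changes on every touch and makes a rule noisy.
MONITORED_ATTRS = ("hash", "size", "mode")


def file_state(path, algo="sha256"):
    """Record the attributes of one file that a rule could monitor."""
    h = hashlib.new(algo)          # one algorithm per baseline, as the page advises
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {"hash": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode), "mtime": int(st.st_mtime)}


def build_baseline(root, algo="sha256"):
    """Walk root and record the state of every regular file (the baseline)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_state(full, algo)
    return baseline


def scan(root, baseline, algo="sha256", attrs=MONITORED_ATTRS):
    """Compare the current state with the baseline, one event per changed entity.

    Like a scheduled scan, this only sees the state at scan time: several
    changes between two scans collapse into one event, and a change that
    was reverted before the scan produces no event at all.
    """
    current = build_baseline(root, algo)
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append({"entity": rel, "change": "deleted"})
        elif rel not in baseline:
            events.append({"entity": rel, "change": "created"})
        else:
            changed = {a: (baseline[rel][a], current[rel][a])
                       for a in attrs if baseline[rel][a] != current[rel][a]}
            if changed:
                events.append({"entity": rel, "change": "updated",
                               "attributes": changed})
    return events


def demo():
    """Constructed scenario in a temp directory standing in for /etc."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text):
            path = os.path.join(root, name)
            with open(path, "w") as f:
                f.write(text)
            return path

        hosts = write("hosts", "127.0.0.1 localhost\n")
        write("resolv.conf", "nameserver 10.0.0.2\n")
        motd = write("motd", "Authorised users only\n")
        os.chmod(hosts, 0o644)
        baseline = build_baseline(root)

        # Two edits to hosts before the next scan: only the end state is seen.
        with open(hosts, "a") as f:
            f.write("10.0.0.5 updates.example\n")   # constructed malicious entry
        with open(hosts, "a") as f:
            f.write("10.0.0.5 login.example\n")
        os.chmod(hosts, 0o666)                       # world-writable now
        # resolv.conf is changed and restored: a scheduled scan cannot see it.
        write("resolv.conf", "nameserver 10.0.0.9\n")
        write("resolv.conf", "nameserver 10.0.0.2\n")
        # A new file appears (constructed preload-style persistence).
        write("ld.so.preload", "/tmp/evil.so\n")
        # motd is only touched: content identical, timestamp moved by an hour.
        t = baseline["motd"]["mtime"] + 3600
        os.utime(motd, (t, t))

        return {
            "default": scan(root, baseline),
            "with_mtime": scan(root, baseline, attrs=MONITORED_ATTRS + ("mtime",)),
        }


if __name__ == "__main__":
    for name, events in demo().items():
        print(name)
        for e in events:
            print("  ", e)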

Improve Integrity Monitoring scan performance

You can change the following settings to help improve the performance of Integrity Monitoring scans:

Limit resource usage

Integrity Monitoring uses local central processing unit (CPU) resources when creating the baseline and comparing a later state to the baseline. If you find that Integrity Monitoring is consuming more resources than you want, you can restrict the CPU usage to the following levels:
  • High scans files one after another without pausing.
  • Medium pauses between scanning files to conserve CPU resources.
  • Low pauses between scanning files for a longer interval than the Medium setting.
To change the Integrity Monitoring CPU Usage Level:

Procedure

  • Open the Computer or Policy editor, go to Integrity Monitoring > Advanced, and set Integrity Monitoring CPU Usage Level to High, Medium, or Low.

Change the content hash algorithm

You can choose the hash algorithm that Integrity Monitoring uses to store baseline information. Avoid using more than one algorithm, because the extra hashing on every scanned file degrades scan performance. Prefer a modern collision-resistant algorithm such as SHA-256 over older ones: content-change detection is only as strong as the digest's resistance to a second file that produces the same value.

Integrity Monitoring event tagging

Event tagging can help you sort events and determine which ones are legitimate and which need further investigation.
Manually apply tags to events by right-clicking the event and selecting Add Tag(s). You can apply the tag to only the selected event or to similar Integrity Monitoring events. You can also use auto-tagging to group and label multiple events.
You can use these sources to perform the tagging:
  • A Local Trusted Computer.
  • The Trend Micro Certified Safe Software Service.
  • A Trusted Common Baseline, which is a set of file states collected from a group of computers.
    As of January 1, 2022, Trusted Common Baseline is no longer available. Events tagged before July 12, 2021 retain their tags, but you must use one of the other sources to tag newer Integrity Monitoring events.
For more information on event tagging, see Apply tags to identify and group events.

Procedure

  • To configure auto-tagging, go to Events & Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source.