Set up Integrity Monitoring
The Integrity Monitoring protection module detects changes to files and critical system areas like the Windows registry that could indicate suspicious activity. The module does this by comparing current conditions to a previously recorded baseline reading. Workload Security ships with predefined Integrity Monitoring rules and provides new Integrity Monitoring rules in security updates.
Integrity Monitoring detects changes made to the system, but does not prevent or undo the changes.
You need a Workload Security license to enable Integrity Monitoring.
Enable and configure Integrity Monitoring
You can enable Integrity Monitoring in policies or at the computer level:
- Turn on Integrity Monitoring.
- Run a recommendation scan.
- Apply the Integrity Monitoring rules.
- Build a baseline for the computer.
- Periodically scan for changes.
- Test Integrity Monitoring.
Once you have enabled Integrity Monitoring, you can also learn more about the following:
Enable Integrity Monitoring
You can enable Integrity Monitoring in the settings for a computer or in policies.
- Open the Policy or Computer editor.
- Go to Integrity Monitoring > General.
- Choose the Configuration.
- On
- Inherited (On) (See policies, inheritance, and overrides.)
- Click Save.
Run a Recommendation scan
Run a recommendation scan on the computer to get recommendations for appropriate rules. Recommended Integrity Monitoring rules may result in too many monitored entities and attributes. The best practice is to decide what is critical and should be monitored, then create custom rules or tune the predefined rules. Pay extra attention to rules that monitor frequently-changed properties such as process IDs and source port numbers because they can be noisy and may need some tuning.
- From the Computer editor, go to Integrity Monitoring > General.
- Under Recommendations, click Scan for Recommendations.
- Specify whether Workload Security should implement the recommendations that it finds.
Disable real-time scanning
If you enable real-time Integrity Monitoring scans and find that some recommended rules produce too many events, you can disable real-time scanning for those rules.
- Go to Policies > Common Objects > Rules > Integrity Monitoring Rules.
- Double-click the rule.
- On the Options tab, clear the Allow Real Time Monitoring box.
Apply the Integrity Monitoring rules
When you run a recommendation scan, you can have Workload Security implement the recommended rules or you can manually assign rules. Integrity Monitoring rules should be as specific as possible to improve performance and to avoid conflicts and false positives. For example, do not create a rule that monitors the entire hard drive. Some Integrity Monitoring rules require local configuration. You can also create custom rules to monitor for specific changes that concern your organization, such as a new user being added or new software being installed. For information on how to create a custom rule, see Integrity monitoring rules language. If you assign one of these rules or one of these rules gets assigned automatically, an alert notifies you to configure the rule.
- In the Computer or Policy editor, go to Integrity Monitoring > General.
- Review the list of Assigned Integrity Monitoring Rules.
- To add or remove Integrity Monitoring rules:
- Click Assign/Unassign.
- Select or deselect rules.
- To edit a rule locally, right-click the rule and select Properties.
- To edit a rule globally, right-click the rule and select Properties (Global).
Build a baseline for the computer
The baseline is the original secure state compared against Integrity Scan results. You should run a new baseline scan after applying patches. To create a new baseline for Integrity Scans on a computer:
- In the Computer editor, go to Integrity Monitoring > General.
- Click Rebuild Baseline.
Periodically scan for changes
Perform an Integrity Monitoring scan using one of these methods:
- On-demand scans: initiate an on-demand Integrity Monitoring scan as needed.
- From the Computer editor, go to Integrity Monitoring > General.
- Under Integrity Scan, click Scan for Integrity.
- Scheduled scans: schedule Integrity Monitoring scans just like other Workload Security operations. Workload Security verifies whether the entities are being monitored and records an event for any changes since the last scan. This scan detects only the last change; it does not track multiple changes between scans. To detect and report multiple changes to an entity's state, consider increasing the frequency of scheduled scans or enable real-time scanning. For more information on scheduled tasks, see Schedule Workload Security to perform tasks.
- Go to Administration > Scheduled Tasks > New.
- In the New Scheduled Task wizard, select Scan Computers for Integrity Changes.
- Select the frequency for the scheduled scan.
- Specify the information requested by the New Scheduled Task wizard.
- Real-time scans: monitor for changes in real time and create Integrity Monitoring events when the scan detects changes. Events are forwarded in real time via syslog to the security information and event management (SIEM) system, or when the next heartbeat communication to Workload Security occurs. For agent version 11.0 or later on 64-bit Linux platforms and agent version 11.2 or later on 64-bit Windows servers, the real-time scan results indicate the user and process that changed the file. For details about which platforms support this feature, see Supported features by platform.
Real-time monitoring of an entire disk for changes to any file can affect performance and result in too many Integrity Monitoring events. Trend Micro recommends specifying a folder other than the root drive. If you choose to monitor the root drive (C:) in real time, Workload Security only monitors executable files and scripts.
- From the Computer or Policy editor, go to Integrity Monitoring > General.
- Select Real Time.
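To make the baseline-and-scan model concrete, here is a small added Python illustration (it is not Workload Security code and does not use its API). It builds a baseline of monitored files (size, permission mode and a content hash, with the hash algorithm selectable as in the product's "content hash algorithm" setting), compares a later state to that baseline, and demonstrates the point made above about scheduled scans: two edits between scans that end in the original content produce no event, because only the final state is compared. The file names and contents are constructed stand-ins for a real hosts file.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_state(path, algorithm="sha256"):
    """Attributes an integrity scan compares: size, permission mode and content hash.

    `algorithm` is any name hashlib accepts; a baseline must be rebuilt if it changes,
    since hashes produced by different algorithms are not comparable.
    """
    st = os.stat(path)
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "hash": h.hexdigest()}


def build_baseline(paths, algorithm="sha256"):
    """Baseline = path -> recorded state for every monitored file that currently exists."""
    return {str(p): file_state(p, algorithm) for p in paths if os.path.isfile(p)}


def scan(baseline, paths, algorithm="sha256"):
    """Compare the current state of the monitored paths to the baseline.

    Returns one event per changed entity: created, deleted, or modified (with the
    attributes that differ). Files that are unchanged relative to the baseline
    produce nothing, even if they were edited and reverted in between.
    """
    events = []
    current = build_baseline(paths, algorithm)
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            events.append({"path": path, "change": "created"})
        elif after is None:
            events.append({"path": path, "change": "deleted"})
        elif before != after:
            changed = sorted(k for k in before if before[k] != after[k])
            events.append({"path": path, "change": "modified", "attributes": changed})
    return events


def demo(algorithm="sha256"):
    """Walk through baseline, two scans and a baseline rebuild on constructed files."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = Path(tmp) / "hosts"            # constructed stand-in for /etc/hosts
        resolv = Path(tmp) / "resolv.conf"     # constructed; does not exist at baseline time
        hosts.write_text("127.0.0.1 localhost\n")
        monitored = [hosts, resolv]
        baseline = build_baseline(monitored, algorithm)

        # Two edits between scans; the second restores the original content,
        # so a scheduled scan sees no difference from the baseline.
        hosts.write_text("127.0.0.1 localhost\n10.0.0.5 internal.example\n")  # constructed entry
        hosts.write_text("127.0.0.1 localhost\n")
        first = scan(baseline, monitored, algorithm)

        # A change that persists until the next scan, plus a newly created file.
        hosts.write_text("127.0.0.1 localhost\n10.0.0.5 internal.example\n")
        resolv.write_text("nameserver 10.0.0.1\n")  # constructed
        second = scan(baseline, monitored, algorithm)

        # After the change is reviewed and accepted (e.g. a patch), rebuild the baseline.
        baseline = build_baseline(monitored, algorithm)
        third = scan(baseline, monitored, algorithm)
        return first, second, third


if __name__ == "__main__":
    for label, events in zip(("first", "second", "third"), demo()):
        print(label, events)
```

The first scan returns no events even though the hosts file was edited twice, which is why the page recommends more frequent scheduled scans or real-time monitoring when intermediate changes matter; the second scan reports the modified hosts file (size and hash differ) and the created resolv.conf; the third, after the baseline rebuild, is clean again.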
Test Integrity Monitoring
Before continuing with Integrity Monitoring configuration, test that the rules and baseline work correctly:
- Ensure Integrity Monitoring is enabled.
- From the Computer or Policy editor, go to Integrity Monitoring > Assigned Integrity Monitoring Rules.
- Click Assign/Unassign.
- Enable the appropriate rule for the operating system:
- For Windows, search for 1002773 - Microsoft Windows - 'Hosts' file modified and enable the rule. This rule raises an alert when changes are made to C:\windows\system32\drivers\etc\hosts.
- For Linux, search for 1003513 - Unix - File attributes changes in /etc location and enable the rule. This rule raises an alert when changes are made to the /etc/hosts file.
- Modify the hosts file and save the changes.
- Go to Integrity Monitoring > General.
- Click Scan for Integrity.
- Go to Events & Reports > Integrity Monitoring Events.
- Verify the record for the modified hosts file. A record of the detection indicates Integrity Monitoring is working correctly.
Improve Integrity Monitoring scan performance
Changing the following settings may help improve the performance of Integrity Monitoring scans:
Limit resource usage
Integrity Monitoring uses local central processing unit (CPU) resources when creating the baseline and when comparing a later state to the baseline. If you find that Integrity Monitoring is consuming more resources than you want, you can restrict the CPU usage to the following levels:
- High: scans files one after another without pausing.
- Medium: pauses between scanning files to conserve CPU resources.
- Low: pauses between scanning files for a longer interval than the Medium setting.
To change the Integrity Monitoring CPU Usage Level:
- Open the Computer or Policy editor and go to Integrity Monitoring > Advanced.
Change the content hash algorithm
You can choose the hash algorithm that Integrity Monitoring uses to store baseline information. Avoid using more than one algorithm to prevent detrimental effects on performance.
Integrity Monitoring event tagging
Event tagging can help you to sort events and determine which ones are legitimate and which need further investigation.
Manually apply tags to events by right-clicking the event and selecting Add Tags. You can apply the tag to only the selected event or to similar Integrity Monitoring events. You can also use auto-tagging to group and label multiple events.
You can use these sources to perform the tagging:
- A Local Trusted Computer.
- The Trend Micro Certified Safe Software Service.
- A Trusted Common Baseline, which is a set of file states collected from a group of computers.
Trusted Common Baseline is no longer available as of January 1, 2022. Events that were tagged prior to July 12, 2021 retain their tags, but you must use other methods to tag newer Integrity Monitoring events.
For more information on event tagging, see Apply tags to identify and group events.
To configure auto-tagging, go to Events and Reports > Integrity Monitoring Events > Auto-Tagging > New Trusted Source.