How to check the integrity of application components
The Kaspersky application contains a variety of binary modules in the form of dynamic-link libraries, executable files, configuration files, and interface files. Intruders can replace one or more application executable modules or application files with other files containing malicious code. To prevent replacement of modules and files, the Kaspersky application can check the integrity of application components. The application checks modules and files for unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.
The application checks the integrity of the files listed in a special list called a manifest file. The manifest file for an application component lists the application files whose integrity is critical for correct operation of the component. The manifest file is digitally signed and its integrity is also checked.
The integrity of the application components is checked using an integrity check utility.
The integrity check utility must be run under an account with root privileges.
The integrity check utility is installed together with the application and is located at /opt/kaspersky/kfl/bin/integrity_checker.
The manifest file is located at /opt/kaspersky/kfl/bin/integrity_check.xml.
To check the integrity of the application components, run the following command:
integrity_checker [<path to manifest file>] --signature-type kds-with-filename
If you do not specify a path, the utility uses the manifest file located in the same directory as the integrity check utility.
You can run the utility with the following optional settings:
--crl <directory> – path to the directory containing the Certificate Revocation List.
--version – display the version of the utility.
--verbose – display detailed information about performed actions and their results. If you do not specify this setting, only errors, objects that did not pass the check, and scan statistics summary will be displayed.
--trace <file name>, where <file name> is the name of the file where events that happen during scans will be logged at the DEBUG level of detail.
--signature-type kds-with-filename is the type of the signature to be checked (this setting is required for checking the application package).
--single-file <file> – scan only one file in the manifest; ignore the other objects in the manifest.
You can view a description of all available integrity check utility settings by running the integrity_checker --help command.
The result of checking the manifest file is displayed as one of the following statuses:
SUCCEEDED – integrity of the files has been confirmed (return code 0).
FAILED – integrity of the files has not been confirmed (return code is not 0).
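A wrapper for scheduled runs, as an added example that is not part of the Kaspersky documentation: it runs the utility with the paths and the required --signature-type setting given above and maps return code 0 to SUCCEEDED and any other return code to FAILED. The KFL_CHECKER and KFL_MANIFEST override variables, the extra ERROR status for a missing checker, and the kfl-integrity syslog tag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Kaspersky's code): wrapper for scheduled integrity checks.
# Default paths are the ones given on this page; the KFL_* overrides are
# assumptions of this example for pointing the wrapper at another location.
CHECKER="${KFL_CHECKER:-/opt/kaspersky/kfl/bin/integrity_checker}"
MANIFEST="${KFL_MANIFEST:-/opt/kaspersky/kfl/bin/integrity_check.xml}"

# The page requires root privileges for the utility; check before running.
require_root() {
    [ "$(id -u)" -eq 0 ]
}

# Run the check and map the return code to a status word on stdout.
# The utility's own report goes to stderr so stdout carries only the status.
# Returns 0 only for SUCCEEDED; ERROR (2) is this example's extra status.
check_components() {
    if ! command -v "$CHECKER" >/dev/null 2>&1; then
        # A missing or non-executable checker is a finding, never a pass.
        echo "ERROR"
        return 2
    fi
    if "$CHECKER" "$MANIFEST" --signature-type kds-with-filename >&2; then
        echo "SUCCEEDED"
        return 0
    fi
    echo "FAILED"
    return 1
}

# Entry point for a scheduler: log to syslog and propagate the exit status.
main() {
    if ! require_root; then
        echo "integrity check must be run as root" >&2
        return 3
    fi
    status=$(check_components) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        logger -t kfl-integrity -p auth.info "component integrity confirmed"
    else
        logger -t kfl-integrity -p auth.crit "integrity check $status (rc=$rc)"
    fi
    return "$rc"
}

# Run only when invoked with --run, e.g. from cron or a systemd timer.
if [ "${1:-}" = "--run" ]; then
    main
    exit $?
fi
```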
If an application integrity violation is detected during application startup, the Kaspersky application generates an IntegrityCheckFailed event in the event log.