File Integrity Checks - Use Scan Data as Expected Value

Instead of manually setting a default expected value for your File Integrity checks, you can choose the "Use scan data as expected value" option in the user-defined control (UDC) and we’ll set the expected value for you based on the actual value returned by the scan.

It’s a 2-step process to set this up:

1 - Configure your file integrity check to use scan data

Go to PC > Policies > Controls > New > Control, and choose File Integrity Check for Windows or Unix. Select “Use scan data as expected value” for individual technologies or make it the default for all technologies. When selected, you’ll see USE_SCAN_VALUE in the Default Value field.

File Integrity UDC with Use scan data as expected value selected

2 - Enable this option in your compliance profile

Go to PC > Scans > Option Profiles. Create a new profile or edit an existing one. On the Scan tab, select "Auto Update expected value" under File Integrity Monitoring. You must also select "File Integrity Monitoring controls enabled" to include these controls in your scan.

Compliance Profile with Auto Updated expected value option selected

If you have Cloud Agent, enable "Auto Update Expected Value" under Agent Scan Options section in the control. When enabled, we’ll update this control’s expected value with the actual value collected from each cloud agent scan.

To generate reports reflecting the results of each agent scan, schedule your compliance reports to run between consecutive agent scans, within the scan interval defined for your agents.

Control Evaluation - How it works

When you first add the control to a policy you’ll see USE_SCAN_VALUE as the expected value for the control.

File Integrity check in policy with USE SCAN VALUE as expected value

After your first scan, we’ll update the expected value with the actual file hash returned by the scan.

File Integrity check in policy with file hash as expected value

You’ll see a posture of Passed for this control in your compliance reports, and you’ll continue to see a posture of Passed as long as the file does not change.

File Integrity check in report with Passed status

If the file changes, a different file hash will be returned by the scan and you’ll see a posture of Failed in your reports. This is because the expected value and the actual value no longer match.

File Integrity check in report with Failed status

Launch another scan with "Auto Update expected value" enabled in your compliance profile and we’ll automatically update the expected value for your control in the policy with the value returned by the most recent scan. Now the new value will be used for posture evaluation.

File Integrity check with new file hash as expected value
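The evaluation sequence described above (USE_SCAN_VALUE on first add, baseline taken from the first scan, Passed while the hash matches, Failed on a change, baseline replaced when "Auto Update expected value" is on) can be followed in a small simulation. This is an added example, not Qualys code: the class and function names, the file path, the use of SHA-256 as the "file hash", the sample file contents, and the assumption that the auto-update is applied after the posture for a scan has been recorded are all choices made for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple

# Sentinel shown in the Default Value field when "Use scan data as expected value" is selected.
USE_SCAN_VALUE = "USE_SCAN_VALUE"


def file_hash(content: bytes) -> str:
    """Hash of the monitored file's content.

    The page only says "file hash"; SHA-256 is an assumption made for this example.
    """
    return hashlib.sha256(content).hexdigest()


@dataclass
class FileIntegrityControl:
    """One File Integrity check as it sits in a policy (hypothetical model, not the product's)."""
    path: str
    expected: str = USE_SCAN_VALUE
    postures: List[str] = field(default_factory=list)

    def evaluate(self, actual: str, auto_update: bool) -> str:
        """Evaluate one scan result and return the posture that lands in the report.

        Rules taken from the page:
          * while the expected value is still USE_SCAN_VALUE, the first scan's hash
            becomes the expected value and the control is Passed;
          * a matching hash is Passed, a different hash is Failed;
          * with "Auto Update expected value" enabled, the expected value is replaced
            by the most recent scan's hash, and that value is used from the next scan on.
        Assumption: the update is applied after the posture is recorded, so the scan
        that detects the change still reports Failed.
        """
        if self.expected == USE_SCAN_VALUE:
            self.expected = actual          # first scan: baseline taken from scan data
            posture = "Passed"
        elif actual == self.expected:
            posture = "Passed"              # file unchanged
        else:
            posture = "Failed"              # expected and actual no longer match
            if auto_update:
                self.expected = actual      # baseline replaced by the latest scan value
        self.postures.append(posture)
        return posture


def run_scans(control: FileIntegrityControl, scans: List[Tuple[bytes, bool]]) -> List[str]:
    """Feed a sequence of (file_content, auto_update_enabled) pairs through the control."""
    return [control.evaluate(file_hash(content), auto_update) for content, auto_update in scans]


if __name__ == "__main__":
    # Constructed sample: the file is unchanged for two scans, then modified.
    baseline = b"# constructed baseline content\n"
    modified = b"# constructed baseline content\n# tampered line\n"
    control = FileIntegrityControl(path="/etc/hosts")
    postures = run_scans(control, [
        (baseline, True),    # Passed, expected value set from scan data
        (baseline, True),    # Passed, hash matches
        (modified, False),   # Failed, auto update off so expected value kept
        (modified, True),    # Failed, then expected value replaced
        (modified, True),    # Passed, new value now used for evaluation
    ])
    for i, posture in enumerate(postures, 1):
        print(f"scan {i}: {posture} (expected={control.postures and control.expected[:12]}...)")
```

Note how the change is visible as Failed only in the report for the scan that detected it; once the expected value has been auto-updated, the modified file evaluates as Passed, which is why the report scheduling advice for agent scans above matters.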

Handling Errors

When error codes 2, 27, 28, or 45 are returned, the control posture is not marked as Error in the report. Depending on when the error is encountered, the posture of the control is marked Pass or Fail.

File does not exist in the 1st scan

File exists in the 1st scan