Configure a Directory Integrity Check (Windows)

This control checks the integrity of files and directories that you’re interested in and gives you up to the minute visibility on changes to files/directories and their permissions. It calculates hash based file integrity at the directory level, and automatically updates snapshots after changes.

The statement you provide is like the control name that describes what it is and how it should be implemented in the environment. You'll also need to decide which category the control belongs to. This is important because users can search and filter controls by category, they can also search by keywords in the statement.

These are the search parameters you want to use. You'll tell us where to start our search (the base directory) and what you want to match. 

Base Directory

The base directory is the directory you want to search. Be as specific as you can to reduce the search time (there is a time limit). Then tell us how many levels we should search within the directory.

File/Directory Name

Use these fields to find files and directories based on the name. You'll notice that * is used by default for the File Name Include and Directory Name Include, meaning that all files will be a match.

Note - When entering a file name, be sure to include only the file name, not the path to the file. When entering a directory name, only include the directory, not a file name.

Search Limits

You'll also want to set search limits - the max search time and the max number of results to return. We'll stop the search as soon as we hit one of these limits.

Data Type - The actual value returned for this control is a String, meaning we'll return a string value in the scan results.

Description - The control description will appear in compliance policies and reports. If you change the description at a later time, the description will be updated for all controls that use the same set of parameters.

File System Object Types

Select each file system object type you want to include in the search. For a Windows Directory Integrity Check only File type is available.


The digest of file/directory changes is calculated at scan time and is used for control evaluation. 

The hash type identifies the algorithm to be used for computing the file hash. The supported hash types are: MD5 (insecure competitive matching only) 16-byte digest, SHA1 (insecure competitive matching only) 20-byte digest, and SHA256 (Secure) 32-byte digest.

Permission Monitoring

The "Include permission monitor" option is selected by default. This means we'll consider permission changes when calcuating file/directory digest.

Your control may apply to many technologies. Select each technology you're interested in and provide a rationale statement and expected value.

Time Saving Tip: If you plan to enter the same settings for each technology you only need to do it once. Make your selections in the "Default Values" section first and then select the check box for each technology you want. You'll see that the settings get copied automatically to each technology that you select.

Make these settings:

Rationale - Enter a rationale statement describing how the control should be implemented for each technology.

Expected Value - You have the following options:

Automatically set the value - The "Use scan data as expected value" option is selected for you initially. This means we’ll set the expected value for you based on the actual value returned by the scan. You'll see "regular expression" for the Operator and "USE_SCAN_VALUE" for the Default Value. 

Manually set the value - If you clear/disable the "Use scan data as expected value" option, then you can customize the directories/files that are included in snapshots used to calculate integrity and Pass/Fail status. Select from the Cardinality and Operator options listed. We recommend you set the Default Value to .* (to match any value) and then check the actual value returned by the scan in a policy report. Then you can copy/paste the actual value into your policy.

See Directory Integrity Checks - Use Scan Data as Expected Value to learn more.

Add up to 10 references for the control. These may be references to internal policies, documents and web sites. For each reference, enter a description, a URL or both. When providing a URL, you must start the URL with http://, https:// or ftp://. For example, enter to link to the Qualys web site. Once added users have the option to include references in policy reports.

You'll see the Agent Scan tab in the control when you have Cloud Agent. This tab includes options that apply only when using cloud agent scan data. See Agent UDC Support to learn about these options.


Ready to scan?

You must select this setting in the option profile you apply to your scan: Enable the Dissolvable Agent. When editing your profile, you'll see this setting under Dissolvable Agent (in the Scan section).


Quick Links

Directory Integrity Checks - Use Scan Data as Expected Value

User-Defined Controls

Regular Expressions (PCRE)

Agent UDC Support