

Integrity Monitoring

Integrity Monitoring reviews and validates changes made on Windows and Linux endpoints to assess the integrity of multiple entities.

Integrity Monitoring operates based on default rules, provided by Bitdefender, and custom rules. These rules are available on the Policies > Integrity Monitoring Rules page of the Control Center.

Based on these rules, Integrity Monitoring takes action when events are generated for files, folders, registry entries, users, services and installed software. These events are displayed on the Reports > Integrity Monitoring Events page of the Control Center.

You can also create a portlet, as well as two types of reports based on Integrity Monitoring events:

  • Integrity Monitoring activity, which displays events from the events page.

  • Integrity Monitoring configuration changes, which displays Bitdefender Trusted as well as Unapproved events.

Integrity Monitoring also comes with hardcoded restrictors, which automate best practices to reduce alert fatigue and prevent a negative impact on performance.

Integrity Monitoring is available for all standard products, except for GravityZone EDR and Bitdefender FRAT. It is delivered as an add-on for products with a license key, and as a licensing option for monthly subscriptions.

By default, it stores the detected events for 7 days. In addition, a data retention add-on is available for storing the events, with three options to choose from: 90 days, 180 days and 1 year of data retention.

After you add the license, log back in to GravityZone. Two new pages are available in the main menu of the Control Center:

  • Under Policies, the new page named Integrity Monitoring Rules contains the rules, rule sets and related options for configuring Integrity Monitoring.

  • Under Reports, the new page named Integrity Monitoring Events contains all the detected events. The events listed on this page are based on default and/or custom rules.


In addition, the policy settings include a new section named Integrity Monitoring, where you enable the module and select the rule set that you want to apply with the policy.

Integrity Monitoring limitations


  • Integrity Monitoring monitors a large set of registry keys and values, with some exceptions. For a full list of monitored registry keys and values, refer to this document.

  • Changes made by GravityZone excluded processes do not generate events.


  • Integrity Monitoring does not support protected containers.

  • Integrity Monitoring does not start if the backend is switched from kprobes to auditd.

  • The InstalledSoftware event is only generated for Debian-based operating systems.

  • The service_added events only work once per service.

  • Multiple sequential events are processed at a slower rate.

  • Different text editors could generate different events for the same file modification due to their use of different APIs.

  • Operations performed as another user, using the runuser command, trigger events with a void user field.

  • Integrity Monitoring is not compatible with 32-bit operating systems.
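
The limitation above about text editors producing different events for the same modification can be reproduced without any editor. The following is an added example, not Bitdefender code: the file name `app.conf` and both save functions are constructed for illustration. It applies two common save strategies to the same file and reports which file attributes change in each case.

```python
import os
import stat
import tempfile

def save_in_place(path, data):
    # Strategy A: truncate and rewrite the existing file (the inode is kept).
    with open(path, "w") as f:
        f.write(data)

def save_via_rename(path, data):
    # Strategy B: write a sibling temp file, then rename it over the target.
    # mkstemp creates the temp file with mode 0600, so permissions change too
    # unless the editor restores them afterwards.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path), prefix=".tmp-")
    with os.fdopen(fd, "w") as f:
        f.write(data)
    os.replace(tmp, path)

def fingerprint(path):
    # The attributes a file integrity monitor typically has available to compare.
    st = os.stat(path)
    with open(path) as f:
        content = f.read()
    return {"inode": st.st_ino, "mode": stat.S_IMODE(st.st_mode), "content": content}

def observe(save_fn):
    """Apply one save strategy to a constructed file; return the attributes that changed."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "app.conf")  # constructed sample file
        with open(path, "w") as f:
            f.write("port=8080\n")
        os.chmod(path, 0o644)
        before = fingerprint(path)
        save_fn(path, "port=9090\n")  # the same logical edit in both cases
        after = fingerprint(path)
        return sorted(k for k in before if before[k] != after[k])

if __name__ == "__main__":
    for fn in (save_in_place, save_via_rename):
        print(f"{fn.__name__}: changed {observe(fn)}")
```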

Related topics

For more information about Integrity Monitoring, refer to: