Back to overview

CIM – virus protection suitable for industrial applications

CIFS Integrity Monitoring (CIM) is an antivirus sensor from Phoenix Contact which is suitable for industrial applications. CIM is able to detect whether Windows-based systems such as controllers, operator interfaces or PCs have been manipulated, e.g., by malware, without the need to load virus patterns.

Where is CIM used?

CIM is predominantly used to protect non-patchable systems. Non-patchable systems are largely Window-based systems with one or more of the following properties:

  • The system has an outdated operating system for which Microsoft no longer provides security patches, e.g., Windows 2000 or earlier.
  • Systems which may no longer be modified because the delivery state has been certified by the manufacturer or a competent authority. In the event of software modification, e.g., as a result of an operating system update, the warranty would be voided or certification from the relevant authority would cease.
  • Systems which may not be equipped with a virus scanner due to time-critical applications, e.g., in order to maintain realtime capability. Or those that are unable to update virus patterns because there is no Internet connection, for example.
  • Systems which are intentionally not equipped with virus scanners or IDS/IPS (intrusion detection systems/intrusion prevention systems) because the entire application would be stopped even in the event of a false alarm.
  • Systems whose users do not have the necessary expertise to install virus scanners or IDS/IPS without adversely affecting the system.

Non-patchable systems are used in various sectors of industry: e.g., for analysis systems in the chemical and pharmaceutical industry, for airbag manufacture in the automotive industry, as well as production with PC-based controllers.

How CIM works

CIFS Integrity Monitoring (CIM)  

CIFS Integrity Monitoring (CIM)

CIM regularly checks Windows systems against a reference status to determine whether certain files (e.g., .exe or .dll) have been changed.

If a file system to be checked is reconfigured or modified, a reference or integrity database must be created. This database contains the checksums of all files to be checked and is used as a basis for comparison (reference). It is either created on the first check or explicitly due to a specific reason.
If the checksum of a file has changed, this means that the file has been modified. If the user did not perform this change, it may have been modified by malware. The deletion or addition of a file is also detected. When a checksum change is detected, CIM generates an alarm either via e-mail or SNMP trap. The integrity database itself is protected against manipulation.

Firewall and CIM comparison

Regulates data traffic using protocols, addresses, etc.Has no effect on communication
Uses a static set of rulesUses hash values (digital fingerprints) of files to detect manipulation
False alarms are not possibleFalse alarms are not possible
Does not detect any changes to filesDetects and indicates every change to a file
Works autonomously and staticallyWorks dynamically and interacts with other systems

Advantages of CIM

CIM offers many advantages for demanding industrial applications: 

  • Conserves the resources of the monitored system, e.g., CPU power or network load.
  • Virus patterns do not have to be loaded.
  • No false alarms during the integrity check.
  • False alarms from the external virus scanner do not affect the monitored system as the external virus scanner cannot delete files or block their use.
  • CIM monitors systems dynamically.
  • CIM supplements security activities with virus scanning in closed systems and protects files against manipulation.

Back to overview
Further information on mGuard products
Further information on mGuard functions


8240 Parkhill Drive
Milton, Ontario L9T 5V7