CIFS Integrity Monitoring (CIM) is an antivirus sensor from Phoenix Contact which is suitable for industrial applications. CIM is able to detect whether Windows-based systems such as controllers, operator interfaces or PCs have been manipulated, e.g., by malware, without the need to load virus patterns.
CIM is predominantly used to protect non-patchable systems. Non-patchable systems are largely Windows-based systems with one or more of the following properties:
Non-patchable systems are used in various sectors of industry: e.g., for analysis systems in the chemical and pharmaceutical industry, for airbag manufacture in the automotive industry, as well as production with PC-based controllers.
CIM regularly checks Windows systems against a reference status to determine whether certain files (e.g., .exe or .dll) have been changed.
If a file system to be checked is reconfigured or modified, a reference or integrity database must be created. This database contains the checksums of all files to be checked and is used as a basis for comparison (reference). It is created either on the first check or explicitly for a specific reason.
If the checksum of a file has changed, this means that the file has been modified. If the user did not perform this change, it may have been modified by malware. The deletion or addition of a file is also detected. When a checksum change is detected, CIM generates an alarm either via e-mail or SNMP trap. The integrity database itself is protected against manipulation.
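The reference-and-compare cycle described above, as an added example that is not Phoenix Contact's code: it builds a checksum database for `.exe`/`.dll` files, seals it, and reports modified, deleted and added files on the next check. SHA-256, the JSON database format and the HMAC seal are assumptions made for illustration; the page does not state which algorithms CIM uses or how it protects its database.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

WATCHED = (".exe", ".dll")  # file types the page names as examples

def snapshot(root):
    """Map relative path -> SHA-256 for every watched file under root."""
    sums = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WATCHED):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                sums[os.path.relpath(full, root)] = digest
    return sums

def seal(sums, key):
    """Serialize the reference database and tag it with an HMAC (assumed scheme)."""
    body = json.dumps(sums, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def check(root, body, tag, key):
    """Verify the sealed database first, then compare it with the current state."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("reference database failed its integrity check")
    ref, now = json.loads(body), snapshot(root)
    return {
        "modified": sorted(p for p in ref if p in now and ref[p] != now[p]),
        "deleted": sorted(p for p in ref if p not in now),
        "added": sorted(p for p in now if p not in ref),
    }

def demo():
    """Constructed sample tree: create the reference, change files, re-check."""
    key = b"constructed-demo-key"  # constructed value, not a real secret
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("hmi.exe", b"v1"), ("plc.dll", b"v1"), ("notes.txt", b"x")):
            Path(root, name).write_bytes(data)
        body, tag = seal(snapshot(root), key)            # reference database
        Path(root, "hmi.exe").write_bytes(b"v1-changed")  # modification
        os.remove(os.path.join(root, "plc.dll"))         # deletion
        Path(root, "extra.exe").write_bytes(b"new")      # addition
        return check(root, body, tag, key)

if __name__ == "__main__":
    print(demo())
```

Each non-empty list in the result corresponds to a condition that would raise an alarm; `notes.txt` is ignored because it is not a watched file type.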
The CIFS antivirus scan connector enables external virus scanners to perform a virus scan on system drives protected by the FL MGUARD that are otherwise not externally accessible, e.g. industrial PCs in production cells. All network drives are combined by the FL MGUARD and mirrored to the outside as a single drive. This virtual drive can now be checked by an external virus scanner without the virus scanner having to access the real system.
| Regulates data traffic using protocols, addresses, etc. | Has no effect on communication |
| Uses a static set of rules | Uses hash values (digital fingerprints) of files to detect manipulation |
| False alarms are not possible | False alarms are not possible |
| Does not detect any changes to files | Detects and indicates every change to a file |
| Works autonomously and statically | Works dynamically and interacts with other systems |
CIM offers many advantages for demanding industrial applications: