Clarification on Custom Path Configuration in Server File Integrity Monitoring Policy

Question

Hi Team,

While reviewing a Server File Integrity Monitoring (FIM) policy, I noticed that although FIM is enabled, no custom file paths have been specified under the included or excluded locations.

Based on my understanding, in such cases only the default system directories are being monitored. While Sophos FIM does offer OS-level monitoring for critical directories (e.g., system32, etc.), it does not automatically cover application-specific or business-critical directories unless these are explicitly defined is this understanding correct here ?

To improve coverage, I’m considering defining additional paths under included-locations such as:

Windows:
C:\Windows\System32\, C:\inetpub\wwwroot\, and custom application folders like D:\FinanceApp\Config\
Linux:
/etc/, /var/log/, /usr/bin/, /home/<app>, /opt/<custom_app>/

Additionally, to reduce noise, I plan to define excluded-locations for directories where frequent benign changes are expected:

C:\Temp\, C:\ProgramData\Cache\, /var/tmp/, /var/cache/

Could the community confirm if this is the right approach? Are there any best practices or gotchas when configuring FIM paths for both security effectiveness and operational efficiency?

Thanks in advance!

Rutvik Chavda · Answer

Hello Suhas Khade, Thank you for reaching out to the Sophos Community Forum. Please refer to this information if that helps you. Your understanding is correct. When File Integrity Monitoring (FIM) is enabled in Sophos but no custom file paths are specified under the included or excluded locations, only the default critical system files and directories are monitored (for example, C:\Windows\System32\ on Windows). Application-specific or business-critical directories aren’t monitored automatically; these must be explicitly added under custom monitoring paths in the FIM policy. To enhance monitoring coverage, it’s best practice to define additional locations to be monitored, such as: Windows: C:\Windows\System32\ C:\inetpub\wwwroot\ D:\FinanceApp\Config\ (or other custom application directories) Linux: /etc/ /var/log/ /usr/bin/ /home// /opt// To reduce noise and improve operational efficiency, use excluded locations for directories where frequent benign changes are expected, for example: Windows: C:\Temp\ C:\ProgramData\Cache\ Linux: /var/tmp/ /var/cache/ Key recommendations: Use Sophos Central Admin to explicitly add custom monitoring paths in your FIM policy. Apply exclusions as specifically as possible to avoid missing important changes. Regularly review and update both monitored and excluded locations as your environment evolves. Integrate FIM alerts with your security operations for prompt response. This approach ensures thorough coverage of system and application files while minimising unnecessary alerts. Please refer to this article for reference: File Integrity Monitoring Policy Let me know if you need any further help.