Data provision

The operation of certain components of Kaspersky Anti Targeted Attack Platform requires data processing on the Kaspersky side. Components do not send data without the consent of the administrator of Kaspersky Anti Targeted Attack Platform.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

• In the End User License Agreement (for example, during installation of the application).

  According to the terms of the End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under Data Provision. The End User License Agreement is included in the application distribution kit.

• In the KSN Statement (for example, during installation of the application or in the administrator menu after installation).

  When you participate in Kaspersky Security Network, information obtained as a result of Kaspersky Anti Targeted Attack Platform operation is automatically sent to Kaspersky. The list of transmitted data is specified in the KSN Statement. The Kaspersky Anti Targeted Attack Platform user independently decides on his/her participation in KSN. The KSN Statement is included in the application distribution kit.

  Before KSN statistics are sent to Kaspersky, they are accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components.

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is sent over encrypted communication channels.

When using Kaspersky Private Security Network, Kaspersky is not sent information about the operation of Kaspersky Anti Targeted Attack Platform. However, KSN statistical data is accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components to the same extent as when using Kaspersky Security Network. This accumulated KSN statistical data may be transmitted beyond the perimeter of your organization if a server with the Kaspersky Private Security Network application is located outside of your organization.

The Kaspersky Private Security Network administrator must personally ensure the security of such data.

Service data of the application

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Service data of Kaspersky Anti Targeted Attack Platform include:

• Data on user accounts.
• Information about computers connected to the Central Node component on which the Endpoint Agent component is installed.
• Data about presets and prevention rules.
• Information about tasks assigned to computers with the Endpoint Agent component.
• Data about TAA (IOA) user-defined rules.
• Data about user IDS user-defined rules.
• Data about IOC user-defined rules.
• Data on network isolation rules.
• Data about scan exclusions.
• Data on report templates.
• Information about Endpoint Agent component certificates.

  The above data is stored indefinitely on the server hosting the Central Node component in the / data directory if the Central Node component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• System event log

  OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

• Log with information about the application operation.

  The log file is stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• File scan queue.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

• Files received from computers with the Endpoint Agent component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files with YARA and IDS rules (user-defined and from Kaspersky).

  Files are stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Files with data about alerts sent to external systems.

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Artifacts of the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files for which alerts were created by the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Certificate files used for the authentication of application components.

  Files are stored indefinitely in the /var/log directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

• Encryption keys that are transmitted between application components.

  Files are stored indefinitely in the /var/log directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

The application stores the following information about user accounts:

• Account ID.
• Account name.
• The hash and salt of the account password.
• Domain name of the user.
• Account role.
• Account status.
• Access rights to tenants in distributed solution and multitenancy mode.
• ID of the tenant in distributed solution and multitenancy mode.

The application stores the following information about computers connected to the Central Node component on which the Endpoint Agent component is installed:

• ID of the computer assigned by Kaspersky Security Center.
• Computer name.
• IP address of the computer.
• The operating system used on the computer.
• The version of the application that fills the role of the component.
• Self-Defense status.
• Date and time when the first and last telemetry packet were sent to the Central Node component.
• Date and time of the last IOC scan run.
• Result of the last IOC scan run.

The application stores the following information about the prevention rules:

• MD5 or SHA256 hash of the file that is prevented from running.
• The account name of the user who created the prevention rule.
• The account name of the user who changed the prevention rule.
• List of computers on which the file is prevented from running.
• Prevention rules change log.

The application stores the following information about tasks assigned to computers with the Endpoint Agent component:

• Task type.
• Computer name.
• IP address of the computer.
• Task creation date and time.
• Task expiration date.
• Name of the user account that created the task.
• Task settings data.
• Task report data.
• Task comments.

The application stores the following information about TAA (IOA) user-defined rules:

• Rule name.
• Source code of the request being scanned.
• Rule ID.
• Rule status.
• Rule creation date and time.
• The importance that was specified when the rule was added.
• Level of confidence that depends on the likelihood of false alarms as defined by the user when the rule was added.

The application stores the following information about IDS user-defined rules:

• Account name of the user who uploaded the rules file.

The application stores the following information about IOC user-defined rules:

• Account name of the user who uploaded the rules file.
• Name of the IOC file.
• Contents of the IOC file.

The application stores the following information about network isolation rules:

• Account name of the user that enabled network isolation.
• ID of the isolated computer.
• Rule name.
• Rule status.
• List of resources excluded from network isolation.

The application stores the following information about scan exclusions:

• Account name of the user that added the exception.
• List of objects excluded from the scan.
• Rule exception ID.

The application stores the following information about report templates:

• ID of the user account that created or modified the template.
• Template creation date.
• Date of last modification of the template.
• Text of the template as HTML code.

The application stores the following information about Endpoint Agent component certificates:

• Account name of the user who uploaded the certificate file.
• Digest of the certificate.
• Serial number of the certificate.
• Public key.

Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server with the Sensor component or on the server with Sensor and Central Node components if Sensor and Central Node are installed on the same server or deployed as a cluster.

Traffic data is recorded and stored in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached (you can configure this setting)
• The configured time interval has elapsed (you can configure this setting)
• The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform application is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

• Information related to alerts generated by the Targeted Attack Analyzer technology
• PCAP files in which:
  • Source or destination IP address matches an IP address from the alert
  • Traffic data belongs to the time period within 15 minutes from the alert time

Filtered traffic data is moved to a separate section. The rest of the traffic data (that do not satisfy filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached
• The configured time interval has elapsed

Filtered data traffic is stored for the last 24 hours. Older data is deleted.

Data in alerts

Alerts may contain user data. If the Central Node component is installed on the server, information about alerts and files that resulted in an alert are stored on the server hosting the Central Node component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, information about alerts and files that resulted in an alert are stored on the storage servers.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

The following information is stored in all alerts:

• Alert time.
• Category of the detected object.
• Name of the detected file.
• Detected URL.
• MD5 and SHA256 hash of the detected file.
• User comments added to the alert information.
• ID of the TAA rule by which the alert was generated.
• IP address and name of the computer on which the alert was generated.
• ID of the computer on which the alert was generated.

When an alert is changed, the following information is stored on the server:

• The user account that modified the alert.
• The user account to which the alert was assigned.
• Date and time of alert modification.

If an email message was detected, the following information may be stored on the server:

• Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• All service headers of the message (as they appear in the message).

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• The URI of the transferred resource.
• Information about the proxy server.
• Unique ID of the email message.
• Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• List of detected objects.
• Time of network connection.
• URL of network connection.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• Transmitted data.
• Data transfer time.
• URL extracted from the file containing the traffic, User Agent, and method.
• File containing the traffic where the alert occurred.

If the alert was generated using YARA rules, the following information can be stored on the server:

• Version of YARA rules that was used to generate the alert.
• Category of the detected object.
• Name of the detected object.
• MD5 hash of the detected object.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

• Version of the application databases used to generate the alert.
• Category of the detected object.
• Names of detected objects.
• MD5 hashes of detected objects.
• Information about detected objects.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

• Date and time of scan completion.
• IDs of the computers on which the alert was generated.
• Name of TAA (IOA) rule.
• Name of the IOC file.
• Information about detected objects.

If the alert was generated by Anti-Malware Engine technology, the following information may be stored on the server:

• Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
• Category of the detected object.
• List of detected objects.
• MD5 hash of detected objects.
• Additional information about the alert.

Data in events

Events may contain user data. If the Central Node component is installed on the server, information about occurred events is stored on the server with the component in the /data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/ directory. When the Central Node component is installed on a cluster, information is stored on storage servers.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Event data can contain information related to the following:

• Name of the computer where the event occurred.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Name of the user account under which the event occurred.
• Name of the group that the user belongs to.
• Event type.
• Event time.
• Information about the file for which the event was logged: name, path, full name.
• MD5 and SHA256 hash of the file.
• File creation time.
• File modification time.
• File access rights.
• Environment variables of the process.
• Command-line parameters.
• Text of the command entered into the command line.
• Local IP address of the adapter.
• Local port.
• Remote host name.
• Remote host IP address.
• Port on the remote host.
• URLs and IP addresses of visited websites, and links from these websites.
• Network connection protocol.
• HTTP request method.
• HTTP request header.
• Information about Windows registry variables: path to the variable, variable name, variable value.
• Contents of a script or binary file sent for AMSI scanning.
• Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.

Data in reports

Reports may contain user data. If the Central Node component is installed on the server, information about occurred events is stored indefinitely on the server with the component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, information is stored on storage servers.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Reports may contain the following information:

• Report creation date.
• Time period covered in the report.
• ID of the user account that generated the report.
• Report status.
• Text of the report as HTML code.

Data on objects in Storage and quarantine

Objects in Storage and quarantine may contain user data. Information about objects in Storage and about copies of objects quarantined on computers with Kaspersky Endpoint Agent using the Get file tasks is stored indefinitely on the Central Node server in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Data on objects in Storage and quarantine may contain the following information:

• Name of the object.
• Path to the object on the computer with Kaspersky Endpoint Agent.
• MD5 and SHA256 hash of the file.
• ID of the user who quarantined the object on the computer with Kaspersky Endpoint Agent.
• ID of the user who placed the object in Storage.
• IP address of the computer on which the quarantined object is stored.
• Name of the computer on which the quarantined object is stored.
• Unique ID of the computer on which the quarantined object is stored in Storage.
• ID of the TAA (IOA) rule by which the alert was generated.
• Category of the detected object.
• Results for the object scanned using individual modules and technologies of the application.

Sandbox component data

For the processing time, the body of the file sent by the Central Node component is saved in open form on the server hosting the Sandbox component. During processing, the server administrator can access the sent file in Technical Support Mode. The scanned file is deleted by a special script according to the schedule. Once every 60 minutes by default.

Information about the data stored on the server with the Sandbox component is provided in the table below.

Data stored on the server with the Sandbox component

Data transmitted between application components

Central Node, Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows

The Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows applications send the following to the Central Node component: reports about running tasks, information about events and alerts that occurred on computers running these applications, and information about terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows is removed from the computer, but no longer than 21 days.

If an event occurred on the user's computer, the applications send the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type of the operating system installed on the host.
2. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5 and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
3. Registry monitoring event.
   • Details of the process that modified the registry: Process ID, process file name, and MD5- and SHA256 hash of the process file.
   • Path to the registry key.
   • Registry value name.
   • Registry value data.
   • Registry value type.
   • Previous path to the registry key.
   • Previous registry value data.
   • Previous registry value type.
4. Driver loading event.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5 and SHA256 hash of the file.
   • File size.
   • Date of file creation and modification.
5. Listening port opening event.
   • Details of the process that opened the listening port: process file name, and MD5- and SHA256 hash of the process file.
   • Port number.
   • Adapter IP address.
6. Event in the operating system log.
   • Time of the event, host on which the event occurred, and user account name.
   • Event ID.
   • Channel/log name.
   • Event ID in the log.
   • Provider name.
   • Authentication event subtype.
   • Domain name.
   • Remote IP address.
   • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
   • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
7. Process start event.
   • Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
   • UniquePID.
   • Process start options.
   • Process start time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
8. Process stop event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
   • UniquePID.
   • Process start options.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
9. Module loading event.
   • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5- and SHA256 hash of the file, and file size.
   • DLL name.
   • Path to DLL.
   • DLL full name.
   • MD5 or SHA256 hash of the DLL.
   • DLL size.
   • Date of DLL creation and modification.
   • Name of the organization that issued the digital certificate of the DLL.
   • DLL digital signature verification result.
10. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Command-line parameters.
11. File startup blocking event.
    • Details of the file that attempted to open: file name, file path, full name of the file, MD5- and SHA256 hash of the file, type of checksum used for file size blocking (0 – MD5, !=0 – SHA256, not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5- and SHA256 hash of the file, PID, and UniquePID.
12. Event of Kaspersky Endpoint Security for Windows.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the alert was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process run command line.
    • Reason for the error when processing the object.
    • Contents of the script scanned using AMSI.
13. AMSI scan event.
    • Contents of the script scanned using AMSI.

Central Node, Kaspersky Endpoint Agent for Linux, Kaspersky Endpoint Security for Linux

The Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux applications send the following to the Central Node component: reports about running tasks, information about events and alerts that occurred on computers running these applications, and information about terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Linux or Kaspersky Endpoint Security for Linux is removed from the computer, but no longer than 21 days.

If an event occurred on the user's computer, the applications send the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type and version of the operating system that is installed on the host.
   • Name of the host that was used to remotely log in to the system.
   • Name of the user assigned when registering in the system.
   • Group to which the user belongs.
   • User name that was used to log in to the system.
   • Group of the user whose name was used to log in to the system.
   • Name of the user who created the file.
   • Name of the group whose users can modify or delete the file.
   • Permissions that can be used to gain access to the file.
   • Inherited privileges of the file.
2. Process start event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
   • UniquePID.
   • Command that was used to start the process.
   • Process type.
   • Environment variables of the process.
   • Process start time.
   • Process end time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
3. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • File type.
   • MD5 and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
4. Event in the operating system log.
   • Event time.
   • Event type.
   • Result of the operation.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.

Central Node and Sandbox

The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.

Central Node and Sensor

The application may transmit the following data between Central Node and Sensor components:

• Files and email messages.
• Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
• License information.
• List of data excluded from the scan.
• Data of the Endpoint Sensors application, if integration with a proxy server has been configured.
• Application databases, if receiving database updates from the Central Node component is configured.

Servers with PCN and SCN roles

If the application is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:

• Data on alerts.
• Data on events.
• Data on tasks.
• Data on policies.
• Data on scans using IOC, TAA (IOA), IDS, YARA user rules.
• Data on files in Storage.
• Data on user accounts.
• About the license.
• The list of computers with the Endpoint Agent component.
• Objects placed in Storage.
• Objects quarantined on computers with the Endpoint Agent component.
• Files attached to alerts.
• IOC and YARA files.

Data contained in application trace files

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Trace files can include any personal data of the user or confidential data of your organization. Files are stored in the /data/var/log/kaspersky directory indefinitely.

Data of Kaspersky Endpoint Agent for Windows

You can view detailed information about Kaspersky Endpoint Agent data that is stored and processed locally in the Online Help of the application:

• Data in requests to the KATA Central Node component.
• Service data.
• Data contained in trace files and dumps.
• Information about acceptance of the KSN Statement.
• Windows Event Log event data.

Data received from the Central Node component

Kaspersky Endpoint Agent saves the values of settings received from the Central Node component on the hard disk of the computer. Data is saved in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

The data is deleted when Kaspersky Endpoint Agent is removed.

Data received from the Central Node component may contain the following information:

• Data on network connections.
• Data on the operating system that is installed on the server with the Central Node component.
• Data on operating system user accounts.
• Data on user sessions in the operating system.
• Data on Windows event log.
• About a RT_VERSION resource.
• About the contents of a PE file.
• About operating system services.
• Certificate of the server with the Central Node component.
• URL- and IP addresses of visited websites.
• HTTP protocol headers.
• Computer name.
• MD5 hashes of files.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Names and values of Windows registry keys.
• Paths to Windows registry keys.
• Names of Windows registry variables.
• Name of the local DNS cache entry.
• Address from the local DNS cache entry in IPv4 format.
• IP address or name of the requested host from the local DNS cache.
• Host of the local DNS cache element.
• Domain name of the local DNS cache element.
• Address of the ARP cache element in IPv4 format.
• Physical address of the ARP cache element.
• Serial number of the logical drive.
• Home folder of the local user.
• Name of the user account that started the process.
• Path to the script that is run when the user logs in to the system.
• Name of the user account under which the event occurred.
• Name of the computer where the event occurred.
• Full paths to files on computers with Kaspersky Endpoint Agent.
• Names of files on computers with Kaspersky Endpoint Agent.
• Masks of files on computers with Kaspersky Endpoint Agent.
• Full names of folders on computers with Kaspersky Endpoint Agent.
• Comments of the file publisher.
• Mask of the process file image.
• Path to the process file image that opened the port.
• Name of the process that opened the port.
• Local IP address of the port.
• Trusted public key of the digital signature of executable modules.
• Process name.
• Process segment name.
• Command-line parameters.

Data in alerts and events

Event data is saved in binary form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata in open non-encrypted form.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

• Data on executable modules.
• Data on network connections.
• About the operating system that is installed on the computer with Kaspersky Endpoint Agent.
• Data on user sessions in the operating system.
• Data on operating system user accounts.
• Data on Windows event log.
• About alerts of Kaspersky Endpoint Security for Windows.
• About organizational units (OU) of Active Directory.
• HTTP protocol headers.
• Fully qualified domain name of the computer.
• MD5- and SHA256 hash of files and their fragments.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Unique IDs of certificates.
• Certificate publisher.
• Certificate subject.
• Name of the algorithm used to generate the certificate fingerprint.
• Address and port of the local network interface.
• Address and port of the remote network interface.
• Application vendor.
• Application name.
• Name of the Windows registry variable.
• Path to the Windows registry key.
• Windows registry variable data.
• Name of the detected object.
• Kaspersky Security Center Network Agent ID.
• Contents of the hosts file.
• Process start command line.

Data contained in task completion reports

Prior to being sent to the Central Node component, the reports and relevant files are temporarily saved on the hard disk of the computer with the Kaspersky Endpoint Agent application. The task completion reports are saved in archived non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Task completion reports contain the following information:

• Data on task output.
• Data on executable modules.
• Data on operating system processes.
• Data on user accounts.
• Data on user sessions.
• Fully qualified domain name of the computer.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Files of the computer with Kaspersky Endpoint Agent.
• Names of
  alternate streams of NTFS

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  .
• Full paths to files on the computer with Kaspersky Endpoint Agent.
• Full names of folders on the computer with Kaspersky Endpoint Agent.
• Content of the process standard output.
• Content of the process standard error stream.

Data contained in an install log

The administrator can enable the Kaspersky Endpoint Agent installation log (using the msiexec standard procedure) during installation using the command line. The administrator shows the path to the file where the install log will be saved.

The log records installation process steps and the msiexec command line containing the address of the server hosting the Central Node component and the path to the install log file.

Data on files that are blocked from starting

Data on files that are blocked from starting is stored in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data on files that are blocked from starting may contain the following information:

• Full path to the blocked file.
• MD5 hash of the file.
• SHA256 hash of the file.
• Process start command.

Data related to the performance of tasks

When performing a task for placing a file in quarantine, the archive containing this file is temporarily saved in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

When performing an application run task on a host, Kaspersky Endpoint Agent locally stores the contents of standard output streams and errors of the running process in plain unencrypted form until the task completion report is sent to the Central Node component. Files are stored in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data of Kaspersky Endpoint Agent for Linux

Kaspersky Endpoint Agent for Linux stores and processes data locally to provide base functionality and audit capability, as well as to improve the speed with which Kaspersky Technical Support can solve potential problems.

Computers with Kaspersky Endpoint Agent for Linux store data prepared to be sent automatically to Kaspersky Anti Targeted Attack Platform servers and Kaspersky Security Center.

This data may include personal data of the user or confidential data of your organization.

Transmission of data from computers with Kaspersky Endpoint Agent for Linux to the server with the Central Node component cannot be disabled.

Do not use the Kaspersky Endpoint Agent for Linux application on computers from which data transfer is forbidden by your corporate policy.

Data received from Kaspersky Endpoint Agent for Linux is stored in a database on the server hosting the Central Node component and is rotated as disk space is filled.

Files that are prepared to be sent by Endpoint Agent for Linux to the server with the Central Node component are stored on computers hosting Endpoint Agent for Linux in plain unencrypted form in the same folder that is used as the default folder for storing files on each computer with Kaspersky Endpoint Agent before they are sent.

Files from computers with Kaspersky Endpoint Agent for Linux are only sent to the server with the Central Node component via a secure SSL connection.

The Kaspersky Anti Targeted Attack Platform administrator must take steps to ensure the security of computers with Kaspersky Endpoint Agent for Linux and Kaspersky Anti Targeted Attack Platform servers with the data listed above. The administrator of Kaspersky Anti Targeted Attack Platform is responsible for access to this information.

This section contains the following information about user data that is stored on computers with Endpoint Agent for Linux:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is removed.

Data in Kaspersky Endpoint Agent for Linux requests to Kaspersky Anti Targeted Attack Platform

When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent for Linux installed.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is removed.

1. In the synchronization requests:
   • Unique ID of Kaspersky Endpoint Agent for Linux.
   • Device name.
   • Local time on the device.
   • Name and version of the operating system that is installed on the device.
   • Version of Kaspersky Endpoint Agent for Linux.
   • Versions of application settings and task settings.
   • Task statuses in Kaspersky Endpoint Agent for Linux: identifiers of running tasks, execution statuses, execution error codes.
2. Data on running processes:
   • Information about the executable file of the process. For the scope of data about the file, see below.
   • Process autorun settings.
   • Values of environment variables.
   • Process ID.
   • Parent process ID.
   • Logon session code.
   • Logon session name.
   • IDs of users and groups that started the process.
   • Date and time when the process started.
   • Information about stopped processes:
     • Process ID.
     • Date and time when the process was stopped.
   • Data on files:
     • Path to the file.
     • File name.
     • File size.
     • File attributes.
     • File creation date and time.
     • Date and time of the last modification of the file.
     • Names and unique IDs of the user and group that own the file.
     • Access rights of the file.
     • Unique identifier of the file.
   • Information about file modifications:
     • Unique identifier of the file.
     • Type of operation performed on the file (writing, reading, attribute modification, renaming, deletion).
   • Information about the logon session:
     • Date and time when the logon session began.
     • Type of the session.
     • Name of the user that initiated the session.
     • Type of the user that initiated the session.
     • Remote computer IP address.
   • Data about detections on the computer with Kaspersky Endpoint Agent for Linux.
     • Type of detected object.
     • Name of the object and full path to the object.
     • Name of the alert.
     • MD5 hash of the object.
     • URL from which the object was downloaded.
     • Remote computer IP address.
     • IP address of the local computer.
     • Alert processing result.

   Before it is sent, data is stored in the /var/opt/kaspersky/epagent/data/cache/queue directory in plain unencrypted form. By default, only users with root permissions have access to the files.

3. Settings of tasks received by Kaspersky Endpoint Agent for Linux from the Central Node:
   • Task types.
   • Task schedule settings.
   • Names and passwords of the accounts under which the tasks can be run.
   • Versions of settings.
   • Paths to objects.
   • MD5 and SHA256 hashes of objects.
   • Command line to start the process together with the arguments.
   • Information about the individual task is stored on the device until Kaspersky Endpoint Agent receives a deletion request from the Central Node or until Kaspersky Endpoint Agent itself is removed from the device.

   Task data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.

4. In the reports on task execution results sent by Kaspersky Endpoint Agent for Linux to the Central Node:
   • Task execution errors and return codes.
   • Task completion statuses.
   • Task completion time.
   • Versions of settings used for task execution.
   • Information about objects sent to the server (paths to objects, MD5 and SHA256 hashes of objects).
   • Files requested by the server.
   • Content of the process standard output.
   • Content of the process standard error stream.
   • Kaspersky Endpoint Agent for Linux sends task execution result reports to the Central Node.

   Task execution result data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.

   Information with the task execution report is deleted after the information is sent to the Central Node.

Service data of Kaspersky Endpoint Agent for Linux

Service data of Kaspersky Endpoint Agent for Linux includes data that is stored in configuration files as a result of an administrator configuring settings locally or using the Kaspersky Security Center plug-in.

Service data is stored in the /var/opt/kaspersky/epagent/settings and /var/opt/kaspersky/epagent/policy directories. The data is stored until Kaspersky Endpoint Agent for Linux is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with root permissions have access to the files.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is removed.

Kaspersky Endpoint Agent for Linux stores the following data:

• Address of the Central Node server.
• Public key of the server certificate for integration with the Central Node.
• Container with the client certificate for integration with the Central Node.
• Authorization credentials for the proxy server.
• Addresses of custom update sources.
• Configuring the frequency of synchronization and sending telemetry to the Central Node server.

Data contained in Kaspersky Endpoint Agent for Linux trace files and dumps

Data contained in trace files

Users are responsible for the security of data stored on their computers, in particular for monitoring and restricting access to the data before it is sent to Kaspersky.

Trace files are stored on the computer during the entire period when the application is used and are permanently deleted when the application is removed.

By default, trace files are saved in the /var/log/kaspersky/epagent/ directory. You can view data in trace files. Accessing the default trace file directory requires root permissions.

All trace files contain the following general data:

• Time when the event occurred.
• Number of the thread of execution.
• Application component that initiated the event.
• Event importance level (information, warning, critical, error).
• Description of the event that occurred in connection with an application component running a command, and the result of the command.

In addition to general information, trace files can contain the following data:

• Kaspersky Endpoint Agent component statuses and their working data
• Information about all operating system objects and events including user activity information
• Data contained in operating system objects (for example, contents of files that can include personal data of users)
• Network traffic data (for example, contents of website forms that can include bank card data or other confidential data)
• Data received from Kaspersky servers (for example, version of the application databases)

Trace data is recorded to the lena2021-01-18T052236.log file. When the file size reaches 10 MB, the file is saved in the /var/log/kaspersky/epagent/ directory. A new file with a timestamp is created to record current data. Up to 10 files with trace data can be stored in the directory. When the size of the last created file reaches 10 MB, the oldest file is deleted.

Trace files of other applications are stored on the computer until the application is removed.

Data contained in dump files

Stored dump files can contain personal data. To monitor and restrict access to data, you must take steps to ensure the security of dump files.

Dump files are generated automatically whenever the application crashes, and are stored on the computer during the entire period when the application is used. Dump files are permanently deleted when the application is removed.

Dump files are stored in the /var/opt/kaspersky/epagent/dumps/ directory.

A dump file contains the entire memory dump of Kaspersky Endpoint Agent for Linux processes for the moment when the dump file is created. The dump file can also contain personal data.

Accessing dump files requires root permissions.

Kaspersky Endpoint Security for Windows data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application:

• Provision of data under the End User License Agreement.
• Provision of data when Kaspersky Security Network is used.
• Compliance with European Union law (GDPR).

Kaspersky Endpoint Security for Linux data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.