Kaspersky Anti Targeted Attack Platform

Data provision

The operation of certain components of Kaspersky Anti Targeted Attack Platform requires data processing on the Kaspersky side. Components do not send data without the consent of the administrator of Kaspersky Anti Targeted Attack Platform.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

  • In the End User License Agreement (for example, during installation of the application).

    According to the terms of the End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under Data Provision. The End User License Agreement is included in the application distribution kit.

  • In the KSN Statement (for example, during installation of the application or in the administrator menu after installation).

    When you participate in Kaspersky Security Network, information obtained as a result of Kaspersky Anti Targeted Attack Platform operation is automatically sent to Kaspersky. The list of transmitted data is specified in the KSN Statement. Each Kaspersky Anti Targeted Attack Platform user decides independently whether to participate in KSN. The KSN Statement is included in the application distribution kit.

    Before KSN statistics are sent to Kaspersky, they are accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components.

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is sent over encrypted communication channels.

When using Kaspersky Private Security Network, no information about the operation of Kaspersky Anti Targeted Attack Platform is sent to Kaspersky. However, KSN statistical data is still accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components, to the same extent as when using Kaspersky Security Network. This accumulated KSN statistical data may be transmitted beyond the perimeter of your organization if the server with the Kaspersky Private Security Network application is located outside of your organization.

The Kaspersky Private Security Network administrator must personally ensure the security of such data.

In this Help section

Service data of the application

Data of the Central Node and Sensor components

Sandbox component data

Data transmitted between application components

Data contained in application trace files

Data of Kaspersky Endpoint Agent for Windows

Data of Kaspersky Endpoint Security for Windows

Data of Kaspersky Endpoint Security for Linux

Data of Kaspersky Endpoint Security for Mac


Service data of the application

Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system tools, at their own discretion, to control whether users of servers and operating systems with the application installed can access the personal data of other users.

Information about the service data of Kaspersky Anti Targeted Attack Platform is provided in the table below.

Service data of Kaspersky Anti Targeted Attack Platform

Each entry below gives the data type, followed by the location and duration of its storage.

  • Data on user accounts.
  • Data of the Central Node component.
  • Data about tenants.
  • Information about computers connected to the Central Node component on which the Endpoint Agent component is installed.
  • Data about presets and prevention rules.
  • Information about tasks assigned to computers with the Endpoint Agent component.
  • Custom widget layout data.
  • Information about user-defined TAA (IOA) rules.
  • Information about user-defined IDS rules.
  • Information about user-defined IOC rules.
  • Data on network isolation rules.
  • Data about scan exclusions.
  • Information about reports and report templates.
  • Information about Endpoint Agent component certificates.

 

Data is stored indefinitely on the server hosting the Central Node component in the /data directory if the Central Node component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

System event log

OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

Log with information about the application operation.

The log file is stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

File scan queue.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

Files received from computers with the Endpoint Agent component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Files with YARA and IDS rules (user-defined and from Kaspersky).

Files are stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

 

Files with data about detections sent to external systems.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

 

Artifacts of the Sandbox component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Files for which detections were created by the Sandbox component.

Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

Certificate files used for the authentication of application components.

Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

Encryption keys that are transmitted between application components.

Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

 

Copies of mirrored traffic from SPAN ports.

Files are stored in storage mounted on the server with the Sensor component. Data is deleted as disk space becomes full.

ICAP exclusion filters.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

  • Information about network sessions.
  • Device information.
  • Telemetry when integrated with the Endpoint Agent component.
  • Network traffic events.
  • User account information.
  • Information about executable files.
  • Dumps of traffic relevant to registered events.
  • Dumps of traffic relevant to network sessions.

 

The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes full.

Data on user accounts:

  • User account ID.
  • User account name.
  • Domain name of the user.
  • User account role.
  • User account status.
  • Date and time of the last password change for the user account.

Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

Data of the Central Node component:

  • Central Node server ID.
  • IP address of the Central Node server.
  • Central Node server name.
  • Central Node activity indicator.

Data about tenants:

  • Tenant ID.
  • Tenant name.
  • Names of servers with the Central Node component assigned to this tenant.
  • Tenant creation date.

Information about computers connected to the Central Node component on which the Endpoint Agent component is installed:

  • ID of the Endpoint Agent computer assigned by Kaspersky Security Center.
  • Name of the Endpoint Agent computer.
  • IP address of the Endpoint Agent computer.
  • Operating system of the Endpoint Agent computer.
  • Version of the application that acts as the Endpoint Agent component.
  • Status of the Endpoint Agent self-defense mechanism.
  • Date and time when the first and last telemetry packet were sent to the Central Node component.
  • Date and time of the last IOC scan run.
  • Result of the last IOC scan run.
  • License key status of the application that acts as the Endpoint Agent component.

Data about presets and prevention rules:

  • ID of the tenant on which the prevention rule was created.
  • Status of the prevention rule (enabled or disabled).
  • MD5 or SHA256 hash of the file that is prevented from running.
  • The account name of the user who created the prevention rule.
  • The account name of the user who changed the prevention rule.
  • List of computers on which the file is prevented from running.
  • Prevention rules change log.
  • Prevention rule creation date and time.
  • Name of the prevention rule.
  • Attribute indicating whether the user must be notified about file start being blocked.

Information about tasks assigned to computers with the Endpoint Agent component:

  • Type of the task assigned to the Endpoint Agent computer.
  • Name of the computer to which the task is assigned.
  • IP address of the computer with the Endpoint Agent component.
  • Creation date and time of the task assigned to the Endpoint Agent computer.
  • ID of the tenant for which the task was created.
  • Task expiration date.
  • Name of the user account that created the task.
  • Task settings data.
  • Task report data.
  • Task comments.

Information about user-defined TAA (IOA) rules:

  • User-defined TAA (IOA) rule name.
  • Source code of the request being scanned.
  • User-defined TAA (IOA) rule ID.
  • User-defined TAA (IOA) rule status.
  • Creation date and time of the user-defined TAA (IOA) rule.
  • Importance specified when adding the user-defined TAA (IOA) rule.
  • Level of confidence that depends on the likelihood of false alarms as defined by the user when the user-defined TAA (IOA) rule was added.
  • ID of the tenant for which the rule was created.

Information about user-defined IDS rules:

  • User name of the user account that uploaded the file with user-defined IDS rules.
  • Date and time when the file with user-defined IDS rules was uploaded.
  • Status of the user-defined IDS rule.
  • Importance specified in the user-defined IDS rule file.

Information about user-defined IOC rules:

  • User name of the user account that uploaded the file with user-defined IOC rules.
  • Name of the IOC file.
  • Contents of the IOC file.
  • Date and time when the IOC file was uploaded.
  • Status of the IOC rule.
  • Rule importance as specified in the IOC file.
  • Description of the IOC rule.
  • ID of the tenant for which the IOC file was uploaded.

Information about user-defined YARA rules:

  • User name of the user account that uploaded the file with user-defined YARA rules.
  • Contents of the YARA file.
  • Date and time when the YARA file was uploaded.
  • Name of the file containing YARA rules.
  • Importance.
  • Status of the YARA rule.

Data on network isolation rules:

  • Account name of the user that enabled network isolation.
  • ID of the isolated computer.
  • Name of the network isolation rule.
  • Status of the network isolation rule.
  • List of resources excluded from network isolation.
  • Date and time when the network isolation rule was modified.
  • State of the network isolation rule.
  • Expiration date of the network isolation rule.

Data about scan exclusions:

  • User name of the user that added the scan exclusion rule.
  • List of objects excluded from the scan.
  • Exclusion rule ID.
  • Name of the exclusion rule.
  • Creation date and time of the exclusion rule.
  • ID of the tenant for which the exclusion rule was created.
  • Names of components to which the exclusion rules apply.

Information about reports and report templates:

  • ID of the user account that created or modified the report template.
  • Template creation date.
  • Date of last modification of the template.
  • Text of the template as HTML code.
  • Name of the template.
  • Tenant ID.

Information about Endpoint Agent component certificates:

  • User name of the user account that uploaded the Endpoint Agent component certificate file.
  • Digest of the certificate.
  • Serial number of the certificate.
  • Public key.
  • Expiration date of the certificate.

Information about Sandbox component scan rules:

  • State of the Sandbox component scan rule.
  • Type of the rule.
  • Masks of included objects.
  • Masks of excluded objects.
  • Size of scanned files.
  • Rule creation date and time.
  • ID of the virtual machine where the rule is assigned.

Virtual machine configuration information:

  • IP address of the server hosting the Sandbox component.
  • List of virtual machines.

Data on user accounts:

  • User account ID.
  • User account name.
  • Name of the computer on which the user is authorized.

The data is stored on the Central Node server in the /data/storage/volumes/nta_database directory. Data is rotated as disk space becomes full.

Network session information:

  • Names of the participants in the network communication.
  • IP and MAC addresses of the participants of the network communication.

Information about devices registered in the application:

  • Device names.
  • IP and MAC addresses of devices.

Data saved when integrated with the Endpoint Agent component as part of the NDR functionality:

  • IP and MAC addresses of the computer with the Endpoint Agent component.
  • Name of the computer with the Endpoint Agent component.
  • Name of the user account registered on the computer with the Endpoint Agent component.
  • The operating system that the computer is running.
  • User Agent.

Information about network traffic events: IP and MAC addresses of devices.

Information about executable files on Endpoint Agent computers connected as part of the NDR functionality:

  • File name.
  • Path to the file.
  • File version.
  • MD5 and SHA256 hash of the file.

Traffic dump data related to logged network sessions and events:

  • Names of the participants in the network communication.
  • IP and MAC addresses of the participants of the network communication.
  • Device names.
  • IP and MAC addresses of devices.
  • User account name.
  • User account ID.
  • The operating system that the computer is running.
  • User Agent.
  • Name of the executable file.
  • Path to the executable file.
  • Version of the executable file.
  • MD5 and SHA256 hash of the executable file.


Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

  • Contents of stored data
  • Storage location
  • Storage duration
  • User access to data


In this section

Traffic data of the Sensor component

Data in detections

Data in events

Data in reports

Data on objects in Storage and Quarantine


Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server with the Sensor component or on the server with Sensor and Central Node components if Sensor and Central Node are installed on the same server or deployed as a cluster.

Traffic data is recorded and stored in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

  • The maximum file size is reached (you can configure this setting)
  • The configured time interval has elapsed (you can configure this setting)
  • The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform application is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

  • Information related to alerts generated as a result of scanning by the Targeted Attack Analyzer technology
  • PCAP files in which:
    • Source or destination IP address matches an IP address from the detection
    • Traffic data belongs to the time period within 15 minutes from the detection time

Filtered traffic data is moved to a separate section. The rest of the traffic data (which does not satisfy the filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

  • The maximum file size is reached
  • The configured time interval has elapsed

Filtered traffic data is stored for the last 24 hours. Older data is deleted.
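The filtering and retention rules described above, modelled as an added example in Python; this is not code from the Kaspersky product. The Detection and PcapFile record shapes, the sample IP addresses and the timestamps are constructed assumptions, because the page states the criteria but not the on-disk metadata format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


# Constructed record shapes (assumption): the help page describes the
# filtering criteria, not how the Sensor stores PCAP metadata.
@dataclass(frozen=True)
class Detection:
    ip: str                 # IP address recorded in the detection
    detected_at: datetime   # detection time


@dataclass(frozen=True)
class PcapFile:
    name: str
    src_ip: str
    dst_ip: str
    captured_at: datetime   # time the traffic in this file was recorded


DETECTION_WINDOW = timedelta(minutes=15)   # "within 15 minutes from the detection time"
FILTERED_RETENTION = timedelta(hours=24)   # "stored for the last 24 hours"


def is_related(pcap: PcapFile, det: Detection) -> bool:
    """A PCAP file is kept for a detection only when BOTH page criteria hold:
    its source or destination IP matches the detection IP, and its capture
    time lies within 15 minutes (either side) of the detection time."""
    ip_match = det.ip in (pcap.src_ip, pcap.dst_ip)
    in_window = abs(pcap.captured_at - det.detected_at) <= DETECTION_WINDOW
    return ip_match and in_window


def filter_traffic(pcaps: List[PcapFile], detections: List[Detection]) -> List[PcapFile]:
    """Return the PCAP files moved to the filtered section; all others are deleted."""
    return [p for p in pcaps if any(is_related(p, d) for d in detections)]


def expire_filtered(kept: List[PcapFile], now: datetime) -> List[PcapFile]:
    """Filtered traffic older than 24 hours is dropped on the next retention pass."""
    return [p for p in kept if now - p.captured_at <= FILTERED_RETENTION]


# Constructed sample data (assumption): one detection and four capture files.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_DETECTION = Detection(ip="10.0.0.5", detected_at=T0)
SAMPLE_PCAPS = [
    PcapFile("a.pcap", "10.0.0.5", "192.0.2.10", T0 - timedelta(minutes=5)),   # IP + window: keep
    PcapFile("b.pcap", "192.0.2.11", "10.0.0.5", T0 + timedelta(minutes=14)),  # IP as dst: keep
    PcapFile("c.pcap", "10.0.0.5", "192.0.2.10", T0 + timedelta(minutes=16)),  # outside window
    PcapFile("d.pcap", "10.0.0.9", "192.0.2.10", T0),                          # IP does not match
]


def demo() -> List[str]:
    """Names of the files the filter keeps for the sample detection."""
    return [p.name for p in filter_traffic(SAMPLE_PCAPS, [SAMPLE_DETECTION])]


def retention_demo() -> List[str]:
    """Names still present 24 h 10 min after the detection: a.pcap (captured
    at T0-5 min) is now older than 24 h and is dropped; b.pcap survives."""
    kept = filter_traffic(SAMPLE_PCAPS, [SAMPLE_DETECTION])
    now = T0 + timedelta(hours=24, minutes=10)
    return [p.name for p in expire_filtered(kept, now)]


if __name__ == "__main__":
    print("kept after filtering:", demo())
    print("kept after 24h retention:", retention_demo())
```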


Data in detections

Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system tools, at their own discretion, to control whether users of servers and operating systems with the application installed can access the personal data of other users.

Information about the data that may be stored when creating detections is listed in the table below.

Data in Kaspersky Anti Targeted Attack Platform detections

Each entry below gives the data type, followed by the location and duration of its storage.

The following data is stored on the server for all detections:

  • Detection creation date and time.
  • Date and time of alert modification.
  • Category of the detected object.
  • Name of the detected file.
  • Type of the detected file.
  • Source of the detected object.
  • Detected URL.
  • MD5 and SHA256 hash of the detected file.
  • User comments added to the details of the alert associated with the detection.
  • ID of the TAA (IOA) rule by which the detection was created.
  • IP address and name of the computer on which the detection was generated.
  • ID of the computer on which the detection was generated.
  • User agent.
  • The user account to which the alert associated with the detection was assigned.
  • List of files.
  • Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience.
  • The technology that made the detection.
  • Status of the alert associated with the detection.
  • Name of the user to which the alert associated with the detection was assigned.
  • Event ID (when using the NDR functionality).
  • Device IDs (when using the NDR functionality).

If the Central Node component is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in Ceph storage.

Data is rotated when the number of detection records generated by an individual scanning technology reaches 1,000,000.

When the alert associated with the detection is modified, the following information is stored on the server:

  • The user account that modified the alert.
  • The user account to which the alert was assigned.
  • Date and time of alert modification.
  • Alert status.
  • User comment.

If the detection was created as a result of scanning a file, the following information may be stored on the server:

  • Full name of the detected file.
  • MD5 and SHA256 hash of the detected file.
  • Size of the detected file.
  • Information about the signature of the file.

If the detection was created as a result of scanning FTP traffic, the following information may be stored on the server:

  • URI of the FTP request.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

  • URI of the HTTP request.
  • URI of the request source.
  • User agent.
  • Information about the proxy server.

If the detection was created as a result of scanning by the Intrusion Detection technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • Transmitted data.
  • Data transfer time.
  • URL extracted from the file containing the traffic, User Agent, and method.
  • File containing the traffic where the detection occurred.
  • Object category based on the IDS database.
  • Name of the custom IDS rule that was used to generate the detection.
  • HTTP request body.
  • List of detected objects.

If the detection was created as a result of scanning by the URL Reputation technology, the following information may be stored on the server:

  • Name of the computer from which the data was sent.
  • Name of the computer that received the data.
  • The IP address of the computer from which the data was sent.
  • The IP address of the computer that received the data.
  • The URI of the transferred resource.
  • Information about the proxy server.
  • Unique ID of the email message.
  • Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • List of detected objects.
  • Time of network connection.
  • URL of network connection.
  • User agent.

If the detection was created as a result of scanning HTTP traffic, the following information may be stored on the server:

  • Version of the application databases used to generate the detection.
  • Category of the detected object.
  • Names of detected objects.
  • MD5 hashes of detected objects.
  • Information about detected objects.

If the detection was created as a result of scanning by the Anti-Malware technology, the following information may be stored on the server:

  • Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
  • Category of the detected object.
  • List of detected objects.
  • MD5 hash of detected objects.
  • Additional information about the detection.

If the detection was created as a result of a DNS activity detection, the following information may be stored on the server:

  • DNS query data.
  • Contents of the DNS server response to the query.
  • List of queried hosts.

If the detection was created as a result of scanning in accordance with user-defined IOC or TAA (IOA) rules, the following information may be stored on the server:

  • Date and time of scan completion.
  • IDs of the computers on which the detection was generated.
  • Name of TAA (IOA) rule.
  • Name of the IOC file.
  • Information about detected objects.
  • List of hosts with the Endpoint Agent component.

If the detection was created using YARA rules, the following information can be stored on the server:

  • Version of YARA rules that was used to generate the detection.
  • Category of the detected object.
  • Name of the detected object.
  • MD5 hash of the detected object.
  • Date and time when the object was detected.
  • Additional information about the alert.

If the detection was created as a result of scanning a file, the following information may be stored on the server:

  • Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
  • Subject of the email message.
  • Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
  • All service headers of the message (as they appear in the message).

If the Central Node component is installed on a server, detection information is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, detection information is stored in Ceph storage.

The data is stored indefinitely.

If the detection was created as a result of a rescan, the following information may be stored on the server:

  • File name.


Data in events

Events may contain user data. If Central Node is installed on a server, information about events that have occurred is stored in the /data directory. If Central Node is installed as a cluster, the information is stored in Ceph storage.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system tools, at their own discretion, to control whether users of servers and operating systems with the application installed can access the personal data of other users.

Event data can contain information related to the following:

  • Name of the computer where the event occurred.
  • Unique ID of the computer with the Endpoint Agent component.
  • Name of the user account under which the event occurred.
  • Name of the group that the user belongs to.
  • Event type.
  • Event time.
  • Information about the file for which the event was logged: name, path, full name.
  • MD5 and SHA256 hash of the file.
  • File creation time.
  • File modification time.
  • File access rights.
  • Environment variables of the process.
  • Command-line parameters.
  • Text of the command entered into the command line.
  • Local IP address of the adapter.
  • Local port.
  • Remote host name.
  • Remote host IP address.
  • Port on the remote host.
  • URLs and IP addresses of visited websites, and links from these websites.
  • Network connection protocol.
  • HTTP request method.
  • HTTP request header.
  • Information about Windows registry variables: path to the variable, variable name, variable value.
  • Contents of a script or binary file sent for AMSI scanning.
  • Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.


Data in reports

If the Central Node component is installed on a server, report data is stored in the /data directory indefinitely. If Central Node is installed as a cluster, the information is stored in Ceph storage indefinitely.

Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system tools, at their own discretion, to control whether users of servers and operating systems with the application installed can access the personal data of other users.

Reports may contain the following information:

  • Report creation date.
  • Time period covered in the report.
  • ID of the user account that generated the report.
  • Report status.
  • Central Node components for which the report was generated.
  • Text of the report as HTML code.
  • Report description.
  • Name of the template that the report was generated from.
  • Tenant ID.


Data on objects in Storage and Quarantine

If the Central Node component is installed on a server, data about objects in Storage and Quarantine is stored in the /data directory indefinitely. If Central Node is installed as a cluster, the information is stored in Ceph storage indefinitely.

Kaspersky Anti Targeted Attack Platform provides no built-in capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system tools, at their own discretion, to control whether users of servers and operating systems with the application installed can access the personal data of other users.

Data on objects in Storage and quarantine may contain the following information:

  • Name of the object.
  • Path to the object on the computer with the Endpoint Agent component.
  • MD5 and SHA256 hash of the file.
  • File size.
  • ID of the user that quarantined the object.
  • ID of the user that placed the object in Storage.
  • IP address of the computer on which the quarantined object is stored.
  • Name of the computer on which the quarantined object is stored.
  • Unique ID of the computer on which the quarantined object is stored in Storage.
  • ID of the TAA (IOA) rule by which the detection was generated.
  • Category of the detected object.
  • Results for the object scanned using individual modules and technologies of the application.
  • File download time.
  • Metadata of scanned files and their sources.
  • Resulting status of the object in Storage.

See also

Traffic data of the Sensor component

Data in detections

Data in events

Data in reports


Sandbox component data

For the duration of processing, the body of the file sent by the Central Node component is saved in unencrypted form on the server hosting the Sandbox component. During processing, the server administrator can access the sent file in Technical Support Mode. Scanned files are deleted by a special script on a schedule, by default once every 60 minutes.

Information about the data stored on the server with the Sandbox component is provided below. For each scope of data, the storage location, storage duration, and access to data are listed.

Data stored on the server with the Sandbox component

Scanned files

  • Storage location: /var/opt/kaspersky/sandbox/library/
  • Storage duration: until the Central Node component receives the scan results or until automatic deletion, but no more than 24 hours.
  • Access to data: user access is defined by the administrator using operating system tools.

File scan results

  • Storage location: /var/opt/kaspersky/sandbox/library/ and /tmp/
  • Storage duration: until the Central Node component receives the scan results or until automatic deletion, but no more than 24 hours.
  • Access to data: user access is defined by the administrator using operating system tools.

Task settings

  • Storage location: /var/opt/kaspersky/sandbox/library/ and the Sandbox component database
  • Storage duration: until the Central Node component receives the scan results or until automatic deletion, but no more than 24 hours in the directory /var/opt/kaspersky/sandbox/library/; up to 90 days in the Sandbox component database.
  • Access to data: user access to the directory /var/opt/kaspersky/sandbox/library/ is defined by the administrator using operating system tools. A password is required for user authentication in the database. Access to database files is granted only to the users who started the database processes and to users with root privileges. Database access is provided only over an encrypted IPsec channel.

Trace files

  • Storage location: /var/log/kaspersky/sandbox/
  • Storage duration: up to 21 days.
  • Access to data: user access is defined by the administrator using operating system tools. Only authorized users can perform actions with trace files. Information about actions with trace files is saved in the application event log.

Settings of the update source

  • Storage location: /var/opt/kaspersky/apt-updater
  • Storage duration: until modified or deleted.
  • Access to data: user access is defined by the administrator using operating system tools.

Minimum password length settings

  • Storage location: /var/opt/kaspersky/apt-config-ram-common/validator.conf
  • Storage duration: until modified or deleted.
  • Access to data: user access is defined by the administrator using operating system tools.

Virtual machines

  • Storage location: /vm
  • Storage duration: until modified or deleted.
  • Access to data: user access is defined by the administrator using operating system tools.

Downloaded images of operating systems and applications in ISO format

  • Storage location: /var/opt/kaspersky/sandbox/custom_images/iso
  • Storage duration: until modified or deleted.
  • Access to data: user access is defined by the administrator using operating system tools.
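For every location above, and for the Central Node /data directory in the previous topic, the documentation leaves access control to the administrator and operating system tools, and it states that files in /var/opt/kaspersky/sandbox/library/ are gone within 24 hours and trace files within 21 days. The following audit script is an added example: it is not part of this documentation and not the application's own cleanup script. It walks the documented locations, reports regular files older than their documented retention and files readable by every local user, and builds a constructed fixture in a temporary directory so it can be tried offline. The paths and durations are taken from this page; the checks, the fixture data and the function names are the example's own.

```python
"""Retention and permission audit for the Sandbox server's data locations.

Added example, not part of the Kaspersky documentation and not the application's
own cleanup script. Paths and retention periods are the ones listed on this page;
the audit logic, function names and fixture data are the example's own.
"""
import os
import shutil
import stat
import tempfile
import time
from dataclasses import dataclass

# Documented locations and the longest a file may legitimately stay there, in
# hours. None means "until modified or deleted", so only permissions are checked.
# /tmp/ (file scan results) is deliberately left out: it is shared with every
# other process on the host, so age-based findings there would mostly be noise.
RETENTION_HOURS = {
    "/var/opt/kaspersky/sandbox/library/": 24,       # scanned files, results, task settings
    "/var/log/kaspersky/sandbox/": 21 * 24,          # trace files
    "/var/opt/kaspersky/apt-updater": None,          # update source settings
    "/var/opt/kaspersky/apt-config-ram-common/validator.conf": None,
    "/vm": None,                                     # virtual machines
    "/var/opt/kaspersky/sandbox/custom_images/iso": None,
}


@dataclass
class Finding:
    path: str
    kind: str      # "expired" or "world-readable"
    detail: str


def audit_location(root, max_age_hours, now=None):
    """Return findings for one location: regular files older than max_age_hours
    (when a limit applies) and regular files readable by 'other'."""
    now = time.time() if now is None else now
    findings = []
    if not os.path.lexists(root):
        return findings
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for p in paths:
        st = os.lstat(p)
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & stat.S_IROTH:
            findings.append(Finding(p, "world-readable", oct(stat.S_IMODE(st.st_mode))))
        if max_age_hours is not None:
            age_h = (now - st.st_mtime) / 3600
            if age_h > max_age_hours:
                findings.append(Finding(p, "expired", f"{age_h:.1f}h > {max_age_hours}h"))
    return findings


def audit(prefix="", retention=RETENTION_HOURS, now=None):
    """Audit every documented location. prefix lets the same check run against a
    mounted image or copy of the Sandbox server's filesystem."""
    return {loc: audit_location(prefix + loc, hours, now) for loc, hours in retention.items()}


def make_fixture(base):
    """Constructed test tree mimicking the Sandbox layout: one file past the 24 h
    limit in library/ and one trace file readable by everyone."""
    lib = os.path.join(base, "var/opt/kaspersky/sandbox/library")
    logs = os.path.join(base, "var/log/kaspersky/sandbox")
    os.makedirs(lib)
    os.makedirs(logs)
    fresh = os.path.join(lib, "sample_fresh.bin")
    stale = os.path.join(lib, "sample_stale.bin")
    leaky = os.path.join(logs, "trace.log")
    for p in (fresh, stale, leaky):
        with open(p, "wb") as f:
            f.write(b"constructed sample content")
        os.chmod(p, 0o600)
    os.chmod(leaky, 0o644)                          # readable by 'other'
    thirty_hours_ago = time.time() - 30 * 3600
    os.utime(stale, (thirty_hours_ago, thirty_hours_ago))
    return base


def run_demo():
    """Build the fixture in a temporary directory, audit it and return
    {location: {kind: [file names]}}; the directory is removed afterwards."""
    base = tempfile.mkdtemp()
    try:
        make_fixture(base)
        summary = {}
        for loc, findings in audit(prefix=base).items():
            for f in findings:
                summary.setdefault(loc, {}).setdefault(f.kind, []).append(os.path.basename(f.path))
        return summary
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for loc, kinds in run_demo().items():
        print(loc, kinds)
```

On a real host, call audit() directly (or audit(prefix="/mnt/image") against a mounted copy). An "expired" finding under /var/opt/kaspersky/sandbox/library/ means the scheduled deletion script has not run within its window; a "world-readable" finding means the operating system permissions that the table above relies on have not been tightened.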

See also

Data provision

Service data of the application

Data of the Central Node and Sensor components

Data transmitted between application components

Data contained in application trace files

Data of Kaspersky Endpoint Agent for Windows

Data of Kaspersky Endpoint Security for Windows

Data of Kaspersky Endpoint Security for Linux

Data of Kaspersky Endpoint Security for Mac


Data transmitted between application components

Central Node and the Endpoint Agent component

Applications used in the role of the Endpoint Agent component send the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with these applications, and information about terminal sessions.

If there is no connection with the Central Node component, all pending information is accumulated until it is sent to the Central Node component or until the application that is being used in the role of the Endpoint Agent is removed from the computer, but no longer than 21 days.

General information for all events

If an event occurred on the user's computer, the applications send the following data to the events database:

  • Event type.
  • Event time.
  • Event ID.
  • Version of the event schema.
  • Time when the event was processed by the Central Node server.
  • User account for which the event was generated.
  • Name of the host where the event occurred.
  • IP address of the host.
  • Type of the operating system installed on the host.
  • OS family.
  • OS name.
  • OS version.
  • The IP address of the network adapter that the application used in the role of the Endpoint Agent uses to connect to the Central Node or Sensor server.
  • The version of the application that is being used in the role of the Endpoint Agent component.
  • Date of the last update of the KBD databases.
  • Date of the last update of the SW databases.
  • Index date.
  • When marking up events in accordance with TAA (IOA) rules, the following information is transmitted:
    • ID of the triggered indicator of attack.
    • Decision of the triggered indicator of attack.
    • Source of the triggered indicator of attack.
    • Version of the triggered attack indicator.
    • MITRE technique code.
    • MITRE tactic code.
    • Alert importance depending on the security impact this alert may have on the computer or corporate LAN, based on Kaspersky experience.
    • Confidence of the detection depending on the likelihood of false alarms caused by the rule.

Central Node and Kaspersky Endpoint Agent for Windows

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File creation event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • Date of file creation and modification.
    • File size.
  2. Registry monitoring event.
    • Details of the process that modified the registry: process ID, process file name, and MD5 and SHA256 hashes of the process file.
    • Path to the registry key.
    • Registry value name.
    • Registry value data.
    • Registry value type.
    • Previous path to the registry key.
    • Previous registry value data.
    • Previous registry value type.
  3. Driver loading event.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • File size.
    • Date of file creation and modification.
  4. Listening port opening event.
    • Details of the process that opened the listening port: process file name, and MD5 and SHA256 hashes of the process file.
    • Port number.
    • Adapter IP address.
  5. Event in the operating system log.
    • Time of the event, host on which the event occurred, and user account name.
    • Event ID.
    • Channel/log name.
    • Event ID in the log.
    • Provider name.
    • Authentication event subtype.
    • Domain name.
    • Remote IP address.
    • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
    • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
  6. Process start event.
    • Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
    • UniquePID.
    • Process start options.
    • Process start time.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  7. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  8. Module loading event.
    • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and file size.
    • DLL name.
    • Path to DLL.
    • DLL full name.
    • MD5 or SHA256 hash of the DLL.
    • DLL size.
    • Date of DLL creation and modification.
    • Name of the organization that issued the digital certificate of the DLL.
    • DLL digital signature verification result.
  9. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Command line parameters.
  10. File startup blocking event.
    • Details of the file that was being opened: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and the type of checksum that triggered the blocking (0 for MD5, non-zero for SHA256; not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, PID, and UniquePID.
  11. Detection event and the result of its processing (when Kaspersky Endpoint Agent for Windows is integrated with Kaspersky Endpoint Security for Windows).
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process start command line.
    • Reason for the error when processing the object.
    • Contents of the script scanned using AMSI.
  12. AMSI scan event.
    • Contents of the script scanned using AMSI.

Central Node and Kaspersky Endpoint Security for Windows

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File modification event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • Information about the created or modified file: name, path, full name, type, MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, zone ID, application name of the file, vendor, name of the organization that issued the digital certificate, description, digital signature verification result, time of the digital signature, original name, name before modification, path before modification, full name before modification.
    • Information about the file to which a link was created: MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, type, zone ID, application name of the file, original name, name of the organization that issued the digital certificate, description, subject of the signature, digital signature verification result, time of the digital signature, full name of the link file.
  2. Registry monitoring event.
    • Details of the process that modified the registry: process ID, process file name, and MD5 and SHA256 hashes of the process file.
    • Path to the registry key.
    • Registry value name.
    • Registry value data.
    • Registry value type.
    • Previous path to the registry key.
    • Previous registry value data.
    • Previous registry value type.
    • Type of the operation with the registry.
    • Path to the file where the registry key was saved.
  3. Driver loading event.
    • File name.
    • Original file name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • File size.
    • Date of file creation and modification.
    • File attribute modification date.
    • File type.
    • File attributes.
    • File zone ID.
    • File vendor.
    • File description.
    • Name of the organization that issued the digital certificate.
    • Signature subject.
    • Digital signature verification result.
    • Time of digital signature.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
  4. Listening port opening event.
    • Details of the process that opened the listening port: process file name, and MD5 and SHA256 hashes of the process file.
    • Port number.
    • Adapter IP address.
    • Operation status.
  5. Remote connection event.
    • Information about the local computer: IP address, port number.
    • Information about the remote computer: IP address, port number, FQDN.
    • Information about TLS encryption of the connection: protocol version, SNI, encrypted SNI, MD5 hash of the certificate file, SHA1 hash of the certificate file, certificate issuer name, certificate serial number, certificate verification result, certificate expiration date, JA3, JA3S, MD5 hash of JA3, MD5 hash of JA3S, socket type.
    • LANA number.
    • HTTP method.
    • URL that was followed.
    • Process status.
    • Connection direction.
  6. DNS lookup event.
    • IPv4 address of the DNS server.
    • Binary mask of the DNS query being performed.
    • DNS response error code.
    • DNS query type ID.
    • Name of the domain for which the DNS record is to be resolved.
    • Date of the DNS response.
  7. LDAP event.
    • Search scope.
    • Search query filter.
    • Attributes specified in the query as attributes to be returned.
    • Path to the LDAP container to be searched.
  8. Process start event.

    Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory.

  9. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • Unique ID of the process.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 and SHA256 hashes, command line options.
  10. Process access event.
    • Operation type.
    • Process access permissions.
    • Call stack.
    • Information about the file of the recipient process and the file of the process from which the handle was duplicated: name, path, full path, MD5 and SHA256 hashes, creation date and time, modification date and time, attribute modification date and time, size, unique ID, system ID, command line options, URL from which the file was retrieved, metadata of the message from which the file was retrieved.
  11. Module loading event.
    • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and file size.
    • DLL name.
    • Path to DLL.
    • DLL full name.
    • MD5 or SHA256 hash of the DLL.
    • DLL size.
    • DLL attributes.
    • DLL zone ID.
    • DLL application name.
    • Original DLL name.
    • Date of DLL creation and modification.
    • Name of the organization that issued the digital certificate of the DLL.
    • DLL digital signature verification result.
    • DLL digital signature date.
    • Path to replaced DLL.
    • DLL file type.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
    • .NET assembly name.
    • .NET assembly flags.
    • .NET module flags.
  12. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Command line parameters.
  13. File startup blocking event.
    • Information about the file that was being opened: file name, file path, full file name, MD5 hash, SHA256 hash, type of checksum that triggered the blocking (0 for MD5, non-zero for SHA256; not used for search), URL of the website from which the executable file was downloaded, and metadata of the message to which the downloaded file was attached.
    • Details of the executable file: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, PID, and UniquePID.
  14. Event of named pipe being opened and connected to.
    • File name of the process that created or connected to the named pipe.
    • Pipe operation type.
  15. Threat detection event and detection processing result.
    • Name of the detected object.
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Type of detected object.
    • Scan result.
    • ID of the record in application databases.
    • Version of the application databases used to generate the detection.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • Protocol.
    • IPv4 or IPv6 address of the local computer.
    • Local port number.
    • IPv4 or IPv6 address of the remote computer.
    • Remote port number.
    • URL from which the file was retrieved.
    • Email address of the sender if the file was obtained from an email message.
    • Full name, MD5 hash, SHA256 hash of the file loader.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process start command line.
    • Reason for the error when processing the object.
    • Contents and type of the script scanned using AMSI.
  16. WMI service start event.
    • Operation type.
    • Remote startup flag of the WMI service.
    • Name of the computer on which the WMI service was started.
    • Name of the user that started the WMI service.
    • WMI namespace.
    • Event consumer filter name.
    • Name of the created event consumer.
    • Event consumer source code.
  17. AMSI scan event.
    • Contents of the script scanned using AMSI.
    • Content type of the script sent for scanning.
    • Name of the script sent for scanning.
    • MD5 hash of the script file.
    • SHA256 hash of the script file.
  18. Code injection event.
    • Information about the recipient process: application name, full application name, path to the application, MD5 hash of the file, SHA256 hash of the file, URL from which the file was downloaded, metadata of the message to which the downloaded file was attached, unique ID of the application, system ID of the application, command line, name of the process DLL, path to the process DLL, address of the process in the address space.
    • Injection method.
    • Modified command line of the process.
    • System call parameters.
    • API call stack at the time of interception of the injection-related function.
  19. Interpreted file run event.

    Information about the interpreted file: name, path, full name, MD5, SHA256, file creation date and time, file modification date and time, size, type, attributes, attribute modification date and time, original name, description, zone ID, name of organization that issued the digital certificate, result of digital signature verification, date and time of the digital signature, subject of the digital signature, URL from which the file was obtained, metadata of the message to which the downloaded file was attached.

  20. Event in the operating system log.
    • Time of the event, host on which the event occurred, and user account name.
    • Event ID.
    • Channel/log name.
    • Event ID in the log.
    • Provider name.
    • Authentication event subtype.
    • Domain name.
    • Remote IP address.
    • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
    • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName, System, SystemProvider, SystemProviderName, SystemProviderGuid, SystemProviderEventSourceName, SystemEventID, SystemEventIDQualifiers, SystemEventRecordID, SystemChannel, SystemTask, SystemOpcode, SystemVersion, SystemLevel, SystemKeywords, SystemTimeCreated, SystemTimeCreatedSystemTime, SystemCorrelation, SystemCorrelationActivityID, SystemExecution, SystemExecutionProcessID, SystemExecutionThreadID, SystemComputer, SystemSecurity, SystemSecurityUserID, UserData, UserDataEventProcessingFailure, 
UserDataEventProcessingFailureError, UserDataEventProcessingFailureErrorCode, UserDataEventProcessingFailureEventID, UserDataEventProcessingFailurePublisherID, UserDataLogFileCleared, UserDataLogFileClearedSubjectUserSid, UserDataLogFileClearedSubjectUserName, UserDataLogFileClearedSubjectDomainName, UserDataLogFileClearedSubjectLogonId, UserDataFileIsFull, UserDataOperationStartedOperationalProviderName, UserDataOperationStartedOperationalCode, UserDataOperationStartedOperationalHostProcess, UserDataOperationStartedOperationalProcessID, UserDataOperationStartedOperationalProviderPath, UserDataServiceShutdown, UserDataOperationClientFailure, UserDataOperationClientFailureId, UserDataOperationClientFailureClientMachine, UserDataOperationClientFailureUser, UserDataOperationClientFailureClientProcessId, UserDataOperationClientFailureComponent, UserDataOperationClientFailureOperation, UserDataOperationClientFailureResultCode, UserDataOperationClientFailurePossibleCause, EventData, EventDataData, EventDataDataTaskName, EventDataDataPrivilegeList, EventDataDataAttributeLDAPDisplayName, EventDataDataOperationType, EventDataDataObjectClass, EventDataDataAttributeValue, EventDataDataObjectDN, EventDataDataRelativeTargetName, EventDataDataWorkstationName, EventDataDataServiceName, EventDataDataAllowedToDelegateTo, EventDataDataUserAccountControl, EventDataDataProfileChanged, EventDataDataRuleId, EventDataDataRuleName, EventDataDataSubjectUserSid, EventDataDataSubjectUserName, EventDataDataSubjectDomainName, EventDataDataSubjectLogonId, EventDataDataPreviousTime, EventDataDataNewTime, EventDataDataProcessId, EventDataDataProcessName, EventDataDataObjectType, EventDataDataObjectName, EventDataDataAccessList, EventDataDataAccessMask, EventDataDataServiceFileName, EventDataDataServiceType, EventDataDataServiceStartType, EventDataDataServiceAccount, EventDataDataDomainName, EventDataDataDomainSid, EventDataDataTdoType, EventDataDataTdoDirection, EventDataDataTdoAttributes, 
EventDataDataSidFilteringEnabled, EventDataDataTargetSid, EventDataDataAccessGranted, EventDataDataTargetUserName, EventDataDataTargetDomainName, EventDataDataSamAccountName, EventDataDataSidHistory, EventDataDataDomainPolicyChanged, EventDataDataMinPasswordAge, EventDataDataMaxPasswordAge, EventDataDataForceLogoff, EventDataDataLockoutThreshold, EventDataDataLockoutObservationWindow, EventDataDataLockoutDuration, EventDataDataProperties, EventDataDataPasswordProperties, EventDataDataMinPasswordLength, EventDataDataPasswordHistoryLength, EventDataDataMachineAccountQuota, EventDataDataMixedDomainMode, EventDataDataDomainBehaviorVersion, EventDataDataOemInformation, EventDataDataGroupTypeChange, EventDataDataLogonGuid, EventDataDataTargetUserSid, EventDataDataTargetLogonId, EventDataDataTargetLogonGuid, EventDataDataSidList, EventDataDataWorkstation, EventDataDataStatus, EventDataDataCallerProcessId, EventDataDataCallerProcessName, EventDataDataForestRoot, EventDataDataForestRootSid, EventDataDataOperationId, EventDataDataEntryType, EventDataDataFlags, EventDataDataTopLevelName, EventDataDataDnsName, EventDataDataNetbiosName, EventDataDataAuditSourceName, EventDataDataEventSourceId, EventDataDataErrorCode, EventDataDataGPOList, EventDataDataDestinationDRA, EventDataDataSourceDRA, EventDataDataSourceAddr, EventDataDataNamingContext, EventDataDataOptions, EventDataDataStatusCode, EventDataDataSessionID, EventDataDataStartUSN, EventDataDataPackageName, EventDataDataAuthenticationPackageName, EventDataDataFailureReason, EventDataDataSubStatus, EventDataDataCategoryId, EventDataDataSubcategoryGuid, EventDataDataAuditPolicyChanges, EventDataDataUserPrincipalName, EventDataDataHomeDirectory, EventDataDataHomePath, EventDataDataScriptPath, EventDataDataProfilePath, EventDataDataUserWorkstations, EventDataDataPasswordLastSet, EventDataDataAccountExpires, EventDataDataPrimaryGroupId, EventDataDataOldUacValue, EventDataDataNewUacValue, EventDataDataUserParameters, 
EventDataDataLogonHours, EventDataDataMemberName, EventDataDataMemberSid, EventDataDataServiceSid, EventDataDataTicketOptions, EventDataDataTicketEncryptionType, EventDataDataPreAuthType, EventDataDataCertIssuerName, EventDataDataCertSerialNumber, EventDataDataCertThumbprint, EventDataDataSettingType, EventDataDataSettingValue, EventDataDataShareName, EventDataDataShareLocalPath, EventDataDataApplication, EventDataDataSourceAddress, EventDataDataSourcePort, EventDataDataProtocol, EventDataDataFilterRTID, EventDataDataLayerName, EventDataDataLayerRTID, EventDataDataLogonType, EventDataDataLogonProcessName, EventDataDataTransmittedServices, EventDataDataLmPackageName, EventDataDataKeyLength, EventDataDataIpAddress, EventDataDataIpPort, EventDataDataImpersonationLevel, EventDataDataRestrictedAdminMode, EventDataDataTargetOutboundUserName, EventDataDataTargetOutboundDomainName, EventDataDataVirtualAccount, EventDataDataTargetLinkedLogonId, EventDataDataElevatedToken, EventDataDataTaskContentNew, EventDataDataTaskContentNewTask, EventDataDataTaskContentNewTaskRegistrationInfo, EventDataDataTaskContentNewTaskRegistrationInfoDate, EventDataDataTaskContentNewTaskRegistrationInfoAuthor, EventDataDataTaskContentNewTaskTriggers, EventDataDataTaskContentNewTaskPrincipals, EventDataDataTaskContentNewTaskPrincipalsPrincipal, EventDataDataTaskContentNewTaskPrincipalsPrincipalid, EventDataDataTaskContentNewTaskPrincipalsPrincipalRunLevel, EventDataDataTaskContentNewTaskPrincipalsPrincipalUserId, EventDataDataTaskContentNewTaskPrincipalsPrincipalLogonType, EventDataDataTaskContentNewTaskSettings, EventDataDataTaskContentNewTaskSettingsMultipleInstancesPolicy, EventDataDataTaskContentNewTaskSettingsDisallowStartIfOnBatteries, EventDataDataTaskContentNewTaskSettingsStopIfGoingOnBatteries, EventDataDataTaskContentNewTaskSettingsAllowHardTerminate, EventDataDataTaskContentNewTaskSettingsStartWhenAvailable, EventDataDataTaskContentNewTaskSettingsRunOnlyIfNetworkAvailable, 
EventDataDataTaskContentNewTaskSettingsIdleSettings, EventDataDataTaskContentNewTaskSettingsIdleSettingsStopOnIdleEnd, EventDataDataTaskContentNewTaskSettingsIdleSettingsRestartOnIdle, EventDataDataTaskContentNewTaskSettingsAllowStartOnDemand, EventDataDataTaskContentNewTaskSettingsEnabled, EventDataDataTaskContentNewTaskSettingsHidden, EventDataDataTaskContentNewTaskSettingsRunOnlyIfIdle, EventDataDataTaskContentNewTaskSettingsWakeToRun, EventDataDataTaskContentNewTaskSettingsExecutionTimeLimit, EventDataDataTaskContentNewTaskSettingsPriority, EventDataDataTaskContentNewTaskActions, EventDataDataTaskContentNewTaskActionsContext, EventDataDataTaskContentNewTaskActionsExec, EventDataDataTaskContentNewTaskActionsExecCommand, EventDataDataOldSd, EventDataDataNewSd, EventDataDataNotificationPackageName, EventDataDataSecurityPackageName, EventDataDataStopTime, EventDataDataContextInfo, EventDataDataUserData, EventDataDataPayload, EventDataDataOpCorrelationID, EventDataDataAppCorrelationID, EventDataDataDSName, EventDataDataDSType, EventDataDataObjectGUID, EventDataDataFileName, EventDataDataLinkName, EventDataDataTransactionId, EventDataDataOldObjectDN, EventDataDataNewObjectDN, EventDataDatabcdCCID, EventDataDatabMaxSlotIndex, EventDataDatabVoltageSupport, EventDataDatadwProtocols, EventDataDatadwDefaultClock, EventDataDatadwMaximumClock, EventDataDatabNumClockSupported, EventDataDatadwDataRate, EventDataDatadwMaxDataRate, EventDataDatabNumDataRateSupported, EventDataDatadwMaxIFSD, EventDataDatadwSyncProtocols, EventDataDatadwMechanical, EventDataDatadwFeatures, EventDataDataObjectValueName, EventDataDataHandleId, EventDataDataOldValueType, EventDataDataOldValue, EventDataDataNewValueType, EventDataDataNewValue, EventDataDataSubjectUserDomainName, EventDataDataObjectCollectionName, EventDataDataObjectIdentifyingProperties, EventDataDataObjectProperties, EventDataDataparam, EventDataDataCVEID, EventDataDataAdditionalDetails, EventDataDataObjectServer, 
EventDataDataTaskContent, EventDataDataTaskContentTask, EventDataDataTaskContentTaskRegistrationInfo, EventDataDataTaskContentTaskRegistrationInfoDate, EventDataDataTaskContentTaskRegistrationInfoAuthor, EventDataDataTaskContentTaskTriggers, EventDataDataTaskContentTaskPrincipals, EventDataDataTaskContentTaskPrincipalsPrincipal, EventDataDataTaskContentTaskPrincipalsPrincipalid, EventDataDataTaskContentTaskPrincipalsPrincipalRunLevel, EventDataDataTaskContentTaskPrincipalsPrincipalUserId, EventDataDataTaskContentTaskPrincipalsPrincipalLogonType, EventDataDataTaskContentTaskSettings, EventDataDataTaskContentTaskSettingsMultipleInstancesPolicy, EventDataDataTaskContentTaskSettingsDisallowStartIfOnBatteries, EventDataDataTaskContentTaskSettingsStopIfGoingOnBatteries, EventDataDataTaskContentTaskSettingsAllowHardTerminate, EventDataDataTaskContentTaskSettingsStartWhenAvailable, EventDataDataTaskContentTaskSettingsRunOnlyIfNetworkAvailable, EventDataDataTaskContentTaskSettingsIdleSettings, EventDataDataTaskContentTaskSettingsIdleSettingsStopOnIdleEnd, EventDataDataTaskContentTaskSettingsIdleSettingsRestartOnIdle, EventDataDataTaskContentTaskSettingsAllowStartOnDemand, EventDataDataTaskContentTaskSettingsEnabled, EventDataDataTaskContentTaskSettingsHidden, EventDataDataTaskContentTaskSettingsRunOnlyIfIdle, EventDataDataTaskContentTaskSettingsWakeToRun, EventDataDataTaskContentTaskSettingsExecutionTimeLimit, EventDataDataTaskContentTaskSettingsPriority, EventDataDataTaskContentTaskActions, EventDataDataTaskContentTaskActionsContext, EventDataDataTaskContentTaskActionsExec, EventDataDataTaskContentTaskActionsExecCommand, EventDataDataOldTargetUserName, EventDataDataNewTargetUserName, EventDataDataDeviceId, EventDataDataDeviceDescription, EventDataDataClassId, EventDataDataClassName, EventDataDataVendorIds, EventDataDataCompatibleIds, EventDataDataLocationInformation, EventDataDataAccountName, EventDataDataAccountDomain, EventDataDataLogonID, EventDataDataSessionName, 
EventDataDataClientName, EventDataDataClientAddress, EventDataDataMajorVersion, EventDataDataMinorVersion, EventDataDataBuildVersion, EventDataDataQfeVersion, EventDataDataServiceVersion, EventDataDataBootMode, EventDataDataStartTime, EventDataDataOldRemark, EventDataDataNewRemark, EventDataDataOldMaxUsers, EventDataDataNewMaxUsers, EventDataDataOldShareFlags, EventDataDataNewShareFlags, EventDataDataOldSD, EventDataDataNewSD, EventDataDataTreeDelete, EventDataDataPuaCount, EventDataDataPuaPolicyId, EventDataDataResourceAttributes, EventDataDataModifiedObjectProperties, EventDataDataDisplayName, EventDataDataDnsHostName, EventDataDataServicePrincipalNames, EventDataDataAttributeSyntaxOID, EventDataDataDummy, EventDataDataComputerAccountChange, EventDataDataMessageNumber, EventDataDataMessageTotal, EventDataDataScriptBlockText, EventDataDataScriptBlockId, EventDataDataPath, EventDataDataImagePath, EventDataDataStartType, EventDataDataAppName, EventDataDataAppVersion, EventDataDataTerminationTime, EventDataDataExeFileName, EventDataDataReportId, EventDataDataPackageFullName, EventDataDataPackageRelativeAppId, EventDataDataHangType, EventDataDataAccessReason, EventDataDataTargetServerName, EventDataDataTargetInfo, EventDataDataTargetProcessId, EventDataDataTargetProcessName, EventDataDataKerberosPolicyChange, EventDataDataSubcategoryId, EventDataBinary.

Central Node and Kaspersky Endpoint Security for Linux

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File modification event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • Information about the created or modified file: name, path, full name, type, MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, zone ID, application name of the file, vendor, name of the organization that issued the digital certificate, description, digital signature verification result, time of the digital signature, original name, name before modification, path before modification, full name before modification.
    • Information about the file to which a link was created: MD5 hash, SHA256 hash, creation date, modification date, attributes, attribute modification date, size, type, zone ID, application name of the file, original name, name of the organization that issued the digital certificate, description, subject of the signature, digital signature verification result, time of the digital signature, full name of the link file.
    • File type.
    • Owner ID.
    • Owner group ID.
    • Owner user name.
    • Owner group name.
    • URL from which the file was retrieved.
    • Metadata of the message from which the file was retrieved.
    • Requested access flags.
    • Indicator of file deletion after a restart.
    • File access flags.
  2. Event in the operating system log.
    • Event time.
    • Event type.
    • Event name.
    • Result of the operation.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
  3. Process start event.

    Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory, owner ID, owner group ID, owner user name, owner group name, real user name, real group name, effective group name, effective user name, file access permission flags, URL from which the file was downloaded, metadata of the message from which the file was obtained, process environment variables, command line options, process type.

  4. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  5. Detection event and the result of its processing.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • PID of the process.
    • Process start command line.
    • Reason for the error when processing the object.
  6. DNS lookup event.
    • IPv4 address of the DNS server.
    • Binary mask of the DNS query being performed.
    • DNS response error code.
    • DNS query type ID.
    • Name of the domain for which the DNS record is to be resolved.
    • Date of the DNS response.
  7. Code injection event.
    • Information about the recipient process: application name, full application name, path to the application, MD5 hash of the file, SHA256 hash of the file, URL from which the file was downloaded, metadata of the message to which the downloaded file was attached, unique ID of the application, system ID of the application, command line, name of the process DLL, path to the process DLL, address of the process in the address space.
    • Injection method.
    • Modified command line of the process.
    • System call parameters.
    • API call stack at the time of interception of the injection-related function.

Central Node and Kaspersky Endpoint Security for Mac

If an event occurred on the user's computer, the application sends the following data to the events database:

  1. File creation event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • File name.
    • Path to the file.
    • Full name of the file.
    • File type.
    • MD5 and SHA256 hashes of the file.
    • Date of file creation and modification.
    • File size.
  2. Process start event.

    Information about files of the parent and grandparent processes, loader processes, creator processes, running processes: name, path, full name, MD5 hash, SHA256 hash, creation date and time, modification date and time, attributes, attribute modification date and time, size, zone ID, vendor, name of the organization that issued the digital certificate, description, original name, digital signature subject, digital signature verification result, date and time of the digital signature, file version, logon type, login session ID, user account type, user name, user account ID, IP address of the computer from which the logon was made, integrity level, process ID, current directory, owner ID, owner group ID, owner user name, owner group name, real user name, real group name, effective group name, effective user name, file access permission flags, URL from which the file was downloaded, metadata of the message from which the file was obtained, process environment variables, command line options, process type.

  3. Process stop event.
    • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
    • UniquePID.
    • Process start options.
    • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
  4. Threat detection event and detection processing result.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the detection was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • PID of the process.
    • Process start command line.
    • Reason for the error when processing the object.

Central Node and Sandbox

The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.

Central Node and Sensor

The application may transmit the following data between Central Node and Sensor components:

  • Files and email messages.
  • Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
  • License information.
  • List of data excluded from the scan.
  • Data of the Endpoint Sensors application, if integration with a proxy server has been configured.
  • Application databases, if receiving database updates from the Central Node component is configured.

Servers with PCN and SCN roles

If the application is running in distributed solution mode, the following data is transmitted between the PCN and the connected SCNs:

  • Alerts.
  • Events.
  • Tasks.
  • Policies.
  • Scans using user-defined IOC, TAA (IOA), IDS, and YARA rules.
  • Files in Storage.
  • User accounts.
  • The license.
  • The list of computers with the Endpoint Agent component.
  • Objects placed in Storage.
  • Objects quarantined on computers with the Endpoint Agent component.
  • Files attached to detections.
  • IOC and YARA files.


Data contained in application trace files

Kaspersky Anti Targeted Attack Platform itself provides no means of restricting the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system facilities, at their own discretion, to control whether users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Trace files can include any personal data of the user or confidential data of your organization. Files are stored in the /var/log/kaspersky directory indefinitely.


Data received from the Central Node component

Kaspersky Endpoint Agent saves the values of settings received from the Central Node component on the hard drive of the computer. Data is saved in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data.

By default, when Self-Defense is enabled, only users with System and Administrator permissions have read access to these files. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and change their access rights. Kaspersky Endpoint Agent does not manage access permissions to this folder or to any files in it; the system administrator determines the access permissions.

The data is deleted when Kaspersky Endpoint Agent is removed.

Data received from the Central Node component may contain the following information:

  • Data on network connections.
  • Data on the operating system that is installed on the server with the Central Node component.
  • Data on operating system user accounts.
  • Data on user sessions in the operating system.
  • Data on Windows event log.
  • Data on the RT_VERSION resource.
  • Data on the contents of a PE file.
  • Data on operating system services.
  • Certificate of the server with the Central Node component.
  • URLs and IP addresses of visited websites.
  • HTTP protocol headers.
  • Computer name.
  • MD5 hashes of files.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Names and values of Windows registry keys.
  • Paths to Windows registry keys.
  • Names of Windows registry variables.
  • Name of the local DNS cache entry.
  • Address from the local DNS cache entry in IPv4 format.
  • IP address or name of the requested host from the local DNS cache.
  • Host of the local DNS cache element.
  • Domain name of the local DNS cache element.
  • Address of the ARP cache element in IPv4 format.
  • Physical address of the ARP cache element.
  • Serial number of the logical drive.
  • Home folder of the local user.
  • Name of the user account that started the process.
  • Path to the script that is run when the user logs in to the system.
  • Name of the user account under which the event occurred.
  • Name of the computer where the event occurred.
  • Full paths to files on computers with Kaspersky Endpoint Agent.
  • Names of files on computers with Kaspersky Endpoint Agent.
  • Masks of files on computers with Kaspersky Endpoint Agent.
  • Full names of folders on computers with Kaspersky Endpoint Agent.
  • Comments of the file publisher.
  • Mask of the process file image.
  • Path to the process file image that opened the port.
  • Name of the process that opened the port.
  • Local IP address of the port.
  • Trusted public key of the digital signature of executable modules.
  • Process name.
  • Process segment name.
  • Command-line parameters.


Data in alerts and events

Event data is saved in binary, unencrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

Event data can contain information related to the following:

  • Data on executable modules.
  • Data on network connections.
  • Data on the operating system that is installed on the computer with Kaspersky Endpoint Agent.
  • Data on user sessions in the operating system.
  • Data on operating system user accounts.
  • Data on Windows event log.
  • Data on alerts of Kaspersky Endpoint Security for Windows.
  • Data on organizational units (OU) of Active Directory.
  • HTTP protocol headers.
  • Fully qualified domain name of the computer.
  • MD5 and SHA256 hashes of files and their fragments.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Unique IDs of certificates.
  • Certificate publisher.
  • Certificate subject.
  • Name of the algorithm used to generate the certificate fingerprint.
  • Address and port of the local network interface.
  • Address and port of the remote network interface.
  • Application vendor.
  • Application name.
  • Name of the Windows registry variable.
  • Path to the Windows registry key.
  • Windows registry variable data.
  • Name of the detected object.
  • Kaspersky Security Center Network Agent ID.
  • Contents of the hosts file.
  • Process start command line.


Data contained in task completion reports

Prior to being sent to the Central Node component, the reports and relevant files are temporarily saved on the hard drive of the computer with the Kaspersky Endpoint Agent application. The task completion reports are saved in archived non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue.

By default, when Self-Defense is enabled, only users with System and Administrator permissions have read access to these files. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and change their access rights. Kaspersky Endpoint Agent does not manage access permissions to this folder or to any files in it; the system administrator determines the access permissions.

Task completion reports contain the following information:

  • Data on task output.
  • Data on executable modules.
  • Data on operating system processes.
  • Data on user accounts.
  • Data on user sessions.
  • Fully qualified domain name of the computer.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Files of the computer with Kaspersky Endpoint Agent.
  • Names of .
  • Full paths to files on the computer with Kaspersky Endpoint Agent.
  • Full names of folders on the computer with Kaspersky Endpoint Agent.
  • Content of the process standard output.
  • Content of the process standard error stream.


Data contained in an install log

The administrator can enable the Kaspersky Endpoint Agent installation log (using the standard msiexec procedure) when installing from the command line. The administrator specifies the path to the file in which the install log will be saved.

The log records installation process steps and the msiexec command line containing the address of the server hosting the Central Node component and the path to the install log file.


Data on files that are blocked from starting

Data on files that are blocked from starting is stored in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, when Self-Defense is enabled, only users with System and Administrator permissions have read access to these files. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and change their access rights. Kaspersky Endpoint Agent does not manage access permissions to this folder or to any files in it; the system administrator determines the access permissions.

Data on files that are blocked from starting may contain the following information:

  • Full path to the blocked file.
  • MD5 hash of the file.
  • SHA256 hash of the file.
  • Process start command.


Data related to the performance of tasks

When performing a task for placing a file in quarantine, the archive containing this file is temporarily saved in one of the following folders:

  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

When performing an application run task on a host, Kaspersky Endpoint Agent locally stores the contents of the standard output and standard error streams of the running process, in plain unencrypted form, until the task completion report is sent to the Central Node component. Files are stored in one of the following folders:

  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

By default, when Self-Defense is enabled, only users with System and Administrator permissions have read access to these files. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and change their access rights. Kaspersky Endpoint Agent does not manage access permissions to this folder or to any files in it; the system administrator determines the access permissions.
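Because the administrator, not the application, is responsible for the permissions on these folders, an ACL audit is the natural check. The following PowerShell script is an added example and not Kaspersky's own code or procedure: it enumerates the NTFS allow entries on each Endpoint Agent data folder named in this and the preceding sections and flags any identity outside an assumed allow-list of SYSTEM and Administrators; the folder set and the allow-list are assumptions drawn from this document, and since Self-Defense rather than the NTFS ACL enforces the default restriction, a flagged entry is a review item rather than a defect.

```powershell
# Added audit script (not part of the Kaspersky documentation or product).
# Lists every Allow ACE on the Kaspersky Endpoint Agent data folders named in
# this document and flags identities outside an assumed allow-list. Run in an
# elevated PowerShell session on a host with Kaspersky Endpoint Agent installed.

$Base = 'C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected'

# Folders from the data provision sections; which ones exist depends on how the
# agent was installed (as part of KES or from the KATA distribution kit).
$Folders = @(
    (Join-Path $Base 'data'),             # settings received from Central Node
    (Join-Path $Base 'kata'),             # event data and blocked-file data
    (Join-Path $Base 'kata\data_queue'),  # task completion reports awaiting upload
    (Join-Path $Base 'kata\temp'),        # quarantine archives, task stdout/stderr (KES install)
    (Join-Path $Base 'data\kata\temp')    # same, when installed from the KATA kit
)

# Assumed allow-list: the two principals this document names as having read
# access by default. Adjust to your organization's policy.
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

foreach ($Folder in $Folders) {
    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Output ("SKIP    {0} (not present on this host)" -f $Folder)
        continue
    }

    $Acl = Get-Acl -LiteralPath $Folder
    foreach ($Ace in $Acl.Access) {
        # Deny entries only narrow access; only Allow entries can widen it.
        if ($Ace.AccessControlType -ne 'Allow') { continue }

        $Identity = $Ace.IdentityReference.Value
        $Status = if ($Allowed -contains $Identity) { 'OK     ' } else { 'REVIEW ' }
        $Source = if ($Ace.IsInherited) { 'inherited' } else { 'explicit' }

        Write-Output ("{0} {1}`n        {2,-32} {3} ({4})" -f
            $Status, $Folder, $Identity, $Ace.FileSystemRights, $Source)
    }
}
```

Inherited entries usually come from C:\ProgramData, so a REVIEW line with "inherited" indicates the parent folder's default ACL reaching these files, which is exactly the case Self-Defense is covering for while it is enabled.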


Kaspersky Endpoint Security for Windows data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.


Kaspersky Endpoint Security for Linux data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.


Kaspersky Endpoint Security for Mac data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.
