Service data of Kaspersky Endpoint Agent for Windows

Service data of Kaspersky Endpoint Agent include:

• Data that is stored in configuration files as a result of configuring the settings by an administrator.
• Data processed as part of automatic Threat Response.
• Data processed during integration with Kaspersky Sandbox.
• Data processed during integration with the KATA Central Node component.
• Data processed during integration with Kaspersky Industrial CyberSecurity for Networks.

Service data are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> file. Data in the Settings subfolder are encrypted using the Encrypting File System (EFS). The data is stored until Kaspersky Endpoint Agent is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have access to the files (full access for System, read and execute for Administrator). The %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder and the Restored subfolder are also accessible to users with User (read only) permissions.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.

Kaspersky Endpoint Agent stores the following data that are processed during automatic response and integration with Kaspersky Sandbox:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Kaspersky Endpoint Agent access password.
   • Quarantined files.
   • Kaspersky Endpoint Agent settings.
   • Credentials of operating system users for starting tasks with certain user permissions.
   • Authentication credentials for Kaspersky Security Center Administration Server.
   • Authorization credentials for the proxy server.
   • Addresses of custom update sources.
   • Public key of the certificate used for integration with Kaspersky Sandbox.
2. Kaspersky Endpoint Agent cache:
   • Time when scan results were written to the cache.
   • MD5 hash of the scan task.
   • Scan task identifier.
   • Object scan result.
3. Queue of the object scan requests:
   • ID of the object in the queue.
   • Time when the object was queued.
   • Processing status of the queued object.
   • ID of the user session in the operating system where the object scan task was created.
   • System identifier (SID) of the operating system user whose user account permissions were used to create the object scan task.
   • MD5 hash of the object scan task.
4. Information about the tasks for which Kaspersky Endpoint Agent awaits scan results from Kaspersky Sandbox:
   • Time when the object scan task was received.
   • Object processing status.
   • ID of the user session in the operating system where the object scan task was created.
   • ID of the object scan task.
   • MD5 hash of the object scan task.
   • System identifier (SID) of the operating system user whose user account was used to create the task.
   • XML schema of the automatically created IOC.
   • MD5 or SHA256 hash of the scanned object.
   • Processing errors.
   • Names of the objects that the scanning task was created for.
   • Object scan result.

When integrated with the KATA Central Node component, Kaspersky Endpoint Agent stores the following data locally:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Quarantined files.
   • Kaspersky Endpoint Agent settings:
     • Kaspersky Endpoint Agent access password.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authorization credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate used for integration with KATA Central Node.
     • Public key of the certificate used for integration with Kaspersky Sandbox.
     • License data.
2. Data required for integration with the KATA Central Node component:
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.
   • Cache of IOC file identifiers received from the KATA Central Node component.
   • Objects to be passed to the server as part of the Get file task.
   • Reports on the Get forensics task results.

Kaspersky Endpoint Agent locally stores the following data when integrated with the Kaspersky Industrial CyberSecurity for Networks server:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Kaspersky Endpoint Agent settings:
     • Kaspersky Endpoint Agent access password.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authorization credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate for integration with Kaspersky Industrial CyberSecurity for Networks.
     • License data.
2. Data required for integration with Kaspersky Industrial CyberSecurity for Networks.
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.

See also Data received from the Central Node component Data in fields of Windows Event Log events of Kaspersky Endpoint Agent Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps Data sent to Kaspersky if the KSN Statement was accepted Data in alerts and events Data contained in task completion reports Data contained in an install log Data on files that are blocked from starting Data related to the performance of tasks

Page top