Changes in the system after Kaspersky Endpoint Agent installation
The Windows Installer service performs the following changes on the protected device during Kaspersky Endpoint Agent installation:

Creates Kaspersky Endpoint Agent folders.
Registers Kaspersky Endpoint Agent keys in the system registry.
Registers Kaspersky Endpoint Agent services and drivers.

Kaspersky Endpoint Agent folders on the protected device
When Kaspersky Endpoint Agent is installed, the following folders are created on the device:
The default Kaspersky Endpoint Agent installation folder that contains Kaspersky Endpoint Agent executable files:
  In 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\
  In 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\

Folder containing Kaspersky Endpoint Agent (x86) drivers:
  In 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\drivers\<OS version>\<driver name>
  In 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\drivers\x64\<OS version>\<driver name>

Folders containing IOC files:
  In 32-bit version of Microsoft Windows:
    %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc
    %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.0
    %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.1
  In 64-bit version of Microsoft Windows:
    %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc
    %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.0
    %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.1

Folders containing Kaspersky Endpoint Agent system files:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Images
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kata
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kmp
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Syslog
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Hunts
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Settings
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Tasks
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\DSKM
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp\Tasks
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Bases

Folder containing system files for Kaspersky Security Network operation:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Ksn

Folder containing quarantined files:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Quarantine

Folder containing files restored from the quarantine:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Restored

Folder containing Kaspersky Security Center policy configuration files:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Policy

Folders containing system files for Kaspersky Sandbox operation:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox\Queue

Folder containing files of updatable components:
  %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Update

Folder containing shortcut files for the Start menu:
  %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kaspersky Endpoint Agent

Kaspersky Endpoint Agent services and drivers
The following Kaspersky Endpoint Agent services are registered and started under the system account (SYSTEM):
SOYUZ.exe is the main Kaspersky Endpoint Agent service that manages its tasks and operation processes.
VOSTOK.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and the Central Node component.
ANGARA.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and EPP in scenarios of Kaspersky Sandbox integration.

The following Kaspersky Endpoint Agent drivers are registered on the device:

klsnsr.sys is an Event Tracing for Windows (ETW) driver.
klncap.sys is an ETW network packet analyzer.

System registry keys
As a result of Kaspersky Endpoint Agent installation, the following registry keys are created:
Registry keys are listed in the 32-bit application view.
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdDisplayName]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdVersion]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorVersion]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorFlags]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\NagentMinVer]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorPath]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3KPD]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\ProductCode]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\NoPPL]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\BFESDDL]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable(Example)]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder(Example)]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EnableKillChain]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\SvmUpdateMode]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\MsiPath]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\AgentPath]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EventsExpirationTimeout]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallID]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallTime]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLCID]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLocalization]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallPlatformType]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\Version]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration]
[HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration(Example)]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\StartMenu]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\UninstallShortcut2]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\RelNotes]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\License]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Ksn]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Kmp]
[HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\ProductUrl]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\angara]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncap]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klsnsr]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vostok]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soyuz]
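
The lists above can be used to check that an installation is present and intact. The following read-only PowerShell audit is an added example, not part of the Kaspersky documentation; the function names are hypothetical, and it assumes that the last element of each listed SOFTWARE path is a value name. It opens the 32-bit registry view explicitly, because the keys are listed in that view.

```powershell
# Added example: read-only audit of the artefacts listed on this page.
# Service key names and folder paths are copied from the lists above.
$serviceNames = 'soyuz', 'vostok', 'angara', 'klsnsr', 'klncap', 'klelaml'

function Get-AgentServiceKeys {
    foreach ($name in $serviceNames) {
        $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $p = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $name
            Present   = (Test-Path -LiteralPath $path)
            Type      = $p.Type        # 1 = kernel driver, 16 or 32 = Win32 service
            Start     = $p.Start       # 0-2 = boot/system/automatic, 3 = manual, 4 = disabled
            Account   = $p.ObjectName  # LocalSystem for services running as SYSTEM
            ImagePath = $p.ImagePath
        }
    }
}

function Get-AgentInstallValues {
    # The SOFTWARE keys are listed in the 32-bit view; on 64-bit Windows that
    # view resolves to HKLM\SOFTWARE\WOW6432Node\KasperskyLab.
    $hklm32 = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, [Microsoft.Win32.RegistryView]::Registry32)
    # Assumption: the last element of each listed path is a value name.
    foreach ($item in 'Install\Version', 'Install\InstallTime', 'Environment\AgentPath') {
        $sub, $value = $item -split '\\', 2
        $key = $hklm32.OpenSubKey("SOFTWARE\KasperskyLab\SOYUZ\4.0\$sub")
        $data = if ($key) { $key.GetValue($value) } else { $null }
        [pscustomobject]@{ Entry = $item; Data = $data }
        if ($key) { $key.Dispose() }
    }
    $hklm32.Dispose()
}

function Get-AgentFolders {
    $pf = if ([Environment]::Is64BitOperatingSystem) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
    $data = Join-Path $env:ALLUSERSPROFILE 'Kaspersky Lab\Endpoint Agent\4.0'
    $paths = @(Join-Path $pf 'Kaspersky Lab\Endpoint Agent') +
             ('Data', 'Settings', 'Policy', 'Quarantine', 'Bases' | ForEach-Object { Join-Path $data $_ })
    foreach ($path in $paths) {
        [pscustomobject]@{ Path = $path; Exists = (Test-Path -LiteralPath $path -PathType Container) }
    }
}

Get-AgentServiceKeys   | Format-Table -AutoSize
Get-AgentInstallValues | Format-Table -AutoSize
Get-AgentFolders       | Format-Table -AutoSize
```

A missing service key, a Start value of 4, or an Account other than LocalSystem on soyuz, vostok or angara indicates a broken or altered installation that should be investigated.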