Data transmitted between program components
Central Node and Kaspersky Endpoint Agent for Windows (previously known as Endpoint Sensors)
Kaspersky Endpoint Agent for Windows sends the following to the Central Node component: task completion reports, information about events and alerts that occurred on computers with Kaspersky Endpoint Agent for Windows, and information about terminal sessions.
If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Windows is removed from the computer, but no longer than 21 days.
If an event occurs on the user's computer, Kaspersky Endpoint Agent for Windows sends the following data to the events database:
- General information for all events:
- Event type.
- Event time.
- User account for which the event was generated.
- Name of the host where the event occurred.
- Type of the operating system installed on the host.
- File creation event.
- Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
- File name.
- Path to the file.
- Full name of the file.
- MD5- and SHA256 hash of the file.
- Date of file creation and modification.
- File size.
- Registry monitoring event.
- Details of the process that modified the registry: Process ID, process file name, and MD5- and SHA256 hash of the process file.
- Path to the registry key.
- Registry value name.
- Registry value data.
- Registry value type.
- Previous path to the registry key.
- Previous registry value data.
- Previous registry value type.
- Driver loading event.
- File name.
- Path to the file.
- Full name of the file.
- MD5- and SHA256 hash of the file.
- File size.
- Date of file creation and modification.
- Listening port opening event.
- Details of the process that opened the listening port: process file name, and MD5- and SHA256 hash of the process file.
- Port number.
- Adapter IP address.
- Event in the operating system log.
- Time of the event, host on which the event occurred, and user account name.
- Event ID.
- Channel/log name.
- Event ID in the log.
- Provider name.
- Authentication event subtype.
- Domain name.
- Remote IP address.
- Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
- Event body fields: AccessList, AccessMask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
- Process start event.
- Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
- UniquePID.
- Process start options.
- Process start time.
- Process end time.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
- Module loading event.
- Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5- and SHA256 hash of the file, and file size.
- DLL name.
- Path to DLL.
- DLL full name.
- MD5 or SHA256 hash of the DLL.
- DLL size.
- Date of DLL creation and modification.
- Name of the organization that issued the digital certificate of the DLL.
- DLL digital signature verification result.
- Process startup blocking event.
- Details of the file that attempted to run: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
- Command-line parameters.
- File startup blocking event.
- Details of the file that attempted to open: file name, file path, full name of the file, MD5- and SHA256 hash of the file, type of checksum used for file size blocking (0 – MD5, !=0 – SHA256, not used for search).
- Details of the executable file: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
- Details of the parent process: file name, file path, full name of the file, MD5- and SHA256 hash of the file, PID, and UniquePID.
- Event of Kaspersky Endpoint Security for Windows.
- Scan result.
- Name of the detected object.
- ID of the record in program databases.
- Release time of the program databases with which the alert was generated.
- Object processing mode.
- Category of the detected object (for example, name of a virus).
- MD5 hash of the detected object.
- SHA256 hash of the detected object.
- Unique ID of the process.
- Process PID displayed in the Windows Task Manager.
- Process run command line.
- Reason for the error when processing the object.
- Contents of the script scanned using AMSI.
- AMSI scan event.
- Contents of the script scanned using AMSI.
Central Node and Kaspersky Endpoint Agent for Linux
Kaspersky Endpoint Agent for Linux sends the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with Kaspersky Endpoint Agent for Linux, and information on terminal sessions.
If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Linux is removed from the computer, but no longer than 21 days.
If an event occurs on the user's computer, Kaspersky Endpoint Agent for Linux sends the following data to the events database:
- General information for all events:
- Event type.
- Event time.
- User account for which the event was generated.
- Name of the host where the event occurred.
- Type and version of the operating system that is installed on the host.
- Name of the host that was used to remotely log in to the system.
- Name of the user assigned when registering in the system.
- Group to which the user belongs.
- User name that was used to log in to the system.
- Group of the user whose name was used to log in to the system.
- Name of the user who created the file.
- Name of the group whose users can modify or delete the file.
- Permissions that can be used to gain access to the file.
- Inherited privileges of the file.
- Process start event.
- Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
- UniquePID.
- Command that was used to start the process.
- Process type.
- Environment variables of the process.
- Process start time.
- Process end time.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
- File creation event.
- Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
- File name.
- Path to the file.
- Full name of the file.
- File type.
- MD5- and SHA256 hash of the file.
- Date of file creation and modification.
- File size.
- Event in the operating system log.
- Event time.
- Event type.
- Result of the operation.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
Central Node and Sandbox
The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.
Central Node and Sensor
The program may transmit the following data between Central Node and Sensor components:
- Files and email messages.
- Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
- License information.
- List of data excluded from the scan.
- Data of the Endpoint Sensors program, if integration with a proxy server has been configured.
- Program databases, if the receipt of database updates from the Central Node component is configured.
Servers with PCN and SCN roles
If the program is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:
- Data on alerts.
- Data on events.
- Data on tasks.
- Data on policies.
- Data on scans using IOC, TAA (IOA), IDS, YARA user rules.
- Data on files in Storage.
- Data on user accounts.
- About the license.
- List of computers with Kaspersky Endpoint Agent
- Objects placed in Storage.
- Objects quarantined on computers with Kaspersky Endpoint Agent.
- Files attached to alerts.
- IOC and YARA files.
Page top