Data in fields of Windows Event Log events of Kaspersky Endpoint Agent
Windows Event Log data is stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in plain unencrypted form. The data is stored until Kaspersky Endpoint Agent is uninstalled.
This data can be automatically sent to Kaspersky Security Center.
By default, only users with System and Administrator permissions have read access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder or to the files in it. The system administrator determines the access permissions.
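An added example, not part of the Kaspersky documentation: a PowerShell check, run from an elevated prompt, that lists every principal other than SYSTEM and the built-in Administrators group holding an Allow entry with read rights on the log file. The allow list of SIDs is an assumption based on the default described above; extend it to match your own baseline.

```powershell
# Added example: audit read access to the Kaspersky Endpoint Agent event log file.
# Path taken from the page; %4 is a literal part of the file name.
$logPath = Join-Path $env:SystemRoot 'System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx'

# Assumption: only these well-known SIDs are expected readers.
# S-1-5-18 = Local System, S-1-5-32-544 = BUILTIN\Administrators.
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')

if (-not (Test-Path -LiteralPath $logPath)) {
    Write-Warning "Log file not found: $logPath"
    return
}

# Bits that grant read access to file content: ReadData (0x1),
# GENERIC_READ (0x80000000) and GENERIC_ALL (0x10000000).
$readMask = 1 -bor -2147483648 -bor 268435456

$acl = Get-Acl -LiteralPath $logPath
$findings = foreach ($rule in $acl.Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }

    # Compare by SID so localized or renamed account names do not matter.
    try {
        $sid = $rule.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $sid = $rule.IdentityReference.Value   # unresolvable identity, report as-is
    }

    if ($allowedSids -notcontains $sid) {
        [pscustomobject]@{
            Identity  = $rule.IdentityReference.Value
            Sid       = $sid
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Principals outside the allow list can read $logPath"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Only allow-listed principals have read access to $logPath"
}
```

Entries marked as inherited come from the Logs folder, so a finding there is corrected on the folder's access control list rather than on the file.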
Event data can contain information related to the following:
Data on user sessions in the operating system.
Operating system user accounts (userID).
Errors that occurred during the execution of object scan tasks.
Object scanning tasks.
Kaspersky Sandbox alerts.
Kaspersky Sandbox events.
Kaspersky Endpoint Agent IOC files generated as part of automatic Threat Response.
Object scan results.
Kaspersky Sandbox server certificates.
The object scan queue.
Modified settings of Kaspersky Endpoint Agent.
Changes to Kaspersky Security Center policies.
Modified status of an object scan task.
Kaspersky Security Center policies.
Quarantined objects.
Automatic Threat Response actions.
Errors in interaction with program servers.
Objects blocked in accordance with prevention rules.
Results of Delete file tasks.
Results of Kill process tasks.
Results of Run program tasks.
Results of Get file tasks.
The active license of Kaspersky Endpoint Detection and Response Optimum.
Program activation status.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.