Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform

When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent installed.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Data from Kaspersky Endpoint Agent requests to the Central Node component:

  1. In the synchronization requests:
    • Unique ID of Kaspersky Endpoint Agent.
    • Base part of the server web address.
    • Device name.
    • IP address of the device.
    • MAC address of the device.
    • Local time on the device.
    • Self-defense status of Kaspersky Endpoint Agent.
    • Name and version of the operating system that is installed on the device.
    • Kaspersky Endpoint Agent version.
    • Versions of program settings and task settings.
    • Task statuses in Kaspersky Endpoint Agent: IDs of running tasks, execution statuses, execution error codes.
    • Statuses of Kaspersky Endpoint Agent settings: type of applied settings, version of settings, status of applying the settings, error codes of applying the settings.
  2. In requests for obtaining files from the server:
    • Unique IDs of files.
    • Unique ID of Kaspersky Endpoint Agent.
    • Unique IDs of tasks.
    • Base part of the web address of the Central Node server.
    • Host IP address.
  3. In the reports on task execution results:
    • Host IP address.
    • Details of objects detected during IOC or YARA scan.
    • Flags of the additional actions performed by Kaspersky Endpoint Agent after completion of tasks (for example, "deleteFileAfterReboot": false).
    • Task execution errors and return codes.
    • Task completion statuses.
    • Task completion time.
    • Versions of settings used for task execution.
    • Details of objects submitted to the server, quarantined objects, and objects restored from Quarantine: paths to objects, MD5 and SHA256 hashes of objects, IDs of quarantined objects.
    • Details of processes started or stopped on the Kaspersky Endpoint Agent device following the server request: PID and UniquePID, error code, MD5 and SHA256 hashes of objects.
    • Information about services started or stopped on the device following the server request (name of the service, run type, error code, MD5 and SHA256 hashes of service file images).
    • Details of objects for which a memory dump was created for YARA scanning (paths, dump file ID).
    • Files requested by the server.
    • Telemetry packets.
    • Data on running processes:
      • Name of the executable file, including the full path and extension.
      • Process autorun settings.
      • Process ID.
      • Logon session code.
      • Logon session name.
      • Date and time when the process started.
      • MD5 hash of the object.
      • SHA256 hash of the object.
    • Data on files:
      • Path to the file.
      • File name.
      • File size.
      • File attributes.
      • File creation date and time.
      • Date and time of the last modification of the file.
      • File description.
      • Company name.
      • MD5 hash of the object.
      • SHA256 hash of the object.
      • Registry key (for autorun points).
  4. Telemetry data:
    • Host IP address.
    • Type of data in the registry prior to the registered modification operation.
    • Data in the registry key prior to the registered modification operation.
    • Text of the processed script or part of it.
    • Type of processed object.
    • Method of sending the command to the command shell.

Data from the requests of the Central Node component to Kaspersky Endpoint Agent:

  1. Task settings:
    • Task types.
    • Task schedule settings.
    • Names and passwords of the accounts that must be used to run tasks.
    • Versions of settings.
    • IDs of quarantined objects.
    • Paths to objects.
    • MD5 and SHA256 hashes of objects.
    • Command line to start the process together with the arguments.
    • Flags of additional actions performed by Kaspersky Endpoint Agent after completion of the task.
    • IOC file identifiers that must be retrieved from the server.
    • IOC files.
    • Names of services.
    • Run type of services.
    • Folders for which results of the Get forensics task must be obtained.
    • Masks of the names and extensions of objects for the Get forensics task.
  2. Network isolation settings:
    • Types of settings.
    • Versions of settings.
    • Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files.
    • Flags of additional actions performed by Kaspersky Endpoint Agent.
    • Time of automatic disabling of isolation.
  3. Settings for preventing execution and opening of documents:
    • Types of settings.
    • Versions of settings.
    • Lists of prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects.
    • Flags of additional actions performed by Kaspersky Endpoint Agent.
  4. Event filtering settings:
    • Module names.
    • Full paths to objects.
    • MD5 and SHA256 hashes of objects.
    • Identifiers of entries in the Windows event log.
    • Digital certificate settings.
    • Traffic direction, IP addresses, ports, protocols, full paths to executable files.
    • User names.
    • User logon types.
    • Types of telemetry events for which filters are applied.

See also

Data received from the Central Node component

Data in fields of Windows Event Log events of Kaspersky Endpoint Agent

Service data of Kaspersky Endpoint Agent for Windows

Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps

Data sent to Kaspersky if the KSN Statement was accepted

Data in alerts and events

Data contained in task completion reports

Data contained in an install log

Data on files that are blocked from starting

Data related to the performance of tasks