Creating a data collection task

You can get lists of files, processes, and autorun points from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a data collection task.

To create a data collection task:

  1. Select the Tasks section in the program web interface window.

    This opens the task table.

  2. Click Add and select Get forensics.

    This opens the task creation window.

  3. Configure the following settings:
    1. Information type is the type of collected data. Select the check box next to one, multiple, or all settings:
      • Processes list if you want to get a list of processes running on the host at the time of the task execution.
      • Autorun points list if you want to get a list of autorun points.

        The autorun points list includes information about programs added to the startup folder or registered in the Run keys of the registry, as well as programs that are automatically run at startup of a Kaspersky Endpoint Agent host and when a user logs in to the operating system on the specified hosts.

      • File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
    2. If you have selected the File list check box, in the Source type group of settings, select one of the following options:
      • All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
      • Folder if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
    3. If you selected Folder, in the Start folder field, specify the path to the folder from which the file search should start.

      You can use the following prefixes:

      • System environment variables.
      • User-defined environment variables.

        When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.

    4. In the Hosts field, enter the IP address or name of the host to which you want to assign the task.

      The data collection task can only be assigned to hosts with the Kaspersky Endpoint Agent for Windows program version 3.10 or later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 and higher.

      If necessary, you can specify the following search criteria for files in folders:

      • File mask is the mask of files to be included in the list of files.
      • Alternative data streams is the check box that enables recording information about alternate data streams in the file list.

        If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.

        The check box is selected by default.

      • Maximum nesting level is the maximum nesting level of folders in which the program searches for files.
      • Exclusions is the path to the folders that you want to exclude from the search for information about files.
      • Description is the task description.
  4. Click Add.

The data collection task is created. The task runs automatically after it is created.

Upon completion of the task, the program places a ZIP archive containing a file with the selected data in Storage. If the task completed successfully, you can download the archive to your local computer.

If you are using the distributed solution and multitenancy mode, the archive is placed in Storage of the Central Node server to which the hosts specified in the Hosts field are connected.

Users with the Security auditor role cannot create data collection tasks.

Users with the Security officer role do not have access to tasks.
