You can get lists of files, processes, and autorun points from selected Kaspersky Endpoint Agent for Windows hosts. To do so, you must create a forensic collection task.
To create a forensic collection task:
Select the Tasks section in the program web interface window.
This opens the task table.
Click the Add button and select Forensics in the Get data drop-down list.
This opens the task creation window.
Configure the following settings:
Information type is the type of collected data. Select the check box next to one or more of the following options:
Processes list if you want to get a list of processes running on the host at the time of the task execution.
Autorun points list if you want to get a list of autorun points.
The autorun points list includes information about programs added to the Startup folder or registered in the Run keys of the registry, as well as programs that are run automatically when a Kaspersky Endpoint Agent host starts up or when a user logs in to the operating system on the specified hosts.
Kaspersky Endpoint Agent supports gathering data for the following autorun points:
Logon.
Run.
Explorer.
Shell.
Office.
Internet Explorer®.
Tasks.
Services.
Drivers.
Telephony.
Cryptography.
Debuggers.
COM.
Session Manager.
Network.
LSA.
Applications.
Codecs.
Shellex.
WMI.
Unspecified.
File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
If you have selected the File list check box, in the Source type group of settings, select one of the following options:
All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
Directory if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
If you selected Directory, in the Start directory field, specify the path to the folder from which the file search should start.
You can use the following prefixes:
System environment variables.
User-defined environment variables.
When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.
In the Hosts field, enter the IP address or name of the host to which you want to assign the task.
You can specify multiple hosts.
The data collection task can only be assigned to hosts with the Kaspersky Endpoint Agent for Windows program version 3.10 or later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 or later.
If necessary, you can specify the following search criteria for files in folders:
File mask is the mask of files to be included in the list of files.
Alternative data streams is the check box that enables recording information about alternate data streams in the file list.
If a file that matches the search has other NTFS data streams attached to it, the task output includes all of the data streams attached to that file.
The check box is selected by default.
Maximum nesting level is the maximum nesting level of folders in which the program searches for files.
Exclusions is the path to the folders in which you want to prohibit the search for information about files.
Description is the task description.
Click Add.
The forensic collection task is created. The task runs automatically after it is created.
Upon completion of the task, the program places a ZIP archive containing a file with the selected data into Storage. If the task completed successfully, you can download the archive to your local computer.
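To make the file-list settings above concrete, here is an added PowerShell example (not Kaspersky code and not the agent's implementation) that re-creates the same criteria on a single Windows host: an environment-variable prefix in the start directory, a file mask, a maximum nesting level, excluded folders, and optional alternate data stream recording. The function name `Get-ForensicFileList` and the parameter names are this example's own.

```powershell
# Added example, not Kaspersky code: local re-creation of the forensic task's
# file-list criteria so an analyst can see what each setting corresponds to.
function Get-ForensicFileList {
    [CmdletBinding()]
    param(
        # "Start directory"; may begin with an environment-variable prefix such as %SystemRoot%
        [Parameter(Mandatory)] [string] $StartDirectory,
        # "File mask"
        [string] $FileMask = '*',
        # "Maximum nesting level" of subfolders below the start directory
        [int] $MaxNestingLevel = 3,
        # "Exclusions": folders whose contents (and subfolders) are not listed
        [string[]] $Exclusions = @(),
        # "Alternative data streams": also record alternate NTFS data streams
        [switch] $AlternateDataStreams
    )

    # Expand %VAR% prefixes, mirroring the task's environment-variable support
    $root = [Environment]::ExpandEnvironmentVariables($StartDirectory)
    $excluded = $Exclusions | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables($_).TrimEnd('\') + '\'
    }

    Get-ChildItem -LiteralPath $root -File -Filter $FileMask -Recurse -Depth $MaxNestingLevel -Force -ErrorAction SilentlyContinue |
      Where-Object {
        $path = $_.FullName
        # Drop anything located under an excluded folder
        -not ($excluded | Where-Object { $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
      } |
      ForEach-Object {
        $file = $_
        # The unnamed primary stream is always reported
        [pscustomobject]@{ Path = $file.FullName; Stream = ':$DATA'; Size = $file.Length; LastWriteUtc = $file.LastWriteTimeUtc }
        if ($AlternateDataStreams) {
            # Every stream other than the primary one is an alternate data stream
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
              Where-Object { $_.Stream -ne ':$DATA' } |
              ForEach-Object {
                [pscustomobject]@{ Path = $file.FullName; Stream = $_.Stream; Size = $_.Length; LastWriteUtc = $file.LastWriteTimeUtc }
              }
        }
      }
}

# Example run: executables in the current user's Downloads folder, two levels deep,
# including Zone.Identifier streams that mark files saved from the internet
Get-ForensicFileList -StartDirectory '%USERPROFILE%\Downloads' -FileMask '*.exe' -MaxNestingLevel 2 -AlternateDataStreams |
  Export-Csv -Path "$env:TEMP\file-list.csv" -NoTypeInformation
```

The `-Depth` parameter requires Windows PowerShell 5.0 or later; alternate data streams are only reported on NTFS volumes.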
Users with the Security auditor role cannot create forensic collection tasks.
Users with the Security officer role do not have access to tasks.