Service data

Service data of Kaspersky Endpoint Agent include:

• Data that is stored in configuration files as a result of configuring the settings by an administrator.
• Data processed during automatic Threat Response.
• Data processed during integration with Kaspersky Sandbox.
• Data processed during integration with KATA Central Node.
• Data processed during integration with Kaspersky Industrial CyberSecurity for Networks.

Service data are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> file. Data in the Settings subfolder are encrypted using the Encrypting File System (EFS). The data is stored until Kaspersky Endpoint Agent is uninstalled.

The data can be automatically sent to Kaspersky Security Center.

By default, these files can be accessed only by users with System (full access) and Administrator (read and execute) permissions. The %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder and the Restored subfolder are also accessible to users with User (read only) permissions.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.

Kaspersky Endpoint Agent stores the following data that are processed during automatic response and integration with Kaspersky Sandbox:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Access password for Kaspersky Endpoint Agent.
   • Quarantined files.
   • Kaspersky Endpoint Agent settings.
   • Credentials of operating system users for starting tasks with certain user permissions.
   • Authentication credentials for Kaspersky Security Center Administration Server.
   • Authentication credentials for the proxy server.
   • Addresses of custom update sources.
   • Public key of the certificate used for integration with Kaspersky Sandbox.
2. Kaspersky Endpoint Agent cache:
   • Time when scan results were written to the cache.
   • MD5 hash of the scan task.
   • Scan task identifier.
   • Scan result for the object.
3. Queue of the object scan requests:
   • ID of the object in the queue.
   • Time when the object was placed in the queue.
   • Processing status of the object in the queue.
   • ID of the user session in the operating system where the object scan task was created.
   • System identifier (SID) of the operating system user whose account was used to create the object scan task.
   • MD5 hash of the object scan task.
4. Information about the tasks for which Kaspersky Endpoint Agent awaits scan results from Kaspersky Sandbox:
   • Time when the object scan task was received.
   • Object processing status.
   • ID of the user session in the operating system where the object scan task was created.
   • Identifier of the object scan task.
   • MD5 hash of the object scan task.
   • System identifier (SID) of the operating system user whose account was used to create the task.
   • XML schema of the automatically created IOC.
   • MD5 or SHA256 hash of the scanned object.
   • Processing errors.
   • Names of the objects for which the scan task was created.
   • Scan result for the object.

When integrated with the KATA Central Node component, Kaspersky Endpoint Agent stores the following data locally:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Quarantined files.
   • Kaspersky Endpoint Agent settings:
     • Access password for Kaspersky Endpoint Agent.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authentication credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate used for integration with KATA Central Node.
     • Public key of the certificate used for integration with Kaspersky Sandbox.
     • License data.
2. Data required for integration with KATA Central Node:
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.
   • Cache of IOC file identifiers received from KATA Central Node.
   • Objects to be passed to the server within the Get file task.
   • The Get forensic task results reports.

When integrated with KICS for Networks server, Kaspersky Endpoint Agent stores the following data locally:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Kaspersky Endpoint Agent settings:
     • Access password for Kaspersky Endpoint Agent.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authentication credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate used for integration with KICS for Networks.
     • License data.
2. Data required for integration with KICS for Networks:
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.

Page top