Data on the events in Windows Event Log is stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in a plain and non-encrypted form. The data is stored until Kaspersky Endpoint Agent is uninstalled.
The data can be automatically sent to Kaspersky Security Center.
By default, only users with System and Administrator permissions have read access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder and the files in this folder. Access is managed by the system administrator.
Event data can contain information about:
User sessions in the operating system.
User accounts in the operating system (userID).
Errors that occurred during the execution of object scan tasks.
Object scan tasks.
Kaspersky Sandbox detections.
Kaspersky Sandbox events.
Kaspersky Endpoint Agent IOC files generated during automatic response.
Object scan results.
Kaspersky Sandbox server certificates.
The object scan queue.
Changes to Kaspersky Endpoint Agent.
Changes to Kaspersky Security Center policies.
Changes to object scan task status.
Kaspersky Security Center policies.
Quarantined objects.
Automatic Threat Response actions.
Errors while interacting with application servers.
Objects blocked by Execution prevention rules.
Results of Delete file tasks.
Results of Terminate process tasks.
Results of Run application tasks.
Results of Get file tasks.
Current Kaspersky Endpoint Detection and Response Optimum license.
Application activation status.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.