The data for building the threat development chain is stored in the %ProgramData%\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain\detects folder in open, unencrypted form. By default, this data is stored for 7 days. The data is automatically sent to Kaspersky Security Center.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
By default, only users with System and Administrator permissions have read access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder and the files in this folder. Access is managed by the system administrator.
Data for creating a threat development chain may contain the following information:
Incident date and time.
Detection name.
Scan mode.
Status of the last action related to the detection.
Reason why the detection processing failed.
Detected object type.
Detected object name.
Threat status after the object is processed by EPP.
Reason why execution of actions on the object failed.
Actions performed by EPP to roll back malicious actions (for EPPs that support rollback of malicious actions).
Information about the processed object:
Unique identifier of the process.
Unique identifier of the parent process.
Unique identifier of the process file.
Windows process identifier.
Process command line.
User account that started the process.
Code of the logon session in which the process is running.
Type of the session in which the process is running (for example, "interactive", "remote interactive").
Integrity level of the process being processed.
Membership of the user account that started the process in the privileged local and domain groups (for example, Administrators, Domain Administrators, Enterprise Administrators, Schema Administrators).
Identifier of the processed object.
Full name of the processed object.
Identifier of the protected device.
Full name of the object (local file name or downloaded file web address).
MD5 hash of the processed object.
SHA256 hash of the processed object.
Type of the processed object.
Creation date of the processed object.
Date when the processed object was last modified.
Size of the processed object.
Attributes of the processed object.
Organization that signed the processed object.
Result of the processed object digital certificate verification.
Security identifier (SID) of the processed object.
Time zone identifier of the processed object.
Web address of the processed object download (only for files on disk).
Name of the application that downloaded the file.
MD5 hash of the application that downloaded the file.
SHA256 hash of the application that downloaded the file.
Name of the application that last modified the file.
MD5 hash of the application that last modified the file.
SHA256 hash of the application that last modified the file.
Number of processed object starts.
Date and time when the processed object was first started.
Unique identifiers of the file.
Full name of the file (local file name or downloaded file web address).
Path to the processed Windows registry variable.
Name of the processed Windows registry variable.
Value of the processed Windows registry variable.
Type of the processed Windows registry variable.
Indicator of the processed registry key membership in the autorun point.
Web address of the processed web request.
Link source of the processed web request.
User agent of the processed web request.
Type of the processed web request ("GET" or "POST").
Local IP port of the processed web request.
Remote IP port of the processed web request.
Connection direction (inbound or outbound) of the processed web request.
Identifier of the process into which the malicious code was embedded.