Contents and storage of trace files

The user is personally responsible for the safety of the data that is stored on their computer, particularly for monitoring and restricting access to the data until it is submitted to Kaspersky.

Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed.

Trace files are stored in the ProgramData\Kaspersky Lab folder.

The trace file has the following name format: KES<version number_dateXX.XX_timeXX.XX_pidXXX.><trace file type>.log.

The Authentication Agent trace file is stored in the System Volume Information folder and has the following name: KLFDE.{EB2A5993-DFC8-41a1-B050-F0824113A33A}.PBELOG.bin.

You can view data saved in trace files.

All trace files contain the following common data:

• Event time.
• Number of the thread of execution.

  The Authentication Agent trace file does not contain this information.

• Application component that caused the event.
• Degree of event severity (informational event, warning, critical event, error).
• A description of the event involving command execution by a component of the application and the result of execution of this command.

Kaspersky Endpoint Security saves user passwords to a trace file only in encrypted form.

Contents of SRV.log, GUI.log, and ALL.log trace files

SRV.log, GUI.log, and ALL.log trace files may store the following information in addition to general data:

• Personal data, including the last name, first name, and middle name, if such data is included in the path to files on the local computer.
• The user name and password if they were transmitted openly. This data can be recorded in trace files during Internet traffic scanning. Traffic is recorded in trace files only from trafmon2.ppl.
• The user name and password if they are contained in HTTP headers.
• The name of the Microsoft Windows account if the account name is included in a file name.
• Your email address or a web address containing the name of your account and password if they are contained in the name of the object detected.
• Websites that you visit and redirects from these websites. This data is written to trace files when the application scans websites.
• Proxy server address, computer name, port, IP address, and user name used to sign in to the proxy server. This data is written to trace files if the application uses a proxy server.
• Remote IP addresses to which your computer established connections.
• Message subject, ID, sender's name and address of the message sender's web page on a social network. This data is written to trace files if the Web Control component is enabled.

Contents of HST.log, BL.log, Dumpwriter.log, WD.log, AVPCon.dll.log trace files

In addition to general data, the HST.log trace file contains information about the execution of a database and application module update task.

In addition to general data, the BL.log trace file contains information about events occurring during operation of the application, as well as data required to troubleshoot application errors. This file is created if the application is started with the avp.exe –bl parameter.

In addition to general data, the Dumpwriter.log trace file contains service information required for troubleshooting errors that occur when the application dump file is written.

In addition to general data, the WD.log trace file contains information about events occurring during operation of the avpsus service, including application module update events.

In addition to general data, the AVPCon.dll.log trace file contains information about events occurring during the operation of the Kaspersky Security Center connectivity module.

Contents of the AMSI Protection Provider trace files

In addition to general data, the AMSI.log trace file contains information about the results of scans performed on requests from third-party applications.

Contents of trace files of the Mail Threat Protection component

The trace file mcou.OUTLOOK.EXE.log may contain parts of email messages, including email addresses, in addition to general data.

Contents of trace files of the Scan from Context Menu component

The shellex.dll.log trace file contains information about completion of the scan task and data required to debug the application, in addition to general information.

Contents of trace files of the application web plug-in

Trace files are stored on the computer on which Kaspersky Security Center 11 Web Console is deployed, in the folder Program Files\Kaspersky Lab\Kaspersky Security Center Web Console 11\logs. Web Console begins writing data after installation and deletes the trace files after Web Console is removed.

Trace files for Kaspersky Endpoint Security are named as follows: logs-kes_windows-<type of trace file>.DESKTOP-<date of file update>.log.

Trace files of the application web plug-in contain the following information in addition to general data:

• KLAdmin user password for unlocking the Kaspersky Endpoint Security interface (Password protection).
• Temporary password for unlocking the Kaspersky Endpoint Security interface (Password protection).
• User name and password for the SMTP mail server (Email notifications).
• User name and password for the Internet proxy server (Proxy server).
• User name and password for the Change application components task.
• Account credentials and paths specified in Kaspersky Endpoint Security tasks and policy properties.

Contents of the Authentication Agent trace file

In addition to general data, the Authentication Agent trace file contains information about the operation of Authentication Agent and the actions performed by the user with Authentication Agent.

Page top