About data provision when using Kaspersky Security Network
By accepting the Kaspersky Security Network Statement, you agree to automatically transmit the following information:
If the Enable Kaspersky Security Network check box is selected and the Enable extended KSN mode check box is cleared, the following information is transmitted:
Web address of the page from which the user was directed to the scanned web address
Web address whose reputation is requested
Version of the protocol used to connect to Kaspersky services
ID of the anti-virus databases
ID of the scan task that detected the threat
ID of the subsystem that initiated the request
ID of the connection protocol and the utilized port number
IDs of installed updates
Name and ID of the detected threat according to the Kaspersky classification
Public certificate key
Type and full version of Kaspersky Endpoint Security
Hash (SHA256) of the certificate with which the scanned object was signed
Hash of the scanned file (MD5, SHA2-256 and SHA1) and file templates (MD5)
If the Enable extended KSN mode check box is selected in addition to the Enable Kaspersky Security Network check box, the following information is transmitted in addition to the information listed above:
Trusted executable files and non-executable files, or parts thereof, transmitted for the purpose of preventing false positives.
The following information included in application activity reports is transmitted:
Web addresses and IP addresses called by the application
Web addresses and IP addresses from which the started file was received
Certificate term start and expiration date and time, if the transmitted file has a digital signature - the date and time of the signature, name of the certificate issuer, information about the certificate owner, thumbprint and public certificate key and their computation algorithms, and the serial number of the certificate
Headers of process windows
ID of anti-virus databases, name of the detected threat according to the classification of the Rightholder
Names and paths to files that were accessed by the process
Names of registry keys and their values that were accessed by the process
Account name used to start the process
Name, size, and version of the transmitted file, its description and checksums (MD5, SHA2-256, SHA1), format ID, name of its developer, name of the product to which the file belongs, full path to the file on the computer and the path template code, and the date and time of file creation and modification
Information about the license installed in the software, license ID, and its type and expiration date
Checksums (MD5, SHA2-256, SHA1) of the name of the computer on which the process was started
Local time of the computer when the information was transmitted
The following additional information is transmitted:
Web addresses and IP addresses of the requested web resource, information about the file and web client accessing the web resource, the name, size and checksums (MD5, SHA2-256, SHA1) of the file, full path to the file and path template code, the result of checking its digital signature, and its status in KSN
If a potentially malicious object is detected, the following information about process memory data is provided: elements of the system object hierarchy (ObjectManager), UEFI BIOS memory data, and the names and values of registry keys.
Web pages and emails containing suspicious and malicious objects.
Version of the software update component, the number of software update component crashes when running update tasks during component operation, ID of the update task type, the number of unsuccessful update task terminations of the software update component.
Data on errors that occurred in the operation of the software component: ID of the software status, error code and type, as well as the time it occurred, IDs of the component, module and process of the product in which the error occurred, ID of the task or category of the update during which the error occurred, logs of drivers used by the software (error code, module name, name of the source file and string where the error occurred), ID of the method for identifying the error that occurred in software operation, and the name of the process that initiated the interception or exchange of traffic that led to the error in software operation.
Data on a system dump (BSOD): indicator of a BSOD occurring on the computer, name of the driver that caused the BSOD, memory stack and address in the driver, indicator of the duration of the OS session prior to the BSOD, memory stack of the driver crash, type of saved memory dump, indicator that the OS session lasted more than 10 minutes prior to the BSOD, unique ID of the dump, and the date and time of the BSOD.
Data on updates of anti-virus databases and components of the software: names, dates, and time of index files loaded as a result of the last update and loaded in the current update, as well as the date and time when the last update finished, and the names of the updated categories of files and their checksums (MD5, SHA2-256, SHA1).
ID of the scan task that detected the threat.
Information for authenticating certificates with which files were signed: certificate thumbprint, checksum computation algorithm, public key and serial number of the certificate, name of the certificate issuer, result of checking the certificate, and the ID of the certificate database.
Information about the version of the operating system (OS) installed on the computer and installed update packages, bit rate, revision and settings of the OS operating mode, and the version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file.
Information about rollback of malware actions: data on the file whose activity was rolled back (name of the file, full path to the file, its size and checksums (MD5, SHA2-256, SHA1)), data on successful and unsuccessful actions to delete, rename and copy files and restore the values in the registry (names of registry keys and their values), and information about system files modified by malware, before and after rollback.
Information about executable file emulation: size of the file and its checksums (MD5, SHA2-256, SHA1), version of the emulation component, depth of emulation, vector of characteristics of logical blocks and functions within logical blocks obtained during emulation, and data from the executable file PE-header structure.
Information about the date of installation and activation of the software on the computer: the type of license installed and its validity period, the ID of the partner from whom the license was purchased, the license serial number, the type of software installation on the computer (new installation, upgrade, etc.), the indicator of successful installation or the number of the installation error, the unique ID of the software installation on the computer, the type and ID of the application with which the update is performed, and the ID of the update task.
Information about loaded software modules: name, size and checksums (MD5, SHA2-256, SHA1) of the module file, full path to it and the path template code, digital signature settings of the module file, date and time of signature creation, name of the subject and organization that signed the module file, ID of the process in which the module was loaded, name of the module supplier, and the sequence number of the module in the loading queue.
Information about files downloaded by the user: URLs and IP addresses from which the files were downloaded and the download pages, ID of the download protocol and connection port number, indicator of malicious activity of addresses, attributes and size of the file and its checksums (MD5, SHA2-256, SHA1), information about the process that downloaded the file (checksums (MD5, SHA2-256, SHA1), date and time of creation and linking, autorun indicator, attributes, names of packers, information about the signature, executable file indicator, format ID, entropy), file name, file path on the computer, digital signature of the file and information about the signature, URL on which the detection occurred, number of the script on the page that turned out to be suspicious or malicious, information about completed http requests and responses to them.
Information about running applications and their modules: data on processes running in the system (process ID (PID), process name, details of the account under which the process was started and the application and command that started the process, as well as an indicator of whether the application or process is trusted, the full path to process files and the command line, level of integrity of the process, description of the product to which the process belongs (the product name and publisher details), as well as information about currently used digital certificates and information required to verify them or indication of the absence of a digital signature of the file), as well as information about modules loaded into processes (name, size, type, creation date, attributes, checksums (MD5, SHA2-256, SHA1), and path), PE file header information, and the name of the packer (if the file was packed).
Information about the set of all installed updates and about the set of the most recently installed updates and/or remote updates, type of event that caused update information to be sent, amount of time that elapsed after installation of the last update, and information about the anti-virus databases that were loaded when the information was transmitted.
Information about an unsuccessful last restart of the operating system: the number of unsuccessful restarts since the OS was installed, system dump data (error code and parameters, name, version and checksum (CRC32) of the module that caused the error in OS operation, error address as an offset in the module, and checksums (MD5, SHA2-256, SHA1) of the system dump).
Information about the Rightholder's software: full version, type, localization and operating status of the utilized software, versions of installed software components and their operating status, data on installed software updates, the TARGET filter value, and the version of the protocol utilized to connect to the Rightholder's services.
Information about scanned objects: the assigned trust group to which or from which the file was moved, the reason for moving the file to the given category, the category ID, information about the source of categories and the category database versions, indicator of whether the file has a trusted certificate, name of the file developer, file version, and the name and version of the application to which the file belongs.
Information about scanned files and URLs: checksums of the scanned file (MD5, SHA2-256, SHA1) and file patterns (MD5), size of the pattern, type of detected threat and its name according to the Rightholder's classification, ID of anti-virus databases, URL whose reputation was queried, as well as the URL of the page from which the user was directed to the scanned URL, the ID of the connection protocol, and the utilized port number.
Information about the process that launched the attack on the software's self-defense: name and size of the process file, its checksums (MD5, SHA2-256, SHA1), full path to the file and the path template code, dates and time of creation and linking of the process file, executable file indicator, attributes of the process file, information about the certificate with which the process file was signed, code of the account used to start the process, ID of the operations that were performed for access to the process, type of resource with which the operation is performed (process, file, registry object, window search using the FindWindow function), name of the resource with which the operation is performed, indicator of operation success, the status of the process file and its signature in KSN.
Information about the operation of protection components: full versions of components, code of the event that overflowed the event queue, and the number of such events, the total number of event queue overflows, information about the process file that initiated the event (name of the file and path to it on the computer, path template code, checksums (MD5, SHA2-256, SHA1) of the process associated with the file, file version), ID of the completed event capture, full version of the capture filter, ID of the captured event type, size of the event queue and the number of events between the first event in queue and the current event, the number of overdue events in queue, information about the process that initiated the current event (name of the process file and path to it on the computer, path template code, checksums (MD5, SHA2-256, SHA1) of the process), event processing time, maximum permissible event processing time, and the data transmission probability value.
Information about software operation on the computer: data on CPU usage, data on memory usage (Private Bytes, Non-Paged Pool, Paged Pool), number of active threads in the software process and pending threads, and the duration of software operation prior to the error.
Information about the results of categorizing requested web resources containing the scanned URL and IP address of the host, version of the software component that performed the categorization, categorization method, and the set of categories determined for the web resource.
Information about network attacks: IP addresses of the attacking computer (IPv4 and IPv6), computer port number targeted by the network attack, ID of the protocol of the IP packet in which the attack was registered, target of the attack (company name, website), attack response flag, weighted level of the attack, and the trust level value.
Information about network connections: version and checksums (MD5, SHA2-256, SHA1) of the file of a process that opened the port, path to the process file and its digital signature, local and remote IP addresses, numbers of the local and remote connection ports, connection status, and port opening time.
Information about events in system logs: event time, name of the log in which the event was detected, event type and category, and the name of the event source and its description.
Information about the computer's anti-virus protection status: versions, dates and time of release of the anti-virus databases being used, statistical data on updates and connections with the Rightholder's services, and the ID of the task and ID of the software component that performed the scan.
Information about third-party applications that caused an error: their name, version and localization, error code and information about it from the system log of applications, address of error occurrence and memory stack of the third-party application, indicator of the error in the software component, amount of time the third-party application operated prior to the error, checksums (MD5, SHA2-256, SHA1) of the application process image in which the error occurred, path to this application process image and the path template code, information from the OS system log with a description of the error associated with the application, information about the application module in which the error occurred (error ID, error address as an offset in the module, name and version of the module, ID of the application crash in the Rightholder's plug-in and memory stack of the crash, and the amount of time the application operated prior to the malfunction).
Information about software crashes: date and time of dump creation, its type, name of the process associated with the dump, version and time when statistics were sent with the dump, type of event that caused the software crash (unexpected power outage, crash of a third-party Rightholder's application, intercept processing errors), and the date and time of the unexpected power outage.
Information about attacks related to spoofing network resources, and DNS and IP addresses (IPv4 or IPv6) of visited websites.
Information about utilized digital certificates required for verifying their authenticity: checksums (SHA256) of the certificate with which the scanned object was signed, and the public certificate key.
Information about detected vulnerabilities: the vulnerability ID in the vulnerabilities database, the vulnerability danger class, and the status of detection.
Information about the hardware installed on the computer: the type, name, model, and version of the firmware, specifications of embedded and connected devices, and the unique ID of the computer on which the software is installed.
Information about software installed on the computer: name of the software and its developers, utilized registry keys and their values, information about files of the installed software (checksums (MD5, SHA2-256, SHA1), name, path to the file on the computer, size, version and digital signature), information about kernel objects, drivers, services, Microsoft Internet Explorer extensions, printing system extensions, Windows Explorer extensions, Active Setup elements, control panel applets, entries of the hosts file and system registry, and the versions of browsers and mail clients.
Information about all potentially malicious objects and activities: name of the detected object and full path to the object on the computer, checksums of processed files (MD5, SHA2-256, SHA1), detection date and time, names and sizes of infected files and paths to them, path template code, indicator of whether the object is a container, names of the packer (if the file was packed), file type code, file format ID, list of actions performed by malware and the decision made by the software and user in response to them, ID of the anti-virus databases that were used to make the decision, the name of the detected threat according to the Rightholder's classification, the level of danger, the detection status and detection method, reason for inclusion into the analyzed context and sequence number of the file in the context, checksums (MD5, SHA2-256, SHA1), the name and attributes of the executable file of the application through which the infected message or link was transmitted, depersonalized IP addresses (IPv4 and IPv6) of the host of the blocked object, file entropy, file autorun indicator, time when the file was first detected in the system, the number of times the file has been run since the last statistics were sent, information about the name, checksums (MD5, SHA2-256, SHA1) and size of the mail client through which the malicious object was received, ID of the software task that performed the scan, indicator of whether the file reputation or signature was checked, file processing result, checksum (MD5) of the pattern collected for the object, the size of the pattern in bytes, and the technical specifications of the applied detection technologies.
Executable files and non-executable files, wholly or partially.
Number of software dumps and system dumps (BSOD) since the software was installed and since the last update, ID and version of the software module in which the malfunction occurred, the memory stack in the software process, and information about the anti-virus databases when the malfunction occurred.
Description of WMI repository classes and class instances.
Reports on activities of applications.
Network traffic data packages.
Sectors participating in the OS loading process.
Service information about software operation: version of the compiler, indicator of malicious activity of the scanned object, version of the set of transmitted statistics, information about the availability and validity of statistical data, ID of the condition for generating the transmitted statistics, and indicator of whether the software is operating in interactive mode.