All data that the application stores locally on the computer is deleted from the computer when Kaspersky Endpoint Security is uninstalled.
Service data
The built-in agent of Kaspersky Endpoint Security stores the following data locally:
Processed files and data entered by the user during configuration of the built-in agent of Kaspersky Endpoint Security:
Quarantined files
Settings of the built-in agent of Kaspersky Endpoint Security:
Public key of the certificate used for integration with Central Node
License data
Data required for integration with Central Node:
Telemetry event packet queue
Cache of IOC file identifiers received from Central Node
Objects to be passed to the server within the Get file task
Reports on the results of the Get forensic task
Data in requests to KATA (EDR)
When integrating with Kaspersky Anti Targeted Attack Platform, the following data is stored locally on the computer:
Data from requests of the built-in agent of Kaspersky Endpoint Security to the Central Node component:
In synchronization requests:
Unique ID
Basic part of the server web address
Computer name
Computer IP address
Computer MAC address
Local time on the computer
Self-defense status of Kaspersky Endpoint Security
Name and version of the operating system that is installed on the computer
Version of Kaspersky Endpoint Security
Versions of the application settings and task settings
Task statuses: identifiers of tasks, execution statuses, error codes
In requests for obtaining files from the server:
Unique identifiers of files
Unique Kaspersky Endpoint Security identifier
Unique identifiers of certificates
Basic part of the web address of the server with the Central Node component installed
Host IP address
In the reports on task execution results:
Host IP address
Information about the objects detected during an IOC scan or YARA scan
Flags of the additional actions performed upon completion of tasks
Task execution errors and return codes
Task completion statuses
Task completion time
Versions of the settings used for execution of the tasks
Information about the objects submitted to the server, quarantined objects, and objects restored from quarantine: paths to objects, MD5 and SHA256 hashes, identifiers of quarantined objects
Information about the processes started or stopped on a computer at the server's request: PID and UniquePID, error code, MD5 and SHA256 hashes of the objects
Information about the services started or stopped on a computer at the server's request: service name, startup type, error code, MD5 and SHA256 hashes of file images of the services
Information about the objects for which a memory dump was made for a YARA scan (paths, dump file identifier)
Files requested by the server
Telemetry packets
Data on running processes:
Executable file name, including full path and extension
Process autorun parameters
Process ID
Login session ID
Login session name
Date and time when the process was started
MD5 and SHA256 hashes of the object
Data on files:
File path
File name
File size
File attributes
Date and time when the file was created
Date and time when the file was last modified
File description
Company name
MD5 and SHA256 hashes of the object
Registry key (for autorun points)
Data in errors that occur when information about objects is retrieved:
Full name of the object that was processed when an error occurred
Error code
Telemetry data:
Host IP address
Data type in the registry prior to the committed update operation
Data in the registry key prior to the committed change operation
The text of the processed script or a part of it
Type of the processed object
Way of passing a command to the command interpreter
Data from requests of the Central Node component to the built-in agent of Kaspersky Endpoint Security:
Task settings:
Task type
Task schedule settings
Names and passwords of the accounts under which the tasks can be run
Versions of settings
Identifiers of quarantined objects
Paths to the objects
MD5 and SHA256 hashes of the objects
Command line to start the process with the arguments
Flags of the additional actions performed upon completion of tasks
IOC file identifiers to be retrieved from the server
IOC files
Service name
Service startup type
Folders for which the results of the Get forensic task must be received
Masks of the object names and extensions for the Get forensic task
Network isolation settings:
Types of settings
Versions of settings
Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files
Flags of the additional actions
Time of automatic isolation disabling
Execution prevention settings:
Types of settings
Versions of settings
Lists of execution prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects
Flags of the additional actions
Event filtering settings:
Module names
Full paths to objects
MD5 and SHA256 hashes of the objects
Identifiers of the entries in the Windows event log
Digital certificate settings
Traffic direction, IP addresses, ports, protocols, full paths to executable files
User names
User login types
Types of telemetry events for which filters are applied
Data in YARA scan results
The built-in agent of Kaspersky Endpoint Security automatically transfers YARA scan results to Kaspersky Anti Targeted Attack Platform to build a threat development chain.
The data is temporarily stored locally in the queue for sending task execution results to the Kaspersky Anti Targeted Attack Platform server. The data is deleted from the temporary storage once it has been sent.