Event data are stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in a plain and non-encrypted form. The data are stored until Kaspersky Endpoint Agent is uninstalled.
These data can be sent to Kaspersky Security Center automatically and are not sent to Kaspersky Sandbox.
By default, only users with System and Administrator permissions have read access to the files. Kaspersky Endpoint Agent does not manage access rights to this folder and the files within. The access is managed by the system administrator.
Event data can contain information about:
User sessions in the operating system.
User accounts in the operating system.
Execution errors of object scan tasks.
Object scan tasks.
Detections.
IOC files generated as part of automatic Threat Response.
Object scan results.
Kaspersky Sandbox server certificates.
The object scan queue.
Modifications of Kaspersky Endpoint Agent.
Modifications of KSC policies.
Changes of scan task status.
KSC policies.
Quarantined objects.
Automatic Threat Response actions.
Errors while interacting with an application server in the cluster.