About data provision

In the course of its operation, the application uses data that requires the consent of the KSMG administrator to be transmitted and processed.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

In the End User License Agreement.
In accordance with the terms and conditions of the End User License Agreement that you have accepted, you consent to automatic real-time provision of information required for improving the security level of the mail server to Kaspersky. This information is enumerated in the End User License Agreement under "Conditions regarding Data Processing":
- Type, version, and localization of the application
- Versions of installed updates
- Activation code and unique activation ID of the current license activation code
- Computer ID and application installation ID
- Type, version, and number of bits of the operating system
- Name of the virtual environment
- IDs of application components that were active at the time of data submission
You can read the End User License Agreement when installing KSMG or in the /opt/kaspersky/ksmg-appliance-addon/share/htdocs/<language code>/assets/eula directory in Technical Support Mode.
In the Privacy Policy.
In the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement.
In the course of participation in the Kaspersky Security Network and submission of KSN statistics to Kaspersky, information can be transmitted that was obtained as a result of the application operation. The list of data that is transmitted is provided in the Kaspersky Security Network Statement and the Supplementary Kaspersky Security Network Statement. You can read these Statements in the web interface in the Settings → External services → KSN/KPSN → KSN/KPSN settings section.

Memory contents and access of user accounts to personal data of users

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted over encrypted data links.

KSMG RAM may contain any application user data that is being processed. The KSMG administrator must take steps to ensure the security of such data.

By default, the following user accounts have access to personal data of users:

Operating system user accounts:
- A user with root privileges.
- kluser.
- Users that start application processes:
  - Postfix (hereinafter referred to as the Postfix user)
  - Nginx (hereinafter referred to as the Nginx user)
  - OpenDKIM (hereinafter referred to as the OpenDKIM user)
- User accounts in one of the following groups:
  - klusers
  - kl_web_users
  - kl_var_users
User accounts of privileged KSMG users.

Restricting user account permissions

The application does not provide any functionality to restrict the rights of user accounts of the operating system on which the application is installed. Access to the storage location of the data is restricted by the file system. The administrator is advised to control the access to personal data of other users using any system functionality except for editing application settings over SSH.

A privileged user of the application that has permission to create and edit user accounts and roles, can grant access to the web interface. Access to personal data is provided in accordance with access rights configured for the role of the account.

The 'Administrator' user can grant SSH access to the administrator account of the operating system (root). Access to personal data over SSH is restricted by SSH settings; it is disabled by default.

Transferring data between cluster nodes, connecting to AD, delivering mail, managing the application

Data is sent between cluster nodes through an encrypted connection (over HTTPS with authorization using a security certificate). Data is sent to the web interface through an encrypted connection over HTTPS. Privileged users with a local user account are authorized with a password; other users of the web interface are authorized over Kerberos or NTLM protocol.

Connection to Active Directory is established through an encrypted channel (SASL) with Kerberos authorization.

Email delivery supports SMTPS encryption.

Managing the application using the management console of the server on which the application is installed using the superuser account lets you manage dump settings. A dump is generated whenever the application crashes and can be useful for analyzing the causes of the crash. The dump may include any data, including fragments of analyzed files. By default, dump generation in KSMG is disabled.

Access to such data can be gained from the command line of the server on which the application is installed, using a user account with superuser privileges.

When sending diagnostic information to Kaspersky Technical Support, the KSMG administrator must take steps to ensure the security of dumps and trace files. The KSMG administrator is responsible for managing access to this information.

Scanning files with the kavscanner and klms_eml_scanner utilities

KSMG 2.1.1 includes the following utilities:

The 'kavscanner' utility allows the Anti-Virus module to scan file system objects to which the 'kluser' user has access.
The utility can only be managed on the command line of the server. The utility must be run as root or kluser. After completion, the utility outputs the scan result for each file to stdout. Modifying or deleting files based on the results of the scan by the utility may damage the application and the operating system or make them inoperable.

The utility is located in the /opt/kaspersky/ksmg/bin directory.
The 'klms_eml_scanner' utility allows scanning messages in EML format by the Anti-Phishing, Anti-Virus, Anti-Spam, and Link Scanning modules (if a current license for the corresponding scan technology is available). You can scan only those messages that are available to the 'kluser' user.
The utility can only be managed on the command line of the server. The utility must be run as root or kluser. After completion, the utility outputs the message scan result to stdout. Modifying the message based on the scan results may damage the message.

The utility is located in the /opt/kaspersky/ksmg/libexec directory.

Getting diagnostic information using the collect_diag_info.py utility

KSMG 2.1.1 includes the collect_diag_info.py utility, which you can use to get diagnostic information about the state of KSMG if the application web interface is not available. The utility is located in the /opt/kaspersky/ksmg/bin directory. The utility must be run as root.

The utility creates an archive with diagnostic information. The archive is located at the path that the administrator specifies when running the utility. The archive created by the utility gets the following permissions:

For root: only reading and writing is allowed.
For other users: reading, writing, and execution are prohibited.

The archive with diagnostic information may contain the following data:

Information from email messages:
- IP addresses of message senders.
- Email addresses of message senders and recipients.
- Message subject.
- Message body and size.
- Message control headers.
- Names, size, and bodies of email attachments.
Data on application updates:
- IP addresses used for downloading updates.
- IP addresses of update sources.
- Information about downloaded files and download speed.
Information about user accounts:
- Names of administrator accounts and application web interface user accounts.
- Names of user accounts in LDAP and other LDAP attributes.

After providing the diagnostic information to Kaspersky Technical Support staff, the administrator must take steps to delete the archive that the utility created.

Scope of data that can be stored by the application

The following table contains the complete list of user data that can be stored in KSMG.

User data that can be stored in KSMG

Data type	Where data is used	Storage location	Storage duration	Access

Basic functionality of the application
Account names of application administrator and users. Access permissions of user accounts of the application. User account name and password that the application uses to connect to the proxy server. Keytab files and settings for connecting to the LDAP server. Keytab files for connecting via SSO Kerberos and settings for connecting to the NTLM server. Comments. Activation code or activation key (used to activate the cluster nodes being added; the code or key is sent to the activation server). Public certificates of the web servers of the cluster nodes.	Application configuration	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have rights to view application settings and rights to view user accounts.
Private certificates for establishing TLS connections	Application configuration	/var/opt/kaspersky/ksmg/certs/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed.
A hash of the password of a local privileged user account. MTA filter settings. KATA integration settings.	Application configuration	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is being transmitted between nodes.
Names of user accounts and contacts in LDAP and other LDAP attributes. Email addresses of message senders and recipients. IP addresses of message senders.	Configuration of the application (exported file with application settings)	/var/opt/kaspersky/ ksmg/export_settings/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has read access. Users of the application web interface that have permissions to manage settings.
Names of user accounts and contacts in LDAP and other LDAP attributes. Email addresses of message senders and recipients. IP addresses of message senders. Comments.	Message processing rules and custom lists.	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view message processing rules.
Names of user accounts and contacts in LDAP and other LDAP attributes. Email addresses of message senders and recipients.	Configuring the Backup digest and notifications	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to manage settings.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients.	Application statistics	/var/opt/kaspersky/ksmg	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view reports and the Monitoring section. If the SNMP protocol is enabled in the KSMG settings, the snmpd service and the user that starts the snmpd service have access to the application performance statistics.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Names and size of email attachments. Message subject. Names of user accounts and contacts in LDAP and other LDAP attributes.	Message processing event log	/var/opt/kaspersky/ksmg	In accordance with settings specified by the user of the application. By default, the storage duration is 3 days and the maximum size of the log is 1 GB. When this limit is reached, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
		/var/log/ ksmg-messages	Indefinite. When the size reaches 23 GB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View mail traffic events permission.
		/var/log/ ksmg-important	Indefinite. When the size reaches 500 MB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/log/ ksmg-cef-messages	Indefinite. When the size reaches 5 GB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
The name of the user account that initiated the event. IP address and port of the node on which the event occurred. Event parameters.	Application event log	/var/opt/ kaspersky/ksmg	In accordance with settings specified by the user of the application. By default, the storage duration is 1100 days, or the maximum size of the log is 1 GB. When this limit is reached, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View application events permission.
		/var/log/ ksmg-messages	Indefinite. When the size reaches 23 GB, older records are deleted.	The root user has access to the storage location of the information. The 'kluser' user has access to the data. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/log/ ksmg-important	Indefinite. When the size reaches 500 MB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments. Data on application updates: IP addresses used for downloading updates. IP addresses of update sources. Information about downloaded files and download speed. Information about user accounts: Names of administrator accounts and application web interface user accounts. Names of user accounts in LDAP and other LDAP attributes.	Trace files	/var/log/ kaspersky/ksmg	Indefinite. When the size reaches 150 MB per trace stream, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data when receiving diagnostic information. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
		/var/log/ksmg-traces	Indefinite. When the size reaches 23 GB per trace stream, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/log/kaspersky/extra	Indefinite. When the size reaches 400 MB per trace file, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments.	Backup	/var/opt/kaspersky/ksmg	Until the message storage duration in Backup expires. The storage duration is configured in the web interface. When the size reaches 7 GB, older records are deleted. The administrator can change this value.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. The Postfix user has access to messages while they are being delivered from Backup. Users of the application web interface that have permissions to view Backup. The OpenDKIM user has access to messages while they are being delivered from Backup.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments.	Anti-Spam Quarantine	/var/opt/ kaspersky/ksmg	Until the message is released from quarantine. When a message is released from quarantine, some data is used for routing the message. When the 1 GB or 5000 message limit is reached (the values can be configured by the administrator), new messages are not placed in Anti-Spam Quarantine.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view the message queue.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body and size. Message control headers. Names, size, and bodies of email attachments. URLs contained in the message. LDAP user DN records of users looked up by message recipient email addresses.	KATA Quarantine	/var/opt/ kaspersky/ksmg	Until the message is released from quarantine. When a message is released from quarantine, some data is used for routing the message. When the 1 GB or 5000 message limit is reached (the values can be configured by the administrator), new messages are not placed in the KATA quarantine.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view the message queue.
Connecting over the web interface: IP address of the user. Name of the user account.	Authorization event log	/var/log/secure	Not longer than 5 weeks. A weekly file rotation is maintained.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body. Message control headers. Names and bodies of email attachments.	Temporary files	/tmp /tmp/ksmgtmp /tmp/ksmg_filter	Until application restart.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Postfix user has access to processed messages while they are being delivered. The OpenDKIM user has access to processed messages while they are being delivered.
IP address of the computer from which the event was initiated. Login and roles of the user. Type of the user account. IP address and port of the node on which the event occurred. Settings of mail traffic processing rules (including email addresses or IP addresses of senders and recipients of messages, LDAP:DN of senders or recipients of messages). Protection settings of the application. App ID of the message, SMTP Message-ID. IP address and port of the node in whose Backup the event involving the message occurred.	Audit Log	/var/log/ksmg-messages	Indefinite. When the size reaches 23 GB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/log/ksmg-important	Indefinite. When the size reaches 500 MB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/log/ksmg-cef-messages	Indefinite. When the size reaches 5 GB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information and can also have access to data when receiving diagnostic information and logging events. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permission to receive diagnostic information.
		/var/opt/kaspersky/ksmg/ postgresql/	Configured by the administrator in the web interface.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have the View audit events permission.
Integration with Active Directory
User Object attributes: distinguishedName sAMAccountName msDS-PrincipalName userPrincipalName canonicalName displayName cn primaryGroupID proxyAddresses mail memberOf msExchDelegateListLink Active Directory custom attribute Contacts Object attributes: distinguishedName displayName cn proxyAddresses mail memberOf Group Object attributes: distinguishedName canonicalName objectSid proxyAddresses mail memberOf	Message processing rules. Authentication using the single sign-on technology. Autocompletion of user accounts when managing user roles and permissions, or when configuring message and custom list processing rules.	/var/opt/kaspersky/ ksmg/ldap/cache.dbm /var/opt/kaspersky/ ksmg/ldap/storage	Indefinite. The data is regularly updated. When integration with Active Directory is disabled, the data is deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view sections of the application that include an account autocompletion field.
Integration with Kaspersky Anti Targeted Attack Platform (KATA)
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body. Message control headers. Names and bodies of email attachments. URLs contained in the message.	Forwarding of objects to be scanned on the KATA server	Data is not saved.	Data is not saved.	No access.
Integration with a SIEM system
Certificate for establishing TLS connections. IP address or hostname of the SIEM system server.	Sending log records	/var/opt/kaspersky/ksmg/ postgresql/ /etc/rsyslog.d/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. User of the application web interface that has permissions to manage application settings.
Interaction between the web interface and the server side
Certificates for establishing TLS connections. Certificate private key files.	Secure communication with the server side.	/var/opt/kaspersky/ksmg/ postgresql/ /var/opt/kaspersky/ksmg/ certs/	Indefinite.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. User of the application web interface that has permissions to manage application settings, has access to data, except for private keys.
Built-in mail server functionality
Certificates for establishing TLS connections. Certificate private key files. Access to files is possible only over SSH after uploading an SSH public key using the program web interface. Private keys for DKIM signatures. Email addresses of users. IP addresses of message senders.	Built-in mail server settings	/etc/postfix/ /var/opt/kaspersky/	Indefinite. Data is deleted when the corresponding settings are removed in the application web interface. Certificate files can be overwritten when a certificate is replaced.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. The Postfix and OpenDKIM users have access to the storage location of the information and the data when it is being processed. Users of the application web interface that have permissions to view settings of the built-in mail server have access to data except private keys.
Information from email messages: Email addresses of message senders and recipients. Message subject. Message body. Message control headers.	Message queues of the built-in mail server	/var/spool/postfix	Indefinite. Messages are deleted when they are delivered to recipients.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while managing message queues of the built-in mail server. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. The Postfix user has access to the data when the data is being processed. Users of the application web interface that have permissions to view message queues.
Information from email messages: IP addresses of message senders. Email addresses of message senders and recipients. Message subject. Message body. Message control headers.	Event log of the mail server	/var/log/maillog	Indefinite. When the size reaches 23 GB, older records are deleted.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. The Postfix and OpenDKIM users have access to the storage location of the information and the data when it is being processed.
SSH functionality
Connecting over SSH: IP address of the user. Name of the user account. SSH key fingerprint.	Authorization event log	/var/log/secure	Not longer than 5 weeks. A weekly file rotation is maintained.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data while it is being processed. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to receive diagnostic information.
Public SSH keys of application administrators.	Built-in SSH server settings	/etc/ssh/ authorized_keys	Indefinite. Data is deleted when the corresponding settings are removed in the application web interface.	The root user has access to the storage location of the information. The kluser user has access to the storage location of the information as well as the data when managing the built-in SSH server settings. The Nginx user has access to the data while it is transmitted between nodes or to the web interface. Users of the application web interface that have permissions to view the settings of the built-in SSH server.

Scope of data transmitted to the Kaspersky Security Network service

Data is sent to KSN servers in an encrypted form. By default, data can be accessed by Kaspersky staff, the root user account, and the 'kluser' user account used by application components.

For a full enumeration of user data transmitted to the KSN service, see the following table.

The enumerated data is transmitted only if consent has been given to participate in Kaspersky Security Network.

Data transmitted to the Kaspersky Security Network service

Data type	Where data is used	Storage location	Storage duration
Checksums (MD5, SHA2-256) of the object being scanned URL address for which reputation is being queried Connection protocol ID and port number Anti-Virus database ID and entry ID of the Anti-Virus databases that were used to scan the object Information about the certificate of the signed file (certificate fingerprint and SHA256 checksum of the public key of the certificate) ID and full version of the installed software ID of the KSN service accessed by the software Date and time when the object was submitted for scanning ID of software component ID of the scenario in which the object was submitted for scanning	Sending KSN requests	/var/opt/kaspersky/ksmg/	Indefinite. The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time.
Information about the operating system installed on the computer (type, version, bitness). Information about the installed application and computer (unique ID of the computer where the application is installed; unique ID of the application installation on the computer; name, localization, ID and full version of the installed application; date and time of software installation). Information about scanned objects (application database ID and application database entry ID; name of the detected threat in accordance with the Kaspersky classification system; checksum (MD5, SHA256); size, name, and type of the scanned object; full path to the scanned object; date and time when the object was scanned; IP address of the user; results of file and URL scanning; metadata of scanned objects; scanned URL; Referrer header; checksum of the scanned URL; checksum and size of the packer and container of the scanned object; date and time of the last database update installation; flag indicating whether the detection is from debugging). Information about scanned email messages (message ID; time when the message was received; target of the attack (name of the organization, website); weight level of the attack; value of the trust level; IP address of the sender from the SMTP session; information from message headers; IP addresses of intermediate mail transfer agents; data from the SMTP session; employed detection methods; fragment of the DKIM signature of the message; information about Mail Sender Authentication results; information about connections to the DNS server; information from the message for spam detection; size of the message in bytes; size of the attachment in bytes; checksum and type of attachment; size of the subject in bytes; name of the message encoding; information about whether the message has been in Anti-Spam Quarantine; information about HTML markup of the message; checksum and size of MIME parts; list of names of rules that caused the message to end up in Anti-Spam quarantine). Information about the operation of the Updater component (version of the Updater component; completion status of the Updater component update task; type and ID of Updater component update error if there is an error; exit code of the Update component update task; the number of times the Updater component has crashed while executing update tasks over the operation period of this component). Information about errors occurring during the operation of application components (information about application components that encountered an error; error type ID; fragments of component operation reports). Information about the version of the statistics packet, date and time when statistics gathering began, date and time when statistics gathering ended. Information about the application usage license (license ID, ID of the partner from which the license was acquired, serial number of the license key, date and time when the license key was added, indicator that the KSN Statement was accepted).	Sending KSN statistics	KSN servers	Before sending statistics to KSN. After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs.

Data type

Where data is used

Storage location

Storage duration

Checksums (MD5, SHA2-256) of the object being scanned
URL address for which reputation is being queried
Connection protocol ID and port number
Anti-Virus database ID and entry ID of the Anti-Virus databases that were used to scan the object
Information about the certificate of the signed file (certificate fingerprint and SHA256 checksum of the public key of the certificate)
ID and full version of the installed software
ID of the KSN service accessed by the software
Date and time when the object was submitted for scanning
ID of software component
ID of the scenario in which the object was submitted for scanning

Sending KSN requests

/var/opt/kaspersky/ksmg/

Indefinite.

The maximum number of stored entries is 360,000. When this limit is reached, those entries are deleted that have not been accessed for the longest time.

Information about the operating system installed on the computer (type, version, bitness).
Information about the installed application and computer (unique ID of the computer where the application is installed; unique ID of the application installation on the computer; name, localization, ID and full version of the installed application; date and time of software installation).
Information about scanned objects (application database ID and application database entry ID; name of the detected threat in accordance with the Kaspersky classification system; checksum (MD5, SHA256); size, name, and type of the scanned object; full path to the scanned object; date and time when the object was scanned; IP address of the user; results of file and URL scanning; metadata of scanned objects; scanned URL; Referrer header; checksum of the scanned URL; checksum and size of the packer and container of the scanned object; date and time of the last database update installation; flag indicating whether the detection is from debugging).
Information about scanned email messages (message ID; time when the message was received; target of the attack (name of the organization, website); weight level of the attack; value of the trust level; IP address of the sender from the SMTP session; information from message headers; IP addresses of intermediate mail transfer agents; data from the SMTP session; employed detection methods; fragment of the DKIM signature of the message; information about Mail Sender Authentication results; information about connections to the DNS server; information from the message for spam detection; size of the message in bytes; size of the attachment in bytes; checksum and type of attachment; size of the subject in bytes; name of the message encoding; information about whether the message has been in Anti-Spam Quarantine; information about HTML markup of the message; checksum and size of MIME parts; list of names of rules that caused the message to end up in Anti-Spam quarantine).
Information about the operation of the Updater component (version of the Updater component; completion status of the Updater component update task; type and ID of Updater component update error if there is an error; exit code of the Update component update task; the number of times the Updater component has crashed while executing update tasks over the operation period of this component).
Information about errors occurring during the operation of application components (information about application components that encountered an error; error type ID; fragments of component operation reports).
Information about the version of the statistics packet, date and time when statistics gathering began, date and time when statistics gathering ended.
Information about the application usage license (license ID, ID of the partner from which the license was acquired, serial number of the license key, date and time when the license key was added, indicator that the KSN Statement was accepted).

Sending KSN statistics

KSN servers

Before sending statistics to KSN.

After disabling the sending of KSN statistics in application settings, the data is deleted when the next attempt to send them occurs.

Updating application databases from Kaspersky servers

When the application databases are updated from Kaspersky servers, the following information is transmitted:

Application version and type
Unique ID of the current license key
Unique application installation ID
Update session ID