About data provision

In the course of operation, the application uses data that requires the permission of the Kaspersky Web Traffic Security administrator to transmit or process.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is transmitted through encrypted data channels.

RAM of Kaspersky Web Traffic Security may contain any processed data of application users. The Kaspersky Web Traffic Security administrator must independently ensure the security of such data.

By default, only the root superuser account of operating systems, the Kaspersky Web Traffic Security Local Administrator account, and the kluser system account used to run application components have access to personal data of users. The application does not provide the tools to restrict the privileges of administrators and other users of operating systems in which the application is installed. The administrator is advised to use any system resources at their own discretion to control access to the personal data of other users.

The following table contains the complete list of user data that can be stored by Kaspersky Web Traffic Security.

User data that can be stored in Kaspersky Web Traffic Security

Data type

Where data is used

Storage location

Storage duration

Main functionality of the application

  • Names of administrator accounts and application user accounts.
  • Application accounts access permissions.
  • Hash of the local administrator password.
  • IP addresses of users.
  • User account name and password for connecting the application to the proxy server.
  • Keytab files used for connecting to the LDAP server.
  • Names of user accounts in LDAP and other LDAP attributes.

Application configuration

/var/opt/kaspersky

Indefinite.

  • Names of user accounts in LDAP and other LDAP attributes.
  • IP addresses of users.
  • Comments.

Traffic processing rules

/var/opt/kaspersky

Indefinite.

Information from requests to access web resources:

  • IP addresses of users.
  • User account names and domains of users.
  • URLs of requested web resources.

Application operation statistics

/var/opt/kaspersky

Indefinite.

Information from requests to access web resources:

  • User Agent and IP addresses of users.
  • User account names and domains of users.
  • URLs of requested web resources.
  • Names of downloaded files.

Information about the LDAP attributes of users:

  • Names of user accounts in LDAP and other LDAP attributes.

Traffic processing event log

  • /var/opt/kaspersky
  • Syslog event log (configured by the administrator)

According to the settings defined by the user of the application.

By default, the storage term is 3 days or the maximum size of the log is 1 GB.

When this limit is reached, the older records are deleted.

  • Name of the user account that initiated the event.
  • IP addresses used for downloading updates.
  • IP addresses of update sources.
  • Information about downloaded files and the download speed.

System events log

  • /var/opt/kaspersky
  • Syslog event log (configured by the administrator)

According to the settings defined by the user of the application.

100 thousand records are stored by default.

When this limit is reached, the older records are deleted.

Information from requests to access web resources:

  • IP addresses of users.
  • User account names and domains of users.
  • URLs of requested web resources.
  • Names of downloaded files.

Data on application updates:

  • IP addresses used for downloading updates.
  • IP addresses of update sources.
  • Information about downloaded files and the download speed.

Information about user accounts:

  • Names of user accounts that signed in to the application through the web interface.
  • Names of user accounts in LDAP and other LDAP attributes.

Trace files

/var/log/kaspersky

Indefinite.

When 150 GB is reached for each trace stream, the oldest records are deleted.

/var/log/kaspersky/extra

Indefinite.

When 400 GB is reached for each trace stream, the oldest records are deleted.

Information from requests to access web resources:

  • IP addresses of users.
  • User account names and domains of users.
  • URLs of requested web resources.
  • Bodies of HTTP messages containing cookies, and downloaded files.

Temporary files

/tmp/kwtstmp

Until the application is restarted.

Integration with Kaspersky Anti Targeted Attack Platform (KATA)

Users' files

Sending files to the KATA server

/tmp/kwtstmp

Until the application is restarted.

The maximum allowed size of the queue is 5 thousand files. When this limit is reached, files are no longer placed in queue.

Information from KATA alerts:

  • MD5- or SHA256 hash of the file.
  • URLs.

Receiving objects detected by KATA

/var/opt/kaspersky/kwts/detects.cache

According to the Cache storage period (hours) setting defined by the application user.

The default value is 48 hours.

Active Directory® integration

  • User DN record.
  • User CN record.
  • sAMAccountName.
  • UPN suffix.
  • objectSID.
  • Traffic processing rules.
  • Single Sign-On authentication.
  • Autocompletion of user accounts when managing the roles and privileges of users, and when configuring traffic processing rules.

/var/opt/kaspersky/kwts/ldap/cache.dbm

Indefinite.

Data is regularly updated.

When integration of the application with Active Directory is disabled, data is deleted.

Use of Kaspersky Security Network (KSN)

  • MD5- or SHA256 hash of the scanned file.
  • IDs of the type and format of the scanned file.
  • Name of the detected threat according to the Kaspersky classification.
  • IDs of anti-virus databases and records in anti-virus databases that were used to scan the file.
  • Anti-virus database release date and time.
  • URL from which the scanned file was downloaded.
  • Name of the process file that downloaded the scanned object, message, or link.
  • Normalized URLs of requested web resources containing the protocol type and port number.
  • Certificate fingerprint and SHA256 hash of the public certificate key for signed files.

Transmission of KSN requests

/var/opt/kaspersky

Indefinite.

The maximum number of stored records is 360 thousand. When this limit is reached, the records that have not been requested for the longest time are deleted.

  • User IP address.

Information about the application and the computer:

  • Unique ID of the computer on which the application is installed.
  • Unique application installation ID
  • Full version of the installed application.
  • ID of the application type.
  • Type, version, edition, bit rate, and operating mode settings of the operating system.
  • Information about the installed update packages.

Information about scans of URLs by the Anti-Virus and Anti-Phishing modules.

  • URL of the web resource in which a threat was detected.
  • URL of the original page or the page from which the user was redirected to the specific URL.
  • Application database release date and time.
  • Name of the organization and the web resource that was attacked.
  • Scan result (trust level, weight, and status of the decision).
  • Event time.

Information about scanned files:

  • Name, size, MD5- or SHA256 hash of the scanned file.
  • IDs of the file type and format.
  • Name of the detected threat according to the Kaspersky classification.
  • IDs of anti-virus databases and records in anti-virus databases that were used to scan the file.
  • Anti-virus database release date and time.
  • URL from which the scanned file was downloaded.
  • Name of the process file that downloaded the scanned object, message, or link.

Information about errors in application operation:

  • ID of the application component that experienced an error.
  • ID of the error type.
  • Excerpts from component operation reports.

Information about updates of application components and databases:

  • Version of the component whose databases are updated.
  • Database update error code, if an error occurs.
  • Application status after database update.
  • Number of unsuccessful attempts to update the databases.
  • Number of crashes of the component that is updated.

Information on the Updater component:

  • Version of the Updater component.
  • Result of the update for the Updater component.
  • Type and ID of the error when updating the Updater component, if an error occurs.
  • Update task completion code for the Updater component.
  • Number of crashes of the Updater component during update tasks.
  • Number of unsuccessful attempts to update the Updater component.

KSN statistics

/var/opt/kaspersky

Until the statistics are sent to KSN.

After the transmission of KSN statistics is disabled in the application settings, data is deleted during the next transmission attempt.

Functionality available only when the application ISO image is deployed

Decryption of TLS/SSL connections:

  • SSL Bumping certificates.
  • Common name and Organization fields from a Certificate Signing Request (CSR).
  • SHA1- or SHA256 fingerprints of trusted certificates.
  • Files of private certificate keys.

Kerberos authentication settings:

  • Keytab files.
  • Tokens (hash strings) of users.
  • Domain identifiers (SID) of users.
  • Names of user accounts.

NTLM authentication settings:

  • Active Directory server address.
  • Active Directory server certificate.

Built-in proxy server settings.

/etc/squid/

/var/opt/kaspersky/

Indefinite.

Data is deleted when the corresponding settings are deleted in the web interface of the application.

Certificate files may be overwritten when the certificate is replaced.

Information from requests to access web resources:

  • URLs of requested web resources.
  • IP addresses and DNS names of web servers.
  • IP addresses of trusted load balancers.
  • IP address of the ICAP server.
  • IP addresses of users.
  • HTTP headers of processed HTTP messages.

Proxy server event log

/var/log/squid/icap.log

/var/log/squid/ssl.log

/var/log/squid/squid.out

/var/log/squid/access.log

/var/log/squid/cache.log

Indefinite.

When 3 GB is reached for each trace stream, the oldest records are deleted.

Kerberos authentication settings:

  • Keytab files.
  • Tokens (hash strings) of users.
  • Domain identifiers (SID) of users.
  • Names of user accounts.

Proxy server event log

/var/log/squid/cache.log

Indefinite.

When 10 GB is reached for each trace stream, the oldest records are deleted.

NTLM authentication settings:

  • Domain identifiers (SID) of users.
  • Names of user accounts.
  • Bodies of NTLM messages in Base64 encoding.
  • Encoded LDAP messages.

Proxy server event log

/var/log/squid/cache.log

Indefinite.

When 10 GB is reached for each trace stream, the oldest records are deleted.

Connection over the SSH protocol:

  • User IP address.
  • User account name.
  • SSH key fingerprint.

Connection through the web interface:

  • User IP address.
  • User account name.

Authorization event log

/var/log/secure

No more than 5 weeks.

Files are rotated once a week.

Information from requests to access web resources:

  • User Agent and IP addresses of users.
  • User account names and domains of users.
  • URLs of requested web resources.
  • Names of downloaded files.

Information about the LDAP attributes of users:

  • Names of user accounts in LDAP and other LDAP attributes.

Information about system events:

  • Name of the user account that initiated the event.
  • IP addresses used for downloading updates.
  • IP addresses of update sources.
  • Information about downloaded files and the download speed.

System events and traffic processing events log

/var/log/kwts-messages

No more than 5 weeks.

Files are rotated once a week.

You can manage the dump settings if you use the superuser account to manage the application from the management console of the server on which the application is installed. A dump is generated during application crashes and may be needed to analyze the causes of the crash. The dump may include any data, including fragments of analyzed files.

By default, dump generation in Kaspersky Web Traffic Security is disabled.

This data can be accessed under the superuser account from the management console of the server on which the application is installed.

When sending diagnostic information to Kaspersky Technical Support, the Kaspersky Web Traffic Security administrator must independently ensure the security of dump files and trace files.

The administrator of Kaspersky Web Traffic Security is responsible for access to this information.

Page top