In order for some components of Kaspersky Managed Detection and Response to work, it's necessary for Kaspersky to process the user's data. Components do not send data without the permission of the Kaspersky Managed Detection and Response administrator.
Kaspersky protects any information received in accordance with law and applicable Kaspersky rules. Data is transmitted over a secure channel.
List of information provided during Kaspersky Endpoint Security for Windows monitoring
In order to identify new and challenging data security threats and their sources, as well as threats of intrusion, and to take prompt measures to increase the protection of the data stored and processed on the Customer's computer, the Customer agrees to automatically provide the following information in order to receive the Service:
Date of software installation and activation, the full name and version of the software, including information on installed updates and language localization of the software.
Information about the software installed on the computer, including the operating system version and installed updates, kernel objects, drivers, services, Autostart entries, programs that are automatically launched on various system events (for example, operating system startup or user login) and their configurations, browser extensions, Microsoft Internet Explorer extensions, print system extensions, Windows Explorer extensions, operating system shell extensions, checksums (MD5) of loaded objects, Active Setup elements, control panel applications, and browser and mail client versions.
Information about the computer's name, IP addresses, default gateways, MAC addresses and hardware, including a checksum of the HDD's serial number.
Data about software tools used to fix problems in the software installed on the Customer's computer, or to change its functionality, and the return codes received after the installation of each piece of software.
Information about the state of the computer's anti-virus protection, including the versions and release dates and times of the anti-virus databases being used, statistics about updates and connections with Kaspersky services, job identifier, and the identifier of the software component performing scanning.
License ID and serial number of Kaspersky products, names and versions of such products. Identifiers of installations of Kaspersky products.
Information about user accounts: account name, user name, operating system ID, logon information, privileges, group memberships.
Full content of operating system logs.
Information about Kaspersky Endpoint Security detections.
Information about received emails, including sender and recipient email addresses, subject, and attachment information: attachment file name, size, hash (MD5), and file format analysis results.
Network connections information, including source and destination IP addresses and ports.
HTTP connections information, including visited URL, referrer, and User-Agent.
Information about files processed in the operating system: name and path, size, file system attributes, results of file format analysis, checksum (MD5), URL from which the file was downloaded, email address of the sender from whom the file was received and the email subject, contents of the VERSIONINFO structure from the file's metadata, and information about the publisher if the file is signed.
Information about a process: PID, call trace of the process, information about the executable file of the process, its command line and command line arguments, information about the parent process, and information about the logon session.
List of information provided during Kaspersky network monitoring
In order to identify new and challenging data security events and their sources, as well as threats of intrusion, and to take prompt measures to increase the protection of the data stored and processed on the Customer's computer, the Customer agrees to automatically provide the following information in order to receive the Service:
Information about the identifier, version, type, and timestamp of the record in the anti-virus database used to detect an information security event, the name of the threat based on the Right Holder's classification, timestamp of the anti-virus databases being used, file type code, file format identifier, the task identifier of the software that detected the event, flag of the reputation verification or file signature verification.
Information to determine the reputation of files and web resources, including IP address and the domain name of the URL address at which the reputation is being requested, the name of the file that was executed at the time the event was detected, the file path and checksums (MD5) of the file and its path.
Information about emulation of the executable file, including file size and its checksums (MD5, SHA2-256, SHA1), the version of the emulation component, emulation depth, an array of properties of logical blocks and functions within logical blocks obtained during the emulation, data from the executable file's PE headers.
Information about all detected objects, including the name and size of the object, the full path to the object on the computer, checksums (MD5, SHA2-256) of the files being processed, the name of the event associated with the object, detection date and time, flag of the presence of the file's digital signature, the name of the organization that signed the file, the trust status and threat level of the file, the identifier and priority of the rule used for detection, and the type of detection technology.
The type of source from which the object was downloaded, the source's IP address (or checksum (MD5) of the IP address, when it is local), the source's URL address, as well as the referrer URL address, the name, domain name and checksum (MD5) of the name of the host that sent the download request, and the service information about the web browser that sent the download request.
Checksums (MD5) of the local and domain parts of the sender's and the receiver's email addresses, as well as checksum (MD5) of the email's subject.
Local and remote IP addresses of the network connection (or checksum (MD5) of the IP address, when it is local), the numbers of the local and remote ports and the connection's protocol identifier.
URL address and name of the target host, and the host's IP addresses.
The identifier of the operating system installed on the virtual machine that the software uses to analyze objects.
Additional information about events, including the frequency index of the file in the Customer's local network, the date of the file's intrusion into the local network and onto the Customer's computer, the identifiers of the accounts the process was started from, checksums of their user names, the names of their domains or workgroups, and information about the privileges of the user accounts.
Information about the network activity of the process, including the domain names of the network resources that were used to establish a connection, and IP addresses of the domains, the frequency of the connection to the selected network resource, the size and type of the transferred data.
Information about the usage of the domain of the network resource, including the frequency index of the requests to the domain from the local network, the time stamp of the first request to the domain from the local network, the duration of the requests from different users and checksums of their names, the names of the computers that initiated the requests to the domain, additional information about detection reasons.
Service information about the statistics processing component, including the date and time of the beginning and end of the period used to analyze the statistics data, the volume of free and used disk space, the time of the last event processing, the operating time of different detection algorithms, messages about the component's errors, and messages about the successful start of different detection algorithms.
Data provision while using Kaspersky Endpoint Agent