Kaspersky Anti Targeted Attack Platform (EDR)
All data that the application stores locally on the computer is deleted from the computer when Kaspersky Endpoint Security is uninstalled.
Service data
The built-in agent of Kaspersky Endpoint Security stores the following data locally:
- Processed files and data entered by the user during configuration of the built-in agent of Kaspersky Endpoint Security:
  - Quarantined files
- Settings of the built-in agent of Kaspersky Endpoint Security:
  - Public key of the certificate used for integration with Central Node
  - License data
- Data required for integration with Central Node:
  - Telemetry event packet queue
  - Cache of IOC file identifiers received from Central Node
  - Objects to be passed to the server within the Get file task
  - Reports on the results of the Get forensic task
Data in requests to KATA (EDR)
When integrating with Kaspersky Anti Targeted Attack Platform, the following data is stored locally on the computer:
Data from requests of the built-in agent of Kaspersky Endpoint Security to the Central Node component:
- In synchronization requests:
  - Unique ID
  - Basic part of the server web address
  - Computer name
  - Computer IP address
  - Computer MAC address
  - Local time on the computer
  - Self-defense status of Kaspersky Endpoint Security
  - Name and version of the operating system that is installed on the computer
  - Version of Kaspersky Endpoint Security
  - Versions of the application settings and task settings
  - Task statuses: identifiers of tasks, execution statuses, error codes
- In requests for obtaining files from the server:
  - Unique identifiers of files
  - Unique Kaspersky Endpoint Security identifier
  - Unique identifiers of certificates
  - Basic part of the web address of the server with the Central Node component installed
  - Host IP address
- In the reports on task execution results:
  - Host IP address
  - Information about the objects detected during an IOC scan or YARA scan
  - Flags of the additional actions performed upon completion of tasks
  - Task execution errors and return codes
  - Task completion statuses
  - Task completion time
  - Versions of the settings used for execution of the tasks
  - Information about the objects submitted to the server, quarantined objects, and objects restored from quarantine: paths to objects, MD5 and SHA256 hashes, identifiers of quarantined objects
  - Information about the processes started or stopped on a computer at the server's request: PID and UniquePID, error code, MD5 and SHA256 hashes of the objects
  - Information about the services started or stopped on a computer at the server's request: service name, startup type, error code, MD5 and SHA256 hashes of file images of the services
  - Information about the objects for which a memory dump was made for a YARA scan (paths, dump file identifier)
- Files requested by the server
- Telemetry packets
- Data on running processes:
  - Executable file name, including full path and extension
  - Process autorun parameters
  - Process ID
  - Login session ID
  - Login session name
  - Date and time when the process was started
  - MD5 and SHA256 hashes of the object
- Data on files:
  - File path
  - File name
  - File size
  - File attributes
  - Date and time when the file was created
  - Date and time when the file was last modified
  - File description
  - Company name
  - MD5 and SHA256 hashes of the object
  - Registry key (for autorun points)
- Data in errors that occur when information about objects is retrieved:
  - Full name of the object that was processed when the error occurred
  - Error code
- Telemetry data:
  - Host IP address
  - Data type in the registry prior to the committed update operation
  - Data in the registry key prior to the committed change operation
  - The text of the processed script or a part of it
  - Type of the processed object
  - Way of passing a command to the command interpreter
Data from requests of the Central Node component to the built-in agent of Kaspersky Endpoint Security:
- Task settings:
  - Task type
  - Task schedule settings
  - Names and passwords of the accounts under which the tasks can be run
  - Versions of settings
  - Identifiers of quarantined objects
  - Paths to the objects
  - MD5 and SHA256 hashes of the objects
  - Command line to start the process with the arguments
  - Flags of the additional actions performed upon completion of tasks
  - IOC file identifiers to be retrieved from the server
  - IOC files
  - Service name
  - Service startup type
  - Folders for which the results of the Get forensic task must be received
  - Masks of the object names and extensions for the Get forensic task
- Network isolation settings:
  - Types of settings
  - Versions of settings
  - Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files
  - Flags of the additional actions
  - Time of automatic isolation disabling
- Execution prevention settings:
  - Types of settings
  - Versions of settings
  - Lists of execution prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects
  - Flags of the additional actions
- Event filtering settings:
  - Module names
  - Full paths to objects
  - MD5 and SHA256 hashes of the objects
  - Identifiers of the entries in the Windows event log
  - Digital certificate settings
  - Traffic direction, IP addresses, ports, protocols, full paths to executable files
  - User names
  - User logon types
  - Types of telemetry events for which filters are applied
Data in YARA scan results
The built-in agent of Kaspersky Endpoint Security automatically transfers YARA scan results to Kaspersky Anti Targeted Attack Platform to build a threat development chain.
The data is temporarily stored locally in the queue for sending task execution results to the Kaspersky Anti Targeted Attack Platform server. The data is deleted from the temporary storage once it has been sent.
YARA scan results contain the following data:
- MD5 and SHA256 hashes of the file
- Full name of the file
- File path
- File size
- Process name
- Process arguments
- Path to the process file
- Windows identifier (PID) of the process
- Windows identifier (PID) of the parent process
- User account that started the process
- Date and time when the process was started