Telemetry exclusions

To improve performance and optimize data transmission to the Telemetry server, you can configure telemetry exclusions. For example, you can choose not to send network communications data for individual applications.

How to create a telemetry exclusion in the Administration Console (MMC)

How to create a telemetry exclusion in the Web Console and Cloud Console

Telemetry exclusion parameters

Parameter

Description

Excluded processes

Optimize the telemetry size to send. Kaspersky Endpoint Security allows optimizing the amount of transmitted data and excluding events with certain codes from telemetry: code 102 (basic communications) and 8 (network activity of the process) for the Microsoft SMB protocol, the WinRM service, and the klnagent.exe process of the Network Agent, as well as extended information about the types of network packets for all types of network protocols.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Use for the following event types

  • File modification.
  • Network events.
  • Process: console interactive input.
  • Module loaded.
  • Registry modified.
  • DNS logs.
  • Process access.
  • Code injection.
  • WMI query.
  • Pipe.
  • LDAP.
  • AMSI.

Excluded network communications

Rule name.

Direction.

Protocol.

Raw socket.

Protocol number.

TLS certificate.

Local port or range.

Remote port or range.

Local address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic.

Remote address. The network address of the computer for which Kaspersky Endpoint Security is excluding telemetry from network traffic.

Only the IPv4 format is supported for IP addresses.

Applications. List of executable files of applications for which Kaspersky Endpoint Security is excluding EDR telemetry from network traffic.

Excluded file operations

Rule name.

File name or mask. Name or mask of a file or folder; Kaspersky Endpoint Security applies the exclusion rule when this file or folder is accessed. Kaspersky Endpoint Security supports the * and ? characters when entering a mask.

Operation type.

Previous path.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded DNS operations

Rule name.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

DNS.

  • DNS server IP address.
  • Query options.
  • Status.
  • Domain name.
  • Settings type ID.
  • Response data.

Excluded LDAP operations

Rule name.

LDAP search scope.

Filter.

Search for a distinguished name for LDAP operations search.

Object attributes.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded process access queries

Rule name.

Operation type.

Requested access to the process.

Call stack trace.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details, Parent process details, Target process, File of a source process and File of a target process.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded code injections

Rule name.

Access method.

Call stack.

Modified command line.

Injection address.

Injected DLL name.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded WMI queries

Rule name.

WMI operation type.

Remote query.

Name of a computer that executed a WMI command.

WMI user account.

Executed WMI command.

WMI namespace.

WMI event consumer filter.

Name of the created WMI event consumer.

Source code of a WMI event consumer.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded pipe operations

Rule name.

Pipe name.

Operation type.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Excluded registry changes

Rule name.

Operation type.

Path.

Value name.

Value.

Full name of a registry file.

Kaspersky Endpoint Security combines rule triggering criteria with a logical AND.

Process details and Parent process details.

  • Full path. Full path to the file including its name and extension. Kaspersky Endpoint Security supports environment variables and the * and ? characters when entering a mask.
  • Command line text. Command used to run the file.
  • Specify rule triggering criteria and the event types to use this rule for. Value of the FileDescription parameter from a RT_VERSION (VersionInfo) resource.
  • Original file name. Value of the OriginalFilename parameter from a RT_VERSION (VersionInfo) resource.
  • Version. Value of the FileVersion parameter from a RT_VERSION (VersionInfo) resource.
  • File checksums. MD5 and SHA256.

You can also select a file manually, and the application will automatically fill out the fields from the selected file.

In 64-bit operating systems, you must manually enter the parameters of the 64-bit version of the executable file of a process from the C:\windows\system32 folder because the application populates the executable file parameter fields with data from the properties of the 32-bit version of the same executable file in the C:\windows\syswow64 folder. For example, if you select C:\windows\system32\cmd.exe, the plug-in displays the parameters of C:\windows\syswow64\cmd.exe. Such behavior is dictated by peculiarities of the operating system.

Page top