The Endpoint Sensors component can write debugging data of the component and of its drivers to trace files, according to the preset parameters. By default, the Endpoint Sensors component records no debugging data. Trace files are never automatically sent outside the host on which they were generated. The contents of trace files can be viewed with standard tools for viewing text files. Trace files are completely deleted when the Endpoint Sensors component is removed.
Trace files are saved in open, unencrypted form in the following folders:
Trace files of the service portion and drivers of the Endpoint Sensors component are saved in the folder C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\system.
Users with the permissions of the System and Administrator accounts of the operating system can delete the files, modify their contents, and modify access rights to them.
Trace files of the Shell and graphical interface of the Endpoint Sensors component are saved in the folder C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\user.
Users with the permissions of the User, System and Administrator accounts of the operating system can delete the files and modify their contents. Users with the permissions of the System and Administrator accounts of the operating system can also modify access rights to the files.
The Endpoint Sensors component does not manage access rights to these folders and to their files. By default, only users with System and Administrator permissions have read-access to files.
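Because the component does not manage access rights to these folders, and because the trace files are stored unencrypted and can contain command lines, registry values, URLs and proxy credentials, an administrator will want to verify that nothing other than the System account and the Administrators group can read them. The following PowerShell audit is an added example, not Kaspersky tooling: it walks the two documented folders, resolves each allow ACE to a SID, and reports any other principal that holds a read right (including generic read and generic all bits). The folder paths are the ones stated above; the "Endpoint Sensor 3.6" version folder is taken from this page and may differ on another installation.

```powershell
# Added example (not part of the Kaspersky product): audit who can read the
# Endpoint Sensors trace folders. Paths are the documented defaults.
$traceFolders = @(
    'C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\system',
    'C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\user'
)

# Well-known SIDs: S-1-5-18 = NT AUTHORITY\SYSTEM, S-1-5-32-544 = BUILTIN\Administrators
$allowedSids = @('S-1-5-18', 'S-1-5-32-544')

function Test-ReadRight {
    # Returns $true if the raw access mask grants read access to file contents.
    param([int]$Mask)
    $readData    = 0x1          # FILE_READ_DATA / FileSystemRights.ReadData
    $genericRead = 0x80000000   # GENERIC_READ (unmapped generic right)
    $genericAll  = 0x10000000   # GENERIC_ALL
    return ((($Mask -band $readData) -ne 0) -or
            (($Mask -band $genericRead) -ne 0) -or
            (($Mask -band $genericAll) -ne 0))
}

function Get-UnexpectedReaders {
    # Emits one object per allow ACE on $Path held by a principal other than
    # SYSTEM or Administrators that carries a read right.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve to a SID so a renamed group does not slip past the allow list
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolvable (orphaned) SID
        }
        if ($allowedSids -contains $sid) { continue }
        if (Test-ReadRight -Mask ([int]$ace.FileSystemRights)) {
            [pscustomobject]@{
                Folder    = $Path
                Identity  = $ace.IdentityReference.Value
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs usually come from C:\ProgramData
            }
        }
    }
}

$findings = foreach ($folder in $traceFolders) { Get-UnexpectedReaders -Path $folder }
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'Only SYSTEM and Administrators hold read access to the trace folders.'
}
```

Run it from an elevated prompt, since reading the DACL of the system folder requires Administrator rights. An entry with Inherited set to True means the right arrives from the parent folder rather than from anything the component wrote, which is the usual way a broader group ends up with read access here; the fix in that case is to break inheritance on the logs folder (for example with icacls /inheritance:r) and re-grant only the two expected principals.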
Data in trace files may contain the following information:
Event time.
Number of the thread of execution.
Program component that caused an alert.
Event importance.
Data on executable modules.
Data on open ports.
Data on network connections.
Data on the operating system that is installed on the computer with the Endpoint Sensors component.
Data on operating system user accounts.
Data on user sessions in the operating system.
Data on Windows event log.
Data on alerts of Kaspersky Endpoint Security for Windows.
Data on organizational units (OU) of Active Directory®.
Unique ID of the computer with the Endpoint Sensors component.
Fully qualified domain name of the computer.
Serial number of the logical drive.
HTTP protocol headers.
Full paths to files on computers with the Endpoint Sensors component.
Names of files on computers with the Endpoint Sensors component.
Full names of folders on computers with the Endpoint Sensors component.
Home folder of the local user.
Name of the user account that started the process.
Path to the script that is run when the user logs in to the system.
Name of the user account under which the event occurred.
URLs and IP addresses of visited websites, and links from these websites.
When using a proxy server: Proxy server IP address, computer name, port, proxy server user name.
External IP addresses with which a connection was established from the local computer.
Process start commands.
Command-line parameters.
Kaspersky Security Center Network Agent ID.
Path to keys in the Windows registry.
Names of Windows registry variables.
Values of Windows registry variables.
Windows registry hives.
Names of detected objects.
Name of the local DNS cache entry.
IP address from the local DNS cache entry in IPv4 format.
IP address or name of the requested host from the local DNS cache.
Host of the local DNS cache element.
Domain name of the local DNS cache element.
IP address of the ARP cache element in IPv4 format.
Physical address of the ARP cache element.
Name of the user account that started the operating system service.
Settings with which the operating system service was started.
Original name of the file (OriginalFileName) for the RT_VERSION resource.