When executing a query for providing process dumps, the Endpoint Sensors component locally stores the contents of process dumps in open, non-encrypted form in the following folders:

- Dump files of the service portion and drivers of the Endpoint Sensors component are saved in the folder C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\system.
  Users with the permissions of the System and Administrator accounts of the operating system can delete the files, modify their contents, and modify access rights to them.

- Dump files and Shell files of the Endpoint Sensors component are saved in the folder C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\user.
  Users with the permissions of the User, System and Administrator accounts of the operating system can delete the files and modify their contents. Users with the permissions of the System and Administrator accounts of the operating system can also modify access rights to the files.

Data is stored until a query execution report is sent to the Central Node component. The Endpoint Sensors component does not manage access rights to this folder and its files; the system administrator determines the access permissions. By default, only users with System and Administrator permissions have read access to the files.
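Because the component leaves the folder permissions to the administrator, it is worth auditing who can actually read, change or delete the dump contents. The following PowerShell script is an added example and not part of the Kaspersky documentation: it lists the Allow entries on both dump folders named above and flags any principal other than SYSTEM and Administrators (the documented default readers). The folder paths are the ones given above; the list of expected principals and the set of rights treated as sensitive are assumptions.

```powershell
# Added example (not from the Kaspersky documentation): audit the ACLs of the
# Endpoint Sensors dump folders and flag unexpected principals with access to dump data.
$DumpFolders = @(
    'C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\system',
    'C:\ProgramData\Kaspersky Lab\Endpoint Sensor 3.6\logs\user'
)

# Assumption: only these principals are expected to hold rights on the dump folders
# (matches the documented default, where only System and Administrators can read the files).
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

# Rights that allow reading dump contents or tampering with the files / their ACL.
$SensitiveRights = [System.Security.AccessControl.FileSystemRights](
    'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership, FullControl')

foreach ($folder in $DumpFolders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Output "[info] $folder not found (no dumps collected yet, or component not installed)"
        continue
    }

    $acl = Get-Acl -LiteralPath $folder
    Write-Output ("== {0} (owner: {1}, inheritance blocked: {2})" -f `
        $folder, $acl.Owner, $acl.AreAccessRulesProtected)

    foreach ($ace in $acl.Access) {
        # Only Allow entries grant access; Deny entries never widen it.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # Bitwise test: does this entry grant any of the sensitive rights?
        $granted = $ace.FileSystemRights -band $SensitiveRights
        if ($granted -eq 0) { continue }

        $principal = $ace.IdentityReference.Value
        $flag = if ($ExpectedPrincipals -contains $principal) { 'ok  ' } else { 'WARN' }
        Write-Output ("[{0}] {1,-40} {2} (inherited: {3})" -f `
            $flag, $principal, $ace.FileSystemRights, $ace.IsInherited)
    }
}
```

Run it in an elevated PowerShell session on a host with the Endpoint Sensors component; a WARN line for the logs\user folder is expected under the documented default (ordinary users can modify and delete files there), so treat the output as input to your own permission review rather than as a pass/fail verdict.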
Dump files of the Endpoint Sensors component are generated by the operating system during program failures, are stored in the folder specified by the operating system settings, and are overwritten upon each failure. Dump files may include any personal data of the user or confidential data of your organization.
Do not use the Endpoint Sensors component on those computers from which data transfer is forbidden by your corporate policy.
Data in dump files may contain the following information:

- Event time.
- Number of the thread of execution.
- Program component that caused the alert.
- Event importance.
- Data on executable modules.
- Data on open ports.
- Data on network connections.
- Data on the operating system installed on the computer with the Endpoint Sensors component.
- Data on operating system user accounts.
- Data on user sessions in the operating system.
- Data on the Windows event log.
- Data on alerts of Kaspersky Endpoint Security for Windows.
- Data on organizational units (OU) of Active Directory.
- Unique ID of the computer with the Endpoint Sensors component.
- Fully qualified domain name of the computer.
- Serial number of the logical drive.
- HTTP protocol headers.
- Full paths to files on the computer with the Endpoint Sensors component.
- Names of files on the computer with the Endpoint Sensors component.
- Full names of folders on the computer with the Endpoint Sensors component.
- Home folder of the local user.
- Name of the user account that started the process.
- Path to the script that is run when the user logs in to the system.
- Name of the user account under which the event occurred.
- URLs and IP addresses of visited websites, and links from these websites.
- When a proxy server is used: proxy server IP address, computer name, port, and proxy server user name.
- External IP addresses with which a connection was established from the local computer.
- Process start commands.
- Command-line parameters.
- Kaspersky Security Center Network Agent ID.
- Paths to keys in the Windows registry.
- Names of Windows registry variables.
- Values of Windows registry variables.
- Windows registry hives.
- Names of detected objects.
- Name of the local DNS cache entry.
- Address of the local DNS cache entry in IPv4 format.
- IP address or name of the requested host from the local DNS cache.
- Host of the local DNS cache element.
- Domain name of the local DNS cache element.
- Address of the ARP cache element in IPv4 format.
- Physical address of the ARP cache element.
- Name of the user account that started the operating system service.
- Settings with which the operating system service was started.
- Original name of the file (OriginalFileName) from the RT_VERSION resource.