Alerts may contain user data. Information about alerts generated using Targeted Attack Analyzer technology is stored indefinitely on the server with the Central Node component in the directory /data/var/lib/kaspersky/storage/fastsearch/detector/data/. Files whose scan results generated an alert are accumulated on the server hosting the Central Node component and rotated as disk space is filled up.
Kaspersky Anti Targeted Attack Platform itself provides no capability to restrict the rights of users of the servers and operating systems on which the Central Node component is installed. The administrator is advised to use operating system resources at their own discretion to control which users of servers and operating systems with the program installed may access the personal data of other users.
If the alert was generated by Targeted Attack Analyzer, Backup may contain the following information:
Host name.
User name.
Time of alert generation.
Name of the detected object.
Full name and path to the file in which the object was detected.
MD5 and SHA256 hashes of the file.
VHS of the file.
File description.
File creation time.
File modification time.
Company that released the program associated with the file.
File version.
File author.
Command-line parameters.
Domain name, domain owner, date of domain registration, and name of the organization that registered the domain.
Global popularity of the domain.
Date and time of host detection.
Number of queries to the host.
Volume of data downloaded from the LAN computer to this host.
IP address, host name, and port from which data was sent.
Local IP address and port of the network adapter.
Version of the program databases used to generate the alert.
URLs of visited websites.
Alert type and description.
Details of the process file: path to the process file; company that released the program linked to the process; program version; file size and version; MD5 and SHA256 hashes of the file; author of the certificate containing the digital signature for the detected file, and the validity of the signature.
Date and time when the process was detected in the local network.
Number of times the process was detected in the local network.
Number of computers on which a similar process was detected.
Global popularity of the file that started the process.
Global popularity of the path by which the process was loaded.
Names of DLL libraries to which Kaspersky Anti Targeted Attack Platform users are advised to pay attention, and the DLL activity log.
Account type, type of login to the computer; date and time when the account was first detected in the local area network; date and time when the account was first detected on the computer; number of computers on which the account was detected.
Log of HTTP requests and responses for detected processes and domains: for every hour, aggregate data on each process-domain pair (time, remote host, process file path, number of requests, volume of requests, volume of responses); for each hour, a detailed log (individual HTTP requests and responses, IP address and port of the source; IP address, port, and name of the recipient; length of the body and header of the request; length of the body and header of the response; time of the request, URI, remote host name, User Agent, and method); and the header and body of the request and response for a specific request-response pair.
Process activity log for processes involved in the alert: for every hour, the number of starts of each of the processes listed in the Processes section; for each hour, the time of each start and the associated command; for each start, the path to the file, MD5 and SHA256 hashes of the file; path to the parent file, MD5 and SHA256 hashes of the parent file; name, role, and domain of the account; type of login to the computer; command; and the process start and termination time.
Information about the alert.
VIP group affiliation.
Unique ID of the computer on which the alert was generated.