Kaspersky Endpoint Agent

Changes in the system after Kaspersky Endpoint Agent installation

September 13, 2022

ID 199164

The Windows Installer service performs the following changes on the protected device during Kaspersky Endpoint Agent installation:

  • Creates Kaspersky Endpoint Agent folders.
  • Registers Kaspersky Endpoint Agent keys in the system registry.
  • Registers Kaspersky Endpoint Agent services and drivers.

Kaspersky Endpoint Agent folders on the protected device

When Kaspersky Endpoint Agent is installed, the following folders are created on the device:

  • The default Kaspersky Endpoint Agent installation folder that contains Kaspersky Endpoint Agent executable files:
    • In the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\
    • In the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\
  • Folder containing Kaspersky Endpoint Agent (x86) drivers:
    • In the 32-bit version of Microsoft Windows: %ProgramFiles%\Kaspersky Lab\Endpoint Agent\drivers\<OS version>\<driver name>
    • In the 64-bit version of Microsoft Windows: %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\drivers\x64\<OS version>\<driver name>
  • Folders containing IOC files:
    • In the 32-bit version of Microsoft Windows:
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.0
      • %ProgramFiles%\Kaspersky Lab\Endpoint Agent\openioc\1.1
    • In the 64-bit version of Microsoft Windows:
      • %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc
      • %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.0
      • %ProgramFiles(x86)%\Kaspersky Lab\Endpoint Agent\openioc\1.1
  • Folders containing Kaspersky Endpoint Agent system files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Images
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kata
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Kmp
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Cache\Queue\Syslog
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\Hunts
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Data\killchain
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Settings
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Tasks
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\DSKM
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Temp\Tasks
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Bases
  • Folder containing system files for Kaspersky Security Network operation:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Ksn
  • Folder containing quarantined files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Quarantine
  • Folder containing files restored from the quarantine:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Restored
  • Folder containing Kaspersky Security Center policy configuration files:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Policy
  • Folders containing system files for Kaspersky Sandbox operation:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Sandbox\Queue
  • Folder containing files of updatable components:
    • %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0\Update
  • Folder containing shortcut files for the Start menu:
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Kaspersky Endpoint Agent

Kaspersky Endpoint Agent services and drivers

The following Kaspersky Endpoint Agent services are registered and started under the system account (SYSTEM):

  • SOYUZ.exe is the main Kaspersky Endpoint Agent service that manages its tasks and operation processes.
  • VOSTOK.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and the Central Node component.
  • ANGARA.dll (executed in proton.exe) is a service that provides interaction between Kaspersky Endpoint Agent and EPP in scenarios of Kaspersky Sandbox integration.

The following Kaspersky Endpoint Agent drivers are registered on the device:

  • klsnsr.sys is the Event Tracing for Windows (ETW) driver.
  • klncap.sys is the ETW network packet analyzer.

    When installed on a device running Microsoft Windows XP, the klncapxp.sys driver is registered instead of klncap.sys.

System registry keys

As a result of Kaspersky Endpoint Agent installation, the following registry keys are created. Registry keys are listed in the 32-bit application view.

  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdDisplayName]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ProdVersion]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorVersion]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorFlags]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\NagentMinVer]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\SOYUZ\4.0.0.0\ConnectorPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\UninstallString3KPD]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\SOYUZ\4.0.0.0\Installer\ProductCode]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\NoPPL]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\BFESDDL]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Enable(Example)]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\CrashDump\Folder(Example)]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EnableKillChain]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\SvmUpdateMode]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\MsiPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\AgentPath]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Environment\EventsExpirationTimeout]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallID]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallTime]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLCID]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallLocalization]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\InstallPlatformType]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Install\Version]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SOYUZ\4.0\Trace\Configuration(Example)]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\StartMenu]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\UninstallShortcut2]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\RelNotes]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\License]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Ksn]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\Kmp]
  • [HKEY_CURRENT_USER\Software\KasperskyLab\SOYUZ\ProductUrl]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\angara]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klelaml]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncap]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klncapxp]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klsnsr]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vostok]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soyuz]
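
The footprint listed above can be used as a baseline when auditing a protected device. The following PowerShell script is an added example, not Kaspersky code: the function name Get-KeaFootprint is hypothetical, it checks only a sample of the documented folders, and it assumes that the service binaries reside in the installation folder.

```powershell
# Added example: audit a host against the footprint listed on this page.
# Run in an elevated PowerShell 3.0+ session on the protected device.
function Get-KeaFootprint {
    # On 64-bit Windows the page places binaries under %ProgramFiles(x86)%.
    $pf = ${env:ProgramFiles(x86)}
    if (-not $pf) { $pf = $env:ProgramFiles }
    $install = Join-Path $pf 'Kaspersky Lab\Endpoint Agent'
    $data    = Join-Path $env:ALLUSERSPROFILE 'Kaspersky Lab\Endpoint Agent\4.0'

    # 1. A sample of the documented folders.
    foreach ($dir in $install, "$install\openioc", "$data\Settings", "$data\Policy", "$data\Quarantine") {
        [pscustomobject]@{ Check = 'Folder'; Item = $dir
            Ok = (Test-Path -LiteralPath $dir -PathType Container); Detail = '' }
    }

    # 2. Services: documented as registered and started under SYSTEM.
    #    Assumption: each service image path lies inside the installation folder.
    foreach ($name in 'soyuz', 'vostok', 'angara') {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{ Check = 'Service'; Item = $name
            Ok = ($null -ne $svc -and $svc.StartName -eq 'LocalSystem' -and
                  $svc.PathName -like "*$install\*")
            Detail = if ($svc) { "$($svc.State); $($svc.StartName); $($svc.PathName)" } else { 'not registered' } }
    }

    # 3. Drivers: klncapxp replaces klncap on Windows XP, so either satisfies the check.
    $drv = Get-CimInstance Win32_SystemDriver |
        Where-Object { 'klsnsr', 'klncap', 'klncapxp' -contains $_.Name }
    foreach ($want in 'klsnsr', 'klncap*') {
        $hit = $drv | Where-Object { $_.Name -like $want } | Select-Object -First 1
        [pscustomobject]@{ Check = 'Driver'; Item = $want; Ok = [bool]$hit
            Detail = if ($hit) { "$($hit.Name); $($hit.State); $($hit.PathName)" } else { 'not registered' } }
    }

    # 4. Registry: the page lists keys in the 32-bit view, so open that view
    #    explicitly instead of relying on the bitness of the calling process.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', 'Registry32')
    $key  = $hklm.OpenSubKey('SOFTWARE\KasperskyLab\SOYUZ\4.0\Install')
    [pscustomobject]@{ Check = 'Registry'; Item = 'SOYUZ\4.0\Install\Version'
        Ok = ($null -ne $key -and $null -ne $key.GetValue('Version'))
        Detail = if ($key) { [string]$key.GetValue('Version') } else { 'key missing' } }
    $hklm.Dispose()
}

Get-KeaFootprint | Format-Table -AutoSize -Wrap
```

Rows with Ok set to False show where the host deviates from the documented footprint, for example a service registered under a different account or with an image path outside the installation folder.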
