Kaspersky Endpoint Security 11 for Windows

Contents and storage of trace files

April 25, 2024

ID 124710

You are personally responsible for the security of the data that is stored on your computer, particularly for monitoring and restricting access to the data until it is submitted to Kaspersky.

Trace files are stored on the computer as long as the application is in use, and are deleted permanently when the application is removed.

Trace files, except trace files of Authentication Agent, are stored in the folder %ProgramData%\Kaspersky Lab\KES\Traces.

Trace files are named as follows: KES<service version number_dateXX.XX_timeXX.XX_pidXXX.><trace file type>.log.

You can view data saved in trace files.

All trace files contain the following common data:

  • Event time.
  • Number of the thread of execution.

    The Authentication Agent trace file does not contain this information.

  • Application component that caused the event.
  • Degree of event severity (informational event, warning, critical event, error).
  • A description of the event involving command execution by a component of the application and the result of execution of this command.

Kaspersky Endpoint Security saves user passwords to a trace file only in encrypted form.

Contents of SRV.log, GUI.log, and ALL.log trace files

SRV.log, GUI.log, and ALL.log trace files may store the following information in addition to general data:

  • Personal data, including the last name, first name, and middle name, if such data is included in the path to files on the local computer.
  • Data on the hardware installed on the computer (such as BIOS/UEFI firmware data). This data is written to trace files when performing Kaspersky Disk Encryption.
  • The user name and password if they were transmitted openly. This data can be recorded in trace files during Internet traffic scanning.
  • The user name and password if they are contained in HTTP headers.
  • The name of the Microsoft Windows account if the account name is included in a file name.
  • Your email address or a web address containing the name of your account and password if they are contained in the name of the object detected.
  • Websites that you visit and redirects from these websites. This data is written to trace files when the application scans websites.
  • Proxy server address, computer name, port, IP address, and user name used to sign in to the proxy server. This data is written to trace files if the application uses a proxy server.
  • Remote IP addresses to which your computer established connections.
  • Message subject, ID, sender's name, and the address of the sender's web page on a social network. This data is written to trace files if the Web Control component is enabled.
  • Network traffic data. This data is written to trace files if traffic monitoring components are enabled (such as Web Control).
  • Data received from Kaspersky servers (such as the version of anti-virus databases).
  • Statuses of Kaspersky Endpoint Security components and their operating data.
  • Data on user activity in the application.
  • Operating system events.
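
Before trace files are copied off the computer or handed to anyone, it helps to know which of them contain the credential-bearing items listed above. The following is an added example, not Kaspersky code: it counts HTTP authorization headers, URLs with an embedded user name and password, and email addresses in each `.log` file without echoing the matched values. It assumes the files decode as UTF-8 text and treats every line as opaque, because the trace line layout is not described on this page; the sample lines and function names are constructed for illustration.

```python
import os
import re
from collections import Counter
from pathlib import Path

# Trace folder named on this page; the variable only expands on Windows.
TRACE_DIR = os.path.expandvars(r"%ProgramData%\Kaspersky Lab\KES\Traces")

# Standard wire formats only, checked in this order. A matched span is blanked
# so the password part of a URL is not counted again as an email address.
PATTERNS = [
    ("http_auth_header", re.compile(
        r"(?i)\b(?:proxy-)?authorization:\s*(?:basic|digest|bearer|ntlm|negotiate)\s+\S+")),
    ("url_userinfo", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@")),
    ("email_address", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
]

# Constructed sample lines; real trace lines will look different.
SAMPLE = (
    "12:00:01 GET http://intranet.example.test/ Authorization: Basic dXNlcjpwYXNz\n"
    "12:00:02 detected object ftp://alice:hunter2@files.example.test/a.zip\n"
    "12:00:03 CONNECT Proxy-Authorization: Basic YWxpY2U6cHc=\n"
    "12:00:04 message from bob@example.test scanned\n"
    "12:00:05 update task finished\n"
)

def scan_text(text):
    """Count sensitive-looking items per category; matched values are never returned."""
    hits = Counter()
    for line in text.splitlines():
        for name, pattern in PATTERNS:
            line, n = pattern.subn(" ", line)
            if n:
                hits[name] += n
    return hits

def scan_traces(folder):
    """Return {file name: {category: count}} for .log files with at least one hit."""
    report = {}
    for path in sorted(Path(folder).glob("*.log")):
        hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.name] = dict(hits)
    return report

if __name__ == "__main__":
    for name, counts in scan_traces(TRACE_DIR).items():
        print(name, counts)
```
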

Contents of HST.log, BL.log, Dumpwriter.log, WD.log, AVPCon.dll.log trace files

In addition to general data, the HST.log trace file contains information about the execution of a database and application module update task.

In addition to general data, the BL.log trace file contains information about events occurring during operation of the application, as well as data required to troubleshoot application errors. This file is created if the application is started with the avp.exe -bl parameter.

In addition to general data, the Dumpwriter.log trace file contains service information required for troubleshooting errors that occur when the application dump file is written.

In addition to general data, the WD.log trace file contains information about events occurring during operation of the avpsus service, including application module update events.

In addition to general data, the AVPCon.dll.log trace file contains information about events occurring during the operation of the Kaspersky Security Center connectivity module.

Contents of performance trace files

Performance trace files are named as follows: KES<version number_dateXX.XX_timeXX.XX_pidXXX.>PERF.HAND.etl.

In addition to general data, performance trace files contain information about the load on the processor, information about the loading time of the operating system and applications, and information about running processes.

Contents of the AMSI Protection component trace file

In addition to general data, the AMSI.log trace file contains information about the results of scans performed on requests from third-party applications.

Contents of trace files of the Mail Threat Protection component

The trace file mcou.OUTLOOK.EXE.log may contain parts of email messages, including email addresses, in addition to general data.

Contents of trace files of the Scan from Context Menu component

The shellex.dll.log trace file contains information about completion of the scan task and data required to debug the application, in addition to general information.

Contents of trace files of the application web plug-in

Trace files of the application web plug-in are stored on the computer on which Kaspersky Security Center Web Console is deployed, in the folder Program Files\Kaspersky Lab\Kaspersky Security Center Web Console\logs.

Trace files of the application web plug-in are named as follows: logs-kes_windows-<type of trace file>.DESKTOP-<date of file update>.log. Web Console begins writing data after installation and deletes the trace files after Web Console is removed.

Trace files of the application web plug-in contain the following information in addition to general data:

  • KLAdmin user password for unlocking the Kaspersky Endpoint Security interface (Password protection).
  • Temporary password for unlocking the Kaspersky Endpoint Security interface (Password protection).
  • User name and password for the SMTP mail server (Email notifications).
  • User name and password for the Internet proxy server (Proxy server).
  • User name and password for the Change application components task.
  • Account credentials and paths specified in Kaspersky Endpoint Security tasks and policy properties.

Contents of the Authentication Agent trace file

The Authentication Agent trace file is stored in the System Volume Information folder and is named as follows: KLFDE.{EB2A5993-DFC8-41a1-B050-F0824113A33A}.PBELOG.bin.

In addition to general data, the Authentication Agent trace file contains information about the operation of Authentication Agent and the actions performed by the user with Authentication Agent.
