Kaspersky Endpoint Detection and Response

All data that the application stores locally on the computer, is deleted from the computer when Kaspersky Endpoint Security is uninstalled.

Data received as a result of IOC Scan task execution (standard task)

Kaspersky Endpoint Security automatically submits data on the IOC Scan task execution results to Kaspersky Security Center.

The data in the IOC Scan task execution results may contain the following information:

• IP address from the ARP table
• Physical address from the ARP table
• DNS record type and name
• IP address of the protected computer
• Physical address (MAC-address) of the protected computer
• Identifier in the event log entry
• Data source name in the log
• Log name
• Event time
• MD5 and SHA256 hashes of the file
• Full name of the file (including path)
• File size
• Remote IP address and port to which connection was established during scan
• Local adapter IP address
• Port open on the local adapter
• Protocol as a number (in accordance with the IANA standard)
• Process name
• Process arguments
• Path to the process file
• Windows identifier (PID) of the process
• Windows identifier (PID) of the parent process
• User account that started the process
• Date and time when the process was started
• Service name
• Service description
• Path and name of the DLL service (for svchost)
• Path and name of the service executable file
• Windows identifier (PID) of the service
• Service type (for example, a kernel driver or adapter)
• Service status
• Service launch mode
• User account name
• Volume name
• Volume letter
• Volume type
• Windows registry value
• Registry hive value
• Registry key path (without hive and value name)
• Registry setting
• System (environment)
• Name and version of the operating system that is installed on the computer
• Network name of the protected computer
• Domain or group the protected computer belongs to
• Browser name
• Browser version
• Time when the web resource was last accessed
• URL from the HTTP request
• Name of the account used for the HTTP request
• File name of the process that made the HTTP request
• Full path to the file of the process that made the HTTP request
• Windows identifier (PID) of the process that made the HTTP request
• HTTP referer (HTTP request source URL)
• URI of the resource requested over HTTP
• Information about the HTTP user agent (the application that made the HTTP request)
• HTTP request execution time
• Unique identifier of the process that made the HTTP request

Data for creating a threat development chain

Data for creating a threat development chain is stored for seven days by default. The data is automatically sent to Kaspersky Security Center.

Data for creating a threat development chain may contain the following information:

• Incident date and time
• Detection name
• Scan mode
• Status of the last action related to the detection
• Reason why the detection processing failed
• Detected object type
• Detected object name
• Threat status after the object is processed
• Reason why execution of actions on the object failed
• Actions performed to roll back malicious actions
• Information about the processed object:
  • Unique identifier of the process
  • Unique identifier of the parent process
  • Unique identifier of the process file
  • Windows process identifier (PID)
  • Process command line
  • User account that started the process
  • Code of the logon session in which the process is running
  • Type of the session in which the process is running
  • Integrity level of the process being processed
  • Membership of the user account that started the process in the privileged local and domain groups
  • Identifier of the processed object
  • Full name of the processed object
  • Identifier of the protected device
  • Full name of the object (local file name or downloaded file web address)
  • MD5 or SHA256 hash of the processed object
  • Type of the processed object
  • Creation date of the processed object
  • Date when the processed object was last modified
  • Size of the processed object
  • Attributes of the processed object
  • Organization that signed the processed object
  • Result of the processed object digital certificate verification
  • Security identifier (SID) of the processed object
  • Time zone identifier of the processed object
  • Web address of the processed object download (only for files on disk)
  • Name of the application that downloaded the file
  • MD5 and SHA256 hashes of the application that downloaded the file
  • Name of the application that last modified the file
  • MD5 and SHA256 hashes of the application that last modified the file
  • Number of processed object starts
  • Date and time when the processed object was first started
  • Unique identifiers of the file
  • Full name of the file (local file name or downloaded file web address)
  • Path to the processed Windows registry variable
  • Name of the processed Windows registry variable
  • Value of the processed Windows registry variable
  • Type of the processed Windows registry variable
  • Indicator of the processed registry key membership in the autorun point
  • Web address of the processed web request
  • Link source of the processed web request
  • User agent of the processed web request
  • Type of the processed web request (GET or POST).
  • Local IP port of the processed web request
  • Remote IP port of the processed web request
  • Connection direction (inbound or outbound) of the processed web request
  • Identifier of the process into which the malicious code was embedded