Kaspersky Security Network Statement

A. INTRODUCTION

Please read this document thoroughly. It provides important information that you should be acquainted with before continuing to use our services or software. We reserve the right to modify this Statement at any time by making changes to this page.

AO Kaspersky Lab (further Kaspersky Lab) has created this Statement in order to inform about and disclose its data gathering and dissemination practices for Kaspersky Anti-Virus, Kaspersky Internet Security, Kaspersky Small Office Security, Kaspersky Total Security and Kaspersky Free.

Kaspersky Lab has a strong commitment to providing superior service to all of our customers and particularly respecting your concerns about Data Processing.

This Statement contains numerous general and technical details describing the steps we take to respect your Data Processing concerns. Meeting your needs and expectations forms the foundation of everything we do – including protecting your Data.

The Kaspersky Security Network service allows users of Kaspersky Lab security products from around the world to help facilitate identification and reduce the time it takes to provide protection against new ("in the wild") security risks targeting your computer, which helps to identify new threats and their sources and improve a user’s security level. Such information contains no personally identifiable information about the user and is utilized by Kaspersky Lab for no other purpose than to enhance its security products and to further advance solutions against malicious threats and viruses.

By participating in Kaspersky Security Network, you and the other users of Kaspersky Lab security products from around the world contribute significantly to a safer Internet environment.

Legal Issues (if applicable)

Kaspersky Security Network may be subject to the laws of several jurisdictions because its services may be used in different jurisdictions, including the United States of America. Kaspersky Lab shall disclose information without your permission when required by law, or in good-faith belief that such action is necessary to investigate or protect against harmful activities to Kaspersky Lab guests, visitors, associates, property or to others. As mentioned above, laws related to data and information processed by Kaspersky Security Network may vary by country.

Kaspersky Security Network shall duly inform the users concerned when initially processing the above-mentioned information of any sharing of such information and shall allow these Internet users to opt in (in the EU Member States and other countries requiring opt-in procedures) or opt out (for all other countries) online from the commercial use of this data and/or the transmission of this data to third parties.

Kaspersky Lab may be required by law enforcement or judicial authorities to provide some information to appropriate governmental authorities. If requested by law enforcement or judicial authorities, we shall provide this information upon receipt of the appropriate documentation. Kaspersky Lab may also provide information to law enforcement to protect its property and the health and safety of individuals as permitted by statute.

B. RECEIVED INFORMATION

In order to identify new and challenging data security threats and their sources, as well as threats of intrusion, and to take prompt measures to increase the protection of the data stored and processed by the User with a computer, the User agrees to automatically provide the following information:

Information about the software installed on the computer, including the version of the operating system and installed updates, kernel objects, drivers, services, Microsoft Internet Explorer extensions, printing system extension, Windows Explorer extensions, downloaded objects, Active Setup elements, control panel applets, entries in the hosts file and system registry, computer network name (local name and domain name), regional settings of the operating system (including information about time zone, default keyboard layout, interface language), UAC settings, firewall settings, parental control settings, settings and data of the operating system services.
Information about all installed applications, including the name and version of the installed application, the versions of installed updates, the publisher's name, the installation date, and the full installation path on the computer.
Information about the Right Holder's installed software and the anti-virus protection status, including the version of the Software, information about downloaded modules files, their names, sizes, paths, checksums (MD5, SHA2-256, SHA1), vendors, signatures, and files integrity, processes identifiers, which downloaded modules, the order in which modules were downloaded, the version and the timestamp of the anti-virus databases being used, statistics about updates and connections with the right holder's servers, the unique software identifiers on the computer, the computer's unique identifier, and information about the software's run mode.
Information about the computer's wireless network connection, including checksums (MD5) of the client's IP address, the MAC address of the access point, and the name of the wireless network, the user's identifier, information about network's type and security, the type of the connected device, a counter for the duration of the device's connection to the wireless network, DNS flag, flag indicating whether the device is running on battery power or a stationary power supply.
Information about the activity of the User's computer, including information about processes running on the system (process ID (PID), process name, information about the account the process was started from, the application and command that started the process, the full path to the process's files, and the starting command line, an indication whether the process's file has autorun status, a description of the product that the process belongs to (including the name of the product and information about the publisher), as well as digital certificates being used and information needed to verify their authenticity or information about the absence of a file's digital signature), URL DNS and IP addresses (IPv4 or IPv6) of visited websites, the date of visits and the number of DNS requests, search queries, HTTP request parameters, the time passed since the last user action on the computer, and information about the modules loaded into the processes, including their names, size, type, checksum (MD5, SHA2-256, SHA1), and the paths to them.
Information about all scanned objects and actions, including the name of the scanned object, the date and time of the scan, the names and size of scanned files and the paths to them, the date and time of file creation, the name of the packer (if the file was packed), the file's entropy, the file's type identifier and format, the URL- and IP-addresses from which the object is downloaded, the connection’s protocol identifier and the number of the port being used, the checksum (MD5, SHA256, SHA1) of process that is executing the object download, the object's checksum (MD5, SHA2-256, SHA1), the type and value of the object's supplementary checksum, data about the object's digital signature (certificate) (including the signature's date and time, the name of the certificate owner, the certificate's serial number, and the checksum algorithm, information about the certificate's public key, including the checksum (SHA2-256) of the public key, the certificate's database identifier, the name of the certificate issuer, and the result of certificate validation), the task identifier of the software that performed the scan, the date and time of the scan, the result of the scan, and the user's and the product's decision relative to the scan result, information about changes to trust groups, information about executable file emulation, including an array of logical blocks properties and functions within logical blocks, obtained during the emulation, emulation depth, data from the executable file's PE headers, the version of the emulation component, and the number of times the file has been run.
If threats or vulnerabilities are detected, in addition to information about the detected object, information is provided about the identifier, version, and type of the record in the anti-virus database, the name of the threat based on the Right Holder's classification, the checksum (MD5, SHA2-256, SHA1) of the application file that requested the URL where the threat was detected, the IP address (IPv4 or IPv6) of the detected threat, the identifier of the type of traffic on which the threat was detected, the vulnerability identifier and its threat level, the URL of the web page where the vulnerability was detected, the number of the script on the page, the identifier of the danger, type, and status of the detected vulnerability, the intermediate results of object analysis.
Information about network attacks, including the IP address of the attacking computer and the user's computer's port number at which the network attack is directed, the identifier of the protocol used to carry out the attack, and the name and type of attack.
The URL and IP address of the web page where harmful or suspicious content was detected, the name, size, and checksum of the file that requested the URL, the identifier and weight of the rule used to reach a verdict, the objective of the attack.
Information about links blocked by Parental Control, including the reason for the blocking, the version of the Parental Control component, and the URL and IP address of the blocked link.
Information about URL Advisor, including user-made decisions about the quality/danger of domains, the checksums (MD5) of the scanned domain's URL and Referrer, the URL Advisor component's identifier.
Results of Anti-Spam's scan of emails, including the version of the Anti-Spam component, the identifiers and weights of active scan rules, the sender's IP address, the most likely IP address for a source of spam, the status of an email after scanning.
Information about changes made by the user in the list of web sites protected by the Safe Money component, including the URL of the web site, a flag indicating a web site has been added, modified, or deleted, the mode in which Safe Money runs for the web site.
Information about the Trusted Applications mode, including its settings version identifier, a flag indicating its mode, the result of checking a file's status, and the source of the trust status, aggregated data about the number of trusted, untrusted, and unknown objects.
Aggregated data from the results of scanning using the local and cloud KSN databases, including the number of unique unknown objects, the number of unique trusted objects, the number unique untrusted objects; the total number of verdicts «unknown object», «trusted object» and «untrusted objects», the number of objects trusted based on validation of a certificate, designated as trusted based on a trusted URL, recognized as trusted based on the transfer of trust from a trusted process; the number of unknown objects for which no decision regarding trust has been made, the number of objects that the user has designated as trusted. Version of the local KSN database on the computer at the time the statistics are sent, the software's database settings identifier, information about successful/unsuccessful requests to KSN, the duration of sessions with KSN, the amount of data sent and received, the times at which the collection of information to be sent to KSN was started and stopped.
Information about the Private Browsing component, including the Referrer from the http tracking request, the name of the service or organization which provides tracking services, the category of the tracking service in accordance with the Rightholder’s categorization, ID and the version of the browser, which opened the URL.
If a potentially malicious object is detected, information is provided about data in the processes’ memory, elements of the system object hierarchy (ObjectManager), data in UEFI BIOS memory, names of registry keys and their values.
Information about events in the systems logs, including the event’s timestamp, the name of the log in which the event was found, type and category of the event, name of the event’s source and the event’s description.
Information about network connections, including version and checksums (MD5, SHA2-256, SHA1) of the file from which process was started that opened the port, the path to the process’s file and its digital signature, local and remote IP-addresses, numbers of local and remote connection ports, connection state, timestamp of the port’s opening.

In the case of software suspension data listed in sections 5, 6, 7 won’t be transmitted, but stored in a limited storage on the user's computer. This data cannot be restored after uninstall. After resuming the Software this data will be sent to Kaspersky Lab for the above purposes.

Objects that could be exploited by intruders to harm the User’s computer can be sent to Kaspersky Lab to be additionally scanned, including:

Files/parts of files.
The name, size and version of the file being sent, its description and checksums (MD5, SHA2-256, SHA1), its path, ID of the format, the name of the file’s vendor, the product name to which the file belogs.
Start and end date/time of the validity period of the certificate (if the file has a digital signature), the date and the time of the signature, the name of the issuer of the certificate, information about the certificate holder, the fingerprint, public key certificate and appropriate algorithms, and the certificate serial number.
Information about date and time of the creation and modification of the file, a flag indicating the usage of date and time of the file signing while the file signature is being verified, result of the file integrity check.
Objects detected through malicious links.

Such objects may be temporarily stored on the User’s computer until they are forwarded.

Additionally, to prevent incidents and to investigate those that do occur, executable and non-executable trusted files could be sent, as well as portions of the computer's RAM, the operating system's boot sectors and application activity reports, which contain:

Information about running processes and services, including checksums (MD5 SHA2-256, SHA1) of the process or service file, file name and size, the path, the names and paths of the files that were accessed by the process, names of registry keys and their values that were accessed by the process, portions of the computer's RAM, URL and IP-addresses that were accessed by the process or from which the running file was downloaded.
The name of the account under which the process is operating and appropriate computer name, the headers of the process windows, ID for the anti-virus databases, name of the detected threat according to Kaspersky Lab's classification, the unique ID of the license, license expiration date and its type, information about the version of the operating system and service packs installed on the computer, local time.

To improve the quality of the product, the User agrees to provide Kaspersky Lab with the following information:

Information about the Right Holder's software installed on the computer, including the installation date and time, the name and version of the software, versions of installed updates, data about the installed license (including its identifier and type), the unique software installation identifier, and a unique computer identifier, the interface's locale, the date and time set on the computer when the data is sent to KSN.
Information about the versions of the operating system and installed updates, current and default OS language settings, version and checksums (MD5, SHA2-256, SHA1) of the OS kernel file, parameters of the OS run mode, information about operating in the Device Guard mode.
Information about the software installed on the computer, including the name of the software and the name of its publisher, information about registry keys and their values, information about software components files, including checksums (MD5, SHA2-256, SHA1), name of a file, its path on the computer, size, version and digital signature.
Information about hardware installed on the computer, including RAM capacity, CPU brand and number of cores, HDD brand, type, name, model name, firmware version, parameters of built-in and connected devices.
Information about the use of the product's user interface, including information about the opening of the interface's windows (including identifiers and names of windows and used control elements) and switching between windows, information that determines the reason for opening a window, the date and time the interface was started and the stages of interface's startup, the time and type of the user's interaction with the interface, information about changes to settings and product parameters (including the name of the setting or parameter, and the old and new values).
Information about errors that have occurred in the operation of the product, including the type and time of the error, as well as the identifier of the product component and task in which the error occurred.
Information about scanning of protected connections, including the certificate used when making the connection and its checksum (MD5, SHA2-256, SHA1), the DNS- and IP-address (IPv4 or IPv6) of the network resource, the remote port number, the name and version of the running application that established the protected connection, as well as the path to this application, the error code from scanning the protected connection (if an error occurred).
Information about incompatible third-party software detected during installation of the product, including the time and method of detecting the incompatible software, its name and type, the locale of the product being installed, the release date of the component responsible for detecting the incompatible third-party software, information about the user's decision regarding the detected third-party software.
Information about updates of the installed product and anti-virus databases, including the IP address (IPv4 or IPv6) of the update source being used, the type of the update task, the number and total size of files downloaded during an update, the average download speed for the update files, the average speed for network operations during the update, the completion status of the update task, the type of an error that may occur during an update, the number of unsuccessful updates, the identifier of the product component that performs updates, value of the TARGET filter.
Information about the resources used by the product components when scanning objects, including actual and average scan times by various product components; the total, minimum, and maximum scan time, capture network traffic, the number of requests for scanning, the identifier of the scan operation, the start time and stop time of the service process and KL product interface, the duration of the receipt of data about the third-party software, and the number of events that occurred during this time.
Information about the interaction of the product and My Kaspersky services, including the identifier and domain name of the service to which a request has been made, the number of requests and successful/unsuccessful connections with each service, the number of reports from each service, the number of errors and timeouts during requests, the times at which the collection of information about the number of requests and connections was started and stopped.
Information about the process executing the attack on the software's Self-Defense: the name and size of the process file, its checksums (MD5, SHA2-256, SHA1), the full path to the process file and the template code of the file path, the creation/build timestamps, executable file flag, attributes of the process file, information about the certificate used to sign the process file, code of the account used to launch the process, ID of operations performed to access the process, type of resource with which the operation is performed (process, file, registry object, FindWindow search function), name of resource with which the operation is performed, success of the operation.
ID of the Rightholder’s software process that was attacked.
ID of abnormal termination of software or application installed on the computer.
Information about Software operation, including data on the use of the processor (CPU) and memory usage (Private Bytes, Non-Paged Pool, Paged Pool), the number of the product’s active threads and pending threads, the duration of the Software operation before the error occurred.
Information about the system at the time of BSOD: name and version of the driver that caused BSOD to occur, bugcheck code and its parameters, driver crash stack, ID of type of detected memory dump created during the crash, tag indicating whether the OS Windows session lasted more than 10 minutes before BSOD or Unexpected Power off, unique ID of the OS dump, date and time of BSOD, logs of software drivers from the minidump (error code, module name, name of source file and line where the error occurred), full number of OS kernel build, name, localization and version of the application in which the crash was detected, error number and description of the error from the system log of application for which the crash was detected, information about exceptions in applications, address of the application crash as an offset in the module, name and version of the application module in which the bug occurred, tag indicating whether the application crash occurred in a software plugin, crash stack, duration of application session before the crash, method for determining the crash (driver interceptions, processing of traffic, number of waiting threads), name of the process that initiated the interception or exchange of traffic that led to the software crash.
The name of the root index database file, its date and time, secondary index files and appropriate date and time for certain categories of updates, the names of certain files from the updated categories and their checksums for downloading and the downloaded database.
Information about the NativeImage file: type, name, checksums (MD5, SHA2-256, SHA1) of the file, full path to the file on the computer, template code of the file path, ID of the file module version, SHA256 hash sum of the digital signature of the build from where the scanned file was created and ID of the method for determining the build, IDs of the results of scanning the integrity of the file.
Information about the Private Browsing component, including URL-address that is added to the user’s exception list or removed from it, ID of the action with the URL, ID of the component settings.
Information about the System Watcher component: full number of the component version, build number, ID of the current event in System Watcher whose processing time lasted longer than the set period and the event processing time, total number of such events, name and checksums (MD5, SHA2-256, SHA1) of file of the process of the initiator of the current event and name and code of the directory of the file location on the computer, maximum allowed event processing time, code of the event that overflowed the event queue and total number of such events, name of the file and directory, code of the directory of the file location on the drive of the process of the initiator of the current event that overflowed the event queue, checksums (MD5, SHA2-256, SHA1) of the file, ID of the event whose processing was interrupted due to a timeout, interception filter IDs and type of interception event, size of System Watcher event queue at the time of sending statistics, difference between the first and current events in the queue at the time of sending statistics, probability of sending statistics.
When detecting a change in the setting being monitored the following information is provided: category ID of the variable setting, type ID of the setting change, web-browser name, to which the setting belongs.
Information about the Installation Assistant component, including the filename of the installer of the third-party software, the checksums (MD5, SHA2-256, SHA1), size and type of the installer file, full path to the installer file on the computer, template code of the file path, additional information about the installer file (description and version of the file, name and version of the software being installed, the name of the file’s vendor, the internal and original filenames, copyright notices that apply to the file, the file’s language, information about the presence of the file's digital signature, names of the subject and the organization that signed the file), timestamp of the anti-virus databases being used, name of the category of the installer file according to Kaspersky Lab’s classification, the identifier, version, and type of record in the anti-virus database, flag for the silent detection of the installer file, information about the pattern of the installer’s user interface, including the type, version and checksum (MD5, SHA2-256, SHA1) of the pattern, information about use of the installer’s user interface, including the ID of the user’s interaction with the interface element, the name, position and text of the interface element, flag for the presence of the command line parameters when the installer file is run, ID of the component’s script that initiated the sending of the statistics, the full version of the component.
When detecting an URL-address used by the installer to download content, which may contain advertising or offers to install additional software, the following information is provided: the detected URL-address (domain name of the URL-address in case of secure protocol), name of the category of the URL-address according to Kaspersky Lab’s classification, referrer and IP-address (IPv4 or IPv6) of the detected URL-address.
Information about the last unsuccessful OS restart, including the number of unsuccessful restarts.

Kaspersky Lab protects the information received in accordance with the law and Kaspersky Lab's rules.

Kaspersky Lab uses the information received only in an anonymized form as part of aggregated statistics. These aggregated statistics are generated automatically from the original information received and do not contain personal information or any other confidential information. Initial information received is destroyed upon accumulation (once a year). General statistics are kept indefinitely.

Securing the Transmission and Storage of Data

Kaspersky Lab is committed to protecting the security of the information it processes. The information processed is stored on computer servers with limited and controlled access. Kaspersky Lab operates secure data networks protected by industry-standard firewall and password protection systems. Kaspersky Lab uses a wide range of security technologies and procedures to protect information from threats such as unauthorized access, use, or disclosure. Our security policies are periodically reviewed and enhanced as necessary, and only authorized individuals have access to the data that we process. Kaspersky Lab takes steps to ensure that your information is treated securely and in accordance with this Statement. Unfortunately, no data transmission can be guaranteed secure. As a result, while we strive to protect your data, we cannot guarantee the security of any data you transmit to us or from our products or services, including without limitation Kaspersky Security Network, and you use all these services at your own risk.

We treat the data we process as confidential information; it is, accordingly, subject to our security procedures and corporate policies regarding protection and use of confidential information. All Kaspersky Lab employees are aware of our security policies. Your data is only accessible to those employees who need it in order to perform their jobs. Any stored data will not be associated with any personally identifiable information. Kaspersky Lab does not combine the data stored by Kaspersky Security Network with any data, contact lists, or subscription information that is processed by Kaspersky Lab for promotional or other purposes.

C. USE OF THE PROCESSED DATA

Kaspersky Lab processes the data in order to analyze and identify the source of potential security risks, and to improve the ability of Kaspersky Lab’s products to detect malicious behavior, fraudulent websites, crimeware, and other types of Internet security threats to provide the best possible level of protection to Kaspersky Lab customers in the future.

Disclosure of Information to Third Parties

Kaspersky Lab may disclose any of the information processed if asked to do so by a law enforcement official as required or permitted by law, in response to a subpoena or other legal process or if we believe in good faith that we are required to do so in order to comply with applicable law, regulation, subpoena, or other legal process or enforceable government request. Kaspersky Lab may also disclose information when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating this Statement, the terms of your agreements with the Kaspersky Lab or to protect the safety of our users and the public or under confidentiality and licensing agreements with certain third parties which assist us in developing, operating and maintaining the Kaspersky Security Network. In order to promote awareness, detection and prevention of Internet security risks, Kaspersky Lab may share certain information with research organizations and other security software vendors. Kaspersky Lab may also make use of statistics derived from the information processed to track and publish reports on security risk trends.

D. DATA PROCESSING – RELATED INQUIRIES AND COMPLAINTS

Kaspersky Lab takes and addresses its users’ Data Processing concerns with utmost respect and attention. If you believe that there was an instance of non-compliance with this Statement with regard to your information or data, or you have other related inquiries or concerns, you may write or contact Kaspersky Lab by email: support@kaspersky.com.

In your message, please describe in as much detail as possible the nature of your inquiry. We will investigate your inquiry or complaint promptly.

CHOICES AVAILABLE TO YOU

Participation in Kaspersky Security Network is optional. You can activate and deactivate the Kaspersky Security Network service at any time by altering the Feedback settings on your Kaspersky Lab product’s option’s tab. Please note, however, if you choose to deactivate the Kaspersky Security Network service, we may not be able to provide you with some of the services dependent upon the processing of this data.

We also reserve the right to send infrequent alert messages to users to inform them of specific changes that may impact their ability to use our services that they have previously signed up for. We also reserve the right to contact you if compelled to do so as part of a legal proceeding or if there has been a violation of any applicable licensing, warranty or purchase agreements.

Kaspersky Lab is retaining these rights because in limited cases we feel that we may need the right to contact you as a matter of law or regarding matters that may be important to you. These rights do not allow us to contact you to market new or existing services if you have asked us not to do so, and issuance of these types of communications is rare.

Page top