Data on events in Windows Event Log

Data on the events in Windows Event Log is stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in a plain and non-encrypted form. The data is stored until Kaspersky Endpoint Agent is uninstalled.

The data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have read access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder and the files in this folder. The access is managed by the system administrator.

Event data can contain information about:

• User sessions in the operating system.
• User accounts in the operating system (userID).
• Errors occurred during object scan tasks execution.
• Object scan tasks.
• Kaspersky Sandbox detections.
• Kaspersky Sandbox events.
• Kaspersky Endpoint Agent IOC files generated during automatic response.
• Object scan results.
• Kaspersky Sandbox server certificates.
• The object scan queue.
• Changes of Kaspersky Endpoint Agent.
• Changes of Kaspersky Security Center policies.
• Changes of object scan task status.
• Kaspersky Security Center policies.
• Quarantined objects.
• Automatic Threat Response actions.
• Errors while interacting with application servers.
• Objects blocked by Execution prevention rules.
• Results of the Delete file tasks.
• Results of the Terminate process tasks.
• Results of the Run application tasks.
• Results of the Get file tasks.
• Current Kaspersky Endpoint Detection and Response Optimum license.
• Application activation status.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.