Kaspersky Sandbox
All data that the application stores locally on the computer is deleted when Kaspersky Endpoint Security is uninstalled.
Service data
Kaspersky Endpoint Security stores the following data processed during automatic response:
- Processed files and data entered by the user during configuration of the built-in agent of Kaspersky Endpoint Security:
  - Quarantined files
  - Public key of the certificate used for integration with Kaspersky Sandbox
- Cache of the built-in agent of Kaspersky Endpoint Security:
  - Time when scan results were written to the cache
  - MD5 hash of the scan task
  - Scan task identifier
  - Scan result for the object
- Queue of object scan requests:
  - ID of the object in the queue
  - Time when the object was placed in the queue
  - Processing status of the object in the queue
  - ID of the user session in the operating system where the object scan task was created
  - System identifier (SID) of the operating system user whose account was used to create the task
  - MD5 hash of the object scan task
- Information about the tasks for which the built-in agent of Kaspersky Endpoint Security is awaiting scan results from Kaspersky Sandbox:
  - Time when the object scan task was received
  - Object processing status
  - ID of the user session in the operating system where the object scan task was created
  - Identifier of the object scan task
  - MD5 hash of the object scan task
  - System identifier (SID) of the operating system user whose account was used to create the task
  - XML schema of the automatically created IOC
  - MD5 or SHA256 hash of the scanned object
  - Processing errors
  - Names of the objects for which the task was created
  - Scan result for the object
Data in requests to Kaspersky Sandbox
The following data from requests sent by the built-in agent of Kaspersky Endpoint Security to Kaspersky Sandbox is stored locally on the computer:
- MD5 hash of the scan task
- Scan task identifier
- Scanned object and all related files
Data received as a result of IOC Scan task execution (stand-alone task)
Kaspersky Endpoint Security automatically submits data on the IOC Scan task execution results to Kaspersky Security Center.
The data in the IOC Scan task execution results may contain the following information:
- IP address from the ARP table
- Physical address from the ARP table
- DNS record type and name
- IP address of the protected computer
- Physical address (MAC address) of the protected computer
- Identifier in the event log entry
- Data source name in the log
- Log name
- Event time
- MD5 and SHA256 hashes of the file
- Full name of the file (including path)
- File size
- Remote IP address and port to which connection was established during scan
- Local adapter IP address
- Port open on the local adapter
- Protocol number (as assigned in the IANA protocol number registry)
- Process name
- Process arguments
- Path to the process file
- Windows identifier (PID) of the process
- Windows identifier (PID) of the parent process
- User account that started the process
- Date and time when the process was started
- Service name
- Service description
- Path and name of the service DLL (for services hosted by svchost)
- Path and name of the service executable file
- Windows identifier (PID) of the service
- Service type (for example, a kernel driver or adapter)
- Service status
- Service launch mode
- User account name
- Volume name
- Volume letter
- Volume type
- Windows registry value
- Registry hive value
- Registry key path (without hive and value name)
- Registry setting
- System (environment)
- Name and version of the operating system that is installed on the computer
- Network name of the protected computer
- Domain or group the protected computer belongs to
- Browser name
- Browser version
- Time when the web resource was last accessed
- URL from the HTTP request
- Name of the account used for the HTTP request
- File name of the process that made the HTTP request
- Full path to the file of the process that made the HTTP request
- Windows identifier (PID) of the process that made the HTTP request
- HTTP referer (HTTP request source URL)
- URI of the resource requested over HTTP
- Information about the HTTP user agent (the application that made the HTTP request)
- HTTP request execution time
- Unique identifier of the process that made the HTTP request