Data transmitted between program components

Central Node and Kaspersky Endpoint Agent (previously known as Endpoint Sensors)

Kaspersky Endpoint Agent sends the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with Kaspersky Endpoint Agent, and information on terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated locally until the connection is restored and the data is sent to the Central Node component, or until Kaspersky Endpoint Agent is removed from the computer, but for no longer than 21 days.

When an event occurs on the user's computer, Kaspersky Endpoint Agent sends the following data to the events database:

  1. File creation event.
    • Details of the process that created the file: process file name, and MD5 and SHA256 hashes of the process file.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • Date of file creation and modification.
    • File size.
    • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
    • Event body fields: AccessList, AccessMask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
  2. Registry monitoring event.
    • Details of the process that modified the registry: process ID, process file name, and MD5 and SHA256 hashes of the process file.
    • Path to the registry key.
    • Name of the registry variable.
    • Registry variable data.
  3. Driver loading event.
    • File name.
    • Path to the file.
    • Full name of the file.
    • MD5 and SHA256 hashes of the file.
    • File size.
    • Date of file creation and modification.
  4. Listening port opening event.
    • Details of the process that opened the listening port: process file name, and MD5 and SHA256 hashes of the process file.
    • Port number.
    • Adapter IP address.
  5. Event in the Windows log.
    • Time of the event, host on which the event occurred, and user account name.
    • Event ID.
    • Channel/log name.
    • Event ID in the log.
    • Provider name.
    • Authentication event subtype.
    • Domain name.
    • Remote IP address.
  6. Process start event.
    • Details of the file that started the process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • UniquePID.
    • Command-line parameters.
    • Details of the parent process: UniquePID, Windows ID of the process, and MD5 and SHA256 hashes of the process file.
    • Process termination time.
  7. Module loading event.
    • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and file size.
    • DLL file name.
    • Path to the DLL file.
    • Full name of the DLL file.
    • MD5 and SHA256 hashes of the DLL file.
    • DLL file size.
    • Date of DLL file creation and modification.
  8. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Command-line parameters.
  9. File startup blocking event.
    • Details of the file that an attempt was made to open: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, and type of checksum used for file blocking (0 – MD5, !=0 – SHA256; not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5 and SHA256 hashes of the file, PID, and UniquePID.
  10. Host name change event.
    • Event time.
    • Old host name.
    • New host name.
  11. Hosts file contents modification event.
    • Contents of the hosts file.
  12. Event of Kaspersky Endpoint Security for Windows that is saved in program databases.
    • Information about the Kaspersky Endpoint Security for Windows alert.
  13. Event of Kaspersky Endpoint Security for Windows that is displayed to the user.
    • Scan result.
    • Name of the detected object.
    • ID of the record in program databases.
    • Release time of the program databases with which the alert was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process run command line.
    • Reason for the error when processing the object.
  14. Active Directory organizational unit (OU) modification event.
    • Information about organizational units (OU) of Active Directory.

Central Node and Sandbox

The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.

Central Node and Sensor

The program may transmit the following data between Central Node and Sensor components:

Servers with PCN and SCN roles

If the program is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:

See also

Data of the Central Node and Sensor components

Sandbox component data

Data of Kaspersky Endpoint Agent