Data that is stored in configuration files as a result of configuring the settings by an administrator.
Data processed as part of automatic Threat Response.
Data processed during integration with Kaspersky Sandbox.
Data processed during integration with the Central Node component.
Service data are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> file. Data in the Settings subfolder are encrypted using the Encrypting File System (EFS). The data is stored until Kaspersky Endpoint Agent is uninstalled.
The data can be sent to Kaspersky Security Center automatically, but is not sent to Kaspersky Sandbox.
By default, only users with System and Administrator permissions have access to the files (full access for System, read and execute for Administrator). The %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder and the Restored subfolder are also accessible to users with User (read only) permissions.
All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the application is uninstalled.
Kaspersky Endpoint Agent stores the following data that are processed during automatic response and integration with Kaspersky Sandbox:
Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
Kaspersky Endpoint Agent access password.
Quarantined files.
Kaspersky Endpoint Agent settings.
Credentials of operating system users for starting tasks with certain user permissions.
Authentication credentials for Kaspersky Security Center Administration Server.
Authorization credentials for the proxy server.
Addresses of custom update sources.
Public key of the certificate used for integration with Kaspersky Sandbox.
Kaspersky Endpoint Agent cache:
Time when scan results were written to the cache.
MD5 hash of the scan task.
Scan task identifier.
Object scan result.
Queue of the object scan requests:
ID of the object in the queue.
Time when the object was queued.
Processing status of the queued object.
ID of the user session in the operating system where the object scan task was created.
System identifier (SID) of the operating system user whose user account permissions were used to create the object scan task.
MD5 hash of the object scan task.
Information about the tasks for which Kaspersky Endpoint Agent awaits scan results from Kaspersky Sandbox:
Time when the object scan task was received.
Object processing status.
ID of the user session in the operating system where the object scan task was created.
ID of the object scan task.
MD5 hash of the object scan task.
System identifier (SID) of the operating system user whose user account was used to create the task.
XML schema of the automatically created IOC.
MD5 or SHA256 hash of the scanned object.
Processing errors.
Names of the objects that the scanning task was created for.
Object scan result.
When integrated with the Central Node component, Kaspersky Endpoint Agent stores the following data locally:
Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
Quarantined files.
Kaspersky Endpoint Agent settings:
Kaspersky Endpoint Agent access password.
Credentials of operating system users for starting tasks with certain user permissions.
Authentication credentials for Kaspersky Security Center Administration Server.
Authorization credentials for the proxy server.
Addresses of custom update sources.
Public key of the certificate used for integration with KATA Central Node.
Public key of the certificate used for integration with Kaspersky Sandbox.
License data.
Data required for integration with the Central Node component:
Updatable telemetry filtering schemes.
Telemetry event packet queue.
Cache of IOC file identifiers received from the Central Node component.
Objects to be passed to the server within the Get file task.
Reports about the results of the "Get a list of files, processes" task.