You can get lists of files, processes, and autorun points from selected Endpoint Agent hosts. To do so, you must create a forensic collection task.
To create a forensic collection task:
Select the Tasks section in the application web interface window.
This opens the task table.
Click the Add button and select Forensics in the Get data drop-down list.
This opens the task creation window.
Configure the following settings:
Information type is the type of collected data. Select the check box next to one, multiple, or all settings:
Processes list if you want to get a list of processes running on the host at the time of the task execution.
Autorun points list if you want to get a list of autorun points.
The autorun points list includes information about applications added to the startup folder or registered in the Run keys of the registry, as well as applications that are automatically run at startup of a host with the Endpoint Agent component and when a user logs in to the operating system on the specified hosts.
Kaspersky Endpoint Agent supports gathering data for the following autorun points:
Logon.
Run.
Explorer.
Shell.
Office.
Internet Explorer®.
Tasks.
Services.
Drivers.
Telephony.
Cryptography.
Debuggers.
COM.
Session Manager.
Network.
LSA.
Applications.
Codecs.
Shellex.
WMI.
Unspecified.
Kaspersky Endpoint Security supports collecting the aforementioned autorun points as well as the following:
BootLog
Browsers
DriverLog
EfiLoader
GroupPolicy
Logon
OsLoader
OsUpdate
Printer
Process
Scheduler
File list if you want to get a list of files stored in the selected folder or in all host folders at the time of the task execution.
If you have selected the File list check box, in the Source type group of settings, select one of the following options:
All local disks if you want the list of files to include files stored in all folders on local disks at the time of the task execution.
Directory if you want the file list to include files stored in the specified folder and its subfolders at the time when the task is run.
If you selected Directory, in the Start directory field, specify the path to the folder from which the file search should start.
You can use the following prefixes:
System environment variables.
User-defined environment variables.
When using user-defined environment variables, the list of files includes information about files in folders of all users who have set the specified environment variables. If user-defined environment variables override system environment variables, the list of files includes information about files in folders based on the values of system environment variables.
In the Hosts field, enter the IP address or name of the host to which you want to assign the task.
You can specify multiple hosts.
If you are using Kaspersky Endpoint Agent in the role of the Endpoint Agent component, the forensics collection task can be assigned only to hosts running Kaspersky Endpoint Agent for Windows version 3.10 and later. Getting a list of autorun points is only supported on hosts with Kaspersky Endpoint Agent for Windows 3.12 and higher.
If necessary, you can specify the following search criteria for files in folders:
Mask is the mask of files to be included in the list of files.
Alternative data streams is the check box that enables recording information about alternate data streams in the file list.
If the requested file is linked to other NTFS data streams, running the task yields all files of NTFS data streams that the requested file is linked to.
The check box is selected by default.
Maximum nesting level is the maximum nesting level of folders in which the application searches for files.
Exclusions is the path to the folders in which you want to prohibit the search for information about files.
Description is the task description.
Click Add.
The forensic collection task is created. The task runs automatically after it is created.
As a result of the task, the application places a ZIP archive in Storage; the archive contains a file with the selected data. If the task completed successfully, you can download the archive to your local computer.
Users with the Security auditor role cannot create forensic collection tasks.
Users with the Security officer role do not have access to tasks.