Data transmitted between application components
Central Node, Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows
The Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows applications send the following to the Central Node component: reports about running tasks, information about events and alerts that occurred on computers running these applications, and information about terminal sessions.
If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows is removed from the computer, but no longer than 21 days.
If an event occurred on the user's computer, the applications send the following data to the events database:
- General information for all events:
- Event type.
- Event time.
- User account for which the event was generated.
- Name of the host where the event occurred.
- IP address of the host.
- Type of the operating system installed on the host.
- File creation event.
- Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
- File name.
- Path to the file.
- Full name of the file.
- MD5 and SHA256 hash of the file.
- Date of file creation and modification.
- File size.
- Registry monitoring event.
- Details of the process that modified the registry: Process ID, process file name, and MD5- and SHA256 hash of the process file.
- Path to the registry key.
- Registry value name.
- Registry value data.
- Registry value type.
- Previous path to the registry key.
- Previous registry value data.
- Previous registry value type.
- Driver loading event.
- File name.
- Path to the file.
- Full name of the file.
- MD5 and SHA256 hash of the file.
- File size.
- Date of file creation and modification.
- Listening port opening event.
- Details of the process that opened the listening port: process file name, and MD5- and SHA256 hash of the process file.
- Port number.
- Adapter IP address.
- Event in the operating system log.
- Time of the event, host on which the event occurred, and user account name.
- Event ID.
- Channel/log name.
- Event ID in the log.
- Provider name.
- Authentication event subtype.
- Domain name.
- Remote IP address.
- Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
- Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
- Process start event.
- Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
- UniquePID.
- Process start options.
- Process start time.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
- Process stop event.
- Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
- UniquePID.
- Process start options.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
- Module loading event.
- Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5- and SHA256 hash of the file, and file size.
- DLL name.
- Path to DLL.
- DLL full name.
- MD5 or SHA256 hash of the DLL.
- DLL size.
- Date of DLL creation and modification.
- Name of the organization that issued the digital certificate of the DLL.
- DLL digital signature verification result.
- Process startup blocking event.
- Details of the file that attempted to run: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
- Command-line parameters.
- File startup blocking event.
- Details of the file that attempted to open: file name, file path, full name of the file, MD5- and SHA256 hash of the file, type of checksum used for file size blocking (0 – MD5, !=0 – SHA256, not used for search).
- Details of the executable file: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
- Details of the parent process: file name, file path, full name of the file, MD5- and SHA256 hash of the file, PID, and UniquePID.
- Event of Kaspersky Endpoint Security for Windows.
- Scan result.
- Name of the detected object.
- ID of the record in application databases.
- Release time of the application databases with which the alert was generated.
- Object processing mode.
- Category of the detected object (for example, name of a virus).
- MD5 hash of the detected object.
- SHA256 hash of the detected object.
- Unique ID of the process.
- Process PID displayed in the Windows Task Manager.
- Process run command line.
- Reason for the error when processing the object.
- Contents of the script scanned using AMSI.
- AMSI scan event.
- Contents of the script scanned using AMSI.
Central Node, Kaspersky Endpoint Agent for Linux, Kaspersky Endpoint Security for Linux
The Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux applications send the following to the Central Node component: reports about running tasks, information about events and alerts that occurred on computers running these applications, and information about terminal sessions.
If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Linux or Kaspersky Endpoint Security for Linux is removed from the computer, but no longer than 21 days.
If an event occurred on the user's computer, the applications send the following data to the events database:
- General information for all events:
- Event type.
- Event time.
- User account for which the event was generated.
- Name of the host where the event occurred.
- IP address of the host.
- Type and version of the operating system that is installed on the host.
- Name of the host that was used to remotely log in to the system.
- Name of the user assigned when registering in the system.
- Group to which the user belongs.
- User name that was used to log in to the system.
- Group of the user whose name was used to log in to the system.
- Name of the user who created the file.
- Name of the group whose users can modify or delete the file.
- Permissions that can be used to gain access to the file.
- Inherited privileges of the file.
- Process start event.
- Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
- UniquePID.
- Command that was used to start the process.
- Process type.
- Environment variables of the process.
- Process start time.
- Process end time.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
- File creation event.
- Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
- File name.
- Path to the file.
- Full name of the file.
- File type.
- MD5 and SHA256 hash of the file.
- Date of file creation and modification.
- File size.
- Event in the operating system log.
- Event time.
- Event type.
- Result of the operation.
- Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
Central Node and Sandbox
The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.
Central Node and Sensor
The application may transmit the following data between Central Node and Sensor components:
- Files and email messages.
- Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
- License information.
- List of data excluded from the scan.
- Data of the Endpoint Sensors application, if integration with a proxy server has been configured.
- Application databases, if receiving database updates from the Central Node component is configured.
Servers with PCN and SCN roles
If the application is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:
- Data on alerts.
- Data on events.
- Data on tasks.
- Data on policies.
- Data on scans using IOC, TAA (IOA), IDS, YARA user rules.
- Data on files in Storage.
- Data on user accounts.
- About the license.
- The list of computers with the Endpoint Agent component.
- Objects placed in Storage.
- Objects quarantined on computers with the Endpoint Agent component.
- Files attached to alerts.
- IOC and YARA files.
Page top