[Topic 246841]

Kaspersky Anti Targeted Attack Platform Help

New functions

• What's new in the Kaspersky Anti Targeted Attack Platform
  
  

Hardware and software requirements

• Hardware and software requirements
• Compatibility of the Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent for Windows
• Compatibility of the Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Security for Windows, Linux, and Mac
  
  

Licensing

• Licensing the Kaspersky Anti Targeted Attack Platform
  
  

Getting started

• Distributed solution and multitenancy
• Sizing the Kaspersky Anti Targeted Attack Platform
• Installation and initial configuration of the Kaspersky Anti Targeted Attack Platform
• Configuring the integration of Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent component
  
  

Getting started in the Kaspersky Anti Targeted Attack Platform web interface

• Getting started with the application web interface — For administrators
• Getting started with the application web interface — For security officers
  
  

Additional features

• Managing the Sandbox component through the web interface
• Interaction with external systems via API
  
  

Update

• Updating the previous version of the Kaspersky Anti Targeted Attack Platform
  
  

Contacting the Technical Support Service

• How to obtain Technical Support
  
  

[Topic 246848]

Kaspersky Anti Targeted Attack Platform

Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the application") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The solution is developed for corporate users.

The Kaspersky Anti Targeted Attack Platform solution includes three functional blocks:

• Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
• Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.
• Network Detection and Response (hereinafter also referred to as "NDR"), which provides protection of the corporate LAN.

The solution can receive and process data in the following ways:

• Integrate into the local area network, receive and process mirrored
  SPAN, ERSPAN and RSPAN traffic

  A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.

  , and extract objects and metadata from the HTTP, HTTP2, FTP, SMTP, DNS, SMB, and NFS protocols.
• Connect to the proxy server via the ICAP protocol, receive and process data of HTTP, HTTP2, and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
• Connect to the mail server via the POP3 (S) and SMTP protocols, receive and process copies of e-mail messages.
• Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, receive, and process copies of email messages.

  For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation of these applications.

• Integrate with Kaspersky Endpoint Agent and Kaspersky Endpoint Security and receive data (events) from individual computers running Microsoft Windows and Linux operating systems in the corporate IT infrastructure. These applications continuously monitor processes running on those computers, active network connections, and files that are modified.
• Integrate with external systems with the use of the REST API interface and scan files on these systems.

The solution uses the following means of Threat Intelligence:

• Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
• Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
• Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
• The Kaspersky Threats database.

The solution can detect the following events that occur within the corporate IT infrastructure:

• A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
• A file has been sent to the email address of a user on the corporate LAN.
• A website link was opened on a corporate LAN computer.
• Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
• Processes have been started on a corporate LAN computer.

The application can provide the results of its operation and Threat Intelligence to the user in the following ways:

• Display the results of work done in the web interface of the Central Node, Primary Central Node (hereinafter also PCN) or Secondary Central Node (hereinafter also SCN) servers.
• Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
• Integrate with external systems via the REST API and send information on alerts generated by the solution to external systems on demand.
• Publish information on Sandbox component alerts in the local reputation database of Kaspersky Private Security Network.

Users with the Senior security officer or Security officer role can perform the following actions in the application:

• Monitor the components of the solution.
• View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
• Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view and manage each event, follow recommendations for evaluating and investigating incidents.
• Run tasks on computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security: run applications and stop processes, download and delete files, quarantine objects on computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security, place copies of files in Storage of Kaspersky Anti Targeted Attack Platform, and restore files from quarantine.
• Set up policies for preventing the running of files and processes that they consider to be unsafe on selected computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security.
• Isolate individual computers with Kaspersky Endpoint Agent and Kaspersky Endpoint Security from the network.
• Work with TAA (IOA) rules to classify and analyze events.
• Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules — upload rules to be used for scanning events and creating alerts.
• Work with OpenIOC compliant files (IOC files) to search for signs of targeted attacks, infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
• Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
• Manage objects in quarantine and copies of objects in Storage.
• Manage reports about application performance and alerts.
• Configure the sending of notifications about alerts and problems encountered by the application to email addresses of users.
• Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.
• Store and download copies of raw network traffic for analysis in external systems.

Users with the Security auditor role can perform the following actions in the application:

• Monitor the components of the solution.
• View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
• Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, filter and view each event.
• View the list of hosts with the Endpoint Agent component and information about selected hosts.
• View user-defined rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
• View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
• View reports about application performance and alerts.
• View the list of VIP alerts and the list of data excluded from the scan.
• View all settings made in the application web interface.
• Store and download copies of raw network traffic for analysis in external systems.

Users with the Local administrator or Administrator role can perform the following actions in the application:

• Edit application settings.
• Configure servers for the distributed solution and multitenancy mode.
• Set up the integration of the application with other applications and systems.
• Manage TLS certificates and set up trusted connections between the Central Node server and the Sandbox server, between Kaspersky Anti Targeted Attack Platform servers and the Endpoint Agent component, and with external systems.
• Manage accounts of application users.
• Monitor application health.

[Topic 247269]

What's new

Kaspersky Anti Targeted Attack Platform 6.0.4 now has the following new features:

1. Fixed vulnerabilities in the Suricata module.
2. The time zone for servers with Central Node and Sandbox components can only be selected from the drop-down list. Selecting the time zone on the map is no longer supported.
3. Selecting a country when setting the date and time for the Sandbox component is not supported.
4. Fixed an error that occurred when updating anti-virus databases.

Kaspersky Anti Targeted Attack Platform 6.0.2 now has the following new features:

Fixed vulnerabilities in the Intrusion Detection System (IDS) application module.

Kaspersky Anti Targeted Attack Platform 6.0 now has the following new features:

1. A distribution kit of the Kaspersky Anti Targeted Attack Platform application based on the Astra Linux operating system is now provided.
2. Added support for KVM virtualization for a limited number of hosts with the Endpoint Agent component.
3. Added ICAP integration with feedback. ICAP integration with feedback can work in two modes:
   • Standard scan. In standard scan mode, the object is scanned by all supported technologies. While being scanned by the Sandbox component, the object remains available. If a threat is detected, the object is blocked.
   • Advanced scan. In the advanced scan mode, objects are scanned by all supported technologies. While being scanned by the Sandbox component, the object is not available. If a threat is detected, the object is blocked.
4. Threats can now be detected in the SMB, NFS, HTTP2 protocols.
5. Scanning mirrored encrypted traffic is now possible thanks to integration with the ArtX TLSproxy 1.9.1 application.
6. Traffic capture and analysis at speeds up to 10 Gbps is now supported for the Sensor component.
7. Copies of raw network traffic can now be recorded, stored, and downloaded.
8. Now you can configure automatic removal of inactive hosts displayed in the Endpoint Agents list on the server with the Central Node component.
9. In the role of the Endpoint Agent component, you can now use the Kaspersky Endpoint Security for Mac application with built-in support for Kaspersky Anti Targeted Attack Platform.
10. Deploying on the VK Cloud platform is now possible.
11. Expanded functionality for hosts that have Kaspersky Endpoint Security for Linux 12 as the Endpoint Agent component:
    • Added the 'Delete file' task.
    • Added the 'Kill process' task.
    • Individual hosts can now be isolated from the network.
    • Added support for files conforming to the OpenIOC open standard for the description of indicators of compromise (IOC files).
12. The Sandbox component no longer supports the Windows XP SP3 operating system in preset form.

Changes in Kaspersky Endpoint Agent 3.16 for Windows:

You can view the list of changes in Kaspersky Endpoint Agent 3.16 for Windows in the Kaspersky Endpoint Agent for Windows Online Help.

Changes in Kaspersky Endpoint Security 12.5 for Windows:

You can view the list of changes in Kaspersky Endpoint Security 12.5 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Changes in Kaspersky Endpoint Security 12 for Linux:

You can view the list of changes in Kaspersky Endpoint Security 12 for Linux in the Kaspersky Endpoint Security for Linux Online Help.

[Topic 157533]

About Kaspersky Threat Intelligence Portal

For additional information about files that you consider to be suspicious, you can go to the website of the Kaspersky application Kaspersky Threat Intelligence Portal, which analyzes each file for malicious code and shows information about the reputation of the file.

Access to the Kaspersky Threat Intelligence application is provided for a fee. Authorization on the application website requires that an application access certificate is installed in the certificate storage on your computer. In addition, you must have a user name and password for access to the application.

For more details about the Kaspersky Threat Intelligence Portal, please visit the Kaspersky website.

[Topic 247444]

Distribution kit

The Kaspersky Anti Targeted Attack Platform distribution kit includes the following files:

1. Disk image (file with the iso extension) containing the installation files for the Ubuntu Server 22.04.2 operating system and for the Sensor and Central Node components.
2. Disk image (file with the iso extension) containing the installation files for the CentOS 7.9 operating system and for the Sandbox component.
3. Archive (.tar.gz file) of the Sensor, Central Node components for creating an iso image based on Astra Linux Special Edition 1.7.4. UU1 operating system.
4. Archive (.tar.gz file) of the Sandbox component for creating an iso image based on Astra Linux Special Edition 1.7.4. UU1 operating system.
5. Disk images (.iso files) of operating systems in which the Sandbox component runs files.
6. Utility (.tar file) for creating an iso image based on Astra Linux Special Edition 1.7.4. UU1 operating system.
7. Upgrade package (upgrade.tar.gz) for the Central Node component.
8. Upgrade package for the Central Node and Sensor components, kata-cn-upgrade-6.0.2-x86_64_en-ru.tar.gz.
9. Upgrade package for the Sandbox component, kata-sb-upgrade-6.0.2-x86_64_en-ru.tar.gz.
10. Upgrade package for the Central Node, Sensor, Sandbox components, upgrade-6.0.4.tar.gz.
11. File with information about third-party code used in Kaspersky Anti Targeted Attack Platform.

Kaspersky Endpoint Agent distribution kit includes the following files:

Kaspersky Endpoint Agent distribution kit

[Topic 247120]

Hardware and software requirements

Hardware and software requirements for servers for installing Kaspersky Anti Targeted Attack Platform

Deploying the application on a virtual platform requires installing the VMware ESXi hypervisor version 6.7.0 or 7.0.

For the application to work correctly in a virtual environment, you must install an up-to-date upgrade package for the hypervisor.

For the Central Node, Sensor and Sandbox hardware requirements see the Sizing Guide.

Hardware and software requirements for installing the Endpoint Agent component

The hardware and software requirements of the Endpoint Agent component reflect the hardware and software requirements of the applications that act as the Endpoint Agent component, and are described in the documentation of these applications:

• Kaspersky Endpoint Agent for Windows.
• Kaspersky Endpoint Security for Windows.
• Kaspersky Endpoint Security for Linux.
• Kaspersky Endpoint Security for Mac.

Hardware and software requirements for using the web interface of Kaspersky Anti Targeted Attack Platform

One of the following browsers must be installed on the computers in order to configure and manage the application using the web interface:

• Mozilla Firefox for Linux.
• Mozilla Firefox for Windows.
• Google Chrome for Windows.
• Google Chrome for Linux.
• Edge (Windows).
• Safari (Mac).

Minimum screen resolution to use web interface: 1366х768.

[Topic 247280]

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

The Kaspersky Endpoint Agent application uses predefined settings that determine the impact that it has on the performance of the local computer under scenarios of information retrieval and interaction with the Central Node component.

If the version of Kaspersky Anti Targeted Attack Platform installed on Central Node servers is incompatible with the version of Kaspersky Endpoint Agent installed on computers on the corporate LAN, the functionality of Kaspersky Anti Targeted Attack Platform may be limited.

Information about the compatibility of Kaspersky Endpoint Agent component versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

Limited compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Agent 3.12 with Kaspersky Anti Targeted Attack Platform 4.1.

  The amount of data sent by Kaspersky Endpoint Agent is limited:

  • Scanning autorun points using the Start YARA scan task is not supported.
  • The tasks Get NTFS metafiles, Get process memory dump, Get registry key are not supported.
• Integration of Kaspersky Endpoint Agent 3.12 with Kaspersky Anti Targeted Attack Platform 5.0–6.0.

  The amount of data sent by Kaspersky Endpoint Agent is limited:

  • Scanning autorun points using the Start YARA scan task is not supported.
  • The tasks Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump are not supported.
  • Event information is not transmitted for the Process terminated event.
• Integration of Kaspersky Endpoint Agent 3.13 with Kaspersky Anti Targeted Attack Platform 4.0.

  A server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: Get NTFS metafiles, Get process memory dump, Get registry key tasks cannot be created in the web interface of the application.

• Integration of Kaspersky Endpoint Agent 3.13 with Kaspersky Anti Targeted Attack Platform 4.1–6.0.

  Kaspersky Endpoint Agent does not support the creation of the following tasks: Get disk image, Get memory dump.

• Integration of Kaspersky Endpoint Agent 3.14 with Kaspersky Anti Targeted Attack Platform 4.0.

  The server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: creation of Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump tasks is not available in the web interface of the application.

• Integration of Kaspersky Endpoint Agent 3.14 with Kaspersky Anti Targeted Attack Platform 4.1.

  A server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent application: the tasks Get disk image and Get memory dump cannot be created in the web interface of the application.

[Topic 247216]

Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications

If you want to use the Kaspersky Endpoint Agent application as the Endpoint Agent component, you can install just the Kaspersky Endpoint Agent, or configure the integration of Kaspersky Endpoint Agent with workstation protection applications (Endpoint Protection Platform, hereinafter also "EPP"), Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, and Kaspersky Security for Virtualization Light Agent. If the integration of applications is configured, Kaspersky Endpoint Agent also sends the information about threats detected by EPP applications and their processing results to the Central Node server.

The integration scenarios described above do not work when Kaspersky Endpoint Agent is installed on a virtual desktop in Virtual Desktop Infrastructure.

Integration of Kaspersky Endpoint Agent with Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server requires installing Kaspersky Endpoint Agent as part of those applications.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Security for Windows Server

You can install the following versions of Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server:

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Security 11 for Windows Server.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Security 11.0.1 for Windows Server.

When you install Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server, the standalone Kaspersky Endpoint Agent of the same or earlier version is removed. If Kaspersky Endpoint Agent installed as part of Kaspersky Security for Windows Server has an earlier version, it will not be installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent application.

If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Security for Windows Server. Integration between compatible versions of the applications is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Security for Windows Server is upgraded.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions

When integrating with Kaspersky Endpoint Agent 3.13–3.16, Kaspersky Security for Windows Server does not transmit event information of the AMSI scan event.

For more details about installing Kaspersky Security for Windows Server, see Kaspersky Security for Windows Server Help.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Endpoint Security for Windows

You can install the following versions of Kaspersky Endpoint Agent (Endpoint Sensors) as part of Kaspersky Endpoint Security for Windows:

• Kaspersky Endpoint Agent 3.7 or Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 as part of Kaspersky Endpoint Security 11.2, 11.3 for Windows.

  Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 is not compatible with Kaspersky Anti Targeted Attack Platform version 4.1 or higher.

  Kaspersky Endpoint Agent 3.7 is not compatible with all versions of Kaspersky Anti Targeted Attack Platform.

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Endpoint Security 11.4, 11.5.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Endpoint Security 11.6.
• Kaspersky Endpoint Agent 3.11 as part of Kaspersky Endpoint Security 11.7, 11.8.

When you install Kaspersky Endpoint Agent 3.10 or later as part of Kaspersky Endpoint Security for Windows, the standalone Kaspersky Endpoint Agent application of the same or earlier version is removed. If the separately installed Kaspersky Endpoint Agent has a later version, the application bundled with Kaspersky Endpoint Security for Windows is not installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent application.

If necessary, you can upgrade the Kaspersky Endpoint Agent application that is already installed as part of Kaspersky Endpoint Security for Windows. Integration between compatible versions of the applications is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Endpoint Security for Windows is upgraded. You can upgrade a previous version of Kaspersky Endpoint Agent to version 3.14 only for Kaspersky Endpoint Agent version 3.7 or higher.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions

For more details about installing Kaspersky Endpoint Security, see Kaspersky Endpoint Security for Windows Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Security for Virtualization Light Agent

You can configure the integration of separately installed Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Virtualization Light Agent versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions and Kaspersky Security for Virtualization Light Agent versions

Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on a virtual machine generate the same load on the Central Node server as Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on the host.

For more details about enabling the integration of Kaspersky Endpoint Agent with Kaspersky Security for Virtualization Light Agent, see Kaspersky Security for Virtualization Light Agent Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Industrial CyberSecurity for Nodes

You can install Kaspersky Endpoint Agent on a device with Kaspersky Industrial CyberSecurity for Nodes installed. The applications are integrated automatically.

Compatibility of Kaspersky Endpoint Agent versions with versions of Kaspersky Industrial CyberSecurity for Nodes

To integrate with Kaspersky Industrial CyberSecurity for Nodes, the corresponding license key must be installed in the Kaspersky Endpoint Agent.

For detailed information, you can contact your account manager.

[Topic 246849]

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

To integrate Kaspersky Endpoint Security 12.1 or later with Kaspersky Anti Targeted Attack Platform, you do not need to install Kaspersky Endpoint Agent.

When integrating Kaspersky Endpoint Security 12.7, 12.8 with Kaspersky Anti Targeted Attack Platform 5.0-6.0, the Kaspersky Anti Targeted Attack Platform server receives a limited amount of data from Kaspersky Endpoint Security:

• Information about the following events is not processed: Named pipe, WMI, LDAP, DNS, Code injection.
• For the File modified event, information about the following subtypes is not processed: File read, Hard link created, Symbolic link created.
• For the Registry modified event, information about the following subtypes is not processed: Registry key renamed, Registry key saved.

[Topic 247128]

Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

To integrate Kaspersky Endpoint Security with Kaspersky Anti Targeted Attack Platform, you do not need to install the Kaspersky Endpoint Agent.

Starting from version 12, Kaspersky Endpoint Security for Linux can be used as the Light Agent for Linux component for the Kaspersky Security for Virtualization application. For more details about the integration, see Kaspersky Security for Virtualization Light Agent Help.

When Kaspersky Endpoint Security for Linux is used as the Light Agent for Linux component, the integration of Kaspersky Endpoint Security for Linux with Kaspersky Anti Targeted Attack Platform is retained.

Limited compatibility of Kaspersky Endpoint Security for Linux versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Security 11.4 with Kaspersky Anti Targeted Attack Platform 5.1, 6.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Service management, Delete file, Quarantine file, Restore file from quarantine, Delete file, Kill process.
• Integration of Kaspersky Endpoint Security 12 with Kaspersky Anti Targeted Attack Platform 5.0, 5.1.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Service management, Delete file, Quarantine file, Restore file from quarantine, Delete file, Kill process.
• Integration of Kaspersky Endpoint Security 12 with Kaspersky Endpoint Detection and Response Optimum 5.1.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of prevention rules is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Service management, Quarantine file, Restore file from quarantine.
• Integration of Kaspersky Endpoint Security 12–12.1 with Kaspersky Anti Targeted Attack Platform 6.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Creation of prevention rules is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Service management, Quarantine file, Restore file from quarantine.
• Integration of Kaspersky Endpoint Security 12.2 with Kaspersky Anti Targeted Attack Platform 6.0.

  The scope of data sent by Kaspersky Endpoint Security is limited:

  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Get forensics, Get registry key, Get NTFS metafiles, Get process memory dump, Get disk image, Get memory dump, Kill process, Start YARA scan, Service management, Restore file from quarantine.

[Topic 252759]

Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security for Mac as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security for Mac versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Mac with Kaspersky Anti Targeted Attack Platform versions

Limited compatibility of Kaspersky Endpoint Security for Mac versions with Kaspersky Anti Targeted Attack Platform versions

• Integration of Kaspersky Endpoint Security 12–12.1 with Kaspersky Anti Targeted Attack Platform 6.0.
  • Creation of network isolation rules is not supported.
  • Creation of prevention rules is not supported.
  • Searching for indicators of compromise on computers using IOC files is not supported.
  • Event information is not transmitted for the following events: Process terminated, Module loaded, Connection to remote host, Blocked application (prevention rule), Document blocked, Registry modified, Port listened, Driver loaded, Process: interpreted file run, Process: console interactive input, AMSI scan.
  • Creation of the following tasks is not supported: Kill process, Get forensics, Start YARA scan, Delete file, Quarantine file, Restore file from quarantine, Service management, Get disk image, Get memory dump.

[Topic 264169]

Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform

You can use KUMA as a SIEM system.

Information about the compatibility of KUMA versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of KUMA versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264174]

Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform

You can use XDR as a SIEM system.

Information about the compatibility of XDR versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of XDR versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264175]

Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform

You can use Kaspersky Private Security Network (KPSN) instead of Kaspersky Security Network (KSN) to avoid sending your organization's data beyond the corporate LAN.

Information about the compatibility of KPSN versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of KPSN versions with versions of Kaspersky Anti Targeted Attack Platform

Page top

[Topic 264697]

Compatibility of Kaspersky Anti Targeted Attack Platform with VK Cloud

Kaspersky Anti Targeted Attack Platform supports deployment on the VK Cloud platform.

When deploying the application, you can connect Sandbox components to the Central Node component.

The following restrictions apply when deploying Kaspersky Anti Targeted Attack Platform for integration with VK Cloud:

• Only the KATA functional block is supported.
• Only the certified version of the application based on Astra Linux is supported.
• Only the non-high-availability version of the application is supported.
• You can configure integration only with an external KSMG system. For more details on integration, see KSMG Help.
• You can use the distributed solution mode only if you are using the KSMG integration.

For the Sandbox component to work, the following requirements must be met:

• Nested virtualization must be enabled for the virtual machine.
• The network interface settings must be correctly configured to provide Internet access to objects being processed.

  Windows images can only be activated if the network interface is configured correctly.

• The network interface used for Internet access of processed objects must be isolated from the local network of your organization.
• The network interface used by processed objects for Internet access must be connected to a subnet that is not the same as the subnet to which the control interface is connected.
• We do not recommend using a static public IP address for the network interface that handles Internet access of the objects being processed.

[Topic 247274]

Restrictions

Limitations that apply when deploying the Central Node component as a cluster:

1. A Central Node cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can scale the cluster to increase the amount of traffic handled or the number of connected hosts in accordance with the Sizing Guide.
2. It is recommended to add servers with the same hardware configuration to the cluster. Otherwise, a proportional increase in performance is not guaranteed.
3. Adding an extra server to the cluster does not speed up the processing of objects that are already in the scan queue.
4. The web interface of the application can be temporarily unavailable if the server on which it is hosted fails.
5. If the processing server fails, you may lose ICAP, POP3, and SMTP traffic data as well as the copies of emails that are waiting to be processed and the detections associated with them.
6. If the processing server is configured to receive mirrored traffic from SPAN ports, then SPAN traffic is not processed if this server fails.
7. If one of the cluster servers fails or the connection between the server and the Endpoint Agent component is temporarily lost, data in the event database can temporarily become desynchronized.
8. If the configuration of the cluster servers is changed, processing of traffic and events from computers with the Endpoint Agent component may be temporarily slowed down.

Limitations that apply to the Sensor component:

1. Only Sensor components installed on standalone servers can be used to capture network traffic at the maximum speed of 10 Gbps.
2. Capturing FTP traffic at the maximum speed of 10 Gbps can result in a high level of loss.
3. Real-time ICAP traffic scanning on standalone servers with the Sensor component can only be configured in Technical Support Mode.

Limitations that apply to the Sandbox component:

1. The following versions of operating systems are supported for custom images:
   • Windows XP SP3 or later
   • Windows 7
   • Windows 8.1 64-bit
   • Windows 10 64-bit (up to version 1909)
2. Only English and Russian localizations are fully supported for custom operating system images.
3. License keys for activating the operating systems and software are not provided.
4. If some of the operating systems selected in the set of operating systems on the Central Node server are not installed on the Sandbox server, Kaspersky Anti Targeted Attack Platform does not send objects to the Sandbox component for scanning. If multiple servers with the Sandbox component are connected to the server with the Central Node component, the application sends objects to those servers whose installed operating systems match the set selected on the Central Node.

Limitations that apply when integrating with Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows:

1. Tasks for getting RAM dumps and disk images can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows.
2. Tasks for getting process memory dumps, NTFS metafiles, and registry keys can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows or Kaspersky Endpoint Security 12.1 or later for Windows.
3. The task of scanning hosts using YARA rules can only be assigned to computers with Kaspersky Endpoint Agent 3.14 or later for Windows and Kaspersky Endpoint Security 12.1 or later for Windows. If you simultaneously assign a task to computers with Kaspersky Endpoint Agent version 3.14 or later, and to computers with earlier versions of that application, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later.
4. If autorun points are selected as the scan scope, the task runs only on computers with Kaspersky Endpoint Agent 3.14 or later and Kaspersky Endpoint Security 12.1 or later for Windows.

Limitations that apply when integrating with Kaspersky Endpoint Security for Linux:

1. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 11.4:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 11.4 for Linux applications.

2. The following functionality is not available for computers running Kaspersky Endpoint Security for Linux 12:
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Linux applications.

3. The list of events that Kaspersky Endpoint Security 11.4 or 12 for Linux logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • System event log
   • Scan: detection
   • Scan: detection processing result
4. The list of tasks that you can create on computers running Kaspersky Endpoint Security 11.4 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
5. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Linux is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
   • Delete file
   • Kill process
6. In information about events registered in the event database by Kaspersky Endpoint Security 11.4 or 12 for Linux, the Time created field displays file modification time.

Limitations that apply when integrating with Kaspersky Endpoint Security 12 for Mac:

1. The following functionality is not available for computers running Kaspersky Endpoint Security 12 for Mac:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on computers with Kaspersky Endpoint Security 12 for Mac applications.

   • Finding indicators of compromise on computers using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on computers with Kaspersky Endpoint Security 12 for Mac applications.

2. The list of events that Kaspersky Endpoint Security 12 for Mac logs in the event database is limited to the following types:
   • File modified
   • Process started
   • Process completed
   • Scan: detection
   • Scan: detection processing result
3. The list of tasks that you can create on computers running Kaspersky Endpoint Security 12 for Mac is limited to the following types:
   • Get file

     When you create the task, the application does not attempt to verify the path to the executable file or the file that you want to retrieve.

   • Run application
4. In information about events registered in the event database by Kaspersky Endpoint Security 12 for Mac, the Time created field displays file modification time.

Limitations of Kaspersky Endpoint Agent 3.16 for Windows:

You can view the list of limitations of Kaspersky Endpoint Agent 3.16 for Windows in the Kaspersky Endpoint Agent for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12.5 for Windows:

You can view the list of limitations of Kaspersky Endpoint Security 12.5 for Windows in the Kaspersky Endpoint Security for Windows Online Help.

Limitations of Kaspersky Endpoint Security 12 for Linux:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Linux in the Kaspersky Endpoint Security for Linux Release Notes.

Limitations of Kaspersky Endpoint Security 12 for Mac:

You can view the list of limitations of Kaspersky Endpoint Security 12 for Mac in the Kaspersky Endpoint Security for Mac Online Help.

[Topic 159935]

Data provision

The operation of certain components of Kaspersky Anti Targeted Attack Platform requires data processing on the Kaspersky side. Components do not send data without the consent of the administrator of Kaspersky Anti Targeted Attack Platform.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

• In the End User License Agreement (for example, during installation of the application).

  According to the terms of the End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under Data Provision. The End User License Agreement is included in the application distribution kit.

• In the KSN Statement (for example, during installation of the application or in the administrator menu after installation).

  When you participate in Kaspersky Security Network, information obtained as a result of Kaspersky Anti Targeted Attack Platform operation is automatically sent to Kaspersky. The list of transmitted data is specified in the KSN Statement. The Kaspersky Anti Targeted Attack Platform user independently decides on his/her participation in KSN. The KSN Statement is included in the application distribution kit.

  Before KSN statistics are sent to Kaspersky, they are accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components.

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is sent over encrypted communication channels.

When using Kaspersky Private Security Network, Kaspersky is not sent information about the operation of Kaspersky Anti Targeted Attack Platform. However, KSN statistical data is accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components to the same extent as when using Kaspersky Security Network. This accumulated KSN statistical data may be transmitted beyond the perimeter of your organization if a server with the Kaspersky Private Security Network application is located outside of your organization.

The Kaspersky Private Security Network administrator must personally ensure the security of such data.

[Topic 242920]

Service data of the application

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Service data of Kaspersky Anti Targeted Attack Platform include:

• Data on user accounts.
• Information about computers connected to the Central Node component on which the Endpoint Agent component is installed.
• Data about presets and prevention rules.
• Information about tasks assigned to computers with the Endpoint Agent component.
• Data about TAA (IOA) user-defined rules.
• Data about user IDS user-defined rules.
• Data about IOC user-defined rules.
• Data on network isolation rules.
• Data about scan exclusions.
• Data on report templates.
• Information about Endpoint Agent component certificates.

  The above data is stored indefinitely on the server hosting the Central Node component in the / data directory if the Central Node component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• System event log

  OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

• Log with information about the application operation.

  The log file is stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• File scan queue.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

• Files received from computers with the Endpoint Agent component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files with YARA and IDS rules (user-defined and from Kaspersky).

  Files are stored indefinitely in the /data directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Files with data about alerts sent to external systems.

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Artifacts of the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files for which alerts were created by the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Certificate files used for the authentication of application components.

  Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

• Encryption keys that are transmitted between application components.

  Files are stored indefinitely in the /data directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with the Endpoint Agent component.

• Copies of raw network traffic.

  Files are stored in storage mounted on the server with the Sensor component. Data is deleted as disk space becomes full.

• ICAP exclusion filters

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

The application stores the following information about user accounts:

• Account ID.
• Account name.
• The hash and salt of the account password.
• Domain name of the user.
• Account role.
• Account status.
• Access rights to tenants in distributed solution and multitenancy mode.
• ID of the tenant in distributed solution and multitenancy mode.

The application stores the following information about computers connected to the Central Node component on which the Endpoint Agent component is installed:

• ID of the computer assigned by Kaspersky Security Center.
• Computer name.
• IP address of the computer.
• The operating system used on the computer.
• The version of the application that fills the role of the component.
• Self-Defense status.
• Date and time when the first and last telemetry packet were sent to the Central Node component.
• Date and time of the last IOC scan run.
• Result of the last IOC scan run.
• Status of the license on the host.

The application stores the following information about the prevention rules:

• MD5 or SHA256 hash of the file that is prevented from running.
• The account name of the user who created the prevention rule.
• The account name of the user who changed the prevention rule.
• List of computers on which the file is prevented from running.
• Prevention rules change log.
• Prevention rule creation date and time.
• Date and time of prevention rule modification.
• Name of the prevention rule.
• Attribute indicating whether the user must be notified about file start being blocked.

The application stores the following information about tasks assigned to computers with the Endpoint Agent component:

• Task type.
• Computer name.
• IP address of the computer.
• Task creation date and time.
• Task expiration date.
• Name of the user account that created the task.
• Task settings data.
• Task report data.
• Task comments.

The application stores the following information about TAA (IOA) user-defined rules:

• Rule name.
• Source code of the request being scanned.
• Rule ID.
• Rule status.
• Rule creation date and time.
• The importance that was specified when the rule was added.
• Level of confidence that depends on the likelihood of false alarms as defined by the user when the rule was added.

The application stores the following information about IDS user-defined rules:

• Account name of the user who uploaded the rules file.
• Date and time when the rule file was uploaded.
• Status of the rule.
• Importance specified in the rule file.

The application stores the following information about IOC user-defined rules:

• Account name of the user who uploaded the rules file.
• Name of the IOC file.
• Contents of the IOC file.
• Date and time when the IOC file was uploaded.
• Status of the IOC rule.
• Importance as specified in the IOC file.
• Description of the IOC rule.

The application stores the following information about YARA user-defined rules:

• Account name of the user who uploaded the rules file.
• Contents of the YARA file.
• Date and time when the YARA file was uploaded.
• Name of the file containing YARA rules.
• Importance.
• Status of the YARA rule.

The application stores the following information about network isolation rules:

• Account name of the user that enabled network isolation.
• ID of the isolated computer.
• Rule name.
• Rule status.
• List of resources excluded from network isolation.
• Date and time when the network isolation rule was modified.
• State of the rule.
• Expiration date of the network isolation rule.

The application stores the following information about scan exclusions:

• Account name of the user that added the exception.
• List of objects excluded from the scan.
• Rule exception ID.
• Name of the exclusion.
• Date and time when the exclusion was created.

The application stores the following information about report templates:

• ID of the user account that created or modified the template.
• Template creation date.
• Date of last modification of the template.
• Text of the template as HTML code.
• Name of the template.

The application stores the following information about Endpoint Agent component certificates:

• Account name of the user who uploaded the certificate file.
• Digest of the certificate.
• Serial number of the certificate.
• Public key.
• Expiration date of the certificate.

The application stores the following information about Sandbox scan rules:

• State of the rule
• Type of the rule
• Masks of included objects
• Masks of excluded objects
• Size of scanned files
• Rule creation date and time
• ID of the virtual machine where the rule is assigned

The application stores the following information about the virtual machine configuration:

• IP address of the server hosting the Sandbox component
• List of virtual machines

[Topic 176644]

Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

[Topic 197172]

Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server with the Sensor component or on the server with Sensor and Central Node components if Sensor and Central Node are installed on the same server or deployed as a cluster.

Traffic data is recorded and stored in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached (you can configure this setting)
• The configured time interval has elapsed (you can configure this setting)
• The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform application is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

• Information related to alerts generated by the Targeted Attack Analyzer technology
• PCAP files in which:
  • Source or destination IP address matches an IP address from the alert
  • Traffic data belongs to the time period within 15 minutes from the alert time

Filtered traffic data is moved to a separate section. The rest of the traffic data (that do not satisfy filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The application stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached
• The configured time interval has elapsed

Filtered data traffic is stored for the last 24 hours. Older data is deleted.

[Topic 247484]

Data in alerts

Alerts may contain user data. If Central Node is installed on a server, information about alerts and files that caused an alert when scanned is stored on the Central Node server in the /data directory. If Central Node is installed as a cluster, information about alerts and files that caused an alert when scanned is stored in ceph storage.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

The following information is stored in all alerts:

• Date and time of detection.
• Date and time of alert modification.
• Category of the detected object.
• Name of the detected file.
• Alert source.
• Detected URL.
• MD5 and SHA256 hash of the detected file.
• User comments added to the alert information.
• ID of the TAA (IOA) rule by which the alert was generated.
• IP address and name of the computer on which the alert was generated.
• ID of the computer on which the alert was generated.
• User agent.
• The user account to which the alert was assigned.
• List of files.

When an alert is changed, the following information is stored on the server:

• The user account that modified the alert.
• The user account to which the alert was assigned.
• Date and time of alert modification.
• Alert status.
• User comment.

If an email message was detected, the following information may be stored on the server:

• Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• All service headers of the message (as they appear in the message).

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• The URI of the transferred resource.
• Information about the proxy server.
• Unique ID of the email message.
• Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• List of detected objects.
• Time of network connection.
• URL of network connection.
• User agent.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• Transmitted data.
• Data transfer time.
• URL extracted from the file containing the traffic, User Agent, and method.
• File containing the traffic where the alert occurred.
• Object category based on the IDS database.
• Name of the custom IDS rule that was used to generate the alert.
• HTTP request body.
• List of alerts.

If the alert was generated using YARA rules, the following information can be stored on the server:

• Version of YARA rules that was used to generate the alert.
• Category of the detected object.
• Name of the detected object.
• MD5 hash of the detected object.
• Date and time when the object was detected.
• Additional information about the alert.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

• Version of the application databases used to generate the alert.
• Category of the detected object.
• Names of detected objects.
• MD5 hashes of detected objects.
• Information about detected objects.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

• Date and time of scan completion.
• IDs of the computers on which the alert was generated.
• Name of TAA (IOA) rule.
• Name of the IOC file.
• Information about detected objects.
• List of hosts with the Endpoint Agent component.

If the alert was generated by Anti-Malware Engine technology, the following information may be stored on the server:

• Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
• Category of the detected object.
• List of detected objects.
• MD5 hash of detected objects.
• Additional information about the alert.

If the alert was generated as a result of a rescan, the following information may be stored on the server:

• File name.

If the alert was generated as a result of scanning a file, the following information may be stored on the server:

• Full name of the detected file.
• MD5 and SHA256 hash of the detected file.
• Size of the detected file.
• Information about the signature of the file.

If the alert was generated as a result of scanning FTP traffic, the following information may be stored on the server:

• URI of the FTP request.

If the alert was generated as a result of scanning HTTP traffic, the following information may be stored on the server:

• URI of the HTTP request.
• URI of the request source.
• User agent.
• Information about the proxy server.

[Topic 247485]

Data in events

Events may contain user data. If Central Node is installed on a server, information about occurred events is stored in the /data directory. If Central Node is installed as a cluster, the information is stored in ceph storage.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Event data can contain information related to the following:

• Name of the computer where the event occurred.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Name of the user account under which the event occurred.
• Name of the group that the user belongs to.
• Event type.
• Event time.
• Information about the file for which the event was logged: name, path, full name.
• MD5 and SHA256 hash of the file.
• File creation time.
• File modification time.
• File access rights.
• Environment variables of the process.
• Command-line parameters.
• Text of the command entered into the command line.
• Local IP address of the adapter.
• Local port.
• Remote host name.
• Remote host IP address.
• Port on the remote host.
• URLs and IP addresses of visited websites, and links from these websites.
• Network connection protocol.
• HTTP request method.
• HTTP request header.
• Information about Windows registry variables: path to the variable, variable name, variable value.
• Contents of a script or binary file sent for AMSI scanning.
• Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.

[Topic 247486]

Data in reports

Reports may contain user data. If the Central Node component is installed on a server, information about occurred events is stored in the /data directory indefinitely. If Central Node is installed as a cluster, the information is stored in ceph storage indefinitely.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Reports may contain the following information:

• Report creation date.
• Time period covered in the report.
• ID of the user account that generated the report.
• Report status.
• Text of the report as HTML code.
• Description.
• Name of the template that the report was generated from.

[Topic 247487]

Data on objects in Storage and Quarantine

Objects in Storage and quarantine may contain user data. If the Central Node component is installed on a server, information about objects in Storage and copies of objects quarantined on computers with Kaspersky Endpoint Agent, which were saved on the server using the Get file task, is stored in the /data directory. If the Central Node component is installed as a cluster, information about objects in Storage and copies of objects quarantined on computers with Kaspersky Endpoint Agent, which were saved on the server using the Get file task, is stored in ceph storage.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Data on objects in Storage and quarantine may contain the following information:

• Name of the object.
• Path to the object on the computer with Kaspersky Endpoint Agent.
• MD5 and SHA256 hash of the file.
• ID of the user who quarantined the object on the computer with Kaspersky Endpoint Agent.
• ID of the user who placed the object in Storage.
• IP address of the computer on which the quarantined object is stored.
• Name of the computer on which the quarantined object is stored.
• Unique ID of the computer on which the quarantined object is stored in Storage.
• ID of the TAA (IOA) rule by which the alert was generated.
• Category of the detected object.
• Results for the object scanned using individual modules and technologies of the application.
• File download time.
• Metadata of scanned files and their sources.
• Resulting status of the object in Storage.

[Topic 176763]

Sandbox component data

For the processing time, the body of the file sent by the Central Node component is saved in open form on the server hosting the Sandbox component. During processing, the server administrator can access the sent file in Technical Support Mode. The scanned file is deleted by a special script according to the schedule. Once every 60 minutes by default.

Information about the data stored on the server with the Sandbox component is provided in the table below.

Data stored on the server with the Sandbox component

[Topic 247488]

Data transmitted between application components

Central Node, Kaspersky Endpoint Agent for Windows, Kaspersky Endpoint Security for Windows

The Kaspersky Endpoint Agent for Windows and Kaspersky Endpoint Security for Windows applications send the following to the Central Node component: reports about running tasks, information about events and alerts that occurred on computers running these applications, and information about terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Windows or Kaspersky Endpoint Security for Windows is removed from the computer, but no longer than 21 days.

If an event occurred on the user's computer, the applications send the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type of the operating system installed on the host.
2. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5- and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
3. Registry monitoring event.
   • Details of the process that modified the registry: Process ID, process file name, and MD5- and SHA256 hash of the process file.
   • Path to the registry key.
   • Registry value name.
   • Registry value data.
   • Registry value type.
   • Previous path to the registry key.
   • Previous registry value data.
   • Previous registry value type.
4. Driver loading event.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5- and SHA256 hash of the file.
   • File size.
   • Date of file creation and modification.
5. Listening port opening event.
   • Details of the process that opened the listening port: process file name, and MD5- and SHA256 hash of the process file.
   • Port number.
   • Adapter IP address.
6. Event in the operating system log.
   • Time of the event, host on which the event occurred, and user account name.
   • Event ID.
   • Channel/log name.
   • Event ID in the log.
   • Provider name.
   • Authentication event subtype.
   • Domain name.
   • Remote IP address.
   • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
   • Event body fields: AccessList, AccessFiles mask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
7. Process start event.
   • Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
   • UniquePID.
   • Process start options.
   • Process start time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
8. Process stop event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
   • UniquePID.
   • Process start options.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
9. Module loading event.
   • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5- and SHA256 hash of the file, and file size.
   • DLL name.
   • Path to DLL.
   • DLL full name.
   • MD5 or SHA256 hash of the DLL.
   • DLL size.
   • Date of DLL creation and modification.
   • Name of the organization that issued the digital certificate of the DLL.
   • DLL digital signature verification result.
10. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Command-line parameters.
11. File startup blocking event.
    • Details of the file that attempted to open: file name, file path, full name of the file, MD5- and SHA256 hash of the file, type of checksum used for file size blocking (0 – MD5, !=0 – SHA256, not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5- and SHA256 hash of the file, PID, and UniquePID.
12. Event of Kaspersky Endpoint Security for Windows.
    • Scan result.
    • Name of the detected object.
    • ID of the record in application databases.
    • Release time of the application databases with which the alert was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process start command line.
    • Reason for the error when processing the object.
    • Contents of the script scanned using AMSI.
13. AMSI scan event.
    • Contents of the script scanned using AMSI.

Central Node, Kaspersky Endpoint Security for Linux

Kaspersky Endpoint Security for Linux sends the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with this application, and information about terminal sessions.

If there is no connection with the Central Node component, all pending information is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Security for Linux is removed from the computer, but no longer than 21 days.

If an event occurs on the user's computer, Kaspersky Endpoint Security for Linux sends the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type and version of the operating system that is installed on the host.
   • Name of the host that was used to remotely log in to the system.
   • Name of the user assigned when registering in the system.
   • Group to which the user belongs.
   • User name that was used to log in to the system.
   • Group of the user whose name was used to log in to the system.
   • Name of the user who created the file.
   • Name of the group whose users can modify or delete the file.
   • Permissions that can be used to gain access to the file.
   • Inherited privileges of the file.
2. Process start event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
   • UniquePID.
   • Command that was used to start the process.
   • Process type.
   • Environment variables of the process.
   • Process start time.
   • Process end time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
3. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • File type.
   • MD5- and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
4. Event in the operating system log.
   • Event time.
   • Event type.
   • Result of the operation.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
5. Process stop event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
   • UniquePID.
   • Process start options.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
6. Event of Kaspersky Endpoint Security for Linux.
   • Scan result.
   • Name of the detected object.
   • ID of the record in application databases.
   • Release time of the application databases with which the alert was generated.
   • Object processing mode.
   • Category of the detected object (for example, name of a virus).
   • MD5 hash of the detected object.
   • SHA256 hash of the detected object.
   • Unique ID of the process.
   • PID of the process.
   • Process start command line.
   • Reason for the error when processing the object.

Central Node, Kaspersky Endpoint Security for Mac

Kaspersky Endpoint Security for Mac sends the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with this application.

If there is no connection with the Central Node component, all pending information is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Security for Mac is removed from the computer, but no longer than 21 days.

If an event occurs on the user's computer, Kaspersky Endpoint Security for Mac sends the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type and version of the operating system that is installed on the host.
   • Name of the host that was used to remotely log in to the system.
   • Name of the user assigned when registering in the system.
   • Group to which the user belongs.
   • User name that was used to log in to the system.
   • Group of the user whose name was used to log in to the system.
   • Name of the user who created the file.
   • Name of the group whose users can modify or delete the file.
   • Permissions that can be used to gain access to the file.
2. Process start event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
   • UniquePID.
   • Command that was used to start the process.
   • Process type.
   • Environment variables of the process.
   • Process start time.
   • Process end time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
3. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • File type.
   • MD5- and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
4. Process stop event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
   • UniquePID.
   • Process start options.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
5. Event of Kaspersky Endpoint Security for Mac.
   • Scan result.
   • Name of the detected object.
   • ID of the record in application databases.
   • Release time of the application databases with which the alert was generated.
   • Object processing mode.
   • Category of the detected object (for example, name of a virus).
   • MD5 hash of the detected object.
   • SHA256 hash of the detected object.
   • Unique ID of the process.
   • PID of the process.
   • Process start command line.
   • Reason for the error when processing the object.

Central Node and Sandbox

The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.

Central Node and Sensor

The application may transmit the following data between Central Node and Sensor components:

• Files and email messages.
• Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
• License information.
• List of data excluded from the scan.
• Data of the Endpoint Sensors application, if integration with a proxy server has been configured.
• Application databases, if receiving database updates from the Central Node component is configured.

Servers with PCN and SCN roles

If the application is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:

• Data on alerts.
• Data on events.
• Data on tasks.
• Data on policies.
• Data on scans using IOC, TAA (IOA), IDS, YARA user rules.
• Data on files in Storage.
• Data on user accounts.
• About the license.
• The list of computers with the Endpoint Agent component.
• Objects placed in Storage.
• Objects quarantined on computers with the Endpoint Agent component.
• Files attached to alerts.
• IOC and YARA files.

[Topic 242956]

Data contained in application trace files

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the application installed may be granted access to the personal data of other users.

Trace files can include any personal data of the user or confidential data of your organization. Files are stored in the /data/var/log/kaspersky directory indefinitely.

[Topic 247138]

Data of Kaspersky Endpoint Agent for Windows

You can view detailed information about Kaspersky Endpoint Agent data that is stored and processed locally in the Online Help of the application:

• Data in requests to the KATA Central Node component.
• Service data.
• Data contained in trace files and dumps.
• Information about acceptance of the KSN Statement.
• Windows Event Log event data.

[Topic 194532]

Data received from the Central Node component

Kaspersky Endpoint Agent saves the values of settings received from the Central Node component on the hard disk of the computer. Data is saved in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

The data is deleted when Kaspersky Endpoint Agent is removed.

Data received from the Central Node component may contain the following information:

• Data on network connections.
• Data on the operating system that is installed on the server with the Central Node component.
• Data on operating system user accounts.
• Data on user sessions in the operating system.
• Data on Windows event log.
• About a RT_VERSION resource.
• About the contents of a PE file.
• About operating system services.
• Certificate of the server with the Central Node component.
• URL- and IP addresses of visited websites.
• HTTP protocol headers.
• Computer name.
• MD5 hashes of files.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Names and values of Windows registry keys.
• Paths to Windows registry keys.
• Names of Windows registry variables.
• Name of the local DNS cache entry.
• Address from the local DNS cache entry in IPv4 format.
• IP address or name of the requested host from the local DNS cache.
• Host of the local DNS cache element.
• Domain name of the local DNS cache element.
• Address of the ARP cache element in IPv4 format.
• Physical address of the ARP cache element.
• Serial number of the logical drive.
• Home folder of the local user.
• Name of the user account that started the process.
• Path to the script that is run when the user logs in to the system.
• Name of the user account under which the event occurred.
• Name of the computer where the event occurred.
• Full paths to files on computers with Kaspersky Endpoint Agent.
• Names of files on computers with Kaspersky Endpoint Agent.
• Masks of files on computers with Kaspersky Endpoint Agent.
• Full names of folders on computers with Kaspersky Endpoint Agent.
• Comments of the file publisher.
• Mask of the process file image.
• Path to the process file image that opened the port.
• Name of the process that opened the port.
• Local IP address of the port.
• Trusted public key of the digital signature of executable modules.
• Process name.
• Process segment name.
• Command-line parameters.

[Topic 194534]

Data in alerts and events

Event data is saved in binary form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata in open non-encrypted form.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

• Data on executable modules.
• Data on network connections.
• About the operating system that is installed on the computer with Kaspersky Endpoint Agent.
• Data on user sessions in the operating system.
• Data on operating system user accounts.
• Data on Windows event log.
• About alerts of Kaspersky Endpoint Security for Windows.
• About organizational units (OU) of Active Directory.
• HTTP protocol headers.
• Fully qualified domain name of the computer.
• MD5- and SHA256 hash of files and their fragments.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Unique IDs of certificates.
• Certificate publisher.
• Certificate subject.
• Name of the algorithm used to generate the certificate fingerprint.
• Address and port of the local network interface.
• Address and port of the remote network interface.
• Application vendor.
• Application name.
• Name of the Windows registry variable.
• Path to the Windows registry key.
• Windows registry variable data.
• Name of the detected object.
• Kaspersky Security Center Network Agent ID.
• Contents of the hosts file.
• Process start command line.

[Topic 194535]

Data contained in task completion reports

Prior to being sent to the Central Node component, the reports and relevant files are temporarily saved on the hard disk of the computer with the Kaspersky Endpoint Agent application. The task completion reports are saved in archived non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Task completion reports contain the following information:

• Data on task output.
• Data on executable modules.
• Data on operating system processes.
• Data on user accounts.
• Data on user sessions.
• Fully qualified domain name of the computer.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Files of the computer with Kaspersky Endpoint Agent.
• Names of
  alternate streams of NTFS

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  .
• Full paths to files on the computer with Kaspersky Endpoint Agent.
• Full names of folders on the computer with Kaspersky Endpoint Agent.
• Content of the process standard output.
• Content of the process standard error stream.

[Topic 194536]

Data contained in an install log

The administrator can enable the Kaspersky Endpoint Agent installation log (using the msiexec standard procedure) during installation using the command line. The administrator shows the path to the file where the install log will be saved.

The log records installation process steps and the msiexec command line containing the address of the server hosting the Central Node component and the path to the install log file.

[Topic 194537]

Data on files that are blocked from starting

Data on files that are blocked from starting is stored in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data on files that are blocked from starting may contain the following information:

• Full path to the blocked file.
• MD5 hash of the file.
• SHA256 hash of the file.
• Process start command.

[Topic 194538]

Data related to the performance of tasks

When performing a task for placing a file in quarantine, the archive containing this file is temporarily saved in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

When performing an application run task on a host, Kaspersky Endpoint Agent locally stores the contents of standard output streams and errors of the running process in plain unencrypted form until the task completion report is sent to the Central Node component. Files are stored in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

[Topic 247291]

Kaspersky Endpoint Security for Windows data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application:

• Provision of data under the End User License Agreement.
• Provision of data when Kaspersky Security Network is used.
• Compliance with European Union law (GDPR).

[Topic 247292]

Kaspersky Endpoint Security for Linux data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.

[Topic 266400]

Kaspersky Endpoint Security for Mac data

For detailed information about data transmitted by Kaspersky Endpoint Security, see the Online Help of the application.

[Topic 226747]

Application licensing

This section covers the main aspects of Kaspersky Anti Targeted Attack Platform licensing.

[Topic 176696]

About the End User License Agreement

The End User License Agreement (EULA) is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can view the terms of the End User License Agreement (EULA) in the following ways:

• During installation of Kaspersky Anti Targeted Attack Platform.
• By reading the text named /EULA/License.<language>.

  This file is included in the application distribution kit.

• In the application web interface, in the Settings section, License subsection, by clicking the License agreement button.
• In the web interface of the Sandbox component, in the menu, by clicking the End User License Agreement link.

By confirming that you agree with the End User License Agreement when installing the application, you signify your acceptance of the terms of the EULA. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

[Topic 174984]

About the license

A license is a limited-time right to use Kaspersky Anti Targeted Attack Platform granted under the terms and conditions of the End User License Agreement (EULA).

The list of available functionality and the period for which you can use the application depend on the license under which you are using the application.

Kaspersky Anti Targeted Attack Platform provides the following types of licenses:

• NFR (not for resale) is a free license for a set period, intended to familiarize the user with the application and to carry out test deployments.
• Commercial—Paid license that is provided when you buy the application.

When the license expires, the application continues to work but with limited functionality. To use the application full functionality, you must purchase a commercial license or renew a commercial license.

In the current version of Kaspersky Anti Targeted Attack Platform, the available functionality of the application also depends on the type of key installed.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may be unavailable in the territory of the USA.

[Topic 73976]

About the license certificate

The License Certificate is a document provided with the key file or activation code.

The License Certificate contains the following license information:

• License key or order number.
• Details of the license holder.
• Information about the application that can be activated using the license.
• Limitation on the number of licensing units (devices on which the application can be used under the license).
• License start date.
• License expiration date or license validity period.
• License type.

[Topic 195361]

About the key

A license key is a sequence of bits used to activate and use the application in accordance with the End User License Agreement. A license key is generated by Kaspersky.

To add a key to the application, upload the key file.

Kaspersky can block a key over violations of the End User License Agreement. If the key has been blocked, you have to add a different key to continue using the application.

In the current version of Kaspersky Anti Targeted Attack Platform, the available functionality of the application depends on the type of the added license key:

• KATA and KEDR keys. Full functionality of the application.
• KEDR key. Receiving and processing of data from network traffic and mail traffic is limited.
• KATA key. The web interface sections Threat Hunting, Tasks, Prevention, Custom rules, Storage, and Endpoint Agents have limited functionality.

Page top

[Topic 174986]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are designed to activate the application by adding a license key.

After purchasing the application or ordering the trial version of the application, you receive a key file at the email address you specified.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To restore a key file, contact the vendor of the license.

[Topic 247489]

Viewing information about the license and added keys in the web interface of the Central Node

In

distributed solution

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).