[Topic 194458]

Kaspersky Anti Targeted Attack Platform Help

New functions

• What's new in the Kaspersky Anti Targeted Attack Platform
  
  

Hardware and software requirements

• Hardware and software requirements for computers to work with the program through the web interface
• Compatibility of the Kaspersky Anti Targeted Attack Platform with the Kaspersky Endpoint Agent for Windows and Linux
  
  

Licensing

• Licensing the Kaspersky Anti Targeted Attack Platform
  
  

Getting started

• Distributed solution and multitenancy
• Sizing the Kaspersky Anti Targeted Attack Platform
• Installation and initial configuration of the Kaspersky Anti Targeted Attack Platform
• Configuring the integration of Kaspersky Anti Targeted Attack Platform with Kaspersky Endpoint Agent
  
  

Getting started in the Kaspersky Anti Targeted Attack Platform web interface

• Getting started in the web interface of the program - For an administrator
• Getting started in the web interface of the program - For a security officer
  
  

Additional features

• Managing the Sandbox component through the web interface
• Managing Kaspersky Endpoint Agent for Windows
• Managing Kaspersky Endpoint Agent for Linux
• Interaction with external systems via API
  
  

Update

• Updating the previous version of the Kaspersky Anti Targeted Attack Platform
  
  

Contacting the Technical Support Service

• How to obtain Technical Support
  
  

[Topic 194459]

Kaspersky Anti Targeted Attack Platform

Kaspersky Anti Targeted Attack Platform (hereinafter also referred to as "the program") is a solution designed for the protection of a corporate IT infrastructure and timely detection of threats such as zero-day attacks, targeted attacks, and complex targeted attacks known as advanced persistent threats (hereinafter also referred to as "APT"). The program is developed for corporate users.

Kaspersky Anti Targeted Attack Platform includes two functional blocks:

• Kaspersky Anti Targeted Attack (hereinafter also referred to as "KATA"), which provides perimeter security for the enterprise IT infrastructure.
• Kaspersky Endpoint Detection and Response (hereinafter also referred to as "KEDR"), which provides protection for the local area network of the organization.

The program can receive and process data in the following ways:

• Integrate into the local area network, receive and process mirrored
  SPAN, ERSPAN and RSPAN traffic

  A copy of traffic redirected from one switch port to another port of the same switch (local mirroring) or to a remote switch (remote mirroring). The network administrator can configure which part of traffic should be mirrored for transmission to Kaspersky Anti Targeted Attack Platform.

  , and extract objects and metadata from the HTTP, FTP, SMTP, and DNS protocols.
• Connect to the proxy server via the ICAP protocol, receive and process data of HTTP and FTP traffic, as well as HTTPS traffic if the administrator has configured SSL certificate replacement on the proxy server.
• Connect to the mail server via the POP3 (S) and SMTP protocols, receive and process copies of e-mail messages.
• Integrate with Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, receive, and process copies of email messages.

  For detailed information on Kaspersky Secure Mail Gateway and Kaspersky Security for Linux Mail Server, please refer to the documentation on these programs.

• Integrate with Kaspersky Endpoint Agent and receive data from individual computers running Microsoft Windows and Linux operating systems in the corporate IT infrastructure. Kaspersky Endpoint Agent continuously monitors processes running, active network connections, and files that are being modified on those computers.
• Integrate with external systems with the use of the REST API interface and scan files on these systems.

The program uses the following means of Threat Intelligence:

• Infrastructure of Kaspersky Security Network (also referred to as "KSN") cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky programs to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
• Integration with Kaspersky Private Security Network (KPSN) to access the reputation databases of Kaspersky Security Network and other statistical data without sending data from user computers to Kaspersky Security Network.
• Integration with the Kaspersky information system known as Kaspersky Threat Intelligence Portal, which contains and displays information about the reputation of files and URLs.
• The Kaspersky Threats database.

The program can provide the user with the results of its performance and Threat Intelligence in the following ways:

• Display the results of work done in the web interface of the Central Node, Primary Central Node (hereinafter also PCN) or Secondary Central Node (hereinafter also SCN) servers.
• Publish alerts to a SIEM system already being used in your organization via the Syslog protocol.
• Integrate with external systems via the REST API and send information on detects to external systems on demand.
• Publish information on Sandbox component alerts in the
  local reputation database of Kaspersky Private Security Network

  Database of the reputations of objects (files or URLs) that is stored on the Kaspersky Private Security Network server but not on Kaspersky Security Network servers. Local reputation databases are managed by the KPSN administrator.

  .

Users with the Senior security officer or Security officer role can perform the following actions in the program:

• Monitor program performance.
• View the table of detected signs of targeted attacks and intrusions into the corporate IT infrastructure, filter and search alerts, view and manage each alert, and follow recommendations for evaluating and investigating incidents.
• Look through the table of events occurring on computers and servers of the corporate IT infrastructure, search for threats, filter, view and manage each event, follow recommendations for evaluating and investigating incidents.
• Run tasks on hosts with Kaspersky Endpoint Agent: run programs and stop processes, download and delete files, quarantine objects on Kaspersky Endpoint Agent workstations, place copies of files in Storage, and restore files from quarantine.
• Set up policies for preventing the running of files that they consider to be unsafe on selected hosts with Kaspersky Endpoint Agent.
• Isolate separate hosts with Kaspersky Endpoint Agent from the network.
• Work with TAA (IOA) rules to classify and analyze events.
• Manage user-defined Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA rules — upload rules to be used for scanning events and creating alerts.
• Work with OpenIOC compliant files (IOC files) to search for signs of targeted attacks, infected and probably infected objects on hosts with the Endpoint Agent component and in the Alerts database.
• Exclude TAA (IOA) rules and IDS rules defined by Kaspersky from scanning.
• Manage objects in quarantine and copies of objects in Storage.
• Manage reports on the program performance and on detects.
• Configure forwarding of notifications about alerts and about program operation problems to one or multiple email addresses.
• Manage the list of VIP alerts and the list of data excluded from the scan, and populate the local reputation database of KPSN.

Users with the Security auditor role can perform the following actions in the program:

• Monitor program performance.
• View the table of detected signs of targeted attacks and intrusions into the enterprise IT infrastructure, filter and search alerts, and view the data of each alert.
• Look through the table of events occurring on the computers and servers of the enterprise IT infrastructure, search for threats, filter and view each event.
• View the list of hosts with the Endpoint Agent component and information about selected hosts.
• View the custom rules for Targeted Attack Analyzer TAA (IOA), Intrusion Detection System (IDS), and YARA.
• View the scan-excluded TAA (IOA) rules and IDS rules defined by Kaspersky experts.
• View reports on program performance and reports on alerts.
• View the list of VIP alerts and the list of data excluded from the scan.
• Monitor program performance.
• View all settings made in the program web interface.

Users with the Local administrator or Administrator role can perform the following actions in the program:

• Configure program operation settings.
• Configure servers for the distributed solution and multitenancy mode.
• Administer integration of the program with other programs and systems.
• Manage TLS certificates and set up trusted connections between Central Node and Sandbox servers and between Kaspersky Anti Targeted Attack Platform servers and Kaspersky Endpoint Agent as well as external systems.
• Manage accounts of program users.
• Monitor program performance.

The program detects the following events occurring within the corporate IT infrastructure and notifies the user accordingly:

• A file has been downloaded or an attempt was made to download a file to a corporate LAN computer.
• A file has been sent to the email address of a user on the corporate LAN.
• A website link was opened on a corporate LAN computer.
• Network activity has occurred in which the IP address or domain name of a corporate LAN computer was detected.
• Processes have been started on a corporate LAN computer.

Kaspersky Anti Targeted Attack Platform evaluates events and advises the user to direct attention to each detected event (alert) according to the impact that this alert may have on computer or corporate LAN security based on Kaspersky experience.

The Kaspersky Anti Targeted Attack Platform user independently makes a decision about further actions in response to alerts.

[Topic 194460]

What's new

Kaspersky Anti Targeted Attack Platform now includes the following new functionality and fixes:

1. The Central Node component can be deployed as a fault-tolerant cluster that consists of 2 server roles: storage servers and processing servers. Fault tolerance is achieved through duplication of data between the storage servers and the redundancy of computing resources: if one server fails, its functions are performed by another server with the same role. Meanwhile, the program continues to work.
2. The ability to configure the sizing settings of the program was added. You can specify the planned volume of SPAN traffic, mail traffic, the number of hosts with Kaspersky Endpoint Agent, as well as the planned size of the Storage and event database. The program configures the servers with the Central Node component in accordance with the specified settings.

   A separate web interface is used to configure the sizing settings, called the web interface for sizing management. If the Central Node component is deployed as a cluster, you can also view the list of servers and shut down the cluster using the web interface for sizing management.

3. For the Sandbox component, installation of the Astra Linux 1.7 operating system and running objects in this operating system is supported.

   Using an operating system is optional: you can select a set of operating systems that will be used to generate object scan tasks for the Sandbox component: Windows XP, Windows 7, Windows 10; Windows XP, Windows 7, Windows 10, CentOS 7.8 or Windows XP, Windows 7, Windows 10, Astra Linux 1.7.

   The program can run the following objects in Astra Linux 1.7:

   • Files from Kaspersky Endpoint Agent hosts sent to be scanned by the Sandbox component in accordance with Kaspersky TAA (IOA) rules.
   • Files uploaded to Storage manually or by the Get file task (if that specific object was sent to be scanned).
   • Files received from mail or network traffic.
4. New task functionality for hosts with the Kaspersky Endpoint Agent for Windows component:
   • The task Get disk image was added.

     This task lets you get a disk image of the selected host.

   • The task Get memory dump was added.

     This task lets you get a RAM dump of the selected host.

     The files resulting from the tasks are saved to a shared network resource.

   Adding new task types resulted in the following changes in the program:

   • Data collection tasks are now grouped in the Get data submenu.
   • Renamed task types:
     • Get file → File.
     • Collect data → Forensics.
     • Get registry key → Registry key.
     • NTFS metafiles → NTFS metafiles.
     • Get process memory dump → Process memory dump.
5. New event type added: Process terminated.
6. The program web interface is changed in the following ways:
   • In the network interface settings window, the option to choose how to configure this interface has been added: manually or import settings from a DHCP server.
   • The option to disable synchronization with an NTP-server was removed from the Settings section, subsection Date and time.
   • The option to enter the maximum allowed hard disk space usage for Central Node and Sensor servers was removed.

Kaspersky Endpoint Agent for Windows 3.14 now includes the following new functionality and fixes:

1. Now you can interact with the fault-tolerant clusters of Kaspersky Anti Targeted Attack Platform servers.
2. Now you can create a full memory and a full disk dump of a protected device through the command line interface for further use of Kaspersky Anti Targeted Attack Platform.
3. Introduced Kaspersky Endpoint Agent operation mode in which the program is compatible with Azure WVD.
4. An error related to the possible blocking of files processed by Kaspersky Endpoint Agent is fixed.

Kaspersky Endpoint Agent 3.12 for Linux has the following changes:

Managing the Kaspersky Managed Detection and Response solution is no longer supported. It is not recommended to use Kaspersky Endpoint Agent for Linux to work with this solution. To work with Kaspersky Managed Detection and Response, use Kaspersky Endpoint Security for Linux.

[Topic 157533]

About Kaspersky Threat Intelligence Portal

For additional information about files that you consider to be suspicious, you can go to the website of the Kaspersky application Kaspersky Threat Intelligence Portal, which analyzes each file for malicious code and shows information about the reputation of the file.

Access to the Kaspersky Threat Intelligence application is provided based on a fee. Authorization on the program website requires that a program access certificate is installed in the certificate storage on your computer. In addition, you must have a user name and password for accessing the program.

For more details about the Kaspersky Threat Intelligence Portal, please visit the Kaspersky website.

[Topic 198687]

Distribution kit

The Kaspersky Anti Targeted Attack Platform distribution kit includes the following files:

1. Disk image (file with the iso extension) containing the installation files for the Ubuntu Server 20.04.5 operating system and for the Sensor and Central Node components.
2. Disk image (file with the iso extension) containing the installation files for the CentOS 7.9 operating system and for the Sandbox component.
3. Disk images (files with the .iso extension) of the Windows XP SP3, Windows 7 (64-bit), Windows 10 (64-bit), and CentOS 7.8 operating systems that the Sandbox component will use for running files.

   For Russian users, a disk image with the Astra Linux 1.7 operating system is also supplied.

4. The kata-upgrade-preparation script for updating the Central Node component.
5. File with information about third-party code used in Kaspersky Anti Targeted Attack Platform.

Kaspersky Endpoint Agent distribution kit includes the following files:

Kaspersky Endpoint Agent distribution kit

[Topic 194528]

Hardware and software requirements

One of the following browsers must be installed on the computers in order to configure and work with the application over the web interface:

• Mozilla Firefox for Linux.
• Mozilla Firefox for Windows.
• Google Chrome for Windows.
• Google Chrome for Linux.
• Edge (Windows).
• Safari (Mac).

Minimum screen resolution to use web interface: 1366x768.

Deploying the application on a virtual platform requires installing the VMware ESXi hypervisor version 6.7.0 or 7.0.

For the application to work correctly in a virtual environment, you must install an up-to-date patch for the hypervisor.

The configuration of the servers hosting the Central Node, Sandbox and Sensor components depends on the volume of data processed by the application and the bandwidth of the communication channel.

For the Central Node, Sensor and Sandbox hardware requirements see the Sizing Guide.

[Topic 194529]

Requirements for Kaspersky Endpoint Agent for Windows

This section describes hardware and software requirements of Kaspersky Endpoint Agent 3.14 for Windows.

If the version of Kaspersky Anti Targeted Attack Platform on the Central Node servers is incompatible with the version of Kaspersky Endpoint Agent 3.14 for Windows that is installed on the computers of the corporate LAN, the functionality of Kaspersky Anti Targeted Attack Platform may be limited.

Kaspersky Endpoint Agent for Windows has predefined settings that determine the impact that the application has on the performance of the local computer in scenarios of information retrieval and interaction with the Central Node component.

Software requirements for installing Kaspersky Endpoint Agent 3.14 for Windows

Supported operating systems for workstations:

• Windows 7 SP1 Home / Professional / Enterprise / Ultimate 32-bit / 64-bit
• Windows 8.1.1 Professional / Enterprise 32-bit / 64-bit
• Windows 10 RS3 (version 1703) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 RS4 (version 1803) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 RS5 (version 1809) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 19H1 (version 1903) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 19H2 (version 1909) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 20H1 (version 2004) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 20H2 (version 2009) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 21H1 (version 21H1) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 10 21H2 (version 21H2) Home / Professional / Education / Enterprise 32-bit / 64-bit
• Windows 11 21H2 (version 21H2) Home / Professional / Education / Enterprise 32-bit / 64-bit

Supported server operating systems:

• Windows Server 2008 SP2 Standard / Enterprise 64-bit
• Windows Server 2008 R2 SP1 Foundation / Standard / Enterprise 64-bit
• Windows Server 2012 Foundation / Standard / Enterprise / Datacenter 64-bit
• Windows Server 2012 R2 Foundation / Standard / Enterprise / Datacenter 64-bit
• Windows Server 2016 Essentials / Standard / Datacenter 64-bit
• Windows Server 2019 Essentials / Standard / Datacenter 64-bit
• Windows Server 20H2 Standard Core / Datacenter Core 64-bit
• Windows Server 2022 Standard / Datacenter 64-bit

Supported embedded operating systems:

• Windows Embedded Standard 7 SP1 32-bit / 64-bit.

Software requirements for installing Kaspersky Endpoint Agent 3.14 for Windows when integrating with Kaspersky Industrial CyberSecurity for Nodes

Supported operating systems for workstations:

• Windows XP Professional SP2 32-bit / 64-bit.
• Windows XP Professional SP3 32-bit.
• Windows Vista SP2 32-bit / 64-bit.
• Windows 7 SP1 Home / Pro / Enterprise / Ultimate 32-bit / 64-bit.
• Windows 8 Pro / Enterprise 32-bit / 64-bit.
• Windows 8.1 Pro / Enterprise 32-bit / 64-bit.
• Windows 10 LTSC 2015 (1507) 32-bit / 64-bit.
• Windows 10 LTSC 2016 (1607) 32-bit / 64-bit.
• Windows 10 LTSC 2019 (1809) 32-bit / 64-bit.
• Windows 10 LTSC 2021 (21H2) 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 1703 RS2 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 1803 RS4 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 1809 RS5 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 1903 19H1 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 1909 19H2 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 2004 20H1 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 2009 20H2 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 21H1 32-bit / 64-bit.
• Windows 10 Home / Pro / Education / Enterprise 21H2 32-bit / 64-bit.

Supported server operating systems:

• Windows Server 2003 SP1 Standard / Enterprise / Datacenter 32-bit / 64-bit.
• Windows Server 2003 SP2 Standard / Enterprise / Datacenter 32-bit / 64-bit.
• Windows Server 2008 SP2 Standard / Enterprise / Datacenter 32-bit / 64-bit.
• Windows Server 2003 R2 Standard / Enterprise / Datacenter 32-bit / 64-bit.
• Windows Server 2008 R2 SP1 Standard / Enterprise / Datacenter 32-bit / 64-bit.
• Windows Server 2012 Foundation / Standard / Essentials / Datacenter 64-bit.
• Windows Server 2012 R2 Foundation / Standard / Enterprise / Datacenter 64-bit.
• Windows Server 2016 Essentials / Standard / Datacenter 64-bit, versions 1709 and 1803.
• Windows Server 2019 Standard Core / Datacenter Core 64-bit, versions 1903, 1909, 2004, 20H2, and 21H2.

Supported embedded operating systems:

• Windows XP Embedded SP2 (WEPOS) 32-bit / 64-bit.
• Windows XP Embedded SP3 (POSReady 2009) 32-bit.
• Windows 7 SP1 Embedded (POSReady 7) 32-bit / 64-bit.
• Windows Embedded 8.1 Industry Pro 32-bit / 64-bit.
• Windows 10 IoT Enterprise 32-bit / 64-bit versions 1703, 1803, 1809, 1903, 1909, 2004, 2009, 21H1, and 21H2.

When creating an installation package in Kaspersky Security Center version 12 or later to install Kaspersky Endpoint Agent on Windows XP devices, you must use the installer file (setup.exe) from the installation package created in Kaspersky Security Center version 10.5.

Hardware requirements for installing Kaspersky Endpoint Agent 3.14 for Windows

Minimum configuration:

• CPU: 1.4 GHz (single core) or higher.
• RAM: 256 MB (512 MB for a 64-bit operating system).
• Available disk space: 500 MB.
• One network adapter with a data transfer speed of 1 Gbit/s.

When integrated with Kaspersky Endpoint Security, the Kaspersky Anti Targeted Attack Platform has limited functionality if the Windows Server 2008 SP2 64-bit operating system is installed on the Kaspersky Endpoint Security server.

To manage Kaspersky Endpoint Agent using the Kaspersky Security Center Web Console, you need Google Chrome for Windows.

[Topic 198583]

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

Kaspersky Endpoint Agent uses predefined settings that determine the impact that it has on the performance of the local computer under scenarios of information retrieval and interaction with the Central Node component.

If the version of Kaspersky Anti Targeted Attack Platform installed on Central Node servers is incompatible with the version of Kaspersky Endpoint Agent installed on computers on the corporate LAN, the functionality of Kaspersky Anti Targeted Attack Platform may be limited.

Information about the compatibility of Kaspersky Endpoint Agent component versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent for Windows versions with Kaspersky Anti Targeted Attack Platform versions

Version Kaspersky Endpoint Agent	Type Kaspersky Endpoint Agent	Compatibility with KATA 3.7	Compatibility with KATA 3.7.1	Compatibility with KATA 3.7.2	Compatibility with KATA 4.0	Compatibility with KATA 4.1	Compatibility with KATA 5.0
Endpoint Agent 3.7	Standalone installation or as part of KES versions 11.2 and 11.3	No	No	No	No	No	No
Endpoint Agent 3.8	Standalone installation	Yes	Yes	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: AMSI scan event data not available. The amount of data sent by Kaspersky Endpoint Agent for Module loaded, File changed, Registry modified, Process: console interactive input events is limited. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform Help for version 3.7.1. The Get list of files and processes task is not supported.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: Event information does not display the OS name and OS name fields. The amount of data sent by Kaspersky Endpoint Agent for Module loaded, File changed, Registry modified, Process: console interactive input, and Connection to remote host events is limited. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform Help for version 3.7.1. AMSI scan event data not available. The tasks Collect data, Start YARA scan, Service management are not supported.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: Event information does not display the OS name and OS name fields. The amount of data sent by Kaspersky Endpoint Agent for Module loaded, File changed, Registry modified, Process: console interactive input, and Connection to remote host events is limited. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform Help for version 3.7.1. AMSI scan event data not available. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform version 3.7.2 Help. The tasks Collect data, Start YARA scan, Service management, Get NTFS metafiles, Get process memory dump, Get registry key are not supported. For detailed information about these tasks, refer to Kaspersky Anti Targeted Attack Platform version 4.0 Help.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: AMSI scan event data not available. The amount of data sent by Kaspersky Endpoint Agent is limited for the events: Module loaded, File changed (File created), Registry modified, Process: console interactive input. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform version 3.7.1 Help. OS name, OS name, and Host IP are not displayed in information about events. The tasks Start YARA scan, Service management, Get forensics, Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump are not supported.
Endpoint Agent 3.9	Standalone installation or as part of EPP applications	Yes	Yes	There are limitations	There are limitations	There are limitations	There are limitations
Endpoint Agent 3.10	Standalone installation or as part of EPP applications	No	There are limitations The server of this version of Kaspersky Anti Targeted Attack Platform accepts a limited amount of data from the Kaspersky Endpoint Agent application for Module loaded, File changed, Registry modified, Process: console interactive input events. Details of the scope of data for these events are described in the Kaspersky Anti Targeted Attack Platform version 3.7.1 Help.	Yes	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: The Host IP is not displayed in information about events. Getting an autorun points list using the Get forensics task is not supported. The tasks Start YARA scan and Service management are not supported.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: The Host IP is not displayed in information about events. Getting a list of autorun points using the Collect data task is not supported. The tasks Start YARA scan, Service management, Get NTFS metafiles, Get process memory dump, Get registry key are not supported.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: The Host IP is not displayed in information about events. Getting a list of autorun points using the Collect data task is not supported. The tasks Start YARA scan, Service management, Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump are not supported.
Endpoint Agent 3.11	Standalone installation or as part of KES version 11.7	No	There are limitations	Yes	There are limitations	There are limitations	There are limitations
Endpoint Agent 3.12	Standalone installation	No	No	No	Yes	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: Scanning autorun points using the Start YARA scan task is not supported. The tasks Get NTFS metafiles, Get process memory dump, Get registry key are not supported.	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: Scanning autorun points using the Start YARA scan task is not supported. The tasks Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump are not supported.
Endpoint Agent 3.13	Standalone installation	No	No	No	There are limitations The server of this Kaspersky Anti Targeted Attack Platform version receives a limited scope of data from the Kaspersky Endpoint Agent program: You cannot create the tasks Get NTFS metafiles, Get process memory dump, Get registry key in the web interface of the program.	Yes	There are limitations The amount of data sent by Kaspersky Endpoint Agent is limited: The tasks Get disk image and Get memory dump are not supported.
Endpoint Agent 3.14	Standalone installation	No	No	No	There are limitations The server of this Kaspersky Anti Targeted Attack Platform version can receive a limited scope of data from the Kaspersky Endpoint Agent program: the tasks Get NTFS metafiles, Get process memory dump, Get registry key, Get disk image, Get memory dump cannot be created in the web interface of the program.	There are limitations A server of this Kaspersky Anti Targeted Attack Platform version receives a limited scope of data from the Kaspersky Endpoint Agent program: the tasks Get disk image and Get memory dump cannot be created in the web interface of the program.	Yes

Page top

[Topic 198694]

Compatibility of Kaspersky Endpoint Agent for Windows versions with EPP applications

You can use Kaspersky Endpoint Agent alone or set up an integration of Kaspersky Endpoint Agent with workstation protection programs (Endpoint Protection Platform, hereinafter also "EPP"), Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, and Kaspersky Security for Virtualization Light Agent. If the integration of programs is configured, Kaspersky Endpoint Agent also sends the information about threats detected by EPP programs and their processing results to the Central Node server.

The integration scenarios described above do not work when Kaspersky Endpoint Agent is installed on a virtual desktop in Virtual Desktop Infrastructure.

Integration of Kaspersky Endpoint Agent with Kaspersky Endpoint Security for Windows and Kaspersky Security for Windows Server requires installing Kaspersky Endpoint Agent as part of those programs.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Security for Windows Server

You can install the following versions of Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server:

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Security 11 for Windows Server.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Security 11.0.1 for Windows Server.

When you install Kaspersky Endpoint Agent as part of Kaspersky Security for Windows Server, the standalone Kaspersky Endpoint Agent of the same or earlier version is removed. If Kaspersky Endpoint Agent installed as part of Kaspersky Security for Windows Server has an earlier version, it will not be installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent.

If necessary, you can upgrade the Kaspersky Endpoint Agent that is already installed as part of Kaspersky Security for Windows Server. Integration between compatible versions of the programs is maintained both when Kaspersky Endpoint Agent is upgraded and when Kaspersky Security for Windows Server is upgraded.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Windows Server versions

For more details about installing Kaspersky Security for Windows Server, see Kaspersky Security for Windows Server Help.

Compatibility of Kaspersky Endpoint Agent for Windows with versions of Kaspersky Endpoint Security for Windows

You can install the following versions of Kaspersky Endpoint Agent (Endpoint Sensors) as part of Kaspersky Endpoint Security for Windows:

• Kaspersky Endpoint Agent 3.7 or Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 as part of Kaspersky Endpoint Security 11.2, 11.3 for Windows.

  Kaspersky Endpoint Agent (Endpoint Sensors) 3.6.1 is not compatible with Kaspersky Anti Targeted Attack Platform version 4.1 or later.

  Kaspersky Endpoint Agent 3.7 is incompatible with all versions of Kaspersky Anti Targeted Attack Platform.

• Kaspersky Endpoint Agent 3.9 as part of Kaspersky Endpoint Security 11.4, 11.5.
• Kaspersky Endpoint Agent 3.10 as part of Kaspersky Endpoint Security 11.6.
• Kaspersky Endpoint Agent 3.11 as part of Kaspersky Endpoint Security 11.7, 11.8.

When you install Kaspersky Endpoint Agent 3.10 or later as part of Kaspersky Endpoint Security for Windows, the standalone Kaspersky Endpoint Agent program of the same or earlier version is removed. If the separately installed Kaspersky Endpoint Agent has a later version, the program bundled with Kaspersky Endpoint Security for Windows is not installed. In this case, you must first remove the standalone Kaspersky Endpoint Agent.

If necessary, you can upgrade the Kaspersky Endpoint Agent that is already installed as part of Kaspersky Endpoint Security for Windows. Integration between compatible versions of the programs is maintained when both Kaspersky Endpoint Agent is updated and when Kaspersky Endpoint Security for Windows is updated. You can upgrade a previous version of Kaspersky Endpoint Agent to version 3.14 only for Kaspersky Endpoint Agent version 3.7 or later.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions with Kaspersky Endpoint Security for Windows versions

For more details about installing Kaspersky Endpoint Security, see Kaspersky Endpoint Security for Windows Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Security for Virtualization Light Agent

You can configure the integration of separately installed Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent.

Information about the compatibility of Kaspersky Endpoint Agent versions with Kaspersky Security for Virtualization Light Agent is listed in the table below.

Compatibility of Kaspersky Endpoint Agent versions and Kaspersky Security for Virtualization Light Agent versions

Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on a virtual machine generate the same load on the Central Node server as Kaspersky Endpoint Agent and Kaspersky Security for Virtualization Light Agent installed on the host.

For more details about enabling the integration of Kaspersky Endpoint Agent with Kaspersky Security for Virtualization Light Agent, see Kaspersky Security for Virtualization Light Agent Help.

Compatibility of Kaspersky Endpoint Agent with versions of Kaspersky Industrial CyberSecurity for Nodes

You can install Kaspersky Endpoint Agent on a device with Kaspersky Industrial CyberSecurity for Nodes installed. The applications are integrated automatically.

Integration is supported only for Kaspersky Endpoint Agent version 3.14 and Kaspersky Industrial CyberSecurity for Nodes version 3.1. Integration between other versions of the programs is not supported.

To integrate with Kaspersky Industrial CyberSecurity for Nodes, the corresponding license key must be installed in the Kaspersky Endpoint Agent.

For detailed information, you can contact your account manager.

[Topic 194530]

Compatibility of Kaspersky Endpoint Agent for Windows versions with other applications

Kaspersky Anti Targeted Attack Platform does not support joint operation with programs not listed in this section.

Compatibility of Kaspersky Endpoint Agent 3.8 and 3.9 for Windows with other Kaspersky programs

Kaspersky Endpoint Agent program versions 3.8 and 3.9 are compatible with the following Kaspersky programs and solutions:

• Kaspersky Security Center 11, 12, or later.
• Kaspersky Sandbox 1.0.

Compatibility of Kaspersky Endpoint Agent 3.8 and 3.9 for Windows with third-party anti-virus programs

One of the following third-party anti-virus programs can be installed on computers on which you want to install Kaspersky Endpoint Agent:

• Symantec Endpoint Protection.
• Sophos Endpoint Protection.
• ESET NOD32 Business Edition Smart Security.
• Bitdefender GravityZone Advanced Business Security.
• McAfee Endpoint Security 10.6.1.
• McAfee Endpoint Security 10.7.

If multiple third-party anti-virus programs are simultaneously installed on the computer, correct operation of Kaspersky Endpoint Agent is not guaranteed.

If RealTimes Desktop Service is installed on computers on which you want to install Kaspersky Endpoint Agent, you are advised to remove it before installing Kaspersky Endpoint Agent.

Compatibility of Kaspersky Endpoint Agent for Windows version 3.10 with other Kaspersky programs

Kaspersky Endpoint Agent version 3.10 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center versions 11 and 12.1.
• Kaspersky Sandbox 1.0.
• Kaspersky Endpoint Detection and Response Optimum 1.0.

Compatibility of Kaspersky Endpoint Agent 3.10 for Windows with third-party anti-virus programs

Computers on which you want to install Kaspersky Endpoint Agent 3.10 can have Bitdefender GravityZone Advanced Business Security installed.

Compatibility of Kaspersky Endpoint Agent for Windows version 3.11 with other Kaspersky programs

Kaspersky Endpoint Agent version 3.11 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center 10.5, 11, 12.1, 13, or later.
• Kaspersky Sandbox 1.0.
• Kaspersky Endpoint Detection and Response Optimum 1.0.
• Kaspersky Industrial CyberSecurity for Networks 3.0.

Compatibility of Kaspersky Endpoint Agent 3.11 for Windows with third-party anti-virus programs

Computers on which you want to install Kaspersky Endpoint Agent 3.11 can have Bitdefender GravityZone Advanced Business Security installed.

Compatibility of Kaspersky Endpoint Agent 3.12 for Windows with other Kaspersky programs

Kaspersky Endpoint Agent 3.12 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center versions 13, 13.1, and 13.2.
• Kaspersky Security Center Cloud Console.
• Kaspersky Sandbox 1.0.
• Kaspersky Endpoint Detection and Response Optimum 1.0.

Compatibility of Kaspersky Endpoint Agent for Windows versions 3.13 and 3.14 with other Kaspersky programs

Kaspersky Endpoint Agent versions 3.13 and 3.14 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center versions 13, 13.1, 13.2, and 14.
• Kaspersky Sandbox 2.0.
• Kaspersky Endpoint Detection and Response Optimum 1.0.

[Topic 209446]

Requirements for Kaspersky Endpoint Agent for Linux

This section describes hardware and software requirements of Kaspersky Endpoint Agent 3.12 for Linux.

Software requirements for installing Kaspersky Endpoint Agent 3.12 for Linux

Kaspersky Endpoint Agent 3.12 only works on computers that have one of the following operating systems installed:

• Ubuntu 16.04 LTS or later
• Ubuntu 18.04 LTS or later
• Ubuntu 20.04 LTS
• Red Hat Enterprise Linux 7.2 or later
• Red Hat Enterprise Linux 8.0 or later
• CentOS 7.2 or later
• CentOS 8.0 or later
• Debian GNU / Linux 9.4 or later
• Debian GNU / Linux 10.1 or later
• Debian GNU / Linux 11 or later
• Oracle Linux 7.3 or later
• Oracle Linux 8 or later
• SUSE Linux Enterprise Server 12 or later
• SUSE Linux Enterprise Server 15
• Astra Linux Special Edition RUSB.10015-01 (regular update 1.6)
• Astra Linux Special Edition RUSB.10015-01 (regular update 1.7)
• Astra Linux Special Edition RUSB.10015-16 (variant 1) (regular update 1.6)
• Astra Linux Common Edition (regular update 2.12)
• Alt 8 SP Server
• Alt Server 9
• Alt Workstation 9
• Goslinux 7.17
• RED OS 7.3

Hardware requirements for installing Kaspersky Endpoint Agent 3.12 for Linux

Minimum hardware requirements:

• CPU: 2 GHz.
• RAM: 512 MB.
• Available disk space: 1 GB.

Required software

Kaspersky Endpoint Agent for Linux requires Linux Audit Daemon 2.8 or later. Installed on hosts with Kaspersky Endpoint Agent.

Compatibility of Kaspersky Endpoint Agent 3.12 for Linux with Kaspersky EPP programs

Kaspersky Endpoint Agent 3.12 supports integration with Kaspersky Endpoint Security for Linux 11.1, 11.2.

Compatibility of Kaspersky Endpoint Agent 3.12 for Linux with other Kaspersky programs

Kaspersky Endpoint Agent 3.12 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center 13, 13.2.
• Kaspersky Endpoint Agent administration plug-in 3.10, 3.11, 3.12.
• Kaspersky Endpoint Agent web plug-in 3.10, 3.11, 3.12.

[Topic 210401]

Compatibility of Kaspersky Endpoint Agent for Linux versions with Kaspersky Anti Targeted Attack Platform versions

Information about the compatibility of Kaspersky Endpoint Agent program versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Agent for Linux versions with Kaspersky Anti Targeted Attack Platform versions

Page top

[Topic 228792]

Compatibility of Kaspersky Endpoint Agent for Linux versions with EPP applications

You can use Kaspersky Endpoint Agent alone or configure the integration of Kaspersky Endpoint Agent with the workstation protection program (Endpoint Protection Platform, hereinafter also called EPP) Kaspersky Endpoint Security for Linux. If the integration is configured, Kaspersky Endpoint Agent also sends the information about threats detected by this program and the results of threat processing to the Central Node server.

Kaspersky Endpoint Agent 3.9 and 3.12 are compatible with the following versions of Kaspersky Endpoint Security for Linux: 11.1, 11.2.

For more details about installing Kaspersky Endpoint Security, see Kaspersky Endpoint Security for Linux Help.

[Topic 225693]

Compatibility of Kaspersky Endpoint Agent for Linux versions with other applications

Compatibility of Kaspersky Endpoint Agent 3.9 for Linux with other Kaspersky programs

Kaspersky Endpoint Agent 3.9 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center versions 12.1 and 12.2.
• Kaspersky Endpoint Agent administration plug-in 3.10.
• Kaspersky Endpoint Agent web plug-in 3.10.

Compatibility of Kaspersky Endpoint Agent 3.12 for Linux with other Kaspersky programs

Kaspersky Endpoint Agent 3.12 can be integrated with the following Kaspersky programs and solutions:

• Kaspersky Security Center 13, 13.2.
• Kaspersky Endpoint Agent administration plug-in 3.10, 3.11, 3.12.
• Kaspersky Endpoint Agent web plug-in 3.10, 3.11, 3.12.

[Topic 246849]

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

You can use Kaspersky Endpoint Security as the Endpoint Agent component.

Information about the compatibility of Kaspersky Endpoint Security versions with Kaspersky Anti Targeted Attack Platform versions is listed in the table below.

Compatibility of Kaspersky Endpoint Security for Windows versions with Kaspersky Anti Targeted Attack Platform versions

To integrate Kaspersky Endpoint Security 12.1 with Kaspersky Anti Targeted Attack Platform, you do not need to install Kaspersky Endpoint Agent.

[Topic 199118]

Limitations of the current version of the application

Kaspersky Anti Targeted Attack Platform 5.0 has the following known limitations:

1. When you upgrade to version 5.0, a non fault-tolerant version of the program is installed. The program data is saved during the update process.
2. To update the Central Node component on the server with this component, you must first run the script. The script is included in the program distribution kit.
3. If the Central Node component is installed on a virtual server, before you upgrade the application, make sure that BIOS boot mode is selected for the virtual machine. If EFI boot mode is selected for the virtual machine, an error will occur if you try to install the upgrade.

Restrictions that apply when deploying the Central Node component:

The password for the local administrator account is preset. You can change the password in the web interface of the program.

Restrictions that apply when deploying the Central Node component as a cluster:

1. A Central Node cluster must include at least 4 servers: 2 storage servers and 2 processing servers. You can scale the cluster to increase the amount of traffic handled or the number of connected hosts in accordance with the Sizing Guide.
2. It is recommended to add servers with the same hardware configuration to the cluster. Otherwise, a proportional increase in performance is not guaranteed.
3. Adding an extra server to the cluster does not speed up the processing of objects that are already in the scan queue.
4. The web interface of the program can be unavailable for some time if the server on which it is located fails.
5. If the processing server fails, you may lose ICAP, POP3, and SMTP traffic data as well as the copies of emails that are waiting to be processed and the detections associated with them.
6. If the processing server is configured to receive mirrored traffic from SPAN ports, then SPAN traffic is not processed if this server fails.
7. If one of the cluster servers fails or the connection between the server and the Kaspersky Endpoint Agent program is temporarily lost, temporary data synchronization in the event database is still possible.
8. If the configuration of the cluster servers is changed, traffic and events from hosts with Kaspersky Endpoint Agent may be temporarily slowed down.

Restrictions that apply to the Sandbox component:

If the set of operating systems installed on the Sandbox server does not match the set selected on the Central Node server, Kaspersky Anti Targeted Attack Platform does not send objects to be scanned by the Sandbox server. If multiple Sandbox servers are connected to the Central Node server, the program sends objects to those Sandbox servers whose installed operating systems match the set selected on Central Node.

Limitations that apply when integrating with the Kaspersky Endpoint Agent for Windows:

1. RAM dump retrieval and disk image retrieval tasks can only be assigned to hosts with Kaspersky Endpoint Agent for Windows version 3.14.
2. Tasks for getting process memory dumps, NTFS metafiles, and registry keys can only be assigned to hosts with Kaspersky Endpoint Agent for Windows version 3.13 or later.
3. The task of scanning hosts using YARA rules can only be assigned to hosts with Kaspersky Endpoint Agent for Windows versions 3.12 or later. If you simultaneously assign a task to hosts with Kaspersky Endpoint Agent version 3.12 or later, and to hosts with earlier versions of the program, the task is executed only on hosts with Kaspersky Endpoint Agent 3.12 or later.

   If autorun points are selected as the scan scope, the task is run only on hosts with Kaspersky Endpoint Agent 3.13 or later.

Limitations that apply when integrating with Kaspersky Endpoint Agent 3.12 for Linux:

1. Hosts with Kaspersky Endpoint Agent for Linux program cannot use the following functions:
   • Network isolation of a host.
   • Creating a prevention rule.

     No notifications are created about the unsuccessful application of a prevention rule on hosts with Kaspersky Endpoint Agent for Linux program.

   • Finding indicators of compromise on hosts using IOC files.

     No notifications are created about the unsuccessful search of indicators of compromise on hosts with the Kaspersky Endpoint Agent for Linux program.

2. Searching the event database using the OSVersion criterion displays only hosts with the Kaspersky Endpoint Agent for Linux program. Hosts with the Kaspersky Endpoint Agent for Windows program are not displayed in search results.
3. The OS name field in the event information is only filled in for events that are logged in the event database by Kaspersky Endpoint Agent for Linux. Event information logged in the event database by Kaspersky Endpoint Agent for Windows does not have this field filled in.
4. The list of events that Kaspersky Endpoint Agent for Linux logs in the event database is limited to the following types:
   • File modified.
   • Process started.
   • System event log.
   • Scan: detect.
   • Scan: detect processing result.
5. The list of tasks that you can create on hosts with the Kaspersky Endpoint Agent for Linux program is limited to the following types:
   • Get file
   • Run program

     When you create the task, the program does not attempt to verify the path to the executable file or the file that you want to receive.

6. In information about events registered in the event database by Kaspersky Endpoint Agent for Linux, the Time created field displays file modification time.

Kaspersky Endpoint Agent 3.14 for Windows has the following known limitations:

1. SHA-2 support in Windows is required for Kaspersky Endpoint Agent to work correctly.
2. When creating an installation package in Kaspersky Security Center version 12 or later to install Kaspersky Endpoint Agent on Windows XP devices, you must use the installer file (setup.exe) from the installation package created in Kaspersky Security Center version 10.5.
3. In Kaspersky Security Center 13.2 or later, to install Kaspersky Endpoint Agent on Windows XP devices, you must use the standard Kaspersky Endpoint Agent 3.14 distribution kit instead of the installation package created in Kaspersky Security Center.
4. The installer cannot stop the soyuz service until the service is initialized. For example, the installer returns the Invalid password error when trying to remove or modify the configuration of the application immediately after installation is completed, since initialization of the soyuz service is not completed and the service cannot be stopped.
5. Kaspersky Endpoint Agent cannot be restored or uninstalled from the device if the integrity of the agent.exe module (Kaspersky Endpoint Agent command line utility) is violated.
6. The capability to run and execute Kaspersky Endpoint Agent service (soyuz.exe) with the PPL flag is implemented. This feature is provided by the klelaml.sys driver. Violation of the klelaml.sys driver integrity results in the operating system loading failure. In this case, it is recommended to use Windows system recovery utilities. The absence of the klelaml.sys driver when the PPL flag is enabled for the soyuz.exe process does not lead to the operating system failure, but results in Kaspersky Endpoint Agent crash. In this case, it is recommended to run the program installer and perform recovery in the quiet mode with the REINSTALL=Drivers.klelam key.
7. After installing, restoring, changing set of components, or removing Kaspersky Endpoint Agent, it is recommended to restart the operating system as soon as possible because changes to some program settings can only be finalized at system startup.
8. Kaspersky Endpoint Agent installer cannot be launched on a device with the operating system to which the active CodeIntegrity policy is applied.
9. The component that prohibits opening documents has the following limitation: document blocking rules are not applied to objects that are opened using OLE automation.
10. Before sending telemetry events to the KATA Central Node server, Kaspersky Endpoint Agent saves data in the event queue. If the event queue exceeds 10,000 unprocessed events, Kaspersky Endpoint Agent does not queue the events until free slots appear in the queue.
11. If Kaspersky Endpoint Agent is running on devices with the Windows 7 operation system, the program excludes data about network connections related to processes with PID=4 and PID=0 from telemetry.
12. If Kaspersky Endpoint Agent is used on the same device with Kaspersky Endpoint Security, and the file system level encryption (FLE) component is installed in Kaspersky Endpoint Security, Kaspersky Endpoint Agent does not register telemetry events about loading modules (LoadImage) and does not send these events to KATA Central Node component.
13. If more than one application is specified as the value of the Application criterion when configuring the settings of network isolation exclusions, Kaspersky Endpoint Agent allows connection only for the first application in the list. Network connections for other applications specified in the list will be ignored. This limitation is reproduced when isolating devices with Windows 7 or Windows Server 2008 R2 operating systems.
14. When scanning for indicators of compromise, if the search involves parsing text strings, the "is" condition takes into account whitespace, and the need to escape the indicator description in the IOC file with CDATA characters. For example, to detect an object with the copyright Copyright (C) 1998-2017 John Smith by the is condition, the indicator description must be specified in the following format: <Content type="string"><![CDATA[Copyright (C) 1998-2017 John Smith]]></Content>. To simplify description of the indicators, the contains condition can also be used.
15. Objects quarantined by Kaspersky Endpoint Agent cannot be sent from Kaspersky Security Center quarantine to Kaspersky for analysis.
16. The check boxes corresponding to the "Read" and "Perform operations with device selections" permissions that are displayed in the group of settings for role-based access control (RBAC) in the Administration Console, in the section with permissions for managing Kaspersky Endpoint Agent plug-in, do not apply to the group of settings in Kaspersky Security Center. If you select these check boxes, the Read and Perform operations with device selections permissions will not be restricted for the specified users.
17. When generating event selections, the filters are not applied to some of Kaspersky Endpoint Agent events published in Kaspersky Security Center Administration Console.
18. The installer of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent management plug-in automatically selects the program localization based on the operating system regional settings on the device where the program or management plug-in is installed:
    • If the operating system uses the RU-RU locale, the Russian version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent administration plug-in is installed.
    • If the operating system uses any locale other than RU-RU, the English version of Kaspersky Endpoint Agent and Kaspersky Endpoint Agent administration plug-in is installed.

    Program localization affects the language of texts used to describe program modules in the system and when publishing program events to the Windows Event Log, as well as texts of Kaspersky Security Center reports. Kaspersky Endpoint Agent management plug-in localization affects the language of texts used in the program interface of Administration Console (interface of policies, group tasks, and program properties). Configuring the localization of the program manually is not supported.

    Please note that if regional settings on managed devices and on the device with Kaspersky Endpoint Agent administration plug-in do not match, localization of Kaspersky Endpoint Agent interface in the Administration Console and localization of events published by the program in Kaspersky Security Center reports may not be the same. Also, the localization of the program interface in the Administration Console and the localization of events published by the program in Kaspersky Security Center reports may differ from the localization of Administration Console interface and the compatible EPP interface in the Administration Console.

19. After installing, restoring, changing set of components, or removing Kaspersky Endpoint Agent, it is recommended to restart the operating system as soon as possible because changes to some program settings can only be finalized at system startup.
20. If the start schedule for a group task is set to On application launch, the task execution status is updated with a delay in the task execution history For this reason, in some cases, the task execution history will not display the task execution statuses.
21. If the operating system is activated under a Volume License, you may need to reactivate the operating system after Kaspersky Endpoint Agent is installed due to the installation of the program network drivers.
22. In the Windows XP and Windows Vista operating systems, some information about files in telemetry events sent to the Telemetry collection server may be missing. This is due to the fact that the possibility of obtaining some information about files appeared in later versions of MS Windows operating systems.

Kaspersky Endpoint Agent 3.12 for Linux has the following known limitations:

1. Kaspersky Endpoint Agent for Linux does not support AppArmor and SELinux mandatory access control systems in their enforcing modes. For the program to work correctly, these systems must be switched to permissive mode.
2. Kaspersky Endpoint Agent for Linux requires installing Linux Audit Daemon 2.8 or later on the device.
3. For connection of Kaspersky Endpoint Agent for Linux with Kaspersky Endpoint Security for Linux rsyslog service with loaded imuxsock module is used. To check if the module is loaded in the rsyslog service configuration, run the following command: grep -r imuxsock /etc/rsyslog*. If the module loading string is commented, remove the # comment sign before the string and restart rsyslog service to save the changes.

[Topic 159935]

About data provision

The operation of certain components of Kaspersky Anti Targeted Attack Platform requires data processing on the Kaspersky side. Components do not send data without the consent of the administrator of Kaspersky Anti Targeted Attack Platform.

You can view the list of data and the terms on which it is used as well as give consent to data processing in the following agreements between your organization and Kaspersky:

• In the End User License Agreement (for example, during installation of the program).

  According to the terms of the End User License Agreement, you agree to automatically send Kaspersky the information listed in the End User License Agreement under Data Provision. The End User License Agreement is included in the program distribution kit.

• In the KSN Statement (for example, during installation of the program or in the administrator menu after installation).

  When you participate in Kaspersky Security Network, information obtained as a result of Kaspersky Anti Targeted Attack Platform operation is automatically sent to Kaspersky. The list of transmitted data is specified in the KSN Statement. The Kaspersky Anti Targeted Attack Platform user independently decides on his/her participation in KSN. The KSN Statement is included in the program distribution kit.

  Before KSN statistics are sent to Kaspersky, they are accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components.

Kaspersky protects any information received in this way as prescribed by law and applicable rules of Kaspersky. Data is sent over encrypted communication channels.

When using Kaspersky Private Security Network, Kaspersky is not sent information about the operation of Kaspersky Anti Targeted Attack Platform. However, KSN statistical data is accumulated in the cache on servers hosting Kaspersky Anti Targeted Attack Platform components to the same extent as when using Kaspersky Security Network. This accumulated KSN statistical data may be transmitted beyond the confines of your organization if a server with Kaspersky Private Security Network is located outside of your organization.

The Kaspersky Private Security Network administrator must personally ensure the security of such data.

[Topic 242920]

Service data of the program

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

Service data of Kaspersky Anti Targeted Attack Platform include:

• Data on user accounts.
• Data about computers connected to the Central Node component on which Kaspersky Endpoint Agent is installed.
• Data about presets and prevention rules.
• Data about tasks assigned to computers running Kaspersky Endpoint Agent.
• Data about TAA (IOA) user-defined rules.
• Data about user IDS user-defined rules.
• Data about IOC user-defined rules.
• Data on network isolation rules.
• Data about scan exclusions.
• Data on report templates.
• Data about Kaspersky Endpoint Agent certificates.

  The above data is stored indefinitely on the server hosting the Central Node component in the / data directory if the Central Node component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• System event log

  OS log files are stored indefinitely in the /var/log directory on the server hosting the Central Node component.

• Log with information about the program operation.

  The log file is stored indefinitely in the data/ directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• File scan queue.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. The data is retained until the scan is completed.

• Files received from computers with Kaspersky Endpoint Agent.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files with YARA and IDS rules (user-defined and from Kaspersky).

  Files are stored indefinitely in the data/ directory on the server hosting the Central Node component, if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Files with data about alerts sent to external systems.

  Files are stored indefinitely on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers indefinitely.

• Artifacts of the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Files for which alerts were created by the Sandbox component.

  Files are stored on the server hosting the Central Node component in the /data directory if the component is installed on the server. When the Central Node component is installed on a cluster, data is stored on storage servers. Data is rotated when disk space becomes full.

• Certificate files used for the authentication of program components.

  Files are stored indefinitely in the /var/log directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with Kaspersky Endpoint Agent.

• Encryption keys that are transmitted between program components.

  Files are stored indefinitely in the /var/log directory on the server hosting the Central Node, PCN, SCN, Sensor component or on the computer with Kaspersky Endpoint Agent.

The program stores the following information about user accounts:

• Account ID.
• Account name.
• The hash and salt of the account password.
• Domain name of the user.
• Account role.
• Account status.
• Access rights to tenants in distributed solution and multitenancy mode.
• ID of the tenant in distributed solution and multitenancy mode.

The program stores the following information about computers connected to the Central Node component on which Kaspersky Endpoint Agent is installed:

• ID of the computer assigned by Kaspersky Security Center.
• Computer name.
• IP address of the computer.
• The operating system used on the computer.
• Kaspersky Endpoint Agent version.
• Self-Defense status.
• Date and time when the first and last telemetry packet were sent to the Central Node component.
• Date and time of the last IOC scan run.
• Result of the last IOC scan run.

The program stores the following information about the prevention rules:

• MD5 or SHA256 hash of the file that is prevented from running.
• The account name of the user who created the prevention rule.
• The account name of the user who changed the prevention rule.
• List of computers on which the file is prevented from running.
• Prevention rules change log.

The program stores the following information about tasks assigned to computers running Kaspersky Endpoint Agent:

• Task type.
• Computer name.
• IP address of the computer.
• Task creation date and time.
• Task expiration date.
• Name of the user account that created the task.
• Task settings data.
• Task report data.
• Task comments.

The program stores the following information about TAA (IOA) user-defined rules:

• Rule name.
• Source code of the request being scanned.
• Rule ID.
• Rule status.
• Rule creation date and time.
• The importance that was specified when the rule was added.
• Level of confidence that depends on the likelihood of false alarms as defined by the user when the rule was added.

The program stores the following information about IDS user-defined rules:

• Account name of the user who uploaded the rules file.

The program stores the following information about IOC user-defined rules:

• Account name of the user who uploaded the rules file.
• Name of the IOC file.
• Contents of the IOC file.

The program stores the following information about network isolation rules:

• Account name of the user that enabled network isolation.
• ID of the isolated computer.
• Rule name.
• Rule status.
• List of resources excluded from network isolation.

The program stores the following information about scan exclusions:

• Account name of the user that added the exception.
• List of objects excluded from the scan.
• Rule exception ID.

The program stores the following information about report templates:

• ID of the user account that created or modified the template.
• Template creation date.
• Date of last modification of the template.
• Text of the template as HTML code.

The program stores the following information about Kaspersky Endpoint Agent certificates:

• Account name of the user who uploaded the certificate file.
• Digest of the certificate.
• Serial number of the certificate.
• Public key.

[Topic 176644]

Data of the Central Node and Sensor components

This section contains the following information about user data that is stored on the server with the Central Node component and on the server with the Sensor component:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

[Topic 197172]

Traffic data of the Sensor component

Traffic data of the Sensor component is stored on the server with the Sensor component or on the server with Sensor and Central Node components if Sensor and Central Node are installed on the same server.

Traffic data is recorded and stored in sequentially created files. The program stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached (you can configure this setting)
• The configured time interval has elapsed (you can configure this setting)
• The traffic saving service or the entire Kaspersky Anti Targeted Attack Platform program is restarted

As traffic data accrues, Kaspersky Anti Targeted Attack Platform filters data and keeps only the following information:

• Information related to alerts generated by the Targeted Attack Analyzer technology
• PCAP files in which:
  • Source or destination IP address matches an IP address from the alert
  • Traffic data belongs to the time period within 15 minutes from the alert time

Filtered traffic data is moved to a separate section. The rest of the traffic data (that do not satisfy filtering criteria) is deleted.

Filtered traffic data is saved in sequentially created files. The program stops recording data in one file and starts logging data in the next file if:

• The maximum file size is reached
• The configured time interval has elapsed

Filtered data traffic is stored for the last 24 hours. Older data is deleted.

[Topic 194741]

Data in alerts

Alerts may contain user data. If the Central Node component is installed on the server, information about alerts and files that resulted in an alert are stored on the server hosting the Central Node component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, information about alerts and files that resulted in an alert are stored on the storage servers.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

The following information is stored in all alerts:

• Alert time.
• Category of the detected object.
• Name of the detected file.
• Detected URL.
• MD5 and SHA256 hash of the detected file.
• User comments added to the alert information.
• ID of the TAA rule by which the alert was generated.
• IP address and name of the computer on which the alert was generated.
• ID of the computer on which the alert was generated.

When an alert is changed, the following information is stored on the server:

• The user account that modified the alert.
• The user account to which the alert was assigned.
• Date and time of alert modification.

If an email message was detected, the following information may be stored on the server:

• Email addresses of the sender and recipients of the message, including the recipients of copies and blind carbon copies of the message.
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• All service headers of the message (as they appear in the message).

If the alert was generated by URL Reputation technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• The URI of the transferred resource.
• Information about the proxy server.
• Unique ID of the email message.
• Email addresses of the sender and recipients of the message (including the recipients of copies and blind carbon copies of the message).
• Subject of the email message.
• Date and time when the message was received by Kaspersky Anti Targeted Attack Platform, with precision up to the second.
• List of detected objects.
• Time of network connection.
• URL of network connection.

If the alert was generated by Intrusion Detection System technology, the following information may be stored on the server:

• Name of the computer from which the data was sent.
• Name of the computer that received the data.
• The IP address of the computer from which the data was sent.
• The IP address of the computer that received the data.
• Transmitted data.
• Data transfer time.
• URL extracted from the file containing the traffic, User Agent, and method.
• File containing the traffic where the alert occurred.

If the alert was generated using YARA rules, the following information can be stored on the server:

• Version of YARA rules that was used to generate the alert.
• Category of the detected object.
• Name of the detected object.
• MD5 hash of the detected object.

If the alert was generated using the Sandbox component, the following information may be stored on the server:

• Version of the program databases used to generate the alert.
• Category of the detected object.
• Names of detected objects.
• MD5 hashes of detected objects.
• Information about detected objects.

If the alert was generated by IOC or TAA (IOA) user rules, the following information can be stored on the server:

• Date and time of scan completion.
• IDs of the computers on which the alert was generated.
• Name of TAA (IOA) rule.
• Name of the IOC file.
• Information about detected objects.

If the alert was generated by Anti-Malware Engine technology, the following information may be stored on the server:

• Versions of databases of Kaspersky Anti Targeted Attack Platform components that were used to generate the alert.
• Category of the detected object.
• List of detected objects.
• MD5 hash of detected objects.
• Additional information about the alert.

[Topic 194742]

Data in events

Events may contain user data. If the Central Node component is installed on the server, information about occurred events is stored on the server with the component in the /data/var/lib/kaspersky/storage/fastsearch/elasticsearch/data/ directory. When the Central Node component is installed on a cluster, information is stored on storage servers.

Data is rotated as the disk becomes full.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

Event data can contain information related to the following:

• Name of the computer where the event occurred.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Name of the user account under which the event occurred.
• Name of the group that the user belongs to.
• Event type.
• Event time.
• Information about the file for which the event was logged: name, path, full name.
• MD5 and SHA256 hash of the file.
• File creation time.
• File modification time.
• File access rights.
• Environment variables of the process.
• Command-line parameters.
• Text of the command entered into the command line.
• Local IP address of the adapter.
• Local port.
• Remote host name.
• Remote host IP address.
• Port on the remote host.
• URLs and IP addresses of visited websites, and links from these websites.
• Network connection protocol.
• HTTP request method.
• HTTP request header.
• Information about Windows registry variables: path to the variable, variable name, variable value.
• Contents of a script or binary file sent for AMSI scanning.
• Information about the event in the Windows log: event type, event type ID, event ID, user account under which the event was logged, full text of the event from the Windows Event Log in XML format.

[Topic 176802]

Data in reports

Reports may contain user data. If the Central Node component is installed on the server, information about occurred events is stored indefinitely on the server with the component in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory. When the Central Node component is installed on a cluster, information is stored on storage servers.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

Reports may contain the following information:

• Report creation date.
• Time period covered in the report.
• ID of the user account that generated the report.
• Report status.
• Text of the report as HTML code.

[Topic 194743]

Data on objects in Storage and Quarantine

Objects in Storage and Quarantine may contain user data. Information about objects in Storage and about copies of objects quarantined on computers with Kaspersky Endpoint Agent using the Get file tasks is stored indefinitely on the Central Node server in the /data/var/lib/kaspersky/storage/pgsql/10/data/ directory.

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

Data on objects in Storage and Quarantine may contain the following information:

• Name of the object.
• Path to the object on the computer with Kaspersky Endpoint Agent.
• MD5 and SHA256 hash of the file.
• ID of the user who quarantined the object on the computer with Kaspersky Endpoint Agent.
• ID of the user who placed the object in Storage.
• IP address of the computer on which the quarantined object is stored.
• Name of the computer on which the quarantined object is stored.
• Unique ID of the computer on which the quarantined object is stored in Storage.
• ID of the TAA (IOA) rule by which the alert was generated.
• Category of the detected object.
• Results for the object scanned using individual modules and technologies of the program.

[Topic 176763]

Sandbox component data

For the processing time, the body of the file sent by the Central Node component is saved in open form on the server hosting the Sandbox component. During processing, the server administrator can access the sent file in Technical Support Mode. The scanned file is deleted by a special script according to the schedule. Once every 60 minutes by default.

Information about the data stored on the server with the Sandbox component is provided in the table below.

Data stored on the server with the Sandbox component

[Topic 194849]

Data transmitted between program components

Central Node and Kaspersky Endpoint Agent for Windows

Kaspersky Endpoint Agent for Windows sends the following to the Central Node component: task completion reports, information about events and alerts that occurred on computers with Kaspersky Endpoint Agent for Windows, and information about terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Windows is removed from the computer, but no longer than 21 days.

If an event occurs on the user's computer, Kaspersky Endpoint Agent for Windows sends the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type of the operating system installed on the host.
2. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5 and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
3. Registry monitoring event.
   • Details of the process that modified the registry: Process ID, process file name, and MD5- and SHA256 hash of the process file.
   • Path to the registry key.
   • Registry value name.
   • Registry value data.
   • Registry value type.
   • Previous path to the registry key.
   • Previous registry value data.
   • Previous registry value type.
4. Driver loading event.
   • File name.
   • Path to the file.
   • Full name of the file.
   • MD5 and SHA256 hash of the file.
   • File size.
   • Date of file creation and modification.
5. Listening port opening event.
   • Details of the process that opened the listening port: process file name, and MD5- and SHA256 hash of the process file.
   • Port number.
   • Adapter IP address.
6. Event in the operating system log.
   • Time of the event, host on which the event occurred, and user account name.
   • Event ID.
   • Channel/log name.
   • Event ID in the log.
   • Provider name.
   • Authentication event subtype.
   • Domain name.
   • Remote IP address.
   • Event header fields: ProviderName, EventId, Version, Level, Task, Opcode, Keywords, TimeCreatedSystemTime, EventRecordId, CorellationActivityId, ExecutionProcessID, ThreadID, Channel, Computer.
   • Event body fields: AccessList, AccessMask, AccountExpires, AllowedToDelegateTo, Application, AuditPolicyChanges, AuthenticationPackageName, CategoryId, CommandLine, DisplayName, Dummy, ElevatedToken, EventCode, EventProcessingFailure, FailureReason, FilterRTID, HandleId, HomeDirectory, HomePath, ImpersonationLevel, IpAddress, IpPort, KeyLength, LayerName, LayerRTID, LmPackageName, LogonGuid, LogonHours, LogonProcessName, LogonType, MandatoryLabel, MemberName, MemberSid, NewProcessId, NewProcessName, NewUacValue, NewValue, NewValueType, ObjectName, ObjectServer, ObjectType, ObjectValueName, OldUacValue, OldValue, OldValueType, OperationType, PackageName, ParentProcessName, PasswordLastSet, PrimaryGroupId, PriviledgeList, ProcessId, ProcessName, ProfileChanged, ProfilePath, Protocol, PublisherId, ResourceAttributes, RestrictedAdminMode, SamAccountName, ScriptPath, ServiceAccount, ServiceFileName, ServiceName, ServiceStartType, ServiceType, SettingType, SettingValue, ShareLocalPath, ShareName, SidHistory, SourceAddress, SourcePort, Status, SubcategoryGuid, SubcategoryId, SubjectDomainName, SubjectLogonId, SubjectUserName, SubjectUserSid, SubStatus, TargetDomainName, TargetLinkedLogonId, TargetLogonId, TargetOutboundDomainName, TargetOutboundUserName, TargetUserName, TargetUserSid, TaskContent, TaskName, TokenElevationType, TransmittedServices, UserAccountControl, UserParameters, UserPrincipalName, UserWorkstations, VirtualAccount, Workstation, WorkstationName.
7. Process start event.
   • Information about the process file: file name, file path, MD5 or SHA256 hash of the file, file size, creation and modification date, name of the organization that issued the digital certificate of the file, digital signature verification result.
   • UniquePID.
   • Process start options.
   • Process start time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
8. Process stop event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, file size, and process end time.
   • UniquePID.
   • Process start options.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, process start options.
9. Module loading event.
   • Details of the file that loaded the module: UniquePID, file name, file path, full name of the file, MD5- and SHA256 hash of the file, and file size.
   • DLL name.
   • Path to DLL.
   • DLL full name.
   • MD5 or SHA256 hash of the DLL.
   • DLL size.
   • Date of DLL creation and modification.
   • Name of the organization that issued the digital certificate of the DLL.
   • DLL digital signature verification result.
10. Process startup blocking event.
    • Details of the file that attempted to run: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Command-line parameters.
11. File startup blocking event.
    • Details of the file that attempted to open: file name, file path, full name of the file, MD5- and SHA256 hash of the file, type of checksum used for file size blocking (0 – MD5, !=0 – SHA256, not used for search).
    • Details of the executable file: file name, file path, full name of the file, MD5- and SHA256 hash of the file, file size, and date of file creation and modification.
    • Details of the parent process: file name, file path, full name of the file, MD5- and SHA256 hash of the file, PID, and UniquePID.
12. Event of Kaspersky Endpoint Security for Windows.
    • Scan result.
    • Name of the detected object.
    • ID of the record in program databases.
    • Release time of the program databases with which the alert was generated.
    • Object processing mode.
    • Category of the detected object (for example, name of a virus).
    • MD5 hash of the detected object.
    • SHA256 hash of the detected object.
    • Unique ID of the process.
    • Process PID displayed in the Windows Task Manager.
    • Process run command line.
    • Reason for the error when processing the object.
    • Contents of the script scanned using AMSI.
13. AMSI scan event.
    • Contents of the script scanned using AMSI.

Central Node and Kaspersky Endpoint Agent for Linux

Kaspersky Endpoint Agent for Linux sends the following to the Central Node component: task completion reports, information on events and alerts that occurred on computers with Kaspersky Endpoint Agent for Linux, and information on terminal sessions.

If there is no connection with the Central Node component, all data to be sent is accumulated until it is sent to the Central Node component, or until Kaspersky Endpoint Agent for Linux is removed from the computer, but no longer than 21 days.

If an event occurs on the user's computer, Kaspersky Endpoint Agent for Linux sends the following data to the events database:

1. General information for all events:
   • Event type.
   • Event time.
   • User account for which the event was generated.
   • Name of the host where the event occurred.
   • IP address of the host.
   • Type and version of the operating system that is installed on the host.
   • Name of the host that was used to remotely log in to the system.
   • Name of the user assigned when registering in the system.
   • Group to which the user belongs.
   • User name that was used to log in to the system.
   • Group of the user whose name was used to log in to the system.
   • Name of the user who created the file.
   • Name of the group whose users can modify or delete the file.
   • Permissions that can be used to gain access to the file.
   • Inherited privileges of the file.
2. Process start event.
   • Information about the file of the process: file name, file path, full name of the file, MD5 or SHA256 hash of the file, and file size.
   • UniquePID.
   • Command that was used to start the process.
   • Process type.
   • Environment variables of the process.
   • Process start time.
   • Process end time.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.
3. File creation event.
   • Details of the process that created the file: process file name, and MD5- and SHA256 hash of the process file.
   • File name.
   • Path to the file.
   • Full name of the file.
   • File type.
   • MD5 and SHA256 hash of the file.
   • Date of file creation and modification.
   • File size.
4. Event in the operating system log.
   • Event time.
   • Event type.
   • Result of the operation.
   • Information about the parent process: file path, UniquePID, MD5 or SHA256 hash of the process file, command that was used to start the process.

Central Node and Sandbox

The Central Node component sends to the Sandbox component files and URLs extracted from the network and email traffic. The files are not changed in any way prior to sending. The Sandbox component sends scan results to the Central Node component.

Central Node and Sensor

The program may transmit the following data between Central Node and Sensor components:

• Files and email messages.
• Data on alerts generated by the Intrusion Detection System and URL Reputation technologies.
• License information.
• List of data excluded from the scan.
• Data of the Endpoint Sensors program, if integration with a proxy server has been configured.
• Program databases, if the receipt of database updates from the Central Node component is configured.

Servers with PCN and SCN roles

If the program is running in distributed solution mode, the following data is transmitted between the PCN and connected SCNs:

• Data on alerts.
• Data on events.
• Data on tasks.
• Data on policies.
• Data on scans using IOC, TAA (IOA), IDS, YARA user rules.
• Data on files in Storage.
• Data on user accounts.
• About the license.
• List of computers with Kaspersky Endpoint Agent.
• Objects placed in Storage.
• Objects quarantined on computers with Kaspersky Endpoint Agent.
• Files attached to alerts.
• IOC and YARA files.

[Topic 242956]

Data contained in trace files of the program

Kaspersky Anti Targeted Attack Platform resources provide no capability to restrict the rights of the users of servers and operating systems to which the Central Node component is installed. The administrator is advised to use any system resources at their own discretion to control how the users of servers and operating systems with the program installed may be granted access to the personal data of other users.

Trace files can include any personal data of the user or confidential data of your organization. Files are stored in the /data/var/log/kaspersky directory indefinitely.

[Topic 194531]

Data of Kaspersky Endpoint Agent for Windows

Kaspersky Endpoint Agent for Windows stores and processes data locally to provide base functionality and audit capability, as well as to improve the speed with which Kaspersky Technical Support can solve potential problems.

Computers with Kaspersky Endpoint Agent for Windows store data prepared to be sent automatically to Kaspersky Anti Targeted Attack Platform servers and Kaspersky Security Center.

Files prepared by Kaspersky Endpoint Agent for Windows to be sent for scanning to program servers are stored on computers with Kaspersky Endpoint Agent for Windows in plain unencrypted form in the directory that is used by default for storing files prior to sending them.

Files associated with detected events can be transmitted to the server with the Central Node component.

This data may include personal data of the user or confidential data of your organization.

Transmission of data from computers with Kaspersky Endpoint Agent for Windows to the server with the Central Node component cannot be disabled.

Do not use Kaspersky Endpoint Agent for Windows on computers from which data transfer is forbidden by your corporate policy.

Data received from Kaspersky Endpoint Agent for Windows is stored in a database on the server hosting the Central Node component and is rotated as disk space is filled.

Files that are prepared to be sent by Kaspersky Endpoint Agent for Windows to the server with the Central Node component are stored on computers hosting Kaspersky Endpoint Agent for Windows in plain unencrypted form in the same directory that is used as the default directory for storing files on each computer with Kaspersky Endpoint Agent before they are sent.

Files from computers with Kaspersky Endpoint Agent for Windows are only sent to the server with the Central Node component over a secure SSL connection.

Files that have been encrypted on computers with Kaspersky Endpoint Agent for Windows using the Windows Encrypting File System or Kaspersky File Level Encryption (within the program Kaspersky Endpoint Security for Windows) are sent in encrypted form to the server with the Central Node component.

Kaspersky Anti Targeted Attack Platform lets you modify the settings of the local computer hosting Kaspersky Endpoint Agent for Windows that impact the performance of the computer during interaction with the Central Node component.

Settings should be modified only when exclusively recommended by Kaspersky Technical Support.

Modifying settings on your own could diminish the performance of the local computer.

The Kaspersky Anti Targeted Attack Platform administrator must take steps to use the data listed above to ensure the security of computers with Kaspersky Endpoint Agent for Windows as well as Kaspersky Anti Targeted Attack Platform servers. The administrator of Kaspersky Anti Targeted Attack Platform is responsible for access to this information.

This section contains the following information about user data that is stored on computers with Kaspersky Endpoint Agent for Windows:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

[Topic 194532]

Data received from the Central Node component

Kaspersky Endpoint Agent saves the values of settings received from the Central Node component on the computer's hard drive. Data is saved in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data is deleted when Kaspersky Endpoint Agent is removed.

Data received from the Central Node component may contain the following information:

• Data on network connections.
• Data on the operating system that is installed on the server with the Central Node component.
• Data on operating system user accounts.
• Data on user sessions in the operating system.
• Data on Windows event log.
• About a RT_VERSION resource.
• About the contents of a PE file.
• About operating system services.
• Certificate of the server with the Central Node component.
• URL- and IP addresses of visited websites.
• HTTP protocol headers.
• Computer name.
• MD5 hashes of files.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Names and values of Windows registry keys.
• Paths to Windows registry keys.
• Names of Windows registry variables.
• Name of the local DNS cache entry.
• Address from the local DNS cache entry in IPv4 format.
• IP address or name of the requested host from the local DNS cache.
• Host of the local DNS cache element.
• Domain name of the local DNS cache element.
• Address of the ARP cache element in IPv4 format.
• Physical address of the ARP cache element.
• Serial number of the logical drive.
• Home folder of the local user.
• Name of the user account that started the process.
• Path to the script that is run when the user logs in to the system.
• Name of the user account under which the event occurred.
• Name of the computer where the event occurred.
• Full paths to files on computers with Kaspersky Endpoint Agent.
• Names of files on computers with Kaspersky Endpoint Agent.
• Masks of files on computers with Kaspersky Endpoint Agent.
• Full names of folders on computers with Kaspersky Endpoint Agent.
• Comments of the file publisher.
• Mask of the process file image.
• Path to the process file image that opened the port.
• Name of the process that opened the port.
• Local IP address of the port.
• Trusted public key of the digital signature of executable modules.
• Process name.
• Process segment name.
• Command-line parameters.

[Topic 197150]

Data in fields of Windows Event Log events of Kaspersky Endpoint Agent

Windows Event Log data is stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in plain unencrypted form. The data is stored until Kaspersky Endpoint Agent is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have read-access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder and the files in this folder. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

• Data on user sessions in the operating system.
• Operating system user accounts (userID).
• Errors occurred during object scan tasks execution.
• Object scanning tasks.
• Kaspersky Sandbox alerts.
• Kaspersky Sandbox events.
• Kaspersky Endpoint Agent IOC files generated as part of automatic Threat Response.
• Object scan results.
• Kaspersky Sandbox server certificates.
• The object scan queue.
• Modified settings of Kaspersky Endpoint Agent.
• Changes of Kaspersky Security Center policies.
• Modified status of an object scan task.
• Kaspersky Security Center policies.
• Quarantined objects.
• Automatic Threat Response actions.
• Errors of interaction with program servers.
• Objects blocked in accordance with prevention rules.
• Results of Delete file tasks.
• Results of Kill process tasks.
• Results of Run program tasks.
• Results of Get file tasks.
• The active license of Kaspersky Endpoint Detection and Response Optimum.
• Program activation status.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

[Topic 197151]

Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform

When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent installed.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Data from Kaspersky Endpoint Agent requests to the Central Node component:

1. In the synchronization requests:
   • Unique ID of Kaspersky Endpoint Agent.
   • Base part of the server web address.
   • Device name.
   • IP address of the device.
   • MAC address of the device.
   • Local time on the device.
   • Self-defense status of Kaspersky Endpoint Agent.
   • Name and version of the operating system that is installed on the device.
   • Kaspersky Endpoint Agent version.
   • Versions of program settings and task settings.
   • Task statuses in Kaspersky Endpoint Agent: IDs of running tasks, execution statuses, execution error codes.
   • Statuses of Kaspersky Endpoint Agent settings: type of applied settings, version of settings, status of applying the settings, error codes of applying the settings.
2. In requests for obtaining files from the server:
   • Unique IDs of files.
   • Unique ID of Kaspersky Endpoint Agent.
   • Unique IDs of tasks.
   • Base part of the web address of the Central Node server.
   • IP address of the node.
3. In the reports on task execution results:
   • IP address of the node.
   • Details of objects detected during IOC or YARA scan.
   • Flags of the additional actions performed by Kaspersky Endpoint Agent after completion of tasks (for example, "deleteFileAfterReboot": false).
   • Task execution errors and return codes.
   • Task completion statuses.
   • Task completion time.
   • Versions of settings used for task execution.
   • Details of objects submitted to the server, quarantined objects, and objects restored from Quarantine: paths to objects, MD5 and SHA256 hashes of objects, IDs of quarantined objects.
   • Details of processes started or stopped on the Kaspersky Endpoint Agent device following the server request: PID and UniquePID, error code, MD5 and SHA256 hashes of objects.
   • Information about services started or stopped on the device following the server request (name of the service, run type, error code, MD5 and SHA256 hashes of service file images).
   • Details of objects for which a memory dump was created for YARA scanning (paths, dump file ID).
   • Files requested by the server.
   • Telemetry packets.
   • Data on running processes:
     • Name of the executable file, including the full path and extension.
     • Process autorun settings.
     • Process ID.
     • Logon session code.
     • Logon session name.
     • Date and time when the process started.
     • MD5 hash of the object.
     • SHA256 hash of the object.
   • Data on files:
     • Path to the file.
     • File name.
     • File size.
     • File attributes.
     • File creation date and time.
     • Date and time of the last modification of the file.
     • File description

       

       Basic information about the file that is displayed to users. This line can be displayed in the list when the user selects files for installation. This line is mandatory.

       .
     • Company name

       

       Name of the company that created the file.

       .
     • MD5 hash of the object.
     • SHA256 hash of the object.
     • Registry key (for autorun points).

• Data indicated in errors receiving information about objects:
  • Full name of the object whose processing resulted in the error.
  • Error code.

1. Telemetry data:
   • IP address of the node.
   • Type of data in the registry prior to the registered modification operation.
   • Data in the registry key prior to the registered modification operation.
   • Text of the processed script or part of it.
   • Type of processed object.
   • Method of sending the command to the command shell.

Data from the requests of the Central Node component to Kaspersky Endpoint Agent:

1. Task settings:
   • Task types.
   • Task schedule settings.
   • Names and passwords of the accounts that must be used to run tasks.
   • Versions of settings.
   • IDs of quarantined objects.
   • Paths to objects.
   • MD5 and SHA256 hashes of objects.
   • Command line to start the process together with the arguments.
   • Flags of additional actions performed by Kaspersky Endpoint Agent after completion of the task.
   • IOC file identifiers that must be retrieved from the server.
   • IOC files.
   • Names of services.
   • Run type of services.
   • Folders for which you need to obtain results of the Get forensics task.
   • Masks of the names and extensions of objects for the Get forensics task.
2. Network isolation settings:
   • Types of settings.
   • Versions of settings.
   • Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files.
   • Flags of additional actions performed by Kaspersky Endpoint Agent.
   • Time of automatic disabling of isolation.
3. Settings for preventing execution and opening of documents:
   • Types of settings.
   • Versions of settings.
   • Lists of prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects.
   • Flags of additional actions performed by Kaspersky Endpoint Agent.
4. Event filtering settings:
   • Module names.
   • Full paths to objects.
   • MD5 and SHA256 hashes of objects.
   • Identifiers of entries in the Windows event log.
   • Digital certificate settings.
   • Traffic direction, IP addresses, ports, protocols, full paths to executable files.
   • User names.
   • User logon types.
   • Types of telemetry events for which filters are applied.

[Topic 197152]

Service data of Kaspersky Endpoint Agent for Windows

Service data of Kaspersky Endpoint Agent include:

• Data that is stored in configuration files as a result of configuring the settings by an administrator.
• Data processed as part of automatic Threat Response.
• Data processed during integration with Kaspersky Sandbox.
• Data processed during integration with the KATA Central Node component.
• Data processed during integration with Kaspersky Industrial CyberSecurity for Networks.

Service data are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> file. Data in the Settings subfolder are encrypted using the Encrypting File System (EFS). The data is stored until Kaspersky Endpoint Agent is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have access to the files (full access for System, read and execute for Administrator). The %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder and the Restored subfolder are also accessible to users with User (read only) permissions.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Kaspersky Endpoint Agent stores the following data that are processed during automatic response and integration with Kaspersky Sandbox:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Kaspersky Endpoint Agent access password.
   • Quarantined files.
   • Kaspersky Endpoint Agent settings.
   • Credentials of operating system users for starting tasks with certain user permissions.
   • Authentication credentials for Kaspersky Security Center Administration Server.
   • Authorization credentials for the proxy server.
   • Addresses of custom update sources.
   • Public key of the certificate used for integration with Kaspersky Sandbox.
2. Kaspersky Endpoint Agent cache:
   • Time when scan results were written to the cache.
   • MD5 hash of the scan task.
   • Scan task identifier.
   • Object scan result.
3. Queue of the object scan requests:
   • ID of the object in the queue.
   • Time when the object was queued.
   • Processing status of the queued object.
   • ID of the user session in the operating system where the object scan task was created.
   • System identifier (SID) of the operating system user whose user account permissions were used to create the object scan task.
   • MD5 hash of the object scan task.
4. Information about the tasks for which Kaspersky Endpoint Agent awaits scan results from Kaspersky Sandbox:
   • Time when the object scan task was received.
   • Object processing status.
   • ID of the user session in the operating system where the object scan task was created.
   • ID of the object scan task.
   • MD5 hash of the object scan task.
   • System identifier (SID) of the operating system user whose user account was used to create the task.
   • XML schema of the automatically created IOC.
   • MD5 or SHA256 hash of the scanned object.
   • Processing errors.
   • Names of the objects that the scanning task was created for.
   • Object scan result.

When integrated with the KATA Central Node component, Kaspersky Endpoint Agent stores the following data locally:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Quarantined files.
   • Kaspersky Endpoint Agent settings:
     • Kaspersky Endpoint Agent access password.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authorization credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate used for integration with KATA Central Node.
     • Public key of the certificate used for integration with Kaspersky Sandbox.
     • License data.
2. Data required for integration with the KATA Central Node component:
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.
   • Cache of IOC file identifiers received from the KATA Central Node component.
   • Objects to be passed to the server as part of the Get file task.
   • Reports on the Get forensics task results.

Kaspersky Endpoint Agent locally stores the following data when integrated with the Kaspersky Industrial CyberSecurity for Networks server:

1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
   • Kaspersky Endpoint Agent settings:
     • Kaspersky Endpoint Agent access password.
     • Credentials of operating system users for starting tasks with certain user permissions.
     • Authentication credentials for Kaspersky Security Center Administration Server.
     • Authorization credentials for the proxy server.
     • Addresses of custom update sources.
     • Public key of the certificate for integration with Kaspersky Industrial CyberSecurity for Networks.
     • License data.
2. Data required for integration with Kaspersky Industrial CyberSecurity for Networks.
   • Updatable telemetry filtering schemes.
   • Telemetry event packet queue.

[Topic 197153]

Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps

Kaspersky Endpoint Agent for Windows can record debug information in trace files in accordance with settings to support the operation of Kaspersky Endpoint Agent for Windows.

Kaspersky Endpoint Agent for Windows dump files are created by the operating system when the program fails and are rewritten after each failure.

Trace and dump files can include any personal data of the user or confidential data of your organization.

Do not use Kaspersky Endpoint Agent for Windows on hosts from which data transfer is forbidden by your corporate policy.

By default, Kaspersky Endpoint Agent does not record any debug information.

Trace files and dump files are never automatically sent beyond the host on which the files were generated. The contents of trace files can be viewed using the standard tools for viewing text files. Trace files and dump files are stored indefinitely and are not deleted when Kaspersky Endpoint Agent for Windows is uninstalled.

Debug information can be necessary for contacting the Technical Support.

There are no special mechanisms to limit access to trace and dump files. The administrator can take steps to configure writing this information into a secured folder.

The path for trace files and dump files is not configured by default. The administrator must manually specify a folder for writing trace files and dump files.

Data in trace files and dump files can contain the following information:

• Actions performed by Kaspersky Endpoint Agent for Windows on the host.
• Information about objects processed by Kaspersky Endpoint Agent for Windows.
• Errors occurring during the operation of Kaspersky Endpoint Agent for Windows.
• Event time.
• Number of thread of execution.
• Program component that caused an alert.
• Event importance.
• Data on executable modules.
• Data on open ports.
• Data on network connections.
• About the operating system that is installed on the computer with Kaspersky Endpoint Agent for Windows.
• Data on operating system user accounts.
• Data on user sessions in the operating system.
• Data on Windows event log.
• About alerts of Kaspersky Endpoint Security for Windows.
• About organizational units (OU) of Active Directory.
• Unique ID of the computer with Kaspersky Endpoint Agent for Windows.
• Fully qualified domain name of the computer.
• Serial number of the logical drive.
• HTTP protocol headers.
• Full paths to files on computers with Kaspersky Endpoint Agent for Windows.
• Names of files on computers with Kaspersky Endpoint Agent for Windows.
• Full names of folders on computers with Kaspersky Endpoint Agent for Windows.
• Home folder of the local user.
• Name of the user account that started the process.
• Path to the script that is run when the user logs in to the system.
• Name of the user account under which the event occurred.
• URLs and IP addresses of visited websites, and links from these websites.
• When using a proxy server: Proxy server IP address, computer name, port, proxy server user name.
• External IP addresses, with which a connection was established from a local computer.
• Process start commands.
• Command-line parameters.
• Kaspersky Security Center Network Agent ID.
• Path to keys in the Windows registry.
• Names of Windows registry variables.
• Values of Windows registry variables.
• Windows registry hives.
• Names of detected objects.
• Name of the local DNS cache entry.
• IP address from the local DNS cache entry in IPv4 format.
• IP address or name of the requested host from the local DNS cache.
• Host of the local DNS cache element.
• Domain name of the local DNS cache element.
• IP address of the ARP cache element in IPv4 format.
• Physical address of the ARP cache element.
• Name of the user account that started the operating system service.
• Settings with which the operating system service was started.
• Original name of the file (OriginalFileName) for the RT_VERSION resource.

[Topic 198691]

Data sent to Kaspersky if the KSN Statement was accepted

If you agree with the terms and conditions of the Kaspersky Security Network (KSN) Statement, the program automatically sends information about this to Kaspersky.

Data on acceptance of the terms and conditions of this Statement can be stored locally in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Data\ folder.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

The following data is sent to Kaspersky when you accept or decline the terms and conditions of the KSN Statement:

• Statement identifier (KSN, EULA).
• Statement version.
• Statement acceptance flag (1 – Statement accepted, 0 – Statement declined).
• Date when the Statement was accepted or declined.

Kaspersky can use this data to generate statistical information.

[Topic 194534]

Data in alerts and events

Event data is saved in binary form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata in open non-encrypted form.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

• Data on executable modules.
• Data on network connections.
• About the operating system that is installed on the computer with Kaspersky Endpoint Agent.
• Data on user sessions in the operating system.
• Data on operating system user accounts.
• Data on Windows event log.
• About alerts of Kaspersky Endpoint Security for Windows.
• About organizational units (OU) of Active Directory.
• HTTP protocol headers.
• Fully qualified domain name of the computer.
• MD5- and SHA256 hash of files and their fragments.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Unique IDs of certificates.
• Certificate publisher.
• Certificate subject.
• Name of the algorithm used to generate the certificate fingerprint.
• Address and port of the local network interface.
• Address and port of the remote network interface.
• Program vendor.
• Program name.
• Name of the Windows registry variable.
• Path to the Windows registry key.
• Windows registry variable data.
• Name of the detected object.
• Kaspersky Security Center Network Agent ID.
• Contents of the hosts file.
• Process start command line.

[Topic 194535]

Data contained in task completion reports

Prior to being sent to the Central Node component, the reports and relevant files are temporarily saved on the hard disk drive of the computer with Kaspersky Endpoint Agent. The task completion reports are saved in archived non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Task completion reports contain the following information:

• Data on task output.
• Data on executable modules.
• Data on operating system processes.
• Data on user accounts.
• Data on user sessions.
• Fully qualified domain name of the computer.
• Unique ID of the computer with Kaspersky Endpoint Agent.
• Files of the computer with Kaspersky Endpoint Agent.
• Names of
  alternate streams of NTFS

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  Data streams of the NTFS file system (alternate data streams) are intended for additional attributes or information on a file.

  Each file in the NTFS file system consists of a set of streams. One of them contains the file contents that we will be able to see by opening the file. The other (alternate) ones are intended for metadata and to ensure, for example, compatibility between the NTFS system and other systems, such as the old Macintosh file system known as Hierarchical File System (HFS). Streams can be created, deleted, individually saved, renamed, and can even be run as a process.

  Alternate streams can be used by hackers for concealed transmission or receipt of data from a computer.

  .
• Full paths to files on the computer with Kaspersky Endpoint Agent.
• Full names of folders on the computer with Kaspersky Endpoint Agent.
• Content of the process standard output.
• Content of the process standard error stream.

[Topic 194537]

Data on files that are blocked from starting

Data on files that are blocked from starting is stored in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data on files that are blocked from starting may contain the following information:

• Full path to the blocked file.
• MD5 hash of the file.
• SHA256 hash of the file.
• Process start command.

[Topic 194538]

Data related to the performance of tasks

When performing a task for placing a file in quarantine, the archive containing this file is temporarily saved in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

When performing a program run task on a host, Kaspersky Endpoint Agent locally stores the contents of standard output streams and errors of the running process in plain unencrypted form until the task completion report is sent to the Central Node component. Files are stored in one of the following folders:

• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
• C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

[Topic 210548]

Data of Kaspersky Endpoint Agent for Linux

Kaspersky Endpoint Agent for Linux stores and processes data locally to provide base functionality and audit capability, as well as to improve the speed with which Kaspersky Technical Support can solve potential problems.

Computers with Kaspersky Endpoint Agent for Linux store data prepared to be sent automatically to Kaspersky Anti Targeted Attack Platform servers and Kaspersky Security Center.

This data may include personal data of the user or confidential data of your organization.

Transmission of data from computers with Kaspersky Endpoint Agent for Linux to the server with the Central Node component cannot be disabled.

Do not use Kaspersky Endpoint Agent for Linux on computers from which data transfer is forbidden by your corporate policy.

Data received from Kaspersky Endpoint Agent for Linux is stored in a database on the server hosting the Central Node component and is rotated as disk space is filled.

Files that are prepared to be sent by Endpoint Agent for Linux to the server with the Central Node component are stored on computers hosting Endpoint Agent for Linux in plain unencrypted form in the same directory that is used as the default directory for storing files on each computer with Kaspersky Endpoint Agent before they are sent.

Files from computers with Kaspersky Endpoint Agent for Linux are only sent to the server with the Central Node component via a secure SSL connection.

The Kaspersky Anti Targeted Attack Platform administrator must take steps to ensure the security of computers with Kaspersky Endpoint Agent for Linux and Kaspersky Anti Targeted Attack Platform servers with the data listed above. The administrator of Kaspersky Anti Targeted Attack Platform is responsible for access to this information.

This section contains the following information about user data that is stored on computers with Endpoint Agent for Linux:

• Contents of stored data
• Storage location
• Storage duration
• User access to data

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

[Topic 210527]

Data in Kaspersky Endpoint Agent for Linux requests to Kaspersky Anti Targeted Attack Platform

When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent for Linux installed:

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

1. In the synchronization requests:
   • Unique ID of Kaspersky Endpoint Agent for Linux.
   • Device name.
   • Local time on the device.
   • Name and version of the operating system that is installed on the device.
   • Version of Kaspersky Endpoint Agent for Linux.
   • Versions of program settings and task settings.
   • Task statuses in Kaspersky Endpoint Agent for Linux: identifiers of running tasks, execution statuses, execution error codes.
2. Data on running processes:
   • Information about the executable file of the process. For the scope of data about the file, see below.
   • Process autorun settings.
   • Values of environment variables.
   • Process ID.
   • Parent process ID.
   • Logon session code.
   • Logon session name.
   • IDs of users and groups that started the process.
   • Date and time when the process started.
   • Information about stopped processes:
     • Process ID.
     • Date and time when the process was stopped.
   • Data on files:
     • Path to the file.
     • File name.
     • File size.
     • File attributes.
     • File creation date and time.
     • Date and time of the last modification of the file.
     • Names and unique IDs of the user and group that own the file.
     • Access rights of the file.
     • Unique identifier of the file.
   • Information about file modifications:
     • Unique identifier of the file.
     • Type of operation performed on the file (writing, reading, attribute modification, renaming, deletion).
   • Information about the logon session:
     • Date and time when the logon session began.
     • Type of the session.
     • Name of the user that initiated the session.
     • Type of the user that initiated the session.
     • Remote computer IP address.
   • Information about alerts on the computer with Kaspersky Endpoint Agent for Linux and Kaspersky Endpoint Security for Linux.
     • Type of detected object.
     • Name of the object and full path to the object.
     • Name of the alert.
     • MD5 hash of the object.
     • URL from which the object was downloaded.
     • Remote computer IP address.
     • IP address of the local computer.
     • Alert processing result.

   Before it is sent, data is stored in the /var/opt/kaspersky/epagent/data/cache/queue directory in plain unencrypted form. By default, only users with root permissions have access to the files.

3. Settings of tasks received by Kaspersky Endpoint Agent for Linux from the Central Node:
   • Task types.
   • Task schedule settings.
   • Names and passwords of the accounts under which the tasks can be run.
   • Versions of settings.
   • Paths to objects.
   • MD5 and SHA256 hashes of objects.
   • Command line to start the process together with the arguments.
   • Information about the individual task is stored on the device until Kaspersky Endpoint Agent receives a deletion request from the Central Node or until Kaspersky Endpoint Agent itself is removed from the device.

   Task data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.

4. In the reports on task execution results sent by Kaspersky Endpoint Agent for Linux to the Central Node:
   • Task execution errors and return codes.
   • Task completion statuses.
   • Task completion time.
   • Versions of settings used for task execution.
   • Information about objects sent to the server (paths to objects, MD5 and SHA256 hashes of objects).
   • Files requested by the server.
   • Content of the process standard output.
   • Content of the process standard error stream.
   • Kaspersky Endpoint Agent for Linux sends task execution result reports to the Central Node.

   Task execution result data is stored in the /var/opt/kaspersky/epagent/tasks directory in plain unencrypted form. By default, only users with root permissions have access to the files.

   Information with the task execution report is deleted after the information is sent to the Central Node.

[Topic 210529]

Service data of Kaspersky Endpoint Agent for Linux

Service data of Kaspersky Endpoint Agent for Linux includes data that is stored in configuration files as a result of an administrator configuring settings locally or using the Kaspersky Security Center plug-in.

Service data is stored in the /var/opt/kaspersky/epagent/settings and /var/opt/kaspersky/epagent/policy directories. The data is stored until Kaspersky Endpoint Agent for Linux is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with root permissions have access to the files.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Kaspersky Endpoint Agent for Linux stores the following data:

• Address of the Central Node server.
• Public key of the server certificate for integration with the Central Node.
• Container with the client certificate for integration with the Central Node.
• Authorization credentials for the proxy server.
• Addresses of custom update sources.
• Configuring the frequency of synchronization and sending telemetry to the Central Node server.

[Topic 210463]

Data contained in Kaspersky Endpoint Agent for Linux trace files and dumps

Data contained in trace files

Users are responsible for the security of data stored on their computers, in particular for monitoring and restricting access to the data before it is sent to Kaspersky.

Trace files are stored on the computer during the entire period the program is used and are permanently deleted when the program is removed.

By default, trace files are saved in the /var/log/kaspersky/epagent/ directory. You can view data in trace files. Accessing the default trace file directory requires root permissions.

All trace files contain the following general data:

• Time when the event occurred.
• Number of the thread of execution.
• Program component that initiated the event.
• Event importance level (information, warning, critical, error).
• Description of the event that occurred in connection with a program component running a command, and the result of the command.

In addition to general information, trace files can contain the following data:

• Kaspersky Endpoint Agent component statuses and their working data
• Information about all operating system objects and events including user activity information
• Data contained in operating system objects (for example, contents of files that can include personal data of users)
• Network traffic data (for example, contents of website forms that can include bank card data or other confidential data)
• Data received from Kaspersky servers (for example, version of the program databases)

Trace data is recorded to the lena2021-01-18T052236.log file. When the file size reaches 10 MB, the file is saved in the /var/log/kaspersky/epagent/ directory. A new file with a timestamp is created to record current data. Up to 10 files with trace data can be stored in the directory. When the size of the last created file reaches 10 MB, the oldest file is deleted.

Trace files of other programs are stored on the computer until the program is removed.

Data contained in dump files

Stored dump files can contain personal data. To monitor and restrict access to data, you must take steps to ensure the security of dump files.

Dump files are generated automatically whenever the program crashes, and are stored on the computer during the entire period when the program is used. Dump files are permanently deleted when the program is removed.

Dump files are stored in the /var/opt/kaspersky/epagent/dumps/ directory.

A dump file contains the entire memory dump of Kaspersky Endpoint Agent for Linux processes for the moment when the dump file is created. The dump file can also contain personal data.

Accessing dump files requires root permissions.

[Topic 226747]

Program licensing

This section covers the main aspects of Kaspersky Anti Targeted Attack Platform licensing.

[Topic 176696]

About the End User License Agreement

The End User License Agreement (EULA) is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the program.

Read through the terms of the End User License Agreement carefully before you start using the program.

You can view the terms of the End User License Agreement (EULA) in the following ways:

• During installation of Kaspersky Anti Targeted Attack Platform.
• By reading the text named /EULA/License.<language>.

  This file is included in the program distribution kit.

• In the program web interface, in the Settings section, License subsection, by clicking the License agreement button.
• In the web interface of the Sandbox component, in the menu, by clicking the End User License Agreement link.

By confirming that you agree with the End User License Agreement when installing the program, you signify your acceptance of the terms of the EULA. If you do not accept the terms of the End User License Agreement, you must abort program installation and must not use the program.

[Topic 174984]

About the license

A license is a limited-time right to use Kaspersky Anti Targeted Attack Platform granted under the terms and conditions of the End User License Agreement (EULA).

The list of available functionality and the period for which you can use the application depend on the license under which you are using the application.

Kaspersky Anti Targeted Attack Platform provides the following types of licenses:

• NFR (not for resale) is a free license for a set period, intended to familiarize the user with the program and to carry out test deployments.
• Commercial—Paid license that is provided when you buy the program.

When the license expires, the program continues to work but with limited functionality. To use the program full functionality, you must purchase a commercial license or renew a commercial license.

In the current version of Kaspersky Anti Targeted Attack Platform, the available functionality of the program also depends on the type of key installed.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may be unavailable in the territory of the USA.

[Topic 245747]

About the license certificate

The License Certificate is a document provided with the key file or activation code.

The License Certificate contains the following license information:

• License key or order number.
• Details of the license holder.
• Information about the program that can be activated using the license.
• Limitation on the number of licensing units (devices on which the program can be used under the license).
• License start date.
• License expiration date or license validity period.
• License type.

[Topic 195361]

About the key

A license key is a sequence of bits used to activate and use the program in accordance with the End User License Agreement. A license key is generated by Kaspersky.

To add a key to the program, upload the key file.

Kaspersky can block a key over violations of the End User License Agreement. If the key has been blocked, you have to add a different key to continue using the program.

In the current version of Kaspersky Anti Targeted Attack Platform, the available functionality of the program depends on the type of the added license key:

• KATA and KEDR keys. Full functionality of the program.
• KEDR key. Receiving and processing of data from network traffic and mail traffic is limited.
• KATA key. The web interface sections Threat Hunting, Tasks, Prevention, Custom rules, Storage, and Endpoint Agents have limited functionality.

Page top

[Topic 174986]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are designed to activate the program by adding a license key.

After purchasing the program or ordering the trial version of the program, you receive a key file at the email address you specified.

You do not need to connect to Kaspersky activation servers in order to activate the program with a key file.

You can recover a key file if it is accidentally deleted. You may need a key file to register with Kaspersky CompanyAccount.

To restore a key file, contact the vendor of the license.

[Topic 174987]

Viewing information about the license and added keys

In

distributed solution

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).

Two-level hierarchy of servers with Central Node components installed. This hierarchy allocates a primary control server (Primary Central Node (PCN)) and secondary servers (Secondary Central Nodes (SCN)).