Kaspersky Anti Targeted Attack Platform

Data of Kaspersky Endpoint Agent for Windows

Kaspersky Endpoint Agent for Windows stores and processes data locally to provide base functionality and audit capability, as well as to improve the speed with which Kaspersky Technical Support can solve potential problems.

Computers with Kaspersky Endpoint Agent for Windows store data prepared to be sent automatically to Kaspersky Anti Targeted Attack Platform servers and Kaspersky Security Center.

Files prepared by Kaspersky Endpoint Agent for Windows to be sent for scanning to program servers are stored on computers with Kaspersky Endpoint Agent for Windows in plain unencrypted form in the directory that is used by default for storing files prior to sending them.

Files associated with detected events can be transmitted to the server with the Central Node component.

This data may include personal data of the user or confidential data of your organization.

Transmission of data from computers with Kaspersky Endpoint Agent for Windows to the server with the Central Node component cannot be disabled.

Do not use Kaspersky Endpoint Agent for Windows on computers from which data transfer is forbidden by your corporate policy.

Data received from Kaspersky Endpoint Agent for Windows is stored in a database on the server hosting the Central Node component and is rotated as disk space is filled.

Files prepared by Kaspersky Endpoint Agent for Windows to be sent to the server with the Central Node component are stored on the computer in plain unencrypted form, in the same default directory that each computer with Kaspersky Endpoint Agent uses for storing files before they are sent.

Files from computers with Kaspersky Endpoint Agent for Windows are only sent to the server with the Central Node component over a secure SSL connection.

Files that have been encrypted on computers with Kaspersky Endpoint Agent for Windows using the Windows Encrypting File System or Kaspersky File Level Encryption (within the program Kaspersky Endpoint Security for Windows) are sent in encrypted form to the server with the Central Node component.

Kaspersky Anti Targeted Attack Platform lets you modify the settings of the local computer hosting Kaspersky Endpoint Agent for Windows that impact the performance of the computer during interaction with the Central Node component.

Modify these settings only on the recommendation of Kaspersky Technical Support.

Modifying settings on your own could diminish the performance of the local computer.

The Kaspersky Anti Targeted Attack Platform administrator must take steps to use the data listed above to ensure the security of computers with Kaspersky Endpoint Agent for Windows as well as Kaspersky Anti Targeted Attack Platform servers. The administrator of Kaspersky Anti Targeted Attack Platform is responsible for access to this information.

This section contains the following information about user data that is stored on computers with Kaspersky Endpoint Agent for Windows:

  • Contents of stored data
  • Storage location
  • Storage duration
  • User access to data

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

See also

About data provision

Service data of the program

Data of the Central Node and Sensor components

Sandbox component data

Data transmitted between program components

Data contained in trace files of the program

Data of Kaspersky Endpoint Agent for Linux

In this section

Data received from the Central Node component

Data in fields of Windows Event Log events of Kaspersky Endpoint Agent

Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform

Service data of Kaspersky Endpoint Agent for Windows

Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps

Data sent to Kaspersky if the KSN Statement was accepted

Data in alerts and events

Data contained in task completion reports

Data contained in an install log

Data on files that are blocked from starting

Data related to the performance of tasks


Data received from the Central Node component

Kaspersky Endpoint Agent saves the values of settings received from the Central Node component on the computer's hard drive. Data is saved in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data is deleted when Kaspersky Endpoint Agent is removed.

Data received from the Central Node component may contain the following information:

  • Data on network connections.
  • Data on the operating system that is installed on the server with the Central Node component.
  • Data on operating system user accounts.
  • Data on user sessions in the operating system.
  • Data on the Windows event log.
  • Data on the RT_VERSION resource.
  • Data on the contents of a PE file.
  • Data on operating system services.
  • Certificate of the server with the Central Node component.
  • URLs and IP addresses of visited websites.
  • HTTP protocol headers.
  • Computer name.
  • MD5 hashes of files.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Names and values of Windows registry keys.
  • Paths to Windows registry keys.
  • Names of Windows registry variables.
  • Name of the local DNS cache entry.
  • Address from the local DNS cache entry in IPv4 format.
  • IP address or name of the requested host from the local DNS cache.
  • Host of the local DNS cache element.
  • Domain name of the local DNS cache element.
  • Address of the ARP cache element in IPv4 format.
  • Physical address of the ARP cache element.
  • Serial number of the logical drive.
  • Home folder of the local user.
  • Name of the user account that started the process.
  • Path to the script that is run when the user logs in to the system.
  • Name of the user account under which the event occurred.
  • Name of the computer where the event occurred.
  • Full paths to files on computers with Kaspersky Endpoint Agent.
  • Names of files on computers with Kaspersky Endpoint Agent.
  • Masks of files on computers with Kaspersky Endpoint Agent.
  • Full names of folders on computers with Kaspersky Endpoint Agent.
  • Comments of the file publisher.
  • Mask of the process file image.
  • Path to the process file image that opened the port.
  • Name of the process that opened the port.
  • Local IP address of the port.
  • Trusted public key of the digital signature of executable modules.
  • Process name.
  • Process segment name.
  • Command-line parameters.

Data in fields of Windows Event Log events of Kaspersky Endpoint Agent

Windows Event Log data is stored in the %SystemRoot%\System32\Winevt\Logs\Kaspersky-Security-Soyuz%4Product.evtx file in plain unencrypted form. The data is stored until Kaspersky Endpoint Agent is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have read-access to the files. Kaspersky Endpoint Agent does not manage access permissions to this folder and the files in this folder. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

  • Data on user sessions in the operating system.
  • Operating system user accounts (userID).
  • Errors that occurred during execution of object scan tasks.
  • Object scanning tasks.
  • Kaspersky Sandbox alerts.
  • Kaspersky Sandbox events.
  • Kaspersky Endpoint Agent IOC files generated as part of automatic Threat Response.
  • Object scan results.
  • Kaspersky Sandbox server certificates.
  • The object scan queue.
  • Modified settings of Kaspersky Endpoint Agent.
  • Changes of Kaspersky Security Center policies.
  • Modified status of an object scan task.
  • Kaspersky Security Center policies.
  • Quarantined objects.
  • Automatic Threat Response actions.
  • Errors of interaction with program servers.
  • Objects blocked in accordance with prevention rules.
  • Results of Delete file tasks.
  • Results of Kill process tasks.
  • Results of Run program tasks.
  • Results of Get file tasks.
  • The active license of Kaspersky Endpoint Detection and Response Optimum.
  • Program activation status.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Data in Kaspersky Endpoint Agent for Windows requests to Kaspersky Anti Targeted Attack Platform

When integrated with the Central Node component, the following data is stored locally on the device with Kaspersky Endpoint Agent installed.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Data from Kaspersky Endpoint Agent requests to the Central Node component:

  1. In the synchronization requests:
    • Unique ID of Kaspersky Endpoint Agent.
    • Base part of the server web address.
    • Device name.
    • IP address of the device.
    • MAC address of the device.
    • Local time on the device.
    • Self-defense status of Kaspersky Endpoint Agent.
    • Name and version of the operating system that is installed on the device.
    • Kaspersky Endpoint Agent version.
    • Versions of program settings and task settings.
    • Task statuses in Kaspersky Endpoint Agent: IDs of running tasks, execution statuses, execution error codes.
    • Statuses of Kaspersky Endpoint Agent settings: type of applied settings, version of settings, status of applying the settings, error codes of applying the settings.
  2. In requests for obtaining files from the server:
    • Unique IDs of files.
    • Unique ID of Kaspersky Endpoint Agent.
    • Unique IDs of tasks.
    • Base part of the web address of the Central Node server.
    • IP address of the node.
  3. In the reports on task execution results:
    • IP address of the node.
    • Details of objects detected during IOC or YARA scan.
    • Flags of the additional actions performed by Kaspersky Endpoint Agent after completion of tasks (for example, "deleteFileAfterReboot": false).
    • Task execution errors and return codes.
    • Task completion statuses.
    • Task completion time.
    • Versions of settings used for task execution.
    • Details of objects submitted to the server, quarantined objects, and objects restored from Quarantine: paths to objects, MD5 and SHA256 hashes of objects, IDs of quarantined objects.
    • Details of processes started or stopped on the Kaspersky Endpoint Agent device following the server request: PID and UniquePID, error code, MD5 and SHA256 hashes of objects.
    • Information about services started or stopped on the device following the server request (name of the service, run type, error code, MD5 and SHA256 hashes of service file images).
    • Details of objects for which a memory dump was created for YARA scanning (paths, dump file ID).
    • Files requested by the server.
    • Telemetry packets.
    • Data on running processes:
      • Name of the executable file, including the full path and extension.
      • Process autorun settings.
      • Process ID.
      • Logon session code.
      • Logon session name.
      • Date and time when the process started.
      • MD5 hash of the object.
      • SHA256 hash of the object.
    • Data on files:
      • Path to the file.
      • File name.
      • File size.
      • File attributes.
      • File creation date and time.
      • Date and time of the last modification of the file.
      • .
      • .
      • MD5 hash of the object.
      • SHA256 hash of the object.
      • Registry key (for autorun points).
  • Data indicated in errors receiving information about objects:
    • Full name of the object whose processing resulted in the error.
    • Error code.
  4. Telemetry data:
    • IP address of the node.
    • Type of data in the registry prior to the registered modification operation.
    • Data in the registry key prior to the registered modification operation.
    • Text of the processed script or part of it.
    • Type of processed object.
    • Method of sending the command to the command shell.

Data from the requests of the Central Node component to Kaspersky Endpoint Agent:

  1. Task settings:
    • Task types.
    • Task schedule settings.
    • Names and passwords of the accounts that must be used to run tasks.
    • Versions of settings.
    • IDs of quarantined objects.
    • Paths to objects.
    • MD5 and SHA256 hashes of objects.
    • Command line to start the process together with the arguments.
    • Flags of additional actions performed by Kaspersky Endpoint Agent after completion of the task.
    • IOC file identifiers that must be retrieved from the server.
    • IOC files.
    • Names of services.
    • Run type of services.
    • Folders for which you need to obtain results of the Get forensics task.
    • Masks of the names and extensions of objects for the Get forensics task.
  2. Network isolation settings:
    • Types of settings.
    • Versions of settings.
    • Lists of network isolation exclusions and exclusion settings: traffic direction, IP addresses, ports, protocols, and full paths to executable files.
    • Flags of additional actions performed by Kaspersky Endpoint Agent.
    • Time of automatic disabling of isolation.
  3. Settings for preventing execution and opening of documents:
    • Types of settings.
    • Versions of settings.
    • Lists of prevention rules and rule settings: paths to objects, types of objects, MD5 and SHA256 hashes of objects.
    • Flags of additional actions performed by Kaspersky Endpoint Agent.
  4. Event filtering settings:
    • Module names.
    • Full paths to objects.
    • MD5 and SHA256 hashes of objects.
    • Identifiers of entries in the Windows event log.
    • Digital certificate settings.
    • Traffic direction, IP addresses, ports, protocols, full paths to executable files.
    • User names.
    • User logon types.
    • Types of telemetry events for which filters are applied.

Service data of Kaspersky Endpoint Agent for Windows

Service data of Kaspersky Endpoint Agent include:

  • Data that is stored in configuration files as a result of configuring the settings by an administrator.
  • Data processed as part of automatic Threat Response.
  • Data processed during integration with Kaspersky Sandbox.
  • Data processed during integration with the KATA Central Node component.
  • Data processed during integration with Kaspersky Industrial CyberSecurity for Networks.

Service data is stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder. Data in the Settings subfolder is encrypted using the Encrypting File System (EFS). The data is stored until Kaspersky Endpoint Agent is uninstalled.

This data can be automatically sent to Kaspersky Security Center.

By default, only users with System and Administrator permissions have access to the files (full access for System, read and execute for Administrator). The %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<product version> folder and the Restored subfolder are also accessible to users with User (read only) permissions.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

Kaspersky Endpoint Agent stores the following data that are processed during automatic response and integration with Kaspersky Sandbox:

  1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
    • Kaspersky Endpoint Agent access password.
    • Quarantined files.
    • Kaspersky Endpoint Agent settings.
    • Credentials of operating system users for starting tasks with certain user permissions.
    • Authentication credentials for Kaspersky Security Center Administration Server.
    • Authorization credentials for the proxy server.
    • Addresses of custom update sources.
    • Public key of the certificate used for integration with Kaspersky Sandbox.
  2. Kaspersky Endpoint Agent cache:
    • Time when scan results were written to the cache.
    • MD5 hash of the scan task.
    • Scan task identifier.
    • Object scan result.
  3. Queue of the object scan requests:
    • ID of the object in the queue.
    • Time when the object was queued.
    • Processing status of the queued object.
    • ID of the user session in the operating system where the object scan task was created.
    • System identifier (SID) of the operating system user whose user account permissions were used to create the object scan task.
    • MD5 hash of the object scan task.
  4. Information about the tasks for which Kaspersky Endpoint Agent awaits scan results from Kaspersky Sandbox:
    • Time when the object scan task was received.
    • Object processing status.
    • ID of the user session in the operating system where the object scan task was created.
    • ID of the object scan task.
    • MD5 hash of the object scan task.
    • System identifier (SID) of the operating system user whose user account was used to create the task.
    • XML schema of the automatically created IOC.
    • MD5 or SHA256 hash of the scanned object.
    • Processing errors.
    • Names of the objects that the scanning task was created for.
    • Object scan result.

When integrated with the KATA Central Node component, Kaspersky Endpoint Agent stores the following data locally:

  1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
    • Quarantined files.
    • Kaspersky Endpoint Agent settings:
      • Kaspersky Endpoint Agent access password.
      • Credentials of operating system users for starting tasks with certain user permissions.
      • Authentication credentials for Kaspersky Security Center Administration Server.
      • Authorization credentials for the proxy server.
      • Addresses of custom update sources.
      • Public key of the certificate used for integration with KATA Central Node.
      • Public key of the certificate used for integration with Kaspersky Sandbox.
      • License data.
  2. Data required for integration with the KATA Central Node component:
    • Updatable telemetry filtering schemes.
    • Telemetry event packet queue.
    • Cache of IOC file identifiers received from the KATA Central Node component.
    • Objects to be passed to the server as part of the Get file task.
    • Reports on the Get forensics task results.

Kaspersky Endpoint Agent locally stores the following data when integrated with the Kaspersky Industrial CyberSecurity for Networks server:

  1. Processed files and data entered by the user during configuration of Kaspersky Endpoint Agent settings:
    • Kaspersky Endpoint Agent settings:
      • Kaspersky Endpoint Agent access password.
      • Credentials of operating system users for starting tasks with certain user permissions.
      • Authentication credentials for Kaspersky Security Center Administration Server.
      • Authorization credentials for the proxy server.
      • Addresses of custom update sources.
      • Public key of the certificate for integration with Kaspersky Industrial CyberSecurity for Networks.
      • License data.
  2. Data required for integration with Kaspersky Industrial CyberSecurity for Networks:
    • Updatable telemetry filtering schemes.
    • Telemetry event packet queue.

Data contained in Kaspersky Endpoint Agent for Windows trace files and dumps

Kaspersky Endpoint Agent for Windows can record debug information in trace files in accordance with settings to support the operation of Kaspersky Endpoint Agent for Windows.

Kaspersky Endpoint Agent for Windows dump files are created by the operating system when the program fails and are rewritten after each failure.

Trace and dump files can include any personal data of the user or confidential data of your organization.

Do not use Kaspersky Endpoint Agent for Windows on hosts from which data transfer is forbidden by your corporate policy.

By default, Kaspersky Endpoint Agent does not record any debug information.

Trace files and dump files are never automatically sent beyond the host on which the files were generated. The contents of trace files can be viewed using the standard tools for viewing text files. Trace files and dump files are stored indefinitely and are not deleted when Kaspersky Endpoint Agent for Windows is uninstalled.

Debug information may be required when contacting Technical Support.

There are no special mechanisms to limit access to trace and dump files. The administrator can take steps to configure writing this information into a secured folder.

The path for trace files and dump files is not configured by default. The administrator must manually specify a folder for writing trace files and dump files.

Data in trace files and dump files can contain the following information:

  • Actions performed by Kaspersky Endpoint Agent for Windows on the host.
  • Information about objects processed by Kaspersky Endpoint Agent for Windows.
  • Errors occurring during the operation of Kaspersky Endpoint Agent for Windows.
  • Event time.
  • Number of the execution thread.
  • Program component that caused an alert.
  • Event importance.
  • Data on executable modules.
  • Data on open ports.
  • Data on network connections.
  • Data on the operating system that is installed on the computer with Kaspersky Endpoint Agent for Windows.
  • Data on operating system user accounts.
  • Data on user sessions in the operating system.
  • Data on the Windows event log.
  • Data on alerts of Kaspersky Endpoint Security for Windows.
  • Data on organizational units (OU) of Active Directory.
  • Unique ID of the computer with Kaspersky Endpoint Agent for Windows.
  • Fully qualified domain name of the computer.
  • Serial number of the logical drive.
  • HTTP protocol headers.
  • Full paths to files on computers with Kaspersky Endpoint Agent for Windows.
  • Names of files on computers with Kaspersky Endpoint Agent for Windows.
  • Full names of folders on computers with Kaspersky Endpoint Agent for Windows.
  • Home folder of the local user.
  • Name of the user account that started the process.
  • Path to the script that is run when the user logs in to the system.
  • Name of the user account under which the event occurred.
  • URLs and IP addresses of visited websites, and links from these websites.
  • When using a proxy server: Proxy server IP address, computer name, port, proxy server user name.
  • External IP addresses, with which a connection was established from a local computer.
  • Process start commands.
  • Command-line parameters.
  • Kaspersky Security Center Network Agent ID.
  • Path to keys in the Windows registry.
  • Names of Windows registry variables.
  • Values of Windows registry variables.
  • Windows registry hives.
  • Names of detected objects.
  • Name of the local DNS cache entry.
  • IP address from the local DNS cache entry in IPv4 format.
  • IP address or name of the requested host from the local DNS cache.
  • Host of the local DNS cache element.
  • Domain name of the local DNS cache element.
  • IP address of the ARP cache element in IPv4 format.
  • Physical address of the ARP cache element.
  • Name of the user account that started the operating system service.
  • Settings with which the operating system service was started.
  • Original name of the file (OriginalFileName) for the RT_VERSION resource.

Data sent to Kaspersky if the KSN Statement was accepted

If you agree with the terms and conditions of the Kaspersky Security Network (KSN) Statement, the program automatically sends information about this to Kaspersky.

Data on acceptance of the terms and conditions of this Statement can be stored locally in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<version>\Data\ folder.

All data that is stored locally on the device, except for trace and dump files, is deleted from the device when the program is uninstalled.

The following data is sent to Kaspersky when you accept or decline the terms and conditions of the KSN Statement:

  • Statement identifier (KSN, EULA).
  • Statement version.
  • Statement acceptance flag (1 – Statement accepted, 0 – Statement declined).
  • Date when the Statement was accepted or declined.

Kaspersky can use this data to generate statistical information.

Data in alerts and events

Event data is saved in binary, open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Event data can contain information related to the following:

  • Data on executable modules.
  • Data on network connections.
  • Data on the operating system that is installed on the computer with Kaspersky Endpoint Agent.
  • Data on user sessions in the operating system.
  • Data on operating system user accounts.
  • Data on the Windows event log.
  • Data on alerts of Kaspersky Endpoint Security for Windows.
  • Data on organizational units (OU) of Active Directory.
  • HTTP protocol headers.
  • Fully qualified domain name of the computer.
  • MD5 and SHA256 hashes of files and their fragments.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Unique IDs of certificates.
  • Certificate publisher.
  • Certificate subject.
  • Name of the algorithm used to generate the certificate fingerprint.
  • Address and port of the local network interface.
  • Address and port of the remote network interface.
  • Program vendor.
  • Program name.
  • Name of the Windows registry variable.
  • Path to the Windows registry key.
  • Windows registry variable data.
  • Name of the detected object.
  • Kaspersky Security Center Network Agent ID.
  • Contents of the hosts file.
  • Process start command line.

Data contained in task completion reports

Prior to being sent to the Central Node component, the reports and relevant files are temporarily saved on the hard disk drive of the computer with Kaspersky Endpoint Agent. The task completion reports are saved in archived non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Task completion reports contain the following information:

  • Data on task output.
  • Data on executable modules.
  • Data on operating system processes.
  • Data on user accounts.
  • Data on user sessions.
  • Fully qualified domain name of the computer.
  • Unique ID of the computer with Kaspersky Endpoint Agent.
  • Files of the computer with Kaspersky Endpoint Agent.
  • Names of .
  • Full paths to files on the computer with Kaspersky Endpoint Agent.
  • Full names of folders on the computer with Kaspersky Endpoint Agent.
  • Content of the process standard output.
  • Content of the process standard error stream.

[Topic 194535]

Data on files that are blocked from starting

Data on files that are blocked from starting is stored in open non-encrypted form in the folder C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.

Data on files that are blocked from starting may contain the following information:

  • Full path to the blocked file.
  • MD5 hash of the file.
  • SHA256 hash of the file.
  • Process start command.

[Topic 194537]

Data related to the performance of tasks

When performing a task for placing a file in quarantine, the archive containing this file is temporarily saved in one of the following folders:

  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

When performing a program run task on a host, Kaspersky Endpoint Agent locally stores the contents of the standard output and standard error streams of the running process in plain unencrypted form until the task completion report is sent to the Central Node component. Files are stored in one of the following folders:

  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp for Kaspersky Endpoint Agent that is installed as part of Kaspersky Endpoint Security.
  • C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp for Kaspersky Endpoint Agent that is installed from the Kaspersky Anti Targeted Attack Platform distribution kit.

By default, only users with System and Administrator permissions have read-access to files when Self-Defense is enabled. When Self-Defense is disabled, users with System and Administrator permissions can also delete the files, modify their contents, and modify the access rights to them. The Kaspersky Endpoint Agent application does not manage access permissions to this folder or any files in it. It is the system administrator who determines access permissions.
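Because the application does not manage access permissions to these folders, an administrator can check them directly. The following script is an added example, not part of the Kaspersky documentation or product: it lists every allow entry on the folders named on this page that belongs to an identity other than SYSTEM and the local Administrators group. Mapping "System and Administrator permissions" to the well-known SIDs S-1-5-18 and S-1-5-32-544 is an assumption, as is the function name Get-UnexpectedAccess.

```powershell
# Added example: audit NTFS ACLs on the Kaspersky Endpoint Agent data folders.
# Run from an elevated PowerShell session on the endpoint.

# Folder paths taken from this page; folders absent on the host are skipped.
$folders = @(
    'C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata',
    'C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\data_queue',
    'C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\kata\temp',
    'C:\ProgramData\Kaspersky Lab\Endpoint Agent\protected\data\kata\temp'
)

# Assumption: the expected principals are Local System and BUILTIN\Administrators.
$expectedSids = @('S-1-5-18', 'S-1-5-32-544')

function Get-UnexpectedAccess {
    param([string[]]$Path, [string[]]$AllowedSid)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try {
            $acl = Get-Acl -LiteralPath $p -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL of ${p}: $($_.Exception.Message)"
            continue
        }
        # Resolve each entry to a SID so localized account names do not matter.
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($AllowedSid -contains $sid) { continue }
            # Translate back to a readable name where possible.
            $ntType = [System.Security.Principal.NTAccount]
            $name = try { $ace.IdentityReference.Translate($ntType).Value } catch { $sid }
            [pscustomobject]@{
                Path      = $p
                Identity  = $name
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = Get-UnexpectedAccess -Path $folders -AllowedSid $expectedSids
if ($findings) { $findings | Format-Table -AutoSize }
else { 'No allow entries beyond SYSTEM and Administrators.' }
```

Entries reported with Inherited set to True come from a parent folder, so any correction belongs on the parent rather than on the folder listed.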

[Topic 194538]