ESET
Antivirusv1.3
Author: Drew Ervin, Phill Moore
description
ESET Antivirus Data
paths
6 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: ESET
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. ESET NOD32 AV Logs (XP)
Collect-Artifact -SourceDir "C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\" -FolderName "ESET_NOD32_AV_Logs__XP_"
# 2. ESET NOD32 AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\" -FolderName "ESET_NOD32_AV_Logs"
# 3. ESET NOD32 AV Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\ESET Security\Logs" -FolderName "ESET_NOD32_AV_Logs"
# 4. ESET Remote Administrator Logs
Collect-Artifact -SourceDir "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs" -FolderName "ESET_Remote_Administrator_Logs"
# 5. Local User Quarantine
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ESET\ESET Security\Quarantine\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Local_User_Quarantine"
# 6. SYSTEM user quarantine
Collect-Artifact -SourceDir "C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\" -FolderName "SYSTEM_user_quarantine"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1