ESET

Antivirusv1.3

Author: Drew Ervin, Phill Moore

description

ESET Antivirus Data

paths

6 paths

AntivirusESET NOD32 AV Logs (XP)

C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\

AntivirusESET NOD32 AV Logs

C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\

Parser available at https://github.com/laciKE/EsetLogParser

AntivirusESET NOD32 AV Logs

C:\ProgramData\ESET\ESET Security\Logs

AntivirusESET Remote Administrator Logs

C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs

Remote Administrator logs include information on tasks executed on the target.

AntivirusLocal User Quarantine

C:\Users\%user%\AppData\Local\ESET\ESET Security\Quarantine\

AntivirusSYSTEM user quarantine

C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: ESET
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. ESET NOD32 AV Logs (XP)
Collect-Artifact -SourcePath "C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\\*" -FolderName "ESET_NOD32_AV_Logs__XP_"

# 2. ESET NOD32 AV Logs
Collect-Artifact -SourcePath "C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\\*" -FolderName "ESET_NOD32_AV_Logs"

# 3. ESET NOD32 AV Logs
Collect-Artifact -SourcePath "C:\ProgramData\ESET\ESET Security\Logs\*" -FolderName "ESET_NOD32_AV_Logs"

# 4. ESET Remote Administrator Logs
Collect-Artifact -SourcePath "C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\*" -FolderName "ESET_Remote_Administrator_Logs"

# 5. Local User Quarantine
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ESET\ESET Security\Quarantine\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Local_User_Quarantine"

# 6. SYSTEM user quarantine
Collect-Artifact -SourcePath "C:\Windows\System32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\\*" -FolderName "SYSTEM_user_quarantine"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

Remote Administrator log information: https://help.eset.com/protect_admin/80/en-US/fs_agent_connection_troubleshooting.html

included in collections

SANS_Triage Antivirus KapeTriage

// description

// paths

// collection commands

// references

// included in collections

description

paths

collection commands

references

included in collections