
I am doing some powershell stuff to parse a few logs at work. I would also like to collect some information from the SCEP logs. I find the amount of logs available as well as the different locations in which they are stored a bit overwhelming to say the least.

I would like to extract the logs reporting that a potential virus was found in both the live and the "regular" scanner.

A similar question has already been answered here: Reporting SCEP update and scan

I have eicar for testing purposes here. So how would I imitate a potential positive finding in both scanners so that I can figure out to which file the scanners log to?

Thanks in advance

Andrew

Andrew Tobey

1 Answer


As far as the "regular" scanner is concerned, %systemdrive%\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-XXXXXXXX-XXXXXX.log offers a wealth of information.

Here are some interesting patterns to search for:

  • Threat Name # record(s) of malware detection
  • signature updated via # self-explanatory
  • scan source # record of scheduled scan/running scan on demand
  • Expensive file # expensive i.e. large files found during a scan (this information can be used to enhance scanning performance)

Anyway, live detections are apparently not written to the aforementioned file!

Andrew Tobey
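One way to pull the patterns listed in the answer out of MPLog with PowerShell, as an added example that is not part of the original question or answer. The log directory comes from the answer; the function name Get-MpLogEvents, the category names and the sample log lines are assumptions constructed for offline testing and do not claim to reproduce the real MPLog line format.

```powershell
# Added example (not from the original post): collect the patterns the answer
# lists from the most recent MPLog-*.log and tag each hit with a category.
$MpLogDir = Join-Path $env:SystemDrive 'ProgramData\Microsoft\Microsoft Antimalware\Support'

# Search patterns named in the answer, keyed by a category used in the output.
# -match is case-insensitive by default, so casing differences in the log do not matter.
$Patterns = [ordered]@{
    Detection       = 'Threat Name'
    SignatureUpdate = 'signature updated via'
    ScanSource      = 'scan source'
    ExpensiveFile   = 'Expensive file'
}

function Get-MpLogEvents {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $Source = 'MPLog'
    )
    foreach ($line in $Lines) {
        foreach ($category in $Patterns.Keys) {
            # Escape the pattern so it is matched literally, not as a regex.
            if ($line -match [regex]::Escape($Patterns[$category])) {
                [pscustomobject]@{
                    Source   = $Source
                    Category = $category
                    Line     = $line.Trim()
                }
                break   # one category per line is enough
            }
        }
    }
}

# Constructed sample lines (assumption, not real MPLog output), kept to the
# patterns the answer lists, so the function can be exercised offline.
$SampleLines = @(
    '2024-01-01T10:00:00.000Z signature updated via MMPC to 1.403.0.0',
    '2024-01-01T10:05:00.000Z scan source = Scheduled',
    '2024-01-01T10:06:12.000Z Expensive file: C:\Temp\big.iso',
    '2024-01-01T10:07:45.000Z Threat Name:Virus:DOS/EICAR_Test_File'
)
Get-MpLogEvents -Lines $SampleLines | Format-Table -AutoSize

# Against the live log: parse only the newest MPLog-*.log, if the directory exists,
# and keep the detection records, which is what the question asks for.
$Latest = Get-ChildItem -Path $MpLogDir -Filter 'MPLog-*.log' -ErrorAction SilentlyContinue |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($Latest) {
    Get-MpLogEvents -Lines (Get-Content -LiteralPath $Latest.FullName) -Source $Latest.Name |
        Where-Object Category -eq 'Detection'
}
```

As the answer notes, live (real-time) detections do not appear in this file, so the Detection category only covers what the on-demand and scheduled scans wrote to MPLog.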