/usr/share/artifacts/antivirus.yaml is in forensic-artifacts 20161022-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# Anti-Virus artifacts.
name: EsetAVQuarantine
doc: Eset Anti-Virus Quarantine (Infected) files.
# One FILE source; the flow mapping is spelled out in block style so the
# path list reads the same way as the multi-path artifacts below.
sources:
  - type: FILE
    attributes:
      paths:
        - '/Library/Application Support/ESET/esets/cache/quarantine/*'
# Artifact-level OS filter: macOS only.
supported_os: [Darwin]
labels: [Antivirus]
---
name: MicrosoftAVQuarantine
doc: Microsoft Anti-Virus Quarantine (Infected) files.
sources:
  - type: FILE
    attributes:
      # Single-quoted so the Windows backslashes stay literal. The
      # %%environ_allusersappdata%% token is presumably expanded by the
      # collector's knowledge base (not plain YAML) — verify against the
      # consuming tool. `**` recurses into subdirectories.
      paths:
        - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
        - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
supported_os: [Windows]
labels: [Antivirus]
---
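name: SophosAVLogs
doc: Sophos Anti-Virus log files.
# Both platform-specific entries belong to ONE `sources` list. A second
# `sources:` key at the same mapping level is a duplicate key: most YAML
# loaders take the last value, so the Windows log source would be silently
# dropped from the artifact.
sources:
  - type: FILE
    attributes:
      # Single-quoted so the Windows backslashes stay literal; the
      # %%environ_allusersappdata%% token is expanded by the collector,
      # not by YAML.
      paths:
        - '%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*'
    supported_os: [Windows]
  - type: FILE
    attributes:
      paths:
        - '/Library/Logs/Sophos*.log'
    supported_os: [Darwin]
# Artifact-level filter covers both source OSes.
supported_os: [Windows, Darwin]
labels: [Antivirus, Logs]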
---
name: SophosAVQuarantine
doc: Sophos Anti-Virus Quarantine (Infected) files.
# One source per platform; each carries its own OS filter, and the
# artifact-level supported_os is the union of the two.
sources:
  - type: FILE
    attributes:
      paths:
        - '%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*'
    supported_os: [Windows]
  - type: FILE
    attributes:
      paths:
        - '/Users/Shared/Infected/*'
    supported_os: [Darwin]
supported_os: [Windows, Darwin]
labels: [Antivirus]
---
name: SymantecAVLogs
doc: Symantec Anti-Virus Log Files.
sources:
  - type: FILE
    attributes:
      # Two knowledge-base tokens: a machine-wide location and a per-user
      # one (%%users.localappdata%% presumably expands once per user
      # profile — confirm against the collector). Single quotes keep the
      # backslashes literal.
      paths:
        - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
        - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
    supported_os: [Windows]
# Source-level and artifact-level filters both say Windows; the artifact
# level one is what applies when the whole artifact is selected.
supported_os: [Windows]
labels: [Antivirus, Logs]
---
name: SymantecAVQuarantine
doc: Symantec Anti-Virus Quarantine (Infected) files.
sources:
  - type: FILE
    attributes:
      # `**5` is a recursive glob; the trailing 5 presumably caps the
      # recursion depth in the artifacts path syntax — verify against the
      # spec. Collected .vbn files are vendor-encoded quarantine
      # containers and should be handled as potentially malicious.
      paths:
        - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5.vbn'
    supported_os: [Windows]
supported_os: [Windows]
# NOTE(review): tagged Logs although this is a quarantine artifact; the
# other *Quarantine artifacts in this file carry only Antivirus — confirm
# whether Logs is intended before collectors filter on it.
labels: [Antivirus, Logs]