ESET Online Help

List of artifacts/Collected files

This section describes the files contained in the resulting .zip file. The description is divided into subsections based on the information type (files and artifacts).

Location / Filename

Description

metadata.txt

Information on the date of the .zip archive creation, ESET Log Collector version, ESET product version and basic licensing information.

collector_log.txt

A copy of the log file from the GUI containing data up to the point when the .zip file was created.

Windows Processes

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Running processes

(open handles and loaded DLLs)

Windows\Processes\Processes.txt

Text file containing a list of running processes on the machine. For each process, the following items are printed:

PID

Parent PID

Number of threads

Number of open handles grouped by type

Loaded modules

User account it is running under

Memory usage

Timestamp of start

Kernel and user time

I/O statistics

Command line

Running processes

(open handles and loaded DLLs)

Windows\ProcessesTree.txt

Text file containing a tree of running processes on the machine. For each process, the following items are printed:

PID

User account it is running under

Timestamp of start

Command line

Windows Logs

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Application event log

Windows\Logs\Application.xml

Windows Application event logs in a custom XML format. Only messages from the last 30 days are included.

System event log

Windows\Logs\System.xml

Windows System event logs in a custom XML format. Only messages from the last 30 days are included.

Security event log

Windows\Logs\Security.evtx

Windows Security event log file. Only messages from the last 30 days are included.

Terminal services - LSM operational event log*

Windows\Logs\LocalSessionManager-Operational.evtx

Windows event log containing information about RDP sessions.

Terminal Services - Remote Connection Manager*

Windows\Logs\RemoteConnectionManager-Operational.evtx

Windows event log containing information about Windows Remote Desktop connections.

Drivers install logs

Windows\Logs\catroot2_dberr.txt

Information about catalogs that have been added to "catstore" during driver installation.

SetupAPI logs*

Windows\Logs\SetupAPI\setupapi*.log

Device and application installation text logs.

WMI Activity operational event log

Windows\Logs\WMI-Activity.evtx

Windows event log containing WMI Activity tracing data. Only messages from the last 30 days are included.

Application event log

Windows\Logs\Application.evtx

Windows Application event log file. Only messages from the last 30 days are included.

System event log

Windows\Logs\System.evtx

Windows System event log file. Only messages from the last 30 days are included.

Windows PowerShell event log

Windows\Logs\Windows-PowerShell.evtx

Windows event log file that records details of Windows PowerShell operations.

*Windows Vista and later

System Configuration

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Drives info

Windows\drives.txt

Windows\volumes.txt

Text file containing information about disk drives and volumes.

Devices info

Windows\devices\*.txt

Windows\Devices\deviceTree.json

Multiple text files containing classes and interfaces information about devices.

Services Registry key content

Windows\Services.reg

Registry key content of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Collecting this key may be helpful for driver issues.

Network configuration

Config\network.txt

Text file containing network configuration (result of executing ipconfig /all).

Windows updates

Windows Updates\WinUpdates.txt

Text file containing information about Windows Updates.

PowerShell history

Windows\PSHistory\{profileName}\*.*

Text files with PowerShell history in %appdata%\Microsoft\Windows\PowerShell\PSReadline\ under each profile. History is collected for PS version 5 and above, where PSReadLine should be available by default.

.NET Framework info

Windows\DotNET_info.txt

Text file containing information about installed .NET Framework and .NET CLR versions.

ESET SysInspector log

Config\SysInspector.esil

SysInspector log. Depending on the version of the SysInspector app used, it may be in SysInspector XML format instead.

Winsock LSP catalog

Config\WinsockLSP.txt

Output of the netsh winsock show catalog command.

WFP filters*

Config\WFPFilters.xml

WFP filters configuration in the XML format.

Complete Windows Registry content

Windows\Registry\*

Multiple binary files containing Windows Registry data.

List of files in temporary directories

Windows\TmpDirs\*.txt

Multiple text files listing the contents of the system's user temp directories and the %windir%/temp, %TEMP% and %TMP% directories.

Windows scheduled tasks

Windows\Scheduled Tasks\*.*

Multiple XML files containing all tasks from the Windows Task Scheduler to help detect malware that exploits the Task Scheduler. Because the files are located in subfolders, the whole structure is collected.

WMI repository

Windows\WMI Repository\*.*

Multiple binary files containing WMI database data (meta-information, definition and static data of WMI classes). Collecting these files may help identify malware that uses WMI for persistence (such as Turla). Because WMI files may be located in subfolders, the whole structure is collected.

Shim databases

Windows\Shim Databases\*.sdb

Shim database files located in %SystemRoot%\apppatch directory.

Prefetch files

Windows\Prefetch files\*.sdb

Prefetch files located in %SystemRoot%\Prefetch directory.

Group Policy settings

Windows\GP\gpresult.html

Windows\GP\gpresult_Computer.log

Windows\GP\gpresult_User.log

A report generated by the gpresult tool that contains all information about the Resultant Set of Policy for remote users and computers.

Microsoft Defender status*

Windows\Defender\service.txt

Text file containing information about the Microsoft Defender service.

Windows Server roles & features*

Windows\server_features.txt

Text file containing a tree of all Windows Server features. Each feature contains the following information:

Installed state

Localized name

Code name

State (available on Microsoft Windows Server 2012 and later)

*Microsoft Windows 7 or Microsoft Windows Server 2008 R2 and later / Microsoft Defender Antivirus Service

ESET Installer

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET Installer logs

ESET\Installer\*.log

Installation logs created during the installation of ESET NOD32 Antivirus and ESET Smart Security 10 Premium products.

ESET PROTECT On-prem

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET PROTECT Server logs

ERA\Server\Logs\RemoteAdministratorServerDiagnostic<datetime>.zip

Server product logs in a ZIP archive. It contains trace, status and last-error logs.

ESET PROTECT Agent logs

ERA\Agent\Logs\RemoteAdministratorAgentDiagnostic<datetime>.zip

Agent product logs in a ZIP archive. It contains trace, status and last-error logs.

ESET PROTECT process information and dumps*

ERA\Server\Process and old dump\RemoteAdministratorServerDiagnostic<datetime>.zip

Server process dump(s).

ESET PROTECT process information and dumps*

ERA\Agent\Process and old dump\RemoteAdministratorAgentDiagnostic<datetime>.zip

Agent process dump(s).

ESET PROTECT configuration

ERA\Server\Config\RemoteAdministratorServerDiagnostic<datetime>.zip

Server configuration and application information files in the ZIP archive.

ESET PROTECT configuration

ERA\Agent\Config\RemoteAdministratorAgentDiagnostic<datetime>.zip

Agent configuration and application information files in the ZIP archive.

ESET PROTECT Rogue Detection Sensor logs

ERA\RD Sensor\Rogue Detection SensorDiagnostic<datetime>.zip

A ZIP containing RD Sensor trace log, last-error log, status log, configuration, dump(s) and general information files.

ESET PROTECT MDMCore logs

ERA\MDMCore\RemoteAdministratorMDMCoreDiagnostic<datetime>.zip

A ZIP containing MDMCore trace log, last-error log, status log, dump(s) and general information files.

ESET PROTECT Proxy logs

ERA\Proxy\RemoteAdministratorProxyDiagnostic<datetime>.zip

A ZIP containing ERA Proxy trace log, last-error log, status log, configuration, dump(s) and general information files.

ESET PROTECT Agent database

ERA\Agent\Database\data.db

ESET PROTECT Agent database file.

Apache Tomcat configuration

ERA\Apache\Tomcat\conf\*.*

Apache Tomcat configuration files, including a copy of the server.xml file without sensitive information.

Apache Tomcat logs

ERA\Apache\Tomcat\logs\*.log

ERA\Apache\Tomcat\EraAppData\logs\*.log

ERA\Apache\Tomcat\EraAppData\WebConsole\*.log

Apache Tomcat log(s) in text format located in the Apache Tomcat install or application directory. WebConsole logs are also included.

Apache HTTP Proxy configuration

ERA\Apache\Proxy\conf\httpd.conf

Apache HTTP Proxy configuration file.

Apache HTTP Proxy logs

ERA\Apache\Proxy\logs\*.log

Apache HTTP Proxy log(s) in text format located.

*ESET PROTECT Server or ESET PROTECT Agent

ESET Bridge

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET Bridge configuration

ESET Bridge\pkgid

Configuration file located in the ESET Bridge installation directory.

ESET Bridge logs

ESET Bridge\logs\*.*

Log files located in the ESET Bridge application data directory.

ESET Bridge dumps

ESET Bridge\dumps\*.*

ESET Bridge dump files.

Nginx logs

ESET Bridge\Nginx\logs\*.log

ESET Bridge\Nginx\conf\*.*

Nginx log files (.key and .pfx are not collected).

ESET Direct Endpoint Management plug-in

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

eRMMI

ERMMI\data\*.*

App data files that are located in the ERMMI directory.

Endpoint Plugin for Connectwise Automate logs

ERMMI\EEPCA\Logs\*.*

Endpoint Plugin for Connectwise Automate log files.

Endpoint Plugin for Connectwise Automate binaries

ERMMI\EEPCA\bin\*.*

Endpoint Plugin for Connectwise Automate in binary format (except .msi and .exe executables).

Ermmi logs

ERMMI\logs\*.*

Log files located in the ERMMI install directory.

Ermmi binaries

ERMMI\bin\*.*

Binary files located in the ERMMI install directory (except .msi and .exe executables).

ESET Configuration

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET product configuration

info.xml

Informational XML that details the ESET product installed on a system. It contains basic system information, installed product information and a list of product modules.

ESET product configuration

versions.csv

Contains installed product information. Since version 4.0.3.0, the file is always included (without any dependencies). versions.csv must exist in the ESET AppData directory to be included.

ESET product configuration

features_state.txt

Information about ESET product features and their states (Active, Inactive, Not integrated). The file is always collected and is not tied to any selectable artifact.

ESET product configuration

Configuration\product_conf.xml

XML with exported product configuration.

ESET data and install directory file list

ESET\Config\data_dir_list.txt

Text file containing a list of files in the ESET AppData directory and all its subdirectories.

ESET data and install directory file list

ESET\Config\install_dir_list.txt

Text file containing a list of files in the ESET Install directory and all its subdirectories.

ESET drivers

ESET\Config\drivers.txt

Information about installed ESET drivers.

ESET Personal firewall configuration

ESET\Config\EpfwUser.dat

Copy of the file with the ESET Personal firewall configuration.

ESET firewall troubleshooting wizard

ESET\Config\epfw_troubleshooting_wizard.xml

XML file containing information about blocked local applications and remote devices.

ESET firewall temporary IP address blacklist

ESET\Config\epfw_temporary_ip_address_blacklist.xml

XML file containing information about temporarily blocked IP addresses.

ESET Registry key content

ESET\Config\ESET.reg

Registry key content of HKLM\SOFTWARE\ESET.

Winsock LSP catalog

Config\WinsockLSP.txt

Output of the netsh winsock show catalog command.

Last applied policy

ESET\Config\lastPolicy.dat

The policy applied by ESET PROTECT.

ESET components

ESET\Config\msi_features.txt

Information about available ESET product MSI installer components.

ESET License

ESET\Config\License\*.*

License files of the installed ESET product.

HIPS configuration

ESET\Config\HipsRules.bin

HIPS rules data.

Network Inspector configuration

ESET\Config\epfwdata.bin

Network Inspector configuration data.

Connected Home configuration

ESET\Config\homenet.dat

Connected Home data.

Quarantine

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Info about quarantined files

ESET\Quarantine\quar_info.txt

Text file with a list of quarantined objects.

Small quarantined files (< 250KB)

ESET\Quarantine\*.*(< 250KB)

Quarantine files smaller than 250 KB.

Big quarantined files (> 250KB)

ESET\Quarantine\*.*(> 250KB)

Quarantine files larger than 250 KB.

Suspicious file (collected with ESET Inspect On-prem log artifact)

Config\SysInspector.esil

All files considered by ESET SysInspector as suspicious.

ESET Logs

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET Events log

ESET\Logs\Common\warnlog.dat

ESET Product event log in binary format.

ESET Detected threats log

ESET\Logs\Common\virlog.dat

ESET Detected threats log in binary format.

ESET Computer scan logs

ESET\Logs\Common\eScan\*.dat

ESET Computer scan log(s) in binary format.

ESET HIPS log*

ESET\Logs\Common\hipslog.dat

ESET HIPS log in binary format.

ESET Parental control logs*

ESET\Logs\Common\parentallog.dat

ESET Parental control log in binary format.

ESET Device control log*

ESET\Logs\Common\devctrllog.dat

ESET Device control log in binary format.

ESET Webcam protection log*

ESET\Logs\Common\webcamlog.dat

ESET Webcam protection log in binary format.

ESET Banking & Payment protection log

ESET\Logs\Common\bpplog.dat

ESET Banking & Payment protection log in binary format.

ESET Blocked files log

ESET\Logs\Common\blocked.dat

ESET Blocked files log(s) in binary format.

ESET Sent files log

ESET\Logs\Common\sent.dat

ESET Sent files log(s) in binary format.

ESET Audit log

ESET\Logs\Common\audit.dat

ESET\Logs\Common\audit\*.*

ESET Audit log(s) in binary format.

ESET Vulnerability & Patch Management log

ESET\Logs\Common\vapmlog.dat

ESET Vulnerability & Patch Management log in binary format.

*Option is displayed only when the file exists.

ESET Server Line of Products Logs

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET On-demand server database scan logs

ESET\Logs\Common\ServerOnDemand\*.dat

ESET server On-demand log(s) in binary format.

ESET Hyper-V server scan logs

ESET\Logs\Common\HyperVOnDemand\*.dat

ESET Hyper-V server scan log(s) in binary format.

ESET OneDrive scan logs

ESET\Logs\Common\O365OnDemand\*.dat

ESET OneDrive scan log(s) in binary format.

ESET Network Logs

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET Network protection log*

ESET\Logs\Net\epfwlog.dat

ESET Network protection log in binary format.

ESET Filtered websites log*

ESET\Logs\Net\urllog.dat

ESET Websites filter log in binary format.

ESET Web control log*

ESET\Logs\Net\webctllog.dat

ESET Web control log in binary format.

ESET pcap logs

ESET\Logs\Net\EsetProxy*.pcapng

Copy of ESET pcap logs.

*Option is displayed only when the file exists.

ESET Diagnostics

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Local cache database

ESET\Diagnostics\local.db

ESET scanned files database.

General product diagnostics logs

ESET\Diagnostics\*.*

Files (mini-dumps) from ESET diagnostics folder.

ECP diagnostic logs

ESET\Diagnostics\ECP\*.*

ESET Communication Protocol diagnostic logs are generated if there are problems with product activation and communication with activation servers.

EPNS diagnostic logs

ESET\Diagnostics\*.*

ESET Push Notification Service diagnostic logs are generated if there are problems.

Vulnerability & Patch Management debug logs

ESET\Diagnostics\Vapm\*.*

ESET Vulnerability & Patch Management diagnostic log files.

ESET Cluster diagnostics logs

ESET\Diagnostics\Cluster\*.*

ESET Cluster diagnostic log files, including those located in the system temporary directory created during product installation/upgrade performed by the ESET Cluster feature.

Update

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Product update logs

ESET\Update\MicroPcu\*.*

ESET product μ-PCU update files.

Update snapshot info

ESET\Config\db.xml

Backup update snapshot XML file containing information about modules as of a specific date.

ESET Secure Authentication

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESA logs

ESA\*.log

ESA\logs\*.*

Exported log(s) from ESET Secure Authentication.

ESA logs

ESA\logs\elastic\*.*

Additional ESET Secure Authentication log files.

ESA Synchronization Agent logs

ESA\Synchronization Agent\*.*

Exported log(s) from the ESET Secure Authentication Synchronization Agent. The files have been collected since version 4.9.0.0.

ESET Inspect On-prem

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

EI Server logs

EEI\Server\Logs\*.log

Inspect Server product text logs.

EI Connector logs

EEI\Agent\Logs\*.log

Inspect Connector product text logs.

EI Server configuration

EEI\Server\eiserver.ini

An .ini file containing Inspect Server product configuration.

EI Connector configuration

EEI\Agent\eiconnector.ini

An .ini file containing Inspect Connector product configuration.

EI Server policy

EEI\Server\eiserver.policy.ini

An .ini file containing Inspect Server product policy.

EI Connector policy

EEI\Agent\eiconnector.policy.ini

An .ini file containing Inspect Connector product policy.

EEI Server certificates

EEI\Server\Certificates\*.*

Contains certificate files used by the Inspect Server product. Since the files are located in subfolders, the whole structure is collected.

EEI Connector certificates

EEI\Agent\Certificates\*.*

Contains certificate files used by the Inspect Connector product. Since the files are located in subfolders, the whole structure is collected.

EI Server dumps

EEI\Server\Diagnostics\*.*

Inspect Server product dump files.

MySQL Server configuration

EI\My SQL\my.ini

An .ini file containing the MySQL Server configuration used by the ESET Inspect On-prem Server product.

MySQL Server logs

EEI\My SQL\EEI.err

An error text log of the MySQL Server used by the ESET Inspect On-prem Server product.

ESET Full Disk Encryption

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

EFDE logs

EFDE\AIS\Logs\*.*

EFDE\Core\*.log

Exported logs (AIS and Core) from ESET Full Disk Encryption.

EFDE license data

EFDE\AIS\Licence\*.*

License data files of ESET Full Disk Encryption.

EFDE configuration

EFDE\AIS\lastpolicy.dat

Contains the configuration of ESET Full Disk Encryption.

ESET VPN

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Client application logs

EVPN\ClientApp\*.tx

EVPN client application logs.

Service logs

EVPN\Service\*.log

EVPN service logs.

Network routing table

EVPN\routing_table.txt

Console output of the route utility containing the routing table.

ESET Email Logs (ESET Mail Security for Exchange, ESET Mail Security for Domino)

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET Spam log

ESET\Logs\Email\spamlog.dat

ESET Spam log in binary format.

ESET Greylist log

ESET\Logs\Email\greylistlog.dat

ESET Greylist log in binary format.

ESET SMTP protection log

ESET\Logs\Email\smtpprot.dat

ESET SMTP protection log in binary format.

ESET mail server protection log

ESET\Logs\Email\mailserver.dat

ESET Mail server protection log in binary format.

ESET diagnostic e-mail processing logs

ESET\Logs\Email\MailServer\*.dat

ESET diagnostic e-mail processing logs in binary format, direct copy from disk.

ESET Spam log*

ESET\Logs\Email\spamlog.dat

ESET Spam log in binary format.

ESET Antispam configuration and diagnostic logs

ESET\Logs\Email\Antispam\antispam.*.log

ESET\Config\Antispam\*.*

Copy of ESET Antispam configuration and diagnostic logs.

*Option is displayed only when the file exists.

ESET SharePoint logs (ESET Security for SharePoint)

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

ESET SHPIO.log

ESET\Log\ESHP\SHPIO.log

ESET Diagnostic log from the SHPIO.exe utility.

Product-specific logs - options are available for the specific product.

Domino (ESET Mail Security for Domino)

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

Domino IBM_TECHNICAL_SUPPORT logs + notes.ini

LotusDomino\Log\notes.ini

IBM Domino configuration file.

Domino IBM_TECHNICAL_SUPPORT logs + notes.ini

LotusDomino\Log\IBM_TECHNICAL_SUPPORT\*.*

IBM Domino logs, not older than 30 days.

MS SharePoint (ESET Security for SharePoint)

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

MS SharePoint logs

SharePoint\Logs\*.log

MS SharePoint logs, not older than 30 days.

SharePoint Registry key content

SharePoint\WebServerExt.reg

Contains the registry key content of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions. Available only when ESET Security for SharePoint is installed.

MS Exchange (ESET Mail Security for Exchange)

Artifact name

Collection profile

Location / Filename

Description

Default

Threat detection

MS Exchange transport agents registration

Exchange\agents.config

MS Exchange transport agents registration config file. For Microsoft Exchange Server 2007 and later.

MS Exchange transport agents registration

Exchange\sinks_list.txt

MS Exchange event sinks registration dump. For Microsoft Exchange Server 2000 and 2003.

MS Exchange EWS logs

Exchange\EWS\*.log

Collection of EWS Exchange Server logs.