List of artifacts / Collected files

This section describes the files contained in the resulting .zip file. The description is divided into subsections by information type (files and artifacts).

| Location / File name | Description |
|---|---|
| metadata.txt | Contains the date of the .zip archive creation, the ESET Log Collector version, the ESET product version and basic licensing information. |
| collector_log.txt | A copy of the log file from the GUI; it contains data up to the point when the .zip file is created. |

Windows Processes

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Running processes (open handles and loaded DLLs) | | | Windows\Processes\Processes.txt | Text file containing a list of running processes on the machine. For each process, the following items are printed: PID; parent PID; number of threads; number of open handles grouped by type; loaded modules; user account it is running under; memory usage; timestamp of start; kernel and user time; I/O statistics; command line. |
| Running processes (open handles and loaded DLLs) | | | Windows\ProcessesTree.txt | Text file containing a tree of running processes on the machine. For each process, the following items are printed: PID; user account it is running under; timestamp of start; command line. |

Windows Logs

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Application event log | | | Windows\Logs\Application.xml | Windows Application event log in a custom XML format. Only messages from the last 30 days are included. |
| System event log | | | Windows\Logs\System.xml | Windows System event log in a custom XML format. Only messages from the last 30 days are included. |
| Terminal services - LSM operational event log* | | | Windows\Logs\LocalSessionManager-Operational.evtx | Windows event log containing information about RDP sessions. |
| Drivers install logs | | | Windows\Logs\catroot2_dberr.txt | Contains information about catalogs that have been added to "catstore" during driver installation. |
| SetupAPI logs* | | | Windows\Logs\SetupAPI\setupapi*.log | Device and application installation text logs. |
| WMI Activity operational event log | | | Windows\Logs\WMI-Activity.evtx | Windows event log containing WMI Activity tracing data. Only messages from the last 30 days are included. |
| Application event log | | | Windows\Logs\Application.evtx | Windows Application event log file. Only messages from the last 30 days are included. |
| System event log | | | Windows\Logs\System.evtx | Windows System event log file. Only messages from the last 30 days are included. |
| Services Registry key content | | | Windows\Services.reg | Contains the content of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Collecting this key may be helpful in case of issues with drivers. |

*Windows Vista and newer

System Configuration

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Drives info | | | Windows\drives.txt; Windows\volumes.txt | Collected text files containing information about disk drives and volumes. |
| Devices info | | | Windows\devices\*.txt | Collected multiple text files containing class and interface information about devices. |
| Network configuration | | | Config\network.txt | Collected text file containing the network configuration (output of ipconfig /all). |
| ESET SysInspector log | | | Config\SysInspector.xml | SysInspector log in XML format. |
| Winsock LSP catalog | | | Config\WinsockLSP.txt | Output of the netsh winsock show catalog command. |
| WFP filters* | | | Config\WFPFilters.xml | Collected WFP filters configuration in XML format. |
| Complete Windows Registry content | | | Windows\Registry\* | Collected multiple binary files containing Windows Registry data. |
| List of files in temporary directories | | | Windows\TmpDirs\*.txt | Collected multiple text files listing the content of the system's and users' temp directories: %windir%\temp, %TEMP% and %TMP%. |
| Windows scheduled tasks | | | Windows\Scheduled Tasks\*.* | Collected multiple XML files containing all tasks from the Windows Task Scheduler, to help detect malware that misuses the Task Scheduler. Since the files are located in subfolders, the whole structure is collected. |
| WMI repository | | | Windows\WMI Repository\*.* | Collected multiple binary files containing WMI database data (meta-information, definitions and static data of WMI classes). Collecting these files may help identify malware that uses WMI for persistence (such as Turla). Since WMI files may be located in subfolders, the whole structure is collected. |
| Windows Server roles & features | | | Windows\server_features.txt | Text file containing a tree of all Windows Server features. For each feature, the following information is printed: installed state; localized name; code name; state (available on Microsoft Windows Server 2012 and newer). |

*Windows 7 and newer

ESET Installer

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET Installer logs | | | ESET\Installer\*.log | Installation logs created during the installation of ESET NOD32 Antivirus and ESET Smart Security 10 Premium products. |

The ESET Remote Administrator logs section applies to ESET Security Management Center as well.

ESET Security Management Center (ESMC) and ESET Remote Administrator (ERA)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESMC/ERA Server logs | | | ERA\Server\Logs\RemoteAdministratorServerDiagnostic<datetime>.zip | Creates a ZIP archive of Server product logs. It contains trace, status and last-error logs. |
| ESMC/ERA Agent logs | | | ERA\Agent\Logs\RemoteAdministratorAgentDiagnostic<datetime>.zip | Creates a ZIP archive of Agent product logs. It contains trace, status and last-error logs. |
| ESMC/ERA process information and dumps* | | | ERA\Server\Process and old dump\RemoteAdministratorServerDiagnostic<datetime>.zip | Server process dump(s). |
| ESMC/ERA process information and dumps* | | | ERA\Agent\Process and old dump\RemoteAdministratorAgentDiagnostic<datetime>.zip | Agent process dump(s). |
| ESMC/ERA configuration | | | ERA\Server\Config\RemoteAdministratorServerDiagnostic<datetime>.zip | Server configuration and application information files in a ZIP archive. |
| ESMC/ERA configuration | | | ERA\Agent\Config\RemoteAdministratorAgentDiagnostic<datetime>.zip | Agent configuration and application information files in a ZIP archive. |
| ESMC/ERA Rogue Detection Sensor logs | | | ERA\RD Sensor\Rogue Detection SensorDiagnostic<datetime>.zip | A ZIP archive containing the RD Sensor trace log, last-error log, status log, configuration, dump(s) and general information files. |
| ESMC/ERA MDMCore logs | | | ERA\MDMCore\RemoteAdministratorMDMCoreDiagnostic<datetime>.zip | A ZIP archive containing the MDMCore trace log, last-error log, status log, dump(s) and general information files. |
| ESMC/ERA Proxy logs | | | ERA\Proxy\RemoteAdministratorProxyDiagnostic<datetime>.zip | A ZIP archive containing the ERA Proxy trace log, last-error log, status log, configuration, dump(s) and general information files. |
| ESMC/ERA Agent database | | | ERA\Agent\Database\data.db | ESMC/ERA Agent database file. |
| Apache Tomcat configuration | | | ERA\Apache\Tomcat\conf\*.* | Apache Tomcat configuration files, including a copy of server.xml with sensitive information removed. |
| Apache Tomcat logs | | | ERA\Apache\Tomcat\logs\*.log; ERA\Apache\Tomcat\EraAppData\logs\*.log; ERA\Apache\Tomcat\EraAppData\WebConsole\*.log | Apache Tomcat log(s) in text format, located in the Apache Tomcat install or application directory. Also contains the WebConsole logs. |
| Apache HTTP Proxy configuration | | | ERA\Apache\Proxy\conf\httpd.conf | Apache HTTP Proxy configuration file. |
| Apache HTTP Proxy logs | | | ERA\Apache\Proxy\logs\*.log | Apache HTTP Proxy log(s) in text format. |

*ESMC/ERA Server or ESMC/ERA Agent

ESET Configuration

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET product configuration | | | info.xml | Informational XML describing the ESET product installed on the system. It contains basic system information, installed product information and a list of product modules. |
| ESET product configuration | | | versions.csv | Since version 4.0.3.0 the file is always included (without any dependencies). It contains installed product info. versions.csv must exist in the ESET AppData directory to be included. |
| ESET product configuration | | | features_state.txt | Contains information about ESET product features and their states (Active, Inactive, Not integrated). The file is always collected and is not tied to any selectable artifact. |
| ESET product configuration | | | Configuration\product_conf.xml | Creates an XML file with the exported product configuration. |
| ESET data and install directory file list | | | ESET\Config\data_dir_list.txt | Creates a text file listing the files in the ESET AppData directory and all its subdirectories. |
| ESET data and install directory file list | | | ESET\Config\install_dir_list.txt | Creates a text file listing the files in the ESET Install directory and all its subdirectories. |
| ESET drivers | | | ESET\Config\drivers.txt | Collects information about installed ESET drivers. |
| ESET Personal firewall configuration | | | ESET\Config\EpfwUser.dat | Copy of the file with the ESET Personal firewall configuration. |
| ESET Registry key content | | | ESET\Config\ESET.reg | Contains the content of the registry key HKLM\SOFTWARE\ESET. |
| Winsock LSP catalog | | | Config\WinsockLSP.txt | Output of the netsh winsock show catalog command. |
| Last applied policy | | | ESET\Config\lastPolicy.dat | The policy applied by ESMC/ERA. |
| ESET components | | | ESET\Config\msi_features.txt | Collected information about available ESET product MSI installer components. |
| HIPS configuration | | | ESET\Config\HipsRules.bin | HIPS rules data. |
| Connected Home configuration | | | ESET\Config\homenet.dat | Connected Home data. |

Quarantine

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Info about quarantined files | | | ESET\Quarantine\quar_info.txt | Creates a text file with a list of quarantined objects. |
| Small quarantined files (< 250KB) | | | ESET\Quarantine\*.* (< 250KB) | Quarantined files smaller than 250 KB. |
| Big quarantined files (> 250KB) | | | ESET\Quarantine\*.* (> 250KB) | Quarantined files larger than 250 KB. |

ESET Logs

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET Events log | | | ESET\Logs\Common\warnlog.dat | ESET Product event log in binary format. |
| ESET Detected threats log | | | ESET\Logs\Common\virlog.dat | ESET Detected threats log in binary format. |
| ESET Computer scan logs | | | ESET\Logs\Common\eScan\*.dat | ESET Computer scan log(s) in binary format. |
| ESET HIPS log* | | | ESET\Logs\Common\hipslog.dat | ESET HIPS log in binary format. |
| ESET Parental control logs* | | | ESET\Logs\Common\parentallog.dat | ESET Parental control log in binary format. |
| ESET Device control log* | | | ESET\Logs\Common\devctrllog.dat | ESET Device control log in binary format. |
| ESET Webcam protection log* | | | ESET\Logs\Common\webcamlog.dat | ESET Webcam protection log in binary format. |
| ESET On-demand server database scan logs | | | ESET\Logs\Common\ServerOnDemand\*.dat | ESET server On-demand scan log(s) in binary format. |
| ESET Hyper-V server scan logs | | | ESET\Logs\Common\HyperVOnDemand\*.dat | ESET Hyper-V server scan log(s) in binary format. |
| MS OneDrive scan logs | | | ESET\Logs\Common\O365OnDemand\*.dat | MS OneDrive scan log(s) in binary format. |
| ESET Blocked files log | | | ESET\Logs\Common\blocked.dat | ESET Blocked files log(s) in binary format. |
| ESET Sent files log | | | ESET\Logs\Common\sent.dat | ESET Sent files log(s) in binary format. |
| ESET Audit log | | | ESET\Logs\Common\audit.dat | ESET Audit log(s) in binary format. |

*Option is displayed only when the file exists.

ESET Network Logs

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET Network protection log* | | | ESET\Logs\Net\epfwlog.dat | ESET Network protection log in binary format. |
| ESET Filtered websites log* | | | ESET\Logs\Net\urllog.dat | ESET Websites filter log in binary format. |
| ESET Web control log* | | | ESET\Logs\Net\webctllog.dat | ESET Web control log in binary format. |
| ESET pcap logs | | | ESET\Logs\Net\EsetProxy*.pcapng | Copies the ESET pcap logs. |

*Option is displayed only when the file exists.

ESET Diagnostics

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Local cache database | | | ESET\Diagnostics\local.db | ESET scanned files database. |
| General product diagnostics logs | | | ESET\Diagnostics\*.* | Files (mini-dumps) from the ESET diagnostics folder. |
| ECP diagnostic logs | | | ESET\Diagnostics\ECP\*.xml | ESET Communication Protocol diagnostic logs, generated in case of problems with product activation and communication with activation servers. |

ESET Secure Authentication

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESA logs | | | ESA\*.log | Exported log(s) from ESET Secure Authentication. |

ESET Enterprise Inspector

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| EEI Server logs | | | EEI\Server\Logs\*.log | Server product text logs. |
| EEI Agent logs | | | EEI\Agent\Logs\*.log | Agent product text logs. |
| EEI Server configuration | | | EEI\Server\eiserver.ini | An .ini file containing the Server product configuration. |
| EEI Agent configuration | | | EEI\Agent\eiagent.ini | An .ini file containing the Agent product configuration. |
| EEI Server policy | | | EEI\Server\eiserver.policy.ini | An .ini file containing the Server product policy. |
| EEI Agent policy | | | EEI\Agent\eiagent.policy.ini | An .ini file containing the Agent product policy. |
| EEI Server certificates | | | EEI\Server\Certificates\*.* | Contains certificate files used by the Server product. Since the files are located in subfolders, the whole structure is collected. |
| EEI Agent certificates | | | EEI\Agent\Certificates\*.* | Contains certificate files used by the Agent product. Since the files are located in subfolders, the whole structure is collected. |
| EEI Server dumps | | | EEI\Server\Diagnostics\*.* | Server product dump files. |
| MySQL Server configuration | | | EEI\My SQL\my.ini | An .ini file containing the configuration of the MySQL Server used by the EEI Server product. |
| MySQL Server logs | | | EEI\My SQL\EEI.err | Error text log of the MySQL Server used by the EEI Server product. |

ESET Email Logs (ESET Mail Security for Exchange, ESET Mail Security for Domino)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET Spam log | | | ESET\Logs\Email\spamlog.dat | ESET Spam log in binary format. |
| ESET Greylist log | | | ESET\Logs\Email\greylistlog.dat | ESET Greylist log in binary format. |
| ESET SMTP protection log | | | ESET\Logs\Email\smtpprot.dat | ESET SMTP protection log in binary format. |
| ESET mail server protection log | | | ESET\Logs\Email\mailserver.dat | ESET Mail server protection log in binary format. |
| ESET diagnostic e-mail processing logs | | | ESET\Logs\Email\MailServer\*.dat | ESET diagnostic e-mail processing logs in binary format, copied directly from disk. |
| ESET Spam log* | | | ESET\Logs\Email\spamlog.dat | ESET Spam log in binary format. |
| ESET Antispam configuration and diagnostic logs | | | ESET\Logs\Email\Antispam\antispam.*.log; ESET\Config\Antispam\*.* | Copies the ESET Antispam configuration and diagnostic logs. |

*Option is displayed only when the file exists.

ESET SharePoint logs (ESET Security for SharePoint)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| ESET SHPIO.log | | | ESET\Log\ESHP\SHPIO.log | ESET Diagnostic log from the SHPIO.exe utility. |

Product-specific logs: the following options are available only for the specific product.

Domino (ESET Mail Security for Domino)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Domino IBM_TECHNICAL_SUPPORT logs + notes.ini | | | LotusDomino\Log\notes.ini | IBM Domino configuration file. |
| Domino IBM_TECHNICAL_SUPPORT logs + notes.ini | | | LotusDomino\Log\IBM_TECHNICAL_SUPPORT\*.* | IBM Domino logs, not older than 30 days. |

MS SharePoint (ESET Security for SharePoint)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| MS SharePoint logs | | | SharePoint\Logs\*.log | MS SharePoint logs, not older than 30 days. |
| SharePoint Registry key content | | | SharePoint\WebServerExt.reg | Contains the content of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions. Available only when ESET Security for SharePoint is installed. |

MS Exchange (ESET Mail Security for Exchange)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| MS Exchange transport agents registration | | | Exchange\agents.config | MS Exchange transport agents registration config file. For Microsoft Exchange Server 2007 and newer. |
| MS Exchange transport agents registration | | | Exchange\sinks_list.txt | MS Exchange event sinks registration dump. For Microsoft Exchange Server 2000 and 2003. |
| MS Exchange EWS logs | | | Exchange\EWS\*.log | Collected EWS Exchange Server logs. |

Kerio Connect (ESET Security for Kerio)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Kerio Connect configuration | | | Kerio\Connect\mailserver.cfg | Kerio Connect configuration file. |
| Kerio Connect logs | | | Kerio\Connect\Logs\{mail,error,security,debug,warning}.log | Selected Kerio Connect log files. |

Kerio Control (ESET Security for Kerio)

| Artifact name | Profile: Default | Profile: Threat detection | Location / File name | Description |
|---|---|---|---|---|
| Kerio Control configuration | | | Kerio\Connect\winroute.cfg | Kerio Control configuration file. |
| Kerio Control logs | | | Kerio\Connect\Logs\{alert,error,security,debug,warning}.log | Selected Kerio Control log files. |