List of artifacts / Collected files
This section describes the files contained in the resulting .zip file. The description is divided into subsections by information type (files and artifacts).

| Location / File name | Description |
|---|---|
| `metadata.txt` | Contains the date of the .zip archive creation, the ESET Log Collector version, the ESET product version and basic licensing information. |
| `collector_log.txt` | A copy of the log file from the GUI; it contains data up to the point when the .zip file is created. |
Windows Processes

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Running processes (open handles and loaded DLLs) | ✓ | ✓ | `Windows\Processes\Processes.txt` | Text file containing a list of running processes on the machine. For each process, the following items are printed: PID, parent PID, number of threads, number of open handles grouped by type, loaded modules, the user account it is running under, memory usage, start timestamp, kernel and user time, I/O statistics and command line. |
| Running processes (open handles and loaded DLLs) | ✓ | ✓ | `Windows\ProcessesTree.txt` | Text file containing a tree of running processes on the machine. For each process, the following items are printed: PID, the user account it is running under, start timestamp and command line. |
Windows Logs

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Application event log | ✓ | ✓ | `Windows\Logs\Application.xml` | Windows Application event log in a custom XML format. Only messages from the last 30 days are included. |
| System event log | ✓ | ✓ | `Windows\Logs\System.xml` | Windows System event log in a custom XML format. Only messages from the last 30 days are included. |
| Terminal services - LSM operational event log* | ✓ | ✓ | `Windows\Logs\LocalSessionManager-Operational.evtx` | Windows event log containing information about RDP sessions. |
| Drivers install logs | ✓ | ✗ | `Windows\Logs\catroot2_dberr.txt` | Contains information about catalogs that have been added to "catstore" during driver installation. |
| SetupAPI logs* | ✓ | ✗ | `Windows\Logs\SetupAPI\setupapi*.log` | Device and application installation text logs. |
| WMI Activity operational event log | ✓ | ✓ | `Windows\Logs\WMI-Activity.evtx` | Windows event log containing WMI Activity tracing data. Only messages from the last 30 days are included. |
| Application event log | ✓ | ✓ | `Windows\Logs\Application.evtx` | Windows Application event log file. Only messages from the last 30 days are included. |
| System event log | ✓ | ✓ | `Windows\Logs\System.evtx` | Windows System event log file. Only messages from the last 30 days are included. |
| Services Registry key content | | | `Windows\Services.reg` | Contains the content of the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`. Collecting this key may be helpful in case of issues with drivers. |
*Windows Vista and newer
System Configuration

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Drives info | ✓ | ✓ | `Windows\drives.txt` | Text file containing information about disk drives and volumes. |
| Devices info | ✓ | ✓ | `Windows/devices/*.txt` | Multiple text files containing class and interface information about devices. |
| Network configuration | ✓ | ✓ | `Config\network.txt` | Text file containing the network configuration (output of `ipconfig /all`). |
| ESET SysInspector log | ✓ | ✓ | `Config\SysInspector.xml` | SysInspector log in XML format. |
| Winsock LSP catalog | ✓ | ✓ | `Config\WinsockLSP.txt` | Output of the `netsh winsock show catalog` command. |
| WFP filters* | ✓ | ✓ | `Config\WFPFilters.xml` | WFP filters configuration in XML format. |
| Complete Windows Registry content | ✗ | ✓ | `Windows\Registry\*` | Multiple binary files containing Windows Registry data. |
| List of files in temporary directories | ✓ | ✓ | `Windows\TmpDirs\*.txt` | Multiple text files listing the content of the system's and users' temp directories (`%windir%/temp`, `%TEMP%` and `%TMP%`). |
| Windows scheduled tasks | ✗ | ✓ | `Windows\Scheduled Tasks\*.*` | Multiple XML files containing all tasks from the Windows Task Scheduler, to help detect malware that exploits the Task Scheduler. Since the files are located in subfolders, the whole structure is collected. |
| WMI repository | ✗ | ✓ | `Windows\WMI Repository\*.*` | Multiple binary files containing the WMI database (meta-information, definitions and static data of WMI classes). Collecting these files may help identify malware that uses WMI for persistence (such as Turla). Since the WMI files may be located in subfolders, the whole structure is collected. |
| Windows Server roles & features | ✓ | ✗ | `Windows\server_features.txt` | Text file containing a tree of all Windows Server features. For each feature the following information is included: installed state, localized name, code name and state (available on Microsoft Windows Server 2012 and newer). |
*Windows 7 and newer
ESET Installer

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET Installer logs | ✓ | ✗ | `ESET\Installer\*.log` | Installation logs that were created during the installation of ESET NOD32 Antivirus and ESET Smart Security 10 Premium products. |
ESET Remote Administrator

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| EP/ESMC/ERA Server logs | ✓ | ✗ | `ERA\Server\Logs\RemoteAdministratorServerDiagnostic<datetime>.zip` | Server product logs in a ZIP archive. It contains trace, status and last-error logs. |
| EP/ESMC/ERA Agent logs | ✓ | ✗ | `ERA\Agent\Logs\RemoteAdministratorAgentDiagnostic<datetime>.zip` | Agent product logs in a ZIP archive. It contains trace, status and last-error logs. |
| EP/ESMC/ERA process information and dumps* | ✗ | ✗ | `ERA\Server\Process and old dump\RemoteAdministratorServerDiagnostic<datetime>.zip` | Server process dump(s). |
| EP/ESMC/ERA process information and dumps* | ✗ | ✗ | `ERA\Agent\Process and old dump\RemoteAdministratorAgentDiagnostic<datetime>.zip` | Agent process dump(s). |
| EP/ESMC/ERA configuration | ✓ | ✗ | `ERA\Server\Config\RemoteAdministratorServerDiagnostic<datetime>.zip` | Server configuration and application information files in a ZIP archive. |
| EP/ESMC/ERA configuration | ✓ | ✗ | `ERA\Agent\Config\RemoteAdministratorAgentDiagnostic<datetime>.zip` | Agent configuration and application information files in a ZIP archive. |
| EP/ESMC/ERA Rogue Detection Sensor logs | ✓ | ✗ | `ERA\RD Sensor\Rogue Detection SensorDiagnostic<datetime>.zip` | A ZIP containing the RD Sensor trace log, last-error log, status log, configuration, dump(s) and general information files. |
| EP/ESMC/ERA MDMCore logs | ✓ | ✗ | `ERA\MDMCore\RemoteAdministratorMDMCoreDiagnostic<datetime>.zip` | A ZIP containing the MDMCore trace log, last-error log, status log, dump(s) and general information files. |
| EP/ESMC/ERA Proxy logs | ✓ | ✗ | `ERA\Proxy\RemoteAdministratorProxyDiagnostic<datetime>.zip` | A ZIP containing the ERA Proxy trace log, last-error log, status log, configuration, dump(s) and general information files. |
| EP/ESMC/ERA Agent database | ✓ | ✗ | `ERA\Agent\Database\data.db` | EP/ESMC/ERA Agent database file. |
| Apache Tomcat configuration | ✓ | ✗ | `ERA\Apache\Tomcat\conf\*.*` | Apache Tomcat configuration files; includes a copy of the server.xml file with sensitive information removed. |
| Apache Tomcat logs | ✓ | ✗ | `ERA\Apache\Tomcat\logs\*.log`; `ERA\Apache\Tomcat\EraAppData\logs\*.log`; `ERA\Apache\Tomcat\EraAppData\WebConsole\*.log` | Apache Tomcat log(s) in text format, located in the Apache Tomcat install or application directory. Also contains WebConsole logs. |
| Apache HTTP Proxy configuration | ✓ | ✗ | `ERA\Apache\Proxy\conf\httpd.conf` | Apache HTTP Proxy configuration file. |
| Apache HTTP Proxy logs | ✓ | ✗ | `ERA\Apache\Proxy\logs\*.log` | Apache HTTP Proxy log(s) in text format. |
*EP/ESMC/ERA Server or EP/ESMC/ERA Agent
ESET Configuration

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET product configuration | ✓ | ✓ | `info.xml` | Informational XML that details the ESET product installed on the system. It contains basic system information, installed product information and a list of product modules. |
| ESET product configuration | ✓ | ✓ | `versions.csv` | Since version 4.0.3.0 the file is always included (without any dependencies). It contains installed product info. versions.csv must exist in the ESET AppData directory to be included. |
| ESET product configuration | ✓ | ✓ | `features_state.txt` | Contains information about ESET product features and their states (Active, Inactive, Not integrated). The file is always collected and is not tied to any selectable artifact. |
| ESET product configuration | ✓ | ✓ | `Configuration\product_conf.xml` | XML file with the exported product configuration. |
| ESET data and install directory file list | ✓ | ✓ | `ESET\Config\data_dir_list.txt` | Text file listing the files in the ESET AppData directory and all its subdirectories. |
| ESET data and install directory file list | ✓ | ✓ | `ESET\Config\install_dir_list.txt` | Text file listing the files in the ESET Install directory and all its subdirectories. |
| ESET drivers | ✓ | ✓ | `ESET\Config\drivers.txt` | Information about installed ESET drivers. |
| ESET Personal firewall configuration | ✓ | ✓ | `ESET\Config\EpfwUser.dat` | Copy of the ESET Personal firewall configuration file. |
| ESET Registry key content | ✓ | ✓ | `ESET\Config\ESET.reg` | Contains the content of the registry key `HKLM\SOFTWARE\ESET`. |
| Winsock LSP catalog | ✓ | ✓ | `Config/WinsockLSP.txt` | Output of the `netsh winsock show catalog` command. |
| Last applied policy | ✓ | ✓ | `ESET\Config\lastPolicy.dat` | The policy applied by EP/ESMC/ERA. |
| ESET components | ✓ | ✓ | `ESET\Config\msi_features.txt` | Information about available ESET product MSI installer components. |
| HIPS configuration | ✓ | ✓ | `ESET\Config\HipsRules.bin` | HIPS rules data. |
| Connected Home configuration | ✓ | ✓ | `ESET\Config\homenet.dat` | Connected Home data. |
Quarantine

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Info about quarantined files | ✓ | ✓ | `ESET\Quarantine\quar_info.txt` | Text file with a list of quarantined objects. |
| Small quarantined files (< 250KB) | ✓ | ✗ | `ESET\Quarantine\*.*` (< 250KB) | Quarantine files smaller than 250 KB. |
| Big quarantined files (> 250KB) | ✗ | ✓ | `ESET\Quarantine\*.*` (> 250KB) | Quarantine files larger than 250 KB. |
ESET Logs

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET Events log | ✓ | ✓ | `ESET\Logs\Common\warnlog.dat` | ESET Product event log in binary format. |
| ESET Detected threats log | ✓ | ✓ | `ESET\Logs\Common\virlog.dat` | ESET Detected threats log in binary format. |
| ESET Computer scan logs | ✗ | ✓ | `ESET\Logs\Common\eScan\*.dat` | ESET Computer scan log(s) in binary format. |
| ESET HIPS log* | ✓ | ✓ | `ESET\Logs\Common\hipslog.dat` | ESET HIPS log in binary format. |
| ESET Parental control logs* | ✓ | ✓ | `ESET\Logs\Common\parentallog.dat` | ESET Parental control log in binary format. |
| ESET Device control log* | ✓ | ✓ | `ESET\Logs\Common\devctrllog.dat` | ESET Device control log in binary format. |
| ESET Webcam protection log* | ✓ | ✓ | `ESET\Logs\Common\webcamlog.dat` | ESET Webcam protection log in binary format. |
| ESET On-demand server database scan logs | ✓ | ✓ | `ESET\Logs\Common\ServerOnDemand\*.dat` | ESET server On-demand log(s) in binary format. |
| ESET Hyper-V server scan logs | ✓ | ✓ | `ESET\Logs\Common\HyperVOnDemand\*.dat` | ESET Hyper-V server scan log(s) in binary format. |
| MS OneDrive scan logs | ✓ | ✓ | `ESET\Logs\Common\O365OnDemand\*.dat` | MS OneDrive scan log(s) in binary format. |
| ESET Blocked files log | ✓ | ✓ | `ESET\Logs\Common\blocked.dat` | ESET Blocked files log(s) in binary format. |
| ESET Sent files log | ✓ | ✓ | `ESET\Logs\Common\sent.dat` | ESET Sent files log(s) in binary format. |
| ESET Audit log | ✓ | ✓ | `ESET\Logs\Common\audit.dat` | ESET Audit log(s) in binary format. |
*Option is displayed only when the file exists.
ESET Network Logs

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET Network protection log* | ✓ | ✓ | `ESET\Logs\Net\epfwlog.dat` | ESET Network protection log in binary format. |
| ESET Filtered websites log* | ✓ | ✓ | `ESET\Logs\Net\urllog.dat` | ESET Websites filter log in binary format. |
| ESET Web control log* | ✓ | ✓ | `ESET\Logs\Net\webctllog.dat` | ESET Web control log in binary format. |
| ESET pcap logs | ✓ | ✗ | `ESET\Logs\Net\EsetProxy*.pcapng` | Copy of the ESET pcap logs. |
*Option is displayed only when the file exists.
ESET Diagnostics

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Local cache database | ✗ | ✓ | `ESET\Diagnostics\local.db` | ESET scanned files database. |
| General product diagnostics logs | ✓ | ✗ | `ESET\Diagnostics\*.*` | Files (mini-dumps) from the ESET diagnostics folder. |
| ECP diagnostic logs | ✓ | ✗ | `ESET\Diagnostics\ECP\*.xml` | ESET Communication Protocol diagnostic logs, generated in case of problems with product activation and communication with activation servers. |
Update

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Product update logs | ✓ | ✓ | `C:\ProgramData\ESET\ESET Security\MicroPcu` | XML file with the exported product configuration. |
ESET Secure Authentication

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESA logs | ✓ | ✗ | `ESA\*.log` | Exported log(s) from ESET Secure Authentication. |
ESET Inspect

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| EI Server logs | ✓ | ✗ | `EEI\Server\Logs\*.log` | Server product text logs. |
| EI Agent logs | ✓ | ✗ | `EEI\Agent\Logs\*.log` | Agent product text logs. |
| EI Server configuration | ✓ | ✗ | `EEI\Server\eiserver.ini` | An .ini file containing the Server product configuration. |
| EI Agent configuration | ✓ | ✗ | `EEI\Agent\eiagent.ini` | An .ini file containing the Agent product configuration. |
| EI Server policy | ✓ | ✗ | `EEI\Server\eiserver.policy.ini` | An .ini file containing the Server product policy. |
| EI Agent policy | ✓ | ✗ | `EEI\Agent\eiagent.policy.ini` | An .ini file containing the Agent product policy. |
| EI Server certificates | ✓ | ✗ | `EEI\Server\Certificates\*.*` | Contains the certificate files used by the Server product. Since the files are located in subfolders, the whole structure is collected. |
| EI Agent certificates | ✓ | ✗ | `EEI\Agent\Certificates\*.*` | Contains the certificate files used by the Agent product. Since the files are located in subfolders, the whole structure is collected. |
| EI Server dumps | ✓ | ✗ | `EEI\Server\Diagnostics\*.*` | Server product dump files. |
| MySQL Server configuration | ✓ | ✗ | `EEI\My SQL\my.ini` | An .ini file containing the configuration of the MySQL Server used by the ESET Inspect Server product. |
| MySQL Server logs | ✓ | ✗ | `EEI\My SQL\EEI.err` | Error text log of the MySQL Server used by the ESET Inspect Server product. |
ESET Full Disk Encryption

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| EFDE logs | ✗ | ✗ | `EFDE\AIS\Logs\*.*` | Exported logs (AIS and Core) from ESET Full Disk Encryption. |
| EFDE license data | ✗ | ✗ | `EFDE\AIS\Licesne\*.*` | License data files of EFDE. |
| EFDE configuration | ✗ | ✗ | `EFDE\AIS\lastpolicy.dat` | Contains the configuration of EFDE. |
ESET Email Logs (ESET Mail Security for Exchange, ESET Mail Security for Domino)

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET Spam log | ✓ | ✗ | `ESET\Logs\Email\spamlog.dat` | ESET Spam log in binary format. |
| ESET Greylist log | ✓ | ✗ | `ESET\Logs\Email\greylistlog.dat` | ESET Greylist log in binary format. |
| ESET SMTP protection log | ✓ | ✗ | `ESET\Logs\Email\smtpprot.dat` | ESET SMTP protection log in binary format. |
| ESET mail server protection log | ✓ | ✗ | `ESET\Logs\Email\mailserver.dat` | ESET Mail server protection log in binary format. |
| ESET diagnostic e-mail processing logs | ✓ | ✗ | `ESET\Logs\Email\MailServer\*.dat` | ESET diagnostic e-mail processing logs in binary format, a direct copy from disk. |
| ESET Spam log* | ✓ | ✗ | `ESET\Logs\Email\spamlog.dat` | ESET Spam log in binary format. |
| ESET Antispam configuration and diagnostic logs | ✓ | ✗ | `ESET\Logs\Email\Antispam\antispam.*.log`; `ESET\Config\Antispam\*.*` | Copy of the ESET Antispam configuration and diagnostic logs. |
*Option is displayed only when the file exists.
ESET SharePoint logs (ESET Security for SharePoint)

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| ESET SHPIO.log | ✓ | ✗ | `ESET\Log\ESHP\SHPIO.log` | ESET diagnostic log from the SHPIO.exe utility. |

Product-specific logs: the following options are available only for the specific product.
Domino (ESET Mail Security for Domino)

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| Domino IBM_TECHNICAL_SUPPORT logs + notes.ini | ✓ | ✗ | `LotusDomino\Log\notes.ini` | IBM Domino configuration file. |
| Domino IBM_TECHNICAL_SUPPORT logs + notes.ini | ✓ | ✗ | `LotusDomino\Log\IBM_TECHNICAL_SUPPORT\*.*` | IBM Domino logs, not older than 30 days. |
MS SharePoint (ESET Security for SharePoint)

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| MS SharePoint logs | ✓ | ✗ | `SharePoint\Logs\*.log` | MS SharePoint logs, not older than 30 days. |
| SharePoint Registry key content | ✓ | ✗ | `SharePoint\WebServerExt.reg` | Contains the content of the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions`. Available only when ESET Security for SharePoint is installed. |
MS Exchange (ESET Mail Security for Exchange)

| Artifact name | Collection profile (Default) | Collection profile (Threat detection) | Location / File name | Description |
|---|---|---|---|---|
| MS Exchange transport agents registration | ✓ | ✗ | `Exchange\agents.config` | MS Exchange transport agents registration config file. For Microsoft Exchange Server 2007 and newer. |
| MS Exchange transport agents registration | ✓ | ✗ | `Exchange\sinks_list.txt` | MS Exchange event sinks registration dump. For Microsoft Exchange Server 2000 and 2003. |
| MS Exchange EWS logs | ✓ | ✗ | `Exchange\EWS\*.log` | EWS Exchange Server logs. |