I am doing some powershell stuff to parse a few logs at work. I would also like to collect some information from the SCEP logs. I find the amount of logs available as well as the different locations in which they are stored a bit overwhelming to say the least.
I would like to extract the logs reporting that a potential virus was found in both the live and the "regular" scanner.
A similar question has already been answered here: Reporting SCEP update and scan
I have eicar for testing purposes here. So how would I imitate a potential positive finding in both scanners so that I can figure out to which file the scanners log to?
Thanks in advance
Andrew
As far as the "regular" scanner is concerned,
%systemdrive%\ProgramData\Microsoft\Microsoft Antimalware\Support\MPLog-XXXXXXXX-XXXXXX.log
offers a wealth of information. Here are some interesting patterns to search for:
Anyway, live detections are apparently not written to the aforementioned file!
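A small PowerShell helper for pulling candidate detection lines out of the MPLog files named in the answer above. This is an added example, not code from the original question or answer: it assumes the `%ProgramData%\Microsoft\Microsoft Antimalware\Support\MPLog-*.log` location quoted there, and the search terms (`EICAR`, `Threat`, `Detection`) are assumed starting points, not a documented list of SCEP log markers. The sample lines at the bottom are constructed so the parsing function can be exercised offline; they are not real SCEP output.

```powershell
# Added example (not from the original post). Assumes the MPLog directory quoted in the
# answer; the default search terms are assumptions, not documented SCEP log markers.

function Select-DetectionLine {
    # Filters log lines for any of the given patterns (plain substring match) and
    # returns one object per hit. Works on any text, so it can be unit-tested offline.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string]$Line,
        [string[]]$Pattern = @('EICAR', 'Threat', 'Detection'),   # assumed search terms
        [string]$Source = '<inline>'
    )
    begin { $n = 0 }
    process {
        $n++
        foreach ($p in $Pattern) {
            if ($Line.IndexOf($p, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{
                    Source  = $Source
                    LineNo  = $n
                    Matched = $p
                    Text    = $Line.Trim()
                }
                break   # report each line once even if several patterns match
            }
        }
    }
}

function Get-MpLogDetection {
    # Walks every MPLog-*.log in the SCEP support directory (newest first) and
    # returns the lines that look like detections according to $Pattern.
    [CmdletBinding()]
    param(
        [string]$LogDirectory = (Join-Path $env:ProgramData 'Microsoft\Microsoft Antimalware\Support'),
        [string[]]$Pattern = @('EICAR', 'Threat', 'Detection')
    )
    if (-not (Test-Path -LiteralPath $LogDirectory)) {
        Write-Warning "MPLog directory not found: $LogDirectory"
        return
    }
    Get-ChildItem -LiteralPath $LogDirectory -Filter 'MPLog-*.log' |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $file = $_
            Get-Content -LiteralPath $file.FullName |
                Select-DetectionLine -Pattern $Pattern -Source $file.Name
        }
}

# Constructed sample (NOT real SCEP output) so the filter can be tried without a log file.
$sampleLines = @(
    'engine started, signature update ok',
    'scan of C:\Temp\eicar.com finished: EICAR test string found',
    'scheduled scan completed, 0 items quarantined',
    'Threat summary: 1 item flagged for review'
)

# Offline run: expect the two lines mentioning EICAR / Threat to come back.
$sampleLines | Select-DetectionLine | Format-Table -AutoSize

# Real run (only meaningful on a machine with SCEP installed):
# Get-MpLogDetection | Export-Csv -NoTypeInformation -Path .\scep-detections.csv
```

Because the answer notes that live (real-time) detections are not written to MPLog, this helper only covers the on-demand/scheduled scanner's log; treat the patterns as a first cut and widen or narrow them after looking at what the file actually contains on your own hosts.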