# Anti-Virus artifacts.

name: EsetAVQuarantine
doc: Eset Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes: {paths: ['/Library/Application Support/ESET/esets/cache/quarantine/*']}
supported_os: [Darwin]
labels: [Antivirus]
---
name: MicrosoftAVQuarantine
doc: Microsoft Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes:
    paths:
      - '%%environ_allusersappdata%%\Microsoft\Microsoft Antimalware\Quarantine\**'
      - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Quarantine\**'
    separator: '\'
supported_os: [Windows]
labels: [Antivirus]
---
name: MicrosoftAVLogs
doc: Microsoft Anti-Virus log files.
sources:
- type: FILE
  attributes:
    paths:
      - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPLog-*.log'
      - '%%environ_allusersappdata%%\Microsoft\Windows Defender\Support\MPDetection-*.log'
    separator: '\'
supported_os: [Windows]
labels: [Antivirus, Logs]
---
name: WindowsDefenderExclusions
doc: |
  Directories, processes, and extensions configured not to be scanned by Windows Defender.

  Certain malware families (for example, Tofsee) are known to add
  directories to the Paths list in order to avoid being detected by
  Windows Defender.
sources:
- type: REGISTRY_KEY
  attributes:
    keys:
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Paths\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Processes\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\Extensions\*'
      - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Defender\Exclusions\TemporaryPaths\*'
supported_os: [Windows]
urls:
- 'https://blog.malwarebytes.com/detections/pum-optional-msexclusion/'
- 'https://answers.microsoft.com/en-us/protect/forum/all/windows-defender-how-to-remove-exclusions/2a0cc465-97b2-46ea-ae77-b87075ed124e'
- 'https://blog.talosintelligence.com/2019/05/threat-roundup-0503-0510.html'
---
name: SophosAVLogs
doc: Sophos Anti-Virus log files.
sources:
- type: FILE
  attributes: {paths: ['/Library/Logs/Sophos*.log']}
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Windows]
labels: [Antivirus, Logs]
---
name: SophosAVQuarantine
doc: Sophos Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes: {paths: ['/Users/Shared/Infected/*']}
  supported_os: [Darwin]
- type: FILE
  attributes:
    paths: ['%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\INFECTED\*']
    separator: '\'
  supported_os: [Windows]
supported_os: [Darwin, Windows]
labels: [Antivirus]
---
name: SymantecAVLogs
doc: Symantec Anti-Virus Log Files.
sources:
- type: FILE
  attributes:
    paths:
      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log'
      - '%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log'
      - '%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log'
    separator: '\'
  supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
---
name: SymantecAVQuarantine
doc: Symantec Anti-Virus Quarantine (Infected) files.
sources:
- type: FILE
  attributes:
    paths: ['%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\**5\*.vbn']
    separator: '\'
  supported_os: [Windows]
supported_os: [Windows]
labels: [Antivirus, Logs]
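# Added example, not part of this artifact definitions file: how a collector turns the
# definitions above into concrete globs. It resolves the %%variable%% placeholders
# (one expansion per value, so per-user variables yield one glob per user) and
# honours a per-source supported_os over the artifact-level one. The knowledge base
# is a constructed, hypothetical host; the two artifacts are transcribed from the page.

```python
import itertools
import re

# Constructed knowledge base for a hypothetical Windows host (illustrative values only).
KNOWLEDGE_BASE = {
    "environ_allusersappdata": ["C:\\ProgramData"],
    "users.localappdata": ["C:\\Users\\alice\\AppData\\Local",
                           "C:\\Users\\bob\\AppData\\Local"],
}

# Transcribed from the SophosAVLogs and SymantecAVLogs definitions in this file.
SOPHOS_AV_LOGS = {
    "name": "SophosAVLogs", "supported_os": ["Darwin", "Windows"],
    "sources": [
        {"type": "FILE", "supported_os": ["Darwin"],
         "attributes": {"paths": ["/Library/Logs/Sophos*.log"]}},
        {"type": "FILE", "supported_os": ["Windows"], "attributes": {
            "paths": [r"%%environ_allusersappdata%%\Sophos\Sophos Anti-Virus\Logs\*"],
            "separator": "\\"}},
    ],
}
SYMANTEC_AV_LOGS = {
    "name": "SymantecAVLogs", "supported_os": ["Windows"],
    "sources": [{"type": "FILE", "supported_os": ["Windows"], "attributes": {"paths": [
        r"%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\*.log",
        r"%%environ_allusersappdata%%\Symantec\Symantec Endpoint Protection\*\Data\Logs\AV\*.log",
        r"%%users.localappdata%%\Symantec\Symantec Endpoint Protection\Logs\*.log",
    ], "separator": "\\"}}],
}

VAR_RE = re.compile(r"%%([A-Za-z0-9_.]+)%%")

def expand_path(path, kb):
    """All concrete globs for one path: one per combination of the variables' values."""
    names = list(dict.fromkeys(VAR_RE.findall(path)))  # unique, in order of appearance
    if any(n not in kb for n in names):
        return []  # an unresolved variable means nothing can be collected for this path
    out = []
    for combo in itertools.product(*(kb[n] for n in names)):
        values = dict(zip(names, combo))
        out.append(VAR_RE.sub(lambda m: values[m.group(1)], path))
    return out

def collect_globs(artifact, os_name, kb):
    """Globs to collect on os_name; a source's own supported_os overrides the artifact's."""
    globs = []
    for src in artifact["sources"]:
        if os_name not in src.get("supported_os", artifact["supported_os"]):
            continue
        for p in src["attributes"]["paths"]:
            globs.extend(expand_path(p, kb))
    return globs
```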