Anti-Virus Log Analysis Cheat Sheet (v1.5)

Florian Roth published the new version of the Anti-Virus Log Analysis Cheat Sheet (version 1.5). I highly recommend implementing monitoring of the events included in this cheat sheet. To my mind, this is the easiest and quickest win, and AV logs are one of the first things I hunt whenever I go into a new environment.

The new version has information on:

  • Interesting virus types / AV signature names. Highly relevant AV events per vendor are now included (McAfee, Symantec, Sophos and Kaspersky).
  • Interesting file path locations of AV detections
  • Interesting file extensions (.TXT, .XML and .CHM are now rated highly relevant, since a .TXT is sometimes actually an .EXE)
  • Type of system (e.g. laptop, domain controller, etc.)
  • User context (admin or service account vs. non-privileged user)
  • Time of AV detection (regular working hours vs. out-of-hours)
  • Cheat sheet link:
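
Added example (not part of the original post, the cheat sheet or Florian's Sigma rules): a small Python triage script that scores normalized AV events along the six dimensions listed above and ranks them for a hunter. The event shape, the signature and path watchlists, the account-name markers and the working-hours window are assumptions made for the example; real vendor logs need a per-vendor parser in front of it. The ".TXT that is really an .EXE" case is handled by checking the detected file's first two bytes for the `MZ` header when the agent exposes them.

```python
"""Triage of AV detection events along the cheat sheet's dimensions.
Added example: the event shape, watchlists and thresholds are assumptions,
not part of the cheat sheet or of the Sigma rules."""
import ntpath
from datetime import datetime

# Assumption: signature-name fragments treated as high priority.
HOT_SIGNATURES = ("mimikatz", "hacktool", "psexec", "webshell", "meterpreter")
# Assumption: directories where any detection deserves a closer look.
HOT_PATHS = ("\\windows\\temp\\", "\\users\\public\\", "\\$recycle.bin\\",
             "\\inetpub\\wwwroot\\", "\\programdata\\")
# From the cheat sheet: extensions now rated highly relevant.
HOT_EXTENSIONS = (".txt", ".xml", ".chm")
HOT_SYSTEM_TYPES = ("domain controller", "server")
# Assumption: substrings marking admin or service accounts in this environment.
ADMIN_MARKERS = ("adm", "svc", "administrator", "system")
WORK_HOURS = range(8, 18)  # assumption: 08:00-17:59, Monday to Friday


def is_pe_file(first_bytes):
    """True when the bytes start with the DOS 'MZ' header, i.e. the file is a
    Windows executable whatever its extension says (the .TXT-is-an-.EXE case)."""
    return first_bytes[:2] == b"MZ"


def triage(event):
    """Score one normalized AV event and list the reasons for the score.
    Keys: time (ISO 8601), host, system_type, user, signature, path and,
    optionally, first_bytes of the detected file when the agent exposes them."""
    score, reasons = 0, []
    sig = event["signature"].lower()
    path = event["path"].lower()
    ext = ntpath.splitext(path)[1]      # handles Windows backslash paths on any OS
    user = event["user"].lower()

    if any(s in sig for s in HOT_SIGNATURES):
        score += 3
        reasons.append("signature %s" % event["signature"])
    if any(p in path for p in HOT_PATHS):
        score += 2
        reasons.append("suspicious path location")
    if ext in HOT_EXTENSIONS:
        score += 2
        reasons.append("unusual extension %s" % ext)
        if "first_bytes" in event and is_pe_file(event["first_bytes"]):
            score += 3
            reasons.append("PE header behind a non-executable extension")
    if event["system_type"].lower() in HOT_SYSTEM_TYPES:
        score += 2
        reasons.append("detection on a %s" % event["system_type"])
    if any(m in user for m in ADMIN_MARKERS):
        score += 2
        reasons.append("privileged or service account context")
    ts = datetime.fromisoformat(event["time"])
    if ts.weekday() >= 5 or ts.hour not in WORK_HOURS:
        score += 1
        reasons.append("outside working hours")
    return score, reasons


def rank(events):
    """Return (score, host, reasons) per event, highest score first."""
    scored = []
    for e in events:
        score, reasons = triage(e)
        scored.append((score, e["host"], reasons))
    return sorted(scored, key=lambda s: s[0], reverse=True)


# Constructed sample events (not real log data), already normalized.
SAMPLE_EVENTS = [
    {"time": "2019-03-12T14:05:00", "host": "LAPTOP-17", "system_type": "laptop",
     "user": "corp\\jsmith", "signature": "Adware.Generic",
     "path": "C:\\Users\\jsmith\\Downloads\\setup.exe"},
    {"time": "2019-03-10T02:41:00", "host": "DC01", "system_type": "domain controller",
     "user": "corp\\svc_backup", "signature": "HackTool.Mimikatz",
     "path": "C:\\Windows\\Temp\\update.txt", "first_bytes": b"MZ\x90\x00"},
    {"time": "2019-03-13T22:10:00", "host": "WEB02", "system_type": "server",
     "user": "corp\\webadm", "signature": "Trojan.Webshell",
     "path": "C:\\inetpub\\wwwroot\\cmd.txt"},
]

if __name__ == "__main__":
    for score, host, reasons in rank(SAMPLE_EVENTS):
        print(score, host, "; ".join(reasons) or "nothing notable")
```

The weights are deliberately crude: the point is that a single Mimikatz hit on a domain controller under a service account on a Sunday night lands at the top of the queue, while adware on a laptop during office hours sinks to the bottom. In a SIEM the same logic is better expressed as the Sigma rules the cheat sheet ships with; the script is a stand-in for environments where those are not yet deployed.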

There are also 4 Sigma rules based on the AV Log Analysis Cheat Sheet:

Many thanks again to Florian and happy hunting!
