
Gather logs details

When gathering logs, details are gathered for the following objects:

  • Files

    The files from special folders are processed (Windows folders, desktop, quick launch, scheduled tasks, and startup). These are the folders where malware is usually placed. Files are gathered in several modes, using anti-rootkit technology so that files hidden or locked by advanced malware are still collected.

    For each file the following information is gathered, if available:

    • Version information.

    • Digital signature details.

    • Header fields.

    Only files with the following extensions are gathered:

    • .exe

    • .dll

    • .sys

    • .com

    • .scr

    • .pif

    • .hta

    • .js

    • .jse

    • .vbs

    • .vbe

    • .bat

    • .cmd

    • .ps1

    • .apk

    • .xpi

    • .xpt

    • .cab

    • .msi

    • .jar

    • .swf

    • .reg

    • .lnk

    The following files are also gathered:

    • Executable and script files identified by their content, whatever their extension

    • Alternate Data Streams

    • WMI scripts

    • Scheduled tasks files

    • Memory dumps

    • UEFI modules

    • Content/scripts from Windows Event Logs

    • Bitdefender products logs

    • Critical disk sectors

    • Windows Defender logs (if selected)
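    As an added example (not code from the Bitdefender tool or from this page), the following PowerShell script performs the same triage by hand on the autostart folders named above: it keeps only files with the listed extensions and, for each one, reports version information, Authenticode signature status and the COFF header fields (machine type, link timestamp, characteristics). The folder paths and the choice of header fields are assumptions; how the tool itself reads these files is not described on this page.

```powershell
# Added example, not the Bitdefender tool's own code: triage of the autostart folders
# named on this page. Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the
# folder paths are the default per-user/all-users locations and may differ on systems
# with redirected profiles.

$Extensions = @('.exe','.dll','.sys','.com','.scr','.pif','.hta','.js','.jse','.vbs','.vbe',
                '.bat','.cmd','.ps1','.apk','.xpi','.xpt','.cab','.msi','.jar','.swf','.reg','.lnk')

$Folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('Startup'),         # per-user Startup
    [Environment]::GetFolderPath('CommonStartup'),   # all-users Startup
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:SystemRoot\Tasks"                          # legacy .job scheduled task files
)

# Reads the DOS and COFF headers only; returns $null for anything that is not a PE image.
function Get-PeHeaderFields {
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] 4096
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt 0x40 -or $buf[0] -ne 0x4D -or $buf[1] -ne 0x5A) { return $null }   # no "MZ"
        $peOff = [BitConverter]::ToInt32($buf, 0x3C)                                 # e_lfanew
        if ($peOff -lt 0x40 -or ($peOff + 24) -gt $n) { return $null }               # header outside buffer
        if ([BitConverter]::ToUInt32($buf, $peOff) -ne 0x00004550) { return $null }  # no "PE\0\0"
        $linkStamp = [BitConverter]::ToUInt32($buf, $peOff + 8)
        [pscustomobject]@{
            Machine         = '0x{0:X4}' -f [BitConverter]::ToUInt16($buf, $peOff + 4)
            LinkTime        = [DateTimeOffset]::FromUnixTimeSeconds([int64]$linkStamp).UtcDateTime
            Characteristics = '0x{0:X4}' -f [BitConverter]::ToUInt16($buf, $peOff + 22)
        }
    }
    finally { $fs.Dispose() }
}

$Report = foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    Get-ChildItem -LiteralPath $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $pe  = Get-PeHeaderFields -Path $_.FullName
            $sigStatus = 'Unknown'; $signer = $null
            if ($sig) { $sigStatus = [string]$sig.Status }
            if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Path        = $_.FullName
                Size        = $_.Length
                Company     = $_.VersionInfo.CompanyName        # version information
                FileVersion = $_.VersionInfo.FileVersion
                SigStatus   = $sigStatus                        # digital signature details
                Signer      = $signer
                Machine     = $pe.Machine                       # header fields ($null for scripts)
                LinkTime    = $pe.LinkTime
                Flags       = $pe.Characteristics
            }
        }
}

$Report | Sort-Object SigStatus, Path |
    Format-Table Path, SigStatus, Signer, Company, Machine, LinkTime -AutoSize

# PE images in an autostart location that are unsigned or fail validation are the first
# things to review; a link timestamp far in the future or the past is another common tell.
$Report | Where-Object { $_.Machine -and $_.SigStatus -ne 'Valid' } |
    Export-Csv -NoTypeInformation -LiteralPath (Join-Path $env:TEMP 'autostart-review.csv')
```

    Run it from an elevated prompt so that the all-users Startup folder and the Tasks folder are readable; the script opens files with shared read/write access so it does not block anything that currently has them open.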

  • URLs

    The URLs found in various sources are extracted and saved into a list.

  • Users

    Information about operating system user accounts is gathered.

  • Groups

    Information about operating system user account groups is gathered.

  • Processes

    For each running process, the following files are scanned:

    • The file that started the process (its main image).

    • Files loaded as modules in the process.

    • Possible injected buffers.

    Running drivers are also scanned. All active network connections are listed, along with the processes that use them.

  • Registry

    Registry keys where malware can reside are scanned, along with any files referenced in those keys. The registry hives of users who are not logged in are also scanned.

  • Group Policy

    Settings, rules and scripts set by Group Policy are scanned.

  • Programs & updates

    Information is gathered about installed programs, including Windows Universal Applications, and updates.

  • UEFI

    Information about the system hardware and firmware, including firmware modules and variables, is gathered.

  • Network

    The following actions are taken:

    • The host name and network configuration of the computer are listed.

    • System proxies are gathered.

    • The network adapters and DNS servers are listed.

    • Cached DNS queries and the ARP cache are listed.

    • Information about recent network connectivity (name, category, description, creation time, last connected, etc.) is gathered.

    • The external IPv4 and IPv6 addresses are listed.

    • The IPv4 and IPv6 addresses of some sites (upgrade.bitdefender.com, nimbus.bitdefender.net and www.google.com) are resolved using different DNS servers (Bitdefender Strong DNS, Cloudflare DNS and Google DNS), so that a resolver returning different answers stands out.

    • Data is downloaded from the Bitdefender site (upgrade.bitdefender.com) to check network connectivity and the validity of the DNS server.

    • All active network connections are listed and the programs that use them.

    • The content of the C:\Windows\system32\drivers\etc\hosts file is listed to detect possible redirections.
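    The network checks listed above, and the mapping of connections to processes mentioned under Processes, as an added example that is not part of the Bitdefender tool or of this page. It reads the hosts file, resolves the three probe hosts through several resolvers with DNS only (bypassing the hosts file and the client cache) and flags names on which the resolvers disagree, makes an HTTPS request to the update site, and lists the DNS cache, the ARP cache and every established TCP connection with its owning process. The resolver addresses (Cloudflare 1.1.1.1, Google 8.8.8.8) and the request URL are assumptions; the Bitdefender resolver is omitted because its address is not given on this page.

```powershell
# Added example, not the Bitdefender tool's own code: the network checks on this page,
# done by hand. Assumes Windows 8 / Server 2012 or later (DnsClient and NetTCPIP modules).
# Probe hosts are the ones named on the page; resolver IPs and the request URL are assumptions.

$ProbeHosts = 'upgrade.bitdefender.com', 'nimbus.bitdefender.net', 'www.google.com'
$Resolvers  = [ordered]@{ Cloudflare = '1.1.1.1'; Google = '8.8.8.8' }

# 1. hosts file: every non-comment line is a static redirection that wins over DNS
function Get-HostsEntries {
    $path = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content -LiteralPath $path -ErrorAction SilentlyContinue | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        [pscustomobject]@{ Address = $parts[0]; Names = ($parts | Select-Object -Skip 1) -join ' ' }
    }
}

# 2. resolve each probe host through each resolver, DNS protocol only (no hosts file, no cache)
function Resolve-WithEachResolver {
    foreach ($h in $ProbeHosts) {
        foreach ($r in $Resolvers.GetEnumerator()) {
            foreach ($type in 'A', 'AAAA') {
                try {
                    $recs   = Resolve-DnsName -Name $h -Type $type -Server $r.Value -DnsOnly -ErrorAction Stop
                    $answer = ($recs | Where-Object { $_.Type -eq $type } |
                               ForEach-Object { $_.IPAddress } | Sort-Object) -join ','
                }
                catch { $answer = "ERROR: $($_.Exception.Message)" }
                [pscustomobject]@{ Host = $h; Type = $type; Resolver = $r.Key; Answer = $answer }
            }
        }
    }
}

# 3. names on which the resolvers disagree need an explanation (CDN, split DNS, or tampering)
function Find-ResolverDisagreement {
    param([object[]]$Results)
    $Results | Group-Object Host, Type | Where-Object {
        @($_.Group | Select-Object -ExpandProperty Answer -Unique).Count -gt 1
    } | ForEach-Object { $_.Name }
}

# 4. HTTPS request to the update site; any HTTP status, even an error, proves name resolution,
#    TCP and TLS all worked, so only a transport-level failure counts as "unreachable"
function Test-UpdateSite {
    try {
        $resp = Invoke-WebRequest -Uri 'https://upgrade.bitdefender.com/' -UseBasicParsing -TimeoutSec 15
        "HTTP $($resp.StatusCode) (reachable)"
    }
    catch {
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        if ($code) { "HTTP $code (reachable, server refused the request)" }
        else       { "UNREACHABLE: $($_.Exception.Message)" }
    }
}

# 5. established connections with the owning process and its image path
function Get-ConnectionsWithProcess {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]     # OwningProcess is UInt32, Get-Process Id is Int32
        $name = $null; $image = $null
        if ($p) { $name = $p.ProcessName; $image = $p.Path }
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            Pid     = [int]$_.OwningProcess
            Process = $name
            Image   = $image
        }
    }
}

'== hosts file entries ==';      Get-HostsEntries | Format-Table -AutoSize
$dns = @(Resolve-WithEachResolver)
'== resolver answers ==';        $dns | Format-Table -AutoSize
'== resolvers disagree on ==';   Find-ResolverDisagreement -Results $dns
'== update site ==';             Test-UpdateSite
'== DNS client cache ==';        Get-DnsClientCache | Select-Object Entry, RecordType, Data | Format-Table -AutoSize
'== ARP / neighbour cache ==';   Get-NetNeighbor -AddressFamily IPv4 | Where-Object State -ne 'Unreachable' |
    Select-Object ifIndex, IPAddress, LinkLayerAddress, State | Format-Table -AutoSize
'== established connections =='; Get-ConnectionsWithProcess | Sort-Object Remote | Format-Table -AutoSize
```

    Compare the hosts-file entries and the DNS-only answers side by side: a hosts entry for an update or telemetry domain is exactly the redirection the page's hosts-file check is looking for, and it would be invisible to a plain `Resolve-DnsName` without `-DnsOnly`.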

  • Browsers

    Browser settings are gathered (proxies, startup URLs, search engine URLs, etc.), and the download directory, extensions and plugins are scanned.

    Internet Explorer, Chrome, Edge, Firefox and browsers based on them are supported. The default browsers are listed.

  • Media

    The following information is gathered:

    • Low-level disk information (GPT, MBR and boot sector scans).

    • High risk files from the root of each partition.

    • Boot manager files.

  • Tasks

    Scheduled tasks from various sources (API, Registry, XML, Jobs), and the files they reference, are scanned.

  • Forensics

    The following actions are taken:

    • Prefetch files are parsed and the files they reference are scanned.

    • Superfetch files are parsed and the files they reference are scanned.

    • Windows event logs are gathered.

    • Files from temporary folders are scanned.

    • Files from browser download folders are scanned.

    • (optional) Files from specified folders are scanned.

    • Files from the writable shared folders (SMB) on the system are scanned.

    • The following Application Compatibility (AppCompat) artifacts are scanned:

      • AmCache - a dedicated registry hive. It contains information about files that were executed, shortcuts that were recently created and drivers that were recently installed.

      • Recent File Cache - contains information about files that were executed.

      • FileInventory - contains information about executable files that are under specific folders.

      • PropCache - contains information about driver files that were installed or executed on the system.

      • FullCompatReport - contains information about applications that were installed and / or running on the system.

    • ShimCache (AppCompatCache) - a specific location in the Registry that contains information about files that were executed is parsed.

    • Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are scanned for evidence of program execution.

    • Files found in the recently opened documents list, taken from Registry, are scanned.

    • Active mutexes on the system are scanned.

    • Information about the executable files and shortcuts that were opened recently is gathered from the UserAssist registry key.

    • PowerShell command history and profiles are gathered.

    • Remote Desktop Connection history and Remote Desktop history are gathered.

    • The following information is gathered from TeamViewer:

      • Logs

      • Connections

      • TVC configuration files

    • Recycle Bin files are scanned, and version, header and signature information is gathered where applicable.

    • Accessibility features (Sticky keys) files are scanned.

    • Audit Policy - information about the system audit settings is gathered.

    • IconCache.db, which contains icon cache information related to applications, is gathered.

    • The following information is gathered from AnyDesk:

      • Logs

      • Connections

    • Information is gathered from the System Resource Usage Monitor (SRUM), which holds various statistics on recent executed applications.

    • Microsoft Exchange logs and files are scanned.

    • Information (file name, URL, creation time, etc.) is gathered from the WebCache database, which consists of tables holding the web cache, history, downloads, cookies and more.
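    The execution evidence described above (UserAssist, BAM, PowerShell history), pulled by hand as an added example that is not the Bitdefender tool's own code. UserAssist value names are ROT13-encoded paths and the binary data carries a run count and a last-run FILETIME; BAM keeps one value per executed image under each user SID with a FILETIME in its first eight bytes; PSReadLine keeps every interactive command in a per-user text file. The value offsets (run count at 4, last-run time at 60), the BAM key locations and the profile paths are assumptions based on the usual Windows 10 layouts, not something this page states.

```powershell
# Added example, not the Bitdefender tool's own code: execution evidence from UserAssist,
# BAM and PSReadLine history. Assumptions: Windows 10 1709+ for BAM (the key needs
# administrator rights and moved under "State" in 1809); UserAssist values use the
# Windows 7+ 72-byte layout (run count at offset 4, last-run FILETIME at offset 60);
# user profiles live under the default Users folder.

function ConvertFrom-Rot13 {
    param([string]$Text)
    $out = foreach ($ch in $Text.ToCharArray()) {
        $c = [int]$ch
        if     ($c -ge 65 -and $c -le 90)  { [char]((($c - 65 + 13) % 26) + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char]((($c - 97 + 13) % 26) + 97) }
        else                               { $ch }
    }
    -join $out
}

# UserAssist: value names are ROT13-encoded program paths (known-folder GUID prefixes stay as GUIDs)
function Get-UserAssistEntries {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $countKey = Get-Item -LiteralPath "$($guidKey.PSPath)\Count" -ErrorAction SilentlyContinue
        if (-not $countKey) { continue }
        foreach ($name in $countKey.GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }
            $data = $countKey.GetValue($name)
            if ($data -isnot [byte[]] -or $data.Length -lt 68) { continue }
            $ft = [BitConverter]::ToInt64($data, 60)
            $lastRun = $null
            if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
            [pscustomobject]@{
                Source  = 'UserAssist'
                User    = $env:USERNAME
                Entry   = ConvertFrom-Rot13 -Text $name
                Count   = [BitConverter]::ToInt32($data, 4)
                LastRun = $lastRun
            }
        }
    }
}

# BAM: one REG_BINARY value per executed image under each SID; first 8 bytes are a UTC FILETIME
function Get-BamEntries {
    $roots = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
             'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings'      # pre-1809 location
    foreach ($root in $roots) {
        foreach ($sidKey in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            foreach ($name in $sidKey.GetValueNames()) {
                $data = $sidKey.GetValue($name)
                if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }   # skips Version/SequenceNumber
                [pscustomobject]@{
                    Source  = 'BAM'
                    User    = $sidKey.PSChildName
                    Entry   = $name
                    Count   = $null
                    LastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
                }
            }
        }
    }
}

# PSReadLine history: one line per interactive command, per user profile, no timestamps
function Get-PowerShellHistory {
    $profiles = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $hist = Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        if (-not (Test-Path -LiteralPath $hist)) { continue }
        $i = 0
        foreach ($line in Get-Content -LiteralPath $hist -ErrorAction SilentlyContinue) {
            $i++
            [pscustomobject]@{ Source = 'PSHistory'; User = $p.Name; Line = $i; Entry = $line }
        }
    }
}

$evidence = @(Get-UserAssistEntries) + @(Get-BamEntries)
'== most recent executions =='
$evidence | Sort-Object LastRun -Descending | Select-Object -First 40 | Format-Table -AutoSize

# Rough first filter: things run from user-writable locations (UserAssist entries that start
# with a known-folder GUID will not match here and need the GUID resolved first).
'== executed from user-writable paths =='
$evidence | Where-Object { $_.Entry -match '\\Temp\\|\\Downloads\\|\\Public\\|\\ProgramData\\' } | Format-Table -AutoSize

'== PowerShell history lines with download/encode/eval patterns =='
Get-PowerShellHistory |
    Where-Object { $_.Entry -match 'Invoke-Expression|\biex\b|DownloadString|DownloadFile|-enc|FromBase64String' } |
    Format-Table -AutoSize
```

    BAM and other users' history files need an elevated prompt; UserAssist for the current user does not. The history file holds whatever the user typed, including credentials passed on the command line, so treat the output as sensitive.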

  • Bitdefender

    Information about the Bitdefender security agent (if installed) is gathered:

    • Event logs

    • Quarantine file listing

    • Scan logs

    • Product version

    • Settings

    • Exception rules

    • Signatures

    • Installed modules

    • Advanced Threat Control (ATC)

    • Gemma logs

    • Feedback files