lonsun Posted March 12, 2012

Hello, I am trying out Immunet 3.0 AV and for compliance reasons I need to be able to store logs for at least 6 months. I downloaded the free version and could not find any settings for log location, rotation, and retention. Can anyone give me a rundown on how logs are handled in Immunet AV? Thanks, Lon
ritchie58 Posted March 12, 2012

Hello Lon, open the GUI, click on History. A File History window will appear. On the top of this window click on View By: All File Events. This will show you all the activity that Immunet has encountered within the past week. These logs are stored at C:\Program Files\Immunet\history, which is a .DB file. You will not be able to directly access this file while Immunet is running, however. I hope this is what you were looking for. As far as changing the length of time the History is stored, I have no knowledge on that or even if it's possible. If it is possible, perhaps an Administrator or fellow staff member can provide that information for you. Regards, Ritchie...
lonsun Posted March 12, 2012 (Author)

Thanks for the information, Ritchie. If anyone knows how to specify the retention time for event history, please let me know. I'm also curious if you can export history to an easily usable format.
ritchie58 Posted March 12, 2012

Microsoft's Access or Excel software might work at converting the DB file into a readable format. If that doesn't work, there is a paid software that I know of called Paradox Converter that can convert DB files. You could make a copy of the DB file and then convert the copy. It's rather expensive though, about 30 bucks. There's also a demo version of this software with very limited functionality, unfortunately.
lonsun Posted March 13, 2012 (Author)

Thanks again, Ritchie. I will review...
hnayyar Posted March 15, 2012

Hi Lon, the consumer version of Immunet is not meant to be compliant for enterprises. If you are an enterprise user, I would recommend that you check out our fireAMP offering: http://www.sourcefire.com/security-technologies/advanced-malware-protection/fireamp

The fireAMP product, which is geared to satisfy business compliance needs, has a lot more functionality compared to the endpoint consumer versions. Hope this helps.
Rob.T Posted March 26, 2012

And FYI, the quarantined file retention time on the Consumer version (Immunet) is 1 month. In the enterprise version (fireAMP) it's configurable, and I don't think there is a limit on it.
ritchie58 Posted March 27, 2012

That's interesting to know, RobT. That brings a question to mind, however. If something is quarantined, what happens to that file after one month? Is it automatically deleted then, since that would give you plenty of time to determine if it's malware or a FP, being the thinking there? That would be my assumption, or am I wrong on that?
dreaken667 Posted July 9, 2019

I realize this thread is quite old, but this is for anyone else that ends up here. The current version of Immunet at the time of this writing stores its history in C:\Program Files\Immunet\history.db

This file is a SQLite3 database file which can be opened with any SQLite3 client with no credentials. In my case this was PowerShell using PSSQLite. This database file contains one table with the following DDL:

    CREATE TABLE history (
        id integer,
        type integer,
        disposition integer,
        flags integer,
        created_at timestamp,
        file binary(32),
        filename varchar(255),
        source binary(32),
        sourcename varchar(255),
        detection varchar(255),
        loc varchar(255)
    );

If you're only interested in detected files like I was, this query should provide what you are looking for:

    select * from history where detection <> '';

Other database files which may be potentially useful to you are:

    cache.db
    event.db
    historyex.db
    jobs.db
    nfm_cache.db
    nfm_url_file_map.db
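The post above gives the schema and the detection query; the earlier posts raise two practical problems with it: the file is locked while Immunet runs, and the consumer GUI only keeps about a week of history while the original question needs six months. The following is an added example, not Immunet's own tooling and not code from any poster, that ties those together in Python using only the standard library: it copies the database before opening it read-only, runs the posted detection query, exports the hits to CSV, and appends every row into a separate long-lived archive database so repeated runs accumulate history beyond what the product retains. Assumptions, labelled in the code: the DDL is exactly the one posted; the 32-byte file and source blobs are hashes (the thread does not say which algorithm); the created_at encoding is not documented in the thread, so it is passed through unchanged; and (id, created_at, file) is assumed to identify a row for de-duplication. The sample rows are constructed for the example and are not real Immunet data.

```python
"""Export and archive Immunet history.db (SQLite3) entries.

Added example for the thread, not Immunet's own code.  Assumptions that the
thread does not confirm: the 'file'/'source' 32-byte blobs are hashes of
unspecified algorithm; 'created_at' encoding is unknown and passed through;
(id, created_at, file) identifies a row for archive de-duplication.
"""
import csv
import shutil
import sqlite3
import tempfile
from pathlib import Path

# DDL exactly as posted in the thread.
HISTORY_DDL = """
CREATE TABLE history (
    id integer, type integer, disposition integer, flags integer,
    created_at timestamp, file binary(32), filename varchar(255),
    source binary(32), sourcename varchar(255), detection varchar(255),
    loc varchar(255)
);
"""
COLUMNS = ["id", "type", "disposition", "flags", "created_at", "file",
           "filename", "source", "sourcename", "detection", "loc"]

# Constructed sample rows (not real data); the 32-byte "hashes" are filler.
SAMPLE_ROWS = [
    (1, 1, 0, 0, "2019-07-01 10:00:00", bytes([0x11] * 32), r"C:\Users\lon\setup.exe",
     bytes([0x22] * 32), "explorer.exe", "", r"C:\Users\lon"),
    (2, 1, 1, 0, "2019-07-02 11:30:00", bytes([0x33] * 32), r"C:\Users\lon\Downloads\inv.exe",
     bytes([0x44] * 32), "chrome.exe", "W32.Generic.Test", r"C:\Users\lon\Downloads"),
    (3, 1, 1, 0, "2019-07-03 09:15:00", bytes([0x55] * 32), r"C:\Temp\dropper.dll",
     bytes([0x66] * 32), "cmd.exe", "W32.Auto.Test", r"C:\Temp"),
]


def build_sample_db(path):
    """Create a history.db look-alike from the posted DDL and the sample rows."""
    conn = sqlite3.connect(str(path))
    conn.executescript(HISTORY_DDL)
    conn.executemany("INSERT INTO history VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    conn.close()


def open_history_copy(db_path):
    """Copy the live file first (Immunet holds it open while running) and open
    the copy read-only, so nothing here can alter the original database."""
    tmp = Path(tempfile.mkdtemp()) / "history-copy.db"
    shutil.copy2(str(db_path), str(tmp))
    conn = sqlite3.connect(tmp.as_uri() + "?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    return conn


def _row_to_dict(row):
    d = dict(row)
    for col in ("file", "source"):        # 32-byte blobs -> hex for CSV/SIEM use
        if isinstance(d.get(col), (bytes, memoryview)):
            d[col] = bytes(d[col]).hex()
    return d


def detections(conn):
    """The query from the thread: only rows that carry a detection name."""
    cur = conn.execute("SELECT * FROM history WHERE detection <> '' ORDER BY id")
    return [_row_to_dict(r) for r in cur.fetchall()]


def export_csv(rows, out_path):
    """Write the dict rows to CSV; returns the number of rows written."""
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        w = csv.DictWriter(fh, fieldnames=COLUMNS)
        w.writeheader()
        w.writerows(rows)
    return len(rows)


def archive_history(conn, archive_path):
    """Append all rows into a long-lived archive db so they outlive the week
    the consumer GUI shows.  UNIQUE(id, created_at, file) plus INSERT OR
    IGNORE makes repeated runs idempotent; returns the number of new rows."""
    arc = sqlite3.connect(str(archive_path))
    arc.execute("CREATE TABLE IF NOT EXISTS history_archive ("
                + ", ".join(COLUMNS) + ", UNIQUE(id, created_at, file))")
    rows = [tuple(r) for r in conn.execute("SELECT * FROM history").fetchall()]
    before = arc.total_changes
    arc.executemany("INSERT OR IGNORE INTO history_archive VALUES (?,?,?,?,?,?,?,?,?,?,?)", rows)
    arc.commit()
    added = arc.total_changes - before
    arc.close()
    return added


def run_demo():
    """End-to-end run against the constructed sample db; returns the results."""
    work = Path(tempfile.mkdtemp())
    live = work / "history.db"
    build_sample_db(live)
    conn = open_history_copy(live)
    hits = detections(conn)
    exported = export_csv(hits, work / "detections.csv")
    first = archive_history(conn, work / "archive.db")
    second = archive_history(conn, work / "archive.db")   # re-run adds nothing
    conn.close()
    return {"hits": hits, "exported": exported,
            "archived_first": first, "archived_second": second}


if __name__ == "__main__":
    print(run_demo())
```

Against a real endpoint, replace the sample build with `open_history_copy(r"C:\Program Files\Immunet\history.db")` and run `archive_history` on a schedule (for example a daily task) so the archive, not the product, becomes the retention store. If the copy step fails because Immunet's lock is exclusive, take the file from a volume shadow copy or while the service is stopped; the read-only URI open is there so a mistake in the script can never modify the live database.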