Log Settings

[lonsun]

Hello,

 

I am trying out Immunet 3.0 AV and for compliance reasons I need to be able to store logs for at least 6 months. I downloaded the free version and could not find any settings for log location, rotation, and retention. Can anyone give me a rundown on how logs are handled in Immunet AV?

 

Thanks,

 

Lon

[ritchie58]

Hello Lon, open the GUI, click on History. A File History window will appear. On the top of this window click on View By: All File Events. This will show you all the activity that Immunet has encountered within the past week. These logs are stored at C:\ Program Files\Immunet\history - which is a .DB file. You will not be able to directly access this file while Immunet is running however. I hope this is what you were looking for. As far as changing the length of time the History is stored I have no knowledge on that or even if it's possible. If it is possible perhaps an Administrator or fellow staff member can provide that information for you. Regards, Ritchie...

[lonsun]

Thanks for the information, Ritchie. If anyone knows how to specify the retention time for event history please let me know. I'm also curious if you can export history to a easily usable format.

[ritchie58]

Microsoft's Access or Excel software might work at converting the DB file into a readable format. If that doesn't work there is a paid software that I know of called Paradox Converter that can convert DB files. You could make a copy of the DB file and then convert the copy. It's rather expensive though. About 30 bucks. There's also is a demo version to this software with very limited functionality unfortunately.

[lonsun]

Thanks again, Ritchie. I will review...

[hnayyar]

Hi Lon,

 

The consumer version of Immunet is not meant to be compliant for enterprises. If you are an enterprise user, I would recommend that you check out our fireAMP offering:

 

http://www.sourcefire.com/security-technologies/advanced-malware-protection/fireamp

 

The fireAMP product which is geared to satisfy business compliance needs, has a lot more functionality compared to the endpoint consumer versions.

 

Hope this helps

[Rob.T]

And FYI, the quarantined file retention time on the Consumer version (Immunet) is 1 month. In the enterprise version (fireAMP) it's configurable and I don't think there is a limit on it.

[ritchie58]

That's interesting to know RobT. That brings a question to mind however. If something is quarantined what happens to that file after one month? Is it automatically deleted then, since that would give you plenty of time to determine if it's malware or a FP being the thinking there? That would be my assumption or am I wrong on that?

[dreaken667]

I realize this thread is quite old, but this is for anyone else that ends up here.

The current version of Immunet at the time of this writing stores it's history in C:\Program Files\Immunet\history.db

This file is a SQLite3 database file which can be opened with any SQLite3 client with no credentials. In my case this was PowerShell using PSSQLite.

This database file contains one table with the following DDL:

CREATE TABLE history (
  id integer, 
  type integer, 
  disposition integer, 
  flags integer, 
  created_at timestamp, 
  file binary(32), 
  filename varchar(255), 
  source binary(32), 
  sourcename varchar(255), 
  detection varchar(255), 
  loc varchar(255)
);

If you're only interested in detected files like I was, this query should provide what you are looking for:

select * from history where detection <> '';

Other database files which may be potentially useful to you are:

cache.db
event.db
historyex.db
jobs.db
nfm_cache.db
nfm_url_file_map.db