Awesome
EsetLogParser
Proof of Concept
About
Python script for parsing ESET (NOD32) virlog.dat
file. This file contains records about infections detected during on access scans and it is usually located in C:\ProgramData\Eset\*\Logs
.
GUI of Eset antivirus program can display content of actual virlog.dat
file, also it is possible to use Eset Log Collector for collect logs from this file. But none of this official program can easily display content of another virlog.dat
file, for example file exracted from offline machine for further analysis.
On live system, it is not possible to overwrite the existing virlog.dat
, because it is used by running instance of Eset and it is not so easy to kill the Eset AV program. (turning off the resident shield is not enough).
As far as I know, the only solution for displaying content of another virlog.dat file is to use the PC with Eset installed, shut down this PC, overwrite the original virdat.log file and reboot the system.
This Python script can parse some content from virlog.dat
files and convert this data to CSV format. This tool is based on reverse engineering the file format of virlog.dat
, and work is in progress. For this reason, this scrit currently can not parse all the fields from virlog.dat
.
Disclaimer
Tested on current version of Eset Nod32 and Smart Security and also on versions from middle of 2016.
Correct functionality of this script is not guaranteed, because the file format of virlog.dat
is proprietary internal format of Eset and this format may change with new versions of Eset products. In this case please create an Issue and if it is possible, please also provide samples of virlog.dat
.
Supported fields
- Detected object
- Infiltration type
- User name
- Version of antivirus database
- Program name (or process) in which the infiltration was detected
- SHA1 hash of detected object Detected object
- First seen timestamp
- Timestamp of detection
- ID of record
Note
It seems that not of the above fields are always present in record. If you don't see some of the above fields in the output of EsetLogParser, but you see this value in Eset GUI (Tools -> Logs), please send me the virlog.dat
file and screenshot of Eset GUI Log Viewer.
Known fields
The list of curentlly reversed fields in virlog.dat
file that are not parsed by EsetLogParser:
Unknown fields
The list of fields which I have not reversed in virlog.dat
yet:
- Object type (file, etc.)
- Scanner (resident shield)
- Action (erase, quarantine)
Usage
python EsetLogParser.py path_to_virlog.dat
TODO
- reversing all the fields in
virlog.dat
file - turn this PoC into real parser
- change fields extractor to fields parser