Virus Scan
The data ingested from Virus Scan event sources is used for analytics. Adding a virus scan integration lets you track which users and assets are frequently infected. InsightIDR also uses this data to produce some notable behaviors and alerts.
Most Virus Scan event sources use one of the two common collection methods, Listen on Network Port or Log Aggregator. See each individual event source for further details.
Antivirus Event Sources
Collecting antivirus events adds contextual information to an asset. The only type of AV event that InsightIDR parses is a virus detection by the AV software. Collecting AV events lets you view the viruses found on an asset when you look at that asset in Insight.
You can configure the following event sources:
- CylancePROTECT
- Carbon Black Cloud
- ESET Antivirus
- F-Secure
- Kaspersky Anti-Virus
- Malwarebytes Endpoint Protection
- McAfee ePO
- Rapid7 Universal Antivirus
- SentinelOne Endpoint Detection and Response
- Sophos Central
- Sophos Intercept X
- Sophos Enduser Protection
- Symantec Endpoint Protection
- Trend Micro Apex One
- Trend Micro Control Manager
- Trend Micro OfficeScan
- Trend Micro Deep Security
For other antivirus products, use the vendor documentation to configure the antivirus server to send syslog to the collector on a unique UDP or TCP port above 1024.
Not seeing log data?
InsightIDR only parses an event from your Virus Scan event source when a virus is found.