Virus Scan

The data ingested from Virus Scan event sources are used for analytics. Adding virus scan integration allows you to track which users and assets are infected frequently. Additionally, InsightIDR uses this data to produce some notable behaviors and alerts.

Most of the Virus Scan event sources use the two common collection methods, Listen on Network Port and Log Aggregator. See each individual event source for further details.

Antivirus Event Sources

Collecting antivirus events allows for more contextual information to be added to an asset. The only type of AV event that is parsed in InsightIDR is when a virus is detected by the AV software. Collecting the AV events let you view viruses found on an asset when looking at the asset in Insight.

You can configure the following event sources:

For other antivirus products, use the vendor documentation to configure the antivirus server to send syslog to the collector on a unique UDP or TCP port (above 1024).

Not seeing log data?

InsightIDR only parses an event from your Virus Scan event source when a virus is found.