From 6276633f66ec6871d65d6fe2ff78d7f49e3d03a7 Mon Sep 17 00:00:00 2001
From: Zawadi Done
Date: Tue, 8 Aug 2023 13:16:12 +0200
Subject: [PATCH] Add Anti Virus paths

---
 acquire/acquire.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/acquire/acquire.py b/acquire/acquire.py
index 797570a4..aa0fa8c8 100644
--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -875,6 +875,8 @@ class AV(Module):
 ("file", "sysvol/ProgramData/Avast Software/Avast/Chest/index.xml"),
 # Avira
 ("dir", "sysvol/ProgramData/Avira/Antivirus/LOGFILES"),
+ ("dir", "sysvol/ProgramData/Avira/Security/Logs"),
+ ("dir", "sysvol/ProgramData/Avira/VPN"),
 # Bitdefender
 ("dir", "sysvol/ProgramData/Bitdefender/Endpoint Security/Logs"),
 ("dir", "sysvol/ProgramData/Bitdefender/Desktop/Profiles/Logs"),
@@ -885,9 +887,16 @@ class AV(Module):
 ("dir", "sysvol/ProgramData/crs1/Logs"),
 ("dir", "sysvol/ProgramData/apv2/Logs"),
 ("dir", "sysvol/ProgramData/crb1/Logs"),
+ # Cylance
+ ("dir", "sysvol/ProgramData/Cylance/Desktop"),
+ ("dir", "sysvol/ProgramData/Cylance/Optics/Log"),
+ ("dir", "sysvol/Program Files/Cylance/Desktop/log"),
 # ESET
 ("dir", "sysvol/Documents and Settings/All Users/Application Data/ESET/ESET NOD32 Antivirus/Logs"),
 ("dir", "sysvol/ProgramData/ESET/ESET NOD32 Antivirus/Logs"),
+ ("dir", "sysvol/ProgramData/ESET/ESET Security/Logs"),
+ ("dir", "sysvol/ProgramData/ESET/RemoteAdministrator/Agent/EraAgentApplicationData/Logs"),
+ ("dir", "sysvol/Windows/System32/config/systemprofile/AppData/Local/ESET/ESET Security/Quarantine"),
 # Emsisoft
 ("glob", "sysvol/ProgramData/Emsisoft/Reports/scan*.txt"),
 # F-Secure
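Review bot: `("dir", "sysvol/ProgramData/Avira/VPN")` collects an entire product directory, whereas every other Avira and Bitdefender entry in this hunk is scoped to a log directory (`Antivirus/LOGFILES`, `Security/Logs`, `Endpoint Security/Logs`); the same applies to `("dir", "sysvol/ProgramData/Cylance/Desktop")` in the next hunk, which sits beside two entries narrowed to `Optics/Log` and `Desktop/log`. A whole product directory is likely to carry configuration and state well beyond logs, and the VPN component is not an antivirus artifact in the sense of the rest of this module, so either narrow both entries to their log subdirectories or record the intent, e.g. `# Avira VPN - whole directory collected; TODO confirm which subfolder holds the logs`. The spec list these lines belong to, and the AV class around it, start outside the hunk.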
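Review bot: The ESET entry ending in `ESET Security/Quarantine` is the only path in this hunk that, going by its name, points at quarantined items rather than at logs; if ESET keeps the quarantined files themselves in that directory, the acquisition will carry potentially malicious content that whoever unpacks the output should be told about, since the neighbouring `Logs` entries carry no such expectation. The existing Avast entry above collects only `Chest/index.xml`, an index rather than the store, so this is a deliberate widening that deserves a comment on the line, e.g. `# ESET quarantine store - may contain the quarantined files, not only metadata`. The enclosing AV spec list starts outside the hunk.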
@@ -949,6 +958,7 @@ class AV(Module):
 ("dir", "sysvol/ProgramData/Microsoft/Microsoft AntiMalware/Support"),
 ("glob", "sysvol/Windows/System32/winevt/Logs/Microsoft-Windows-Windows Defender*.evtx"),
 ("dir", "sysvol/ProgramData/Microsoft/Windows Defender/Support"),
+ ("dir", "sysvol/ProgramData/Microsoft/Windows Defender/Scans/History/Service/DetectionHistory"),
 ("file", "sysvol/Windows/Temp/MpCmdRun.log"),
 ("file", "sysvol/Windows.old/Windows/Temp/MpCmdRun.log"),
 ]
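Review bot: The new `Scans/History/Service/DetectionHistory` entry is the only Windows Defender path in this hunk whose contents are, to my knowledge, not plain-text or event logs but a binary per-detection record format that needs its own parser, unlike the `Support` directory, the `*.evtx` glob and `MpCmdRun.log` beside it. A short comment would spare the next reader a surprise and make clear the directory was added on purpose, e.g. `# Defender detection history records (binary format, not plain-text logs)`. The enclosing AV spec list starts outside the hunk and closes at the `]` at its end.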