
AVCHECK Volatility3 Plugin

Open malfav opened this issue 1 month ago • 0 comments

avcheck.py – Antivirus and Endpoint Detection and Response (EDR) Artifact Scanner (Volatility 3 Plugin)

avcheck.py is a specialized Volatility 3 plugin designed to detect and enumerate artifacts related to Antivirus (AV) and Endpoint Detection and Response (EDR) solutions within a Windows memory dump.
It enables investigators and threat hunters to identify which security products were active or installed on a system at the time of capture—critical for understanding a compromised system’s defensive posture.


Key Capabilities

Security Software Identification

Performs broad detection of security tools across over 80 known AV and EDR products, including:

  • Windows Defender (MsMpEng.exe)
  • Kaspersky (avp.exe)
  • Symantec
  • AVG
  • CrowdStrike (CsAgent.exe)
  • SentinelOne
  • FireEye
  • And many others

This identification provides immediate situational awareness of protective technologies present on the analyzed host.


Multi-Artifact Detection

Leverages multiple Volatility 3 subsystems to identify security software artifacts across different system components:

  • Processes:
    Scans active process lists (pslist) for executables associated with AV/EDR agents and monitoring daemons.

  • Services:
    Enumerates running services (svcscan) to locate entries related to installed security software.

  • DLLs:
    Inspects loaded libraries (dlllist) to detect known AV/EDR DLLs used for userland hooks or kernel-level integrations.

  • Files:
    Uses file scanning (filescan) to locate security software directories, databases, log files, and quarantine folders.

Each layer of detection provides corroborating evidence of installed and active endpoint protection components.


Detection History Triage

Includes a specialized analysis routine that looks for:

  • Quarantine directories and detection logs
  • Temporary or deleted AV alert files
  • Residual detection history (e.g., Defender history, Kaspersky reports)

These findings offer valuable context on prior malware detections or automated remediation activity performed by security software.


Detailed Summary Reporting

Generates a structured TreeGrid report summarizing all detected artifacts, categorized by source type:

  • Processes Detected
  • Services Detected
  • DLLs Detected
  • Files Detected

At the end of the report, a summary count highlights the number of findings per category, providing a concise overview of the security landscape of the system.

Example output:

| Category | Name / Artifact Path | Details | Source Plugin |
|----------|----------------------|---------|---------------|
| Process  | MsMpEng.exe          | Windows Defender | pslist |
| Service  | WinDefend            | Microsoft Defender Antivirus Service | svcscan |
| DLL      | mpengine.dll         | AV core scanning module | dlllist |
| File     | DetectionHistory.db  | Defender detection logs | filescan |

malfav, Nov 10 '25 22:11
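Added example (not code from the issue above and not the avcheck.py plugin itself): the matching core that such a plugin needs, written in plain Python so it runs without a memory image or a Volatility 3 install. It takes the kind of records `pslist`, `svcscan`, `dlllist` and `filescan` would yield, matches them against a product signature table, flags file artifacts that point at prior detections (quarantine folders, Defender detection history) rather than at an installed product, de-duplicates the repeated paths `filescan` typically returns, and produces the per-category summary the issue describes. The signature table, the `HISTORY_PATTERNS` list and all sample records are constructed for this example; a real plugin would carry a much larger table and would read the records from the Volatility framework instead.

```python
"""Matching core for an AV/EDR artifact scanner (added example, not avcheck.py)."""
from __future__ import annotations

import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed signature table: a few entries standing in for an 80+ product list.
# Processes, services and DLLs match on the lowercase basename; files match a
# case-insensitive regex against the full path.
SIGNATURES = {
    "Windows Defender": {"process": {"msmpeng.exe"}, "service": {"windefend"},
                         "dll": {"mpengine.dll"}, "file": [r"\\windows defender\\"]},
    "Kaspersky":        {"process": {"avp.exe"}, "service": {"avp"},
                         "dll": set(), "file": [r"\\kaspersky lab\\"]},
    "CrowdStrike":      {"process": {"csagent.exe"}, "service": set(),
                         "dll": set(), "file": [r"\\crowdstrike\\"]},
}

# Constructed path fragments that indicate a prior detection or remediation
# (quarantine stores, Defender's detection history) rather than just an install.
HISTORY_PATTERNS = [r"\\quarantine\\", r"detectionhistory", r"\\scans\\history\\"]


@dataclass(frozen=True)
class Artifact:
    category: str        # Process / Service / DLL / File
    name: str            # basename, service name or full path
    product: str         # which AV/EDR product the signature belongs to
    source: str          # Volatility plugin the record would come from
    history: bool = False  # True when a file points at a prior detection


def _match_name(kind: str, name: str) -> str | None:
    """Look up a process image, service name or DLL path by lowercase basename."""
    key = ntpath.basename(name).lower()
    for product, sig in SIGNATURES.items():
        if key in sig[kind]:
            return product
    return None


def _match_path(path: str) -> str | None:
    low = path.lower()
    for product, sig in SIGNATURES.items():
        if any(re.search(p, low) for p in sig["file"]):
            return product
    return None


def _is_history(path: str) -> bool:
    low = path.lower()
    return any(re.search(p, low) for p in HISTORY_PATTERNS)


def scan(processes, services, dlls, files) -> list[Artifact]:
    """Run all four record sources through the signature table."""
    found: list[Artifact] = []
    for _pid, image in processes:                 # (pid, image name) as from pslist
        if (prod := _match_name("process", image)):
            found.append(Artifact("Process", image, prod, "pslist"))
    for svc_name, _display in services:          # (name, display name) as from svcscan
        if (prod := _match_name("service", svc_name)):
            found.append(Artifact("Service", svc_name, prod, "svcscan"))
    for _pid, dll_path in dlls:                   # (pid, module path) as from dlllist
        if (prod := _match_name("dll", dll_path)):
            found.append(Artifact("DLL", ntpath.basename(dll_path), prod, "dlllist"))
    seen: set[str] = set()                        # filescan often yields the same path twice
    for path in files:
        prod = _match_path(path)
        if prod is None or path.lower() in seen:
            continue
        seen.add(path.lower())
        found.append(Artifact("File", path, prod, "filescan", _is_history(path)))
    return found


def summarize(artifacts) -> Counter:
    """Per-category counts for the summary block at the end of the report."""
    return Counter(a.category for a in artifacts)


def detection_history(artifacts) -> list[Artifact]:
    """Subset of file artifacts that evidence prior detections or remediation."""
    return [a for a in artifacts if a.history]


# Constructed sample records standing in for real plugin output.
SAMPLE_PROCESSES = [(4, "System"), (612, "svchost.exe"), (2120, "MsMpEng.exe"),
                    (3016, "avp.exe"), (3300, "notepad.exe")]
SAMPLE_SERVICES = [("Spooler", "Print Spooler"),
                   ("WinDefend", "Microsoft Defender Antivirus Service"),
                   ("AVP", "Kaspersky service")]
SAMPLE_DLLS = [(2120, r"C:\ProgramData\Microsoft\Windows Defender\Platform\mpengine.dll"),
               (612, r"C:\Windows\System32\ntdll.dll")]
SAMPLE_FILES = [
    r"\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory.db",
    r"\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\sample",
    r"\ProgramData\Microsoft\Windows Defender\Quarantine\Entries\sample",  # duplicate
    r"\Program Files\Windows Defender\MsMpEng.exe",
    r"\ProgramData\Kaspersky Lab\Quarantine\sample.bin",
    r"\Users\alice\Documents\report.docx",
]

if __name__ == "__main__":
    results = scan(SAMPLE_PROCESSES, SAMPLE_SERVICES, SAMPLE_DLLS, SAMPLE_FILES)
    for a in results:  # TreeGrid-style rows: category, name, product, source, history
        print(f"{a.category:<8} {a.name:<70} {a.product:<18} {a.source:<9} {a.history}")
    print(dict(summarize(results)))
```

The de-duplication matters in practice: `filescan` walks pool memory and returns every `_FILE_OBJECT` it finds, so one quarantine entry can surface several times and would otherwise inflate the "Files Detected" count.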