I ran across a LinkedIn post the other day that mentioned using Windows Defender Support Logs (actually, I think the post referred to them as “diagnostic” logs). These logs are found in the following folder:
C:\ProgramData\Microsoft\Windows Defender\Support\
…and follow the naming convention:
MpWppTracing-YYYYMMDD-HHMMSS-00000003-fffffffeffffffff.bin
The post mentions using strings to parse the files, but I was wondering if there was a parser available, and like Deadpool, I figured I’d go looking…and I found something called mplog_parser. I’ve had a few opportunities to pull down some of these files from endpoints, but nothing has popped out as being related to the incident in question.
That’s okay, though…I’ll keep this one in my kit, and I’ll have to give the parser from GitHub a shot.
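As an added example (my code, not from the post and not mplog_parser), the following Python script does the two things the post describes by hand: it checks file names against the MpWppTracing naming convention to pull out the timestamp, and it does a `strings`-style sweep of the file contents with a keyword filter so hits across several trace files come out in time order. The UTF-16LE pass is an assumption on my part (wide strings are common in Windows trace data and plain `strings` without `-el` would miss them); the sample bytes at the bottom are constructed for the demo and are not real trace content.

```python
import re
from datetime import datetime
from pathlib import Path

# Folder and naming convention as given in the post. The two trailing hex
# fields are captured as opaque identifiers; nothing here assumes their meaning.
SUPPORT_DIR = Path(r"C:\ProgramData\Microsoft\Windows Defender\Support")
NAME_RE = re.compile(
    r"^MpWppTracing-(\d{8})-(\d{6})-([0-9a-fA-F]{8})-([0-9a-fA-F]{16})\.bin$"
)


def parse_name(filename):
    """Return (timestamp, field3, field4) from an MpWppTracing file name, or None."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
    return ts, m.group(3).lower(), m.group(4).lower()


def extract_strings(data, min_len=6):
    """Printable runs, like `strings -a` (ASCII) plus `strings -el` (UTF-16LE).

    Returns a list of (offset, encoding, text) sorted by offset. The UTF-16LE
    pass is an assumption: trace blobs often carry wide strings that a plain
    `strings` run would not show.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), "utf16", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(hits)


def grep_strings(hits, keywords):
    """Keep only strings containing any keyword (case-insensitive)."""
    kws = [k.lower() for k in keywords]
    return [h for h in hits if any(k in h[2].lower() for k in kws)]


def triage(files, keywords, min_len=6):
    """files: iterable of (name, bytes). Returns keyword hits ordered by file timestamp."""
    rows = []
    for name, data in files:
        parsed = parse_name(name)
        if parsed is None:
            continue  # not a support-trace file by name; skip rather than guess
        ts = parsed[0]
        for offset, enc, text in grep_strings(extract_strings(data, min_len), keywords):
            rows.append((ts, name, offset, enc, text))
    rows.sort()
    return rows


def load_support_dir(directory=SUPPORT_DIR):
    """Read every MpWppTracing-*.bin under directory (point this at your triage copy)."""
    return [(p.name, p.read_bytes()) for p in sorted(Path(directory).glob("MpWppTracing-*.bin"))]


# Constructed sample data (not real trace content): binary padding around one
# ASCII string and one UTF-16LE path, the kind of thing `strings` would surface.
SAMPLE_NAME = "MpWppTracing-20240305-101530-00000003-fffffffeffffffff.bin"
SAMPLE_DATA = (
    b"\x00\x01\x02\xff" * 4
    + b"Microsoft Antimalware Service"
    + b"\x00\x00\x7f\x80"
    + "C:\\Users\\Public\\stage2.ps1".encode("utf-16-le")
    + b"\x00\x00\x00"
)

if __name__ == "__main__":
    for row in triage([(SAMPLE_NAME, SAMPLE_DATA)], ["users\\", "antimalware"]):
        print(row)
```

Against a real collection, replace the sample with `load_support_dir(r"D:\triage\Support")` (or similar) so the script reads from the exported copy rather than the live folder. Keyword choice does the real work here; file paths, user names and host names from the incident are the usual first pass, and the timestamp from the file name is what lets you line a hit up against the rest of the timeline.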