
collect-attack-evidence enable (antivirus profile view)

Function

The collect-attack-evidence enable command enables attack evidence collection of the antivirus (AV) function.

The undo collect-attack-evidence enable command disables attack evidence collection of the AV function.

Format

collect-attack-evidence enable

undo collect-attack-evidence enable

Parameters

None

Views

Antivirus profile view

Default Level

2: Configuration level

Usage Guidelines

The attack evidence collection function of AV is disabled by default.

  • The attack evidence collection function relies on hard disks and is available only when hard disks are installed.

  • Attack evidence collection does not apply to HTTPS traffic.

  • When the TCP proxy function is enabled on a device, the attack evidence collection function is unavailable.
  • By default, attack evidence collection has the following restrictions:
    • A maximum of five attack evidence collection sessions are supported for a single threat ID on a single CPU.
    • When the available system memory falls below 200 MB, the device stops collecting attack evidence. Collection resumes only after the available system memory recovers to 400 MB.
    • A single CPU can cache a maximum of 512 MB of attack evidence data. When the cached attack evidence reaches this maximum, no further attack evidence is collected.
    • By default, the maximum data volume of attack evidence that can be cached for a single session depends on the software version:
      • Versions earlier than V600R007C20SPC500: 100 KB. If the file whose data needs to be collected exceeds 100 KB, the device does not collect attack evidence for the session.
      • V600R007C20SPC500 to V600R007C20SPC601: 30 KB. If the file whose data needs to be collected exceeds 30 KB, the device does not collect attack evidence for the session.
      • V600R007C20SPC602 and later versions: 10 KB. If the file whose data needs to be collected exceeds 10 KB, the device does not collect attack evidence for the session.

      You are advised to run the debugging collect-attack-evidence max-session-size max-session-size command to increase the threshold for the maximum data volume of attack evidence that the device can collect for a single session. The recommended threshold is 2000 KB.

  • Attack evidence collection is for troubleshooting only. Because attack evidence collection degrades system performance, enable it only when necessary and disable it as soon as the collection is complete.

After you enable attack evidence collection, the system collects virus-infected data packets when detecting a virus.

The auditor can choose Monitor > Log > Threat Log on the Web UI to view and download virus-infected packets.

Example

# Create AV profile av_profile_1 and enable attack evidence collection in the profile.

<sysname> system-view
[sysname] profile type av name av_profile_1
[sysname-profile-av-av_profile_1] collect-attack-evidence enable
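# The following is an added example of a complete troubleshooting workflow built from the commands and guidelines on this page; it is not part of the original reference. It raises the per-session threshold to the recommended 2000 KB, enables collection only for the duration of the investigation, and disables it afterward with undo. The view in which debugging collect-attack-evidence max-session-size is run is assumed here to be the user view; confirm it against the command's own reference page before use.

```text
<sysname> debugging collect-attack-evidence max-session-size 2000
<sysname> system-view
[sysname] profile type av name av_profile_1
[sysname-profile-av-av_profile_1] collect-attack-evidence enable
[sysname-profile-av-av_profile_1] quit
[sysname] quit
<sysname>
# Reproduce the suspected infection, then have the auditor download the captured packets
# from Monitor > Log > Threat Log on the Web UI.
<sysname> system-view
[sysname] profile type av name av_profile_1
[sysname-profile-av-av_profile_1] undo collect-attack-evidence enable
[sysname-profile-av-av_profile_1] quit
```

Keep the window between enable and undo as short as possible: collection is per CPU and per threat ID, is skipped entirely for HTTPS traffic or when the TCP proxy is enabled, and stops silently once the 512 MB per-CPU cache or the low-memory threshold is hit, so a long-running capture does not yield more evidence, only more performance cost.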
Copyright © Huawei Technologies Co., Ltd.