
Decrypt my World

Cryptography, Security, Debugging and more!


How to get Antivirus information with WMI (VBScript)

Hi all, welcome back,

As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration. Windows Security Center uses it to detect antivirus and firewall solutions.

The following script shows how to get some information from those solutions:


' "." means the local machine; put a remote computer name here to query it instead
strComputer = "."

' Connect to the Security Center WMI namespace, where AV/firewall ISVs register their products
Set oWMI = GetObject( _
  "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

' Each registered antivirus product is one AntiVirusProduct instance
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

' Print the properties the provider reports for every product found
For Each objItem in colItems
  With objItem
    WScript.Echo .companyName
    WScript.Echo .displayName
    WScript.Echo .instanceGuid
    WScript.Echo .onAccessScanningEnabled
    WScript.Echo .pathToSignedProductExe
    WScript.Echo .productHasNotifiedUser
    WScript.Echo .productState
    WScript.Echo .productUptoDate
    WScript.Echo .productWantsWscNotifications
    WScript.Echo .versionNumber
  End With
Next

Cheers,


Alex (Alejandro Campos Magencio)

Posted: Monday, May 12, 2008 10:23 AM by alejacma

Comments

thewiseWAN said:

What about 64-bit systems... XP-64 2003-64 bit doesn't seem to have this namespace. I've verified with the WMICodeCreator or ScriptoMatic...

# August 25, 2008 5:13 PM

alejacma said:

You are right, root\securitycenter namespace is not in x64 systems by default.

An antivirus WMI provider must be installed for that namespace to exist in x64 systems.

You should contact the Antivirus Vendor and ask for the WMI provider.

Cheers,

Alex

# August 26, 2008 7:55 AM

Basant said:

Is it possible to get antivirus information with WMI (VBScript) in the case of Windows Vista and Windows 2008? If yes, then can you please guide...

Basant

# October 2, 2008 10:07 AM

alejacma said:

Hi,

This namespace is no longer available on Windows Vista SP1/2008 Server. That namespace is the legacy store for ISV products to register and report the status of their AV/AS/FW products.

We no longer support writing directly to the root\securitycenter WMI namespace, and instead vendors must use our API. This API is not published and is only made available for those vendors that meet the criteria. Contact info can be found here:

Implementing the Teredo Security Model

http://msdn.microsoft.com/en-us/library/bb190942(VS.85).aspx

"The API utilized to register a firewall with the WSC can be obtained by contacting Microsoft at wscisv@microsoft.com. A Non-Disclosure Agreement (NDA) is required for the disclosure of this API due to security concerns."

I've only found this public info on the API:

Windows Security Center

http://msdn.microsoft.com/en-us/library/bb963845(VS.85).aspx

Regards,

Alex

# February 9, 2009 4:22 AM

GarthMJ said:

So I am reading your blog post entitled "How to get Antivirus information with WMI (VBScript)", and you state that writing to root\SecurityCenter is no longer supported in Vista SP1 and Windows 2008. However, I'm unclear whether this namespace is supported for reading data going forward.

Brief background: I do a lot of work with ConfigMgr, and during my reviews of some environments I find lots of workstations that are listed within ConfigMgr that are not listed within the AV management software (EPO, for example). I want to create a ConfigMgr update that will read and collect all of Root\SecurityCenter. This task should easily be done in 1-2 days to update and test. Then we would compare the EPO results to the ConfigMgr results, comparing/fixing the differences between both products. However, if this class is not being updated by the majority of AV vendors any more, then is there another class that is being used now?

# April 20, 2009 8:08 AM

John said:

I would also like to know where to look for WMI antivirus status in Vista SP1+. I've checked root\securitycenter2 but all that's listed there is one single entry for "displayName = Trend Micro Client/Server Security Agent Antivirus"

Nothing there for AV status or if it's up to date.

How can you get antivirus information with wmi for Vista SP1 or SP2 (or windows 7 for that matter)?

Thanks

# June 13, 2009 8:09 PM

John said:

I believe the solution to querying antivirus status on Vista SP1/SP2 is with the strange "productState" value. This seems to represent the entire AV status as a number.

e.g.

C:\>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

displayName=Trend Micro Client/Server Security Agent Antivirus

productState=266240

If you stop the AV services, the productState changes to 262144.

productState=262144 = Up to Date Defs, On Access Scanning OFF

productState=266240 = Up to Date Defs, ON Access Scanning ON

Is there any info from Microsoft regarding these productState values? Are they different for each AV version, etc.?

Thanks.

# June 13, 2009 10:43 PM

Victor said:

Hi John,

Did you get any further on the productstates?

Thanks

# July 2, 2009 11:16 AM

Victor said:

To read the product state you have to use the WscGetSecurityProviderHealth in the wscapi.dll

More information here: http://msdn.microsoft.com/en-us/library/bb432506(VS.85).aspx

There is also an example in the Windows Software Development Kit (SDK) for Windows Server 2008 and .NET Framework 3.5

# July 3, 2009 9:07 AM

Sohail Patel said:

How to check on Windows 2003??

Is there any way to get the AV information?

# September 1, 2009 1:49 AM

Ryan said:

I am also looking for more information about productstates.  Victor's post doesn't really explain the values given by WMI.

# September 10, 2009 2:35 PM

Jeremiah said:

Is it possible to save the scan results into a .txt file?

# September 28, 2009 8:09 AM

John said:

Sorry for the late reply Victor, just seeing this now.

Anyway, we are successfully looking for these values:

productState=266240: This means AV has up to Date Definitions with ON Access Scanning turned ON

productState=262144 = This means the AV is up to Date Defs but On Access Scanning OFF

There are other values but these are not necessary since in our case all we care about is productState=266240 otherwise we have an AV problem.

I wrote a Nagios monitoring plug-in to audit all machines on the network looking for productState=266240 (AV okay); if it is not 266240 then there is some problem that needs to be investigated, so it flags an alert.

That's sufficient for our needs.

Thanks,

John.

# October 28, 2009 7:31 PM
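The audit John describes, as an added example that is neither the post's code nor John's plug-in: it parses the /Format:List output of the WMIC query John posted earlier (a constructed sample is embedded so it runs offline) and applies only the two productState meanings given in these comments, treating any other value as "investigate". The Nagios exit code convention (0 = OK, 2 = CRITICAL) is an assumption about how such a plug-in reports.

```python
import re

# productState values that the comments above report for root\SecurityCenter2.
# Only these two meanings are given on the page; anything else is "investigate",
# which is how John's Nagios plug-in treats any value other than 266240.
KNOWN_STATES = {
    266240: "OK: definitions up to date, on-access scanning ON",
    262144: "WARNING: definitions up to date, on-access scanning OFF",
}

# Constructed sample of the /Format:List output from John's WMIC query above,
# with two products so every row is checked; 397312 is the value Seb reports
# for Microsoft Security Essentials in the comments.
SAMPLE_WMIC_OUTPUT = """
displayName=Trend Micro Client/Server Security Agent Antivirus
productState=266240

displayName=Microsoft Security Essentials
productState=397312
"""

def parse_wmic_list(text):
    """Parse WMIC /Format:List output into one dict per blank-line-separated block."""
    products = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            products.append(fields)
    return products

def classify(product):
    """Return (displayName, productState, verdict) for one AntiVirusProduct row."""
    state = int(product.get("productState", "-1"))
    verdict = KNOWN_STATES.get(state, "CRITICAL: undocumented productState, investigate")
    return product.get("displayName", "?"), state, verdict

def audit(text):
    """Nagios-style exit code: 0 only if every product reports 266240, else 2."""
    results = [classify(p) for p in parse_wmic_list(text)]
    ok = bool(results) and all(state == 266240 for _, state, _ in results)
    return (0 if ok else 2), results

if __name__ == "__main__":
    code, rows = audit(SAMPLE_WMIC_OUTPUT)  # feed real WMIC stdout here on Windows
    for name, state, verdict in rows:
        print(f"{name}: productState={state} -> {verdict}")
```

A machine with no AntiVirusProduct row at all is also reported as CRITICAL, since an empty result is the case GarthMJ's ConfigMgr comparison is meant to catch.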

Sohail Patel said:

John!

Could you please let us know whether it is possible to fetch the AV information on a server operating system?

I checked and found that this script works for desktops only..

# November 4, 2009 7:44 AM

Etna said:

Can somebody provide value map for

AntiVirusProduct.productState ?

The developer "forgot" to put a property qualifier in the class definition.

I am getting productState = 397312 and would like to know what it means.

# December 2, 2009 5:09 PM

Seb said:

Hi,

Any answer for the previous post anyone? I have the same productState using Microsoft Security Essentials installed and up to date on a Windows 7 box.

Cheers

# December 11, 2009 5:46 AM

James said:

I am also receiving 397312.

I am using ForeFront Client Security, and it is up to date with real-time scanning and daily scans, so I am assuming that state just means it's OK..

What is the state of your anti virus with this code?

# December 17, 2009 8:28 AM