Decrypt my World

Cryptography, Security, Debugging and more!

How to get Antivirus information with WMI (VBScript)

Hi all, welcome back,

As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration: each vendor registers its product, and its current status, in the root\SecurityCenter WMI namespace, and Windows Security Center queries that namespace to detect antivirus and firewall solutions.

The following script reads the same registration data back out of the AntiVirusProduct class, so you can see what the vendors have registered on a given machine:

' Query the Windows Security Center WMI namespace for the registered antivirus products.
' Run with: cscript //nologo av.vbs (wscript would pop up one dialog per Echo).
' "." is the local machine; put a host name here to query a remote one.
strComputer = "."

' root\SecurityCenter is the XP SP2 / Server 2003 namespace in which ISV products
' register themselves. On Vista SP1 / Server 2008 and later the equivalent store
' is root\SecurityCenter2 (see the comments below).
Set oWMI = GetObject( _
  "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

' One AntiVirusProduct instance per registered antivirus product
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

For Each objItem in colItems
  With objItem
    WScript.Echo .companyName
    WScript.Echo .displayName
    WScript.Echo .instanceGuid
    WScript.Echo .onAccessScanningEnabled      ' True if real-time scanning is on
    WScript.Echo .pathToSignedProductExe
    WScript.Echo .productHasNotifiedUser
    WScript.Echo .productState                 ' packed status value (see the comments below)
    WScript.Echo .productUptoDate              ' True if signatures are current
    WScript.Echo .productWantsWscNotifications
    WScript.Echo .versionNumber
  End With
Next

Cheers,

Alex (Alejandro Campos Magencio)

  • What about 64-bit systems? XP x64 and 2003 x64 don't seem to have this namespace. I've verified with WMI Code Creator or Scriptomatic...

  • You are right, the root\securitycenter namespace is not present on x64 systems by default.

    An antivirus WMI provider must be installed for that namespace to exist in x64 systems.

    You should contact the Antivirus Vendor and ask for the WMI provider.

    Cheers,

    Alex

  • Is it possible to get antivirus information with WMI (VBScript) on Windows Vista and Windows 2008? If yes, could you please guide...

    Basant

  • Hi,

    This namespace is no longer available on Windows Vista SP1/2008 Server. That namespace is the legacy store for ISV products to register and report the status of their AV/AS/FW products.

    We no longer support writing directly to the root\securitycenter WMI namespace, and instead vendors must use our API. This API is not published and is only made available for those vendors that meet the criteria. Contact info can be found here:

    Implementing the Teredo Security Model

    http://msdn.microsoft.com/en-us/library/bb190942(VS.85).aspx

    "The API utilized to register a firewall with the WSC can be obtained by contacting Microsoft at wscisv@microsoft.com. A Non-Disclosure Agreement (NDA) is required for the disclosure of this API due to security concerns."

    I've only found this public info on the API:

    Windows Security Center

    http://msdn.microsoft.com/en-us/library/bb963845(VS.85).aspx

    Regards,

    Alex

  • So I am reading your blog post entitled “How to get Antivirus information with WMI (VBScript)”; you state that writing to root\SecurityCenter is no longer supported in Vista SP1 and Windows 2008. However, I'm unclear whether this namespace is supported for reading data going forward.

    Brief background: I do a lot of work with ConfigMgr, and during my reviews of some environments I find lots of workstations that are listed within ConfigMgr but are not listed within the AV management software (ePO, for example). I want to create a ConfigMgr update that will read and collect all of root\SecurityCenter. This task should easily be done in 1-2 days to update and test. Then we would compare the ePO results to the ConfigMgr results, comparing/fixing the differences between both products. However, if this class is not being updated by the majority of AV vendors any more, is there another class that is being used now?

  • I would also like to know where to look for WMI antivirus status in Vista SP1+. I've checked root\securitycenter2 but all that's listed there is one single entry for "displayName = Trend Micro Client/Server Security Agent Antivirus"

    Nothing there for AV status or if it's up to date.

    How can you get antivirus information with WMI for Vista SP1 or SP2 (or Windows 7, for that matter)?

    Thanks

  • I believe the solution to querying antivirus status on Vista SP1/SP2 is with the strange "productState" value. This seems to represent the entire AV status as a number.

    e.g.

    C:\>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List

    displayName=Trend Micro Client/Server Security Agent Antivirus

    productState=266240

    If you stop the AV services, the productState changes to 262144.

    productState=262144 = Up to Date Defs, On Access Scanning OFF

    productState=266240 = Up to Date Defs, ON Access Scanning ON

    Is there any info from Microsoft regarding these productState values? Are they different for each AV version, etc.?

    Thanks.

  • Hi John,

    Did you get any further on the productstates?

    Thanks

  • To read the product state you have to use WscGetSecurityProviderHealth in wscapi.dll.

    More information here: http://msdn.microsoft.com/en-us/library/bb432506(VS.85).aspx

    There is also an example in the Windows Software Development Kit (SDK) for Windows Server 2008 and .NET Framework 3.5

  • How to check on Windows 2003?

    Is there any way to get the AV information?

  • I am also looking for more information about productstates.  Victor's post doesn't really explain the values given by WMI.

  • Is it possible to save the scan results into a .txt file?

  • Sorry for the late reply, Victor, just seeing this now.

    Anyway, we are successfully looking for these values:

    productState=266240: this means the AV has up-to-date definitions with on-access scanning turned ON

    productState=262144: this means the AV has up-to-date definitions but on-access scanning is OFF

    There are other values but these are not necessary since in our case all we care about is productState=266240 otherwise we have an AV problem.

    I wrote a nagios monitoring plug-in to audit all machines on the network looking for productState=266240 (AV okay) and if not 266240 then there is some problem that needs to be investigated so flag an alert.

    That's sufficient for our needs.

    Thanks,

    John.

  • John!

    Could you please let us know whether it is possible to fetch the AV information on a server operating system?

    I checked and found that this script only works for desktops.

  • Can somebody provide a value map for

    AntiVirusProduct.productState?

    The developer "forgot" to put the property qualifier in the class definition.

    I'm getting productState = 397312 and would like to know what it means.
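Two questions run through the thread above: which namespace to query (root\SecurityCenter on XP/2003, root\SecurityCenter2 on Vista SP1 / Server 2008 and later, and neither on an x64 system that has no vendor provider), and what the packed productState number means (John's 266240 and 262144 observations, his Nagios check that alerts on anything other than 266240, and the 397312 asked about in the last comment). The Python script below is an added example written for this page; it is not code from the original post, its author or any commenter. It assumes the community-derived bit layout of productState (three bytes, 0xCCSSUU: category byte, on-access-scanning byte, signature-status byte), which Microsoft has not published but which is consistent with every value quoted on this page; the live-query part assumes a Windows host with the pywin32 package (win32com.client) installed, and the values fed to the decoder are taken from the thread, not from a live query.

```python
"""Decode AntiVirusProduct.productState and (on Windows) query it via WMI.

Added example for this page, not code from the original post or its comments.
ASSUMPTION: the bit layout below is the community-derived reading of the
undocumented productState value. It matches every value quoted in the
comment thread (266240, 262144, 397312), but Microsoft publishes no map.
"""
from typing import Dict, List

# Assumed 24-bit layout 0xCCSSUU (community-derived, not documented by Microsoft):
#   CC (bits 16-23): provider/category byte; 0x04 and 0x06 are seen for AV products
#   SS (bits  8-15): real-time (on-access) scanning: 0x10 on, 0x00 off, 0x01 snoozed
#   UU (bits  0- 7): signature status: 0x00 up to date, 0x10 out of date
_SCANNING = {0x10: "enabled", 0x00: "disabled", 0x01: "snoozed"}
_SIGNATURES = {0x00: "up to date", 0x10: "out of date"}


def decode_product_state(state: int) -> Dict[str, object]:
    """Split productState into its three bytes and name the known values."""
    if not 0 <= state <= 0xFFFFFF:
        raise ValueError(f"productState outside 24-bit range: {state!r}")
    category = (state >> 16) & 0xFF
    scanning = (state >> 8) & 0xFF
    signatures = state & 0xFF
    return {
        "raw": state,
        "hex": f"0x{state:06X}",
        "category": category,
        "on_access_scanning": _SCANNING.get(scanning, f"unknown (0x{scanning:02X})"),
        "signatures": _SIGNATURES.get(signatures, f"unknown (0x{signatures:02X})"),
    }


def av_is_healthy(state: int) -> bool:
    """The thread's Nagios check (state == 266240), generalised by field rather
    than by literal value: healthy means scanning enabled AND signatures current,
    so a product reporting 397312 (category byte 0x06) is not flagged as broken."""
    decoded = decode_product_state(state)
    return (decoded["on_access_scanning"] == "enabled"
            and decoded["signatures"] == "up to date")


def query_antivirus_products(computer: str = ".") -> List[Dict[str, object]]:
    """Return the registered AV products from root\\SecurityCenter2 (Vista SP1 /
    Server 2008 and later), falling back to the XP-era root\\SecurityCenter.
    Requires Windows plus pywin32 (assumption); elsewhere returns an empty list."""
    try:
        import win32com.client  # pywin32, not part of the standard library
    except ImportError:
        return []
    found: List[Dict[str, object]] = []
    for namespace in ("root\\SecurityCenter2", "root\\SecurityCenter"):
        moniker = f"winmgmts:{{impersonationLevel=impersonate}}!\\\\{computer}\\{namespace}"
        try:
            products = win32com.client.GetObject(moniker).ExecQuery(
                "SELECT * FROM AntiVirusProduct")
        except Exception:  # namespace absent (x64 XP/2003 without a provider) or access denied
            continue
        for p in products:
            # Older providers expose onAccessScanningEnabled/productUptoDate, not productState.
            state = getattr(p, "productState", None)
            found.append({
                "namespace": namespace,
                "displayName": p.displayName,
                "productState": state,
                "decoded": decode_product_state(int(state)) if state is not None else None,
                "onAccessScanningEnabled": getattr(p, "onAccessScanningEnabled", None),
                "productUptoDate": getattr(p, "productUptoDate", None),
            })
        if found:
            break  # do not double-count a product registered in both namespaces
    return found


if __name__ == "__main__":
    # Constructed input: the three values quoted in the comment thread.
    for value in (266240, 262144, 397312):
        info = decode_product_state(value)
        print(f"{value} ({info['hex']}): scanning {info['on_access_scanning']}, "
              f"signatures {info['signatures']}, healthy={av_is_healthy(value)}")
    for product in query_antivirus_products():
        print(product)
```

Run it as `python av_state.py`. The health check tests the two state bytes instead of comparing against the literal 266240, so 397312 from the last comment (same state bytes, different category byte) counts as healthy rather than as an alert, while a byte value the decoder has not seen is reported as unknown rather than guessed; anything other than "enabled" plus "up to date" is what a monitoring plug-in should flag.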
