Get Installed Antivirus Information

Required Files: None

Gathers the name, location, update status, real time protection status, and product state of any installed Antivirus.

function Get-LHSAntiVirusProduct 
{
<#
.SYNOPSIS
    Get the status of Antivirus Product on local and Remote Computers.
 
.DESCRIPTION
    It works with MS Security Center and detects the status for most AV products.
 
    Note that this script will only work on Windows XP SP2, Vista, 7, 8.x, 10 
    operating systems as Windows Servers does not have 
    the required WMI SecurityCenter\SecurityCenter(2) name spaces.
 
.PARAMETER ComputerName
    The computer name(s) to retrieve the info from. 
 
.EXAMPLE
    Get-LHSAntiVirusProduct
 
    ComputerName             : Localhost
    Name                     : Kaspersky Endpoint Security 10 für Windows
    ProductExecutable        : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint 
                               Security 10 for Windows SP1\wmiav.exe
    DefinitionStatus         : UP_TO_DATE
    RealTimeProtectionStatus : ON
    ProductState             : 266240
 
.EXAMPLE
    Get-LHSAntiVirusProduct –ComputerName PC1,PC2,PC3
 
    ComputerName             : PC1
    Name                     : Kaspersky Endpoint Security 10 für Windows
    ProductExecutable        : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint 
                               Security 10 for Windows SP1\wmiav.exe
    DefinitionStatus         : UP_TO_DATE
    RealTimeProtectionStatus : ON
    ProductState             : 266240
    (..)
 
.EXAMPLE
    (get-content PClist.txt) | Get-LHSAntiVirusProduct
 
 .INPUTS
    System.String, you can pipe ComputerNames to this Function
 
.OUTPUTS
    Custom PSObjects 
 
.NOTE
    WMI query to get anti-virus information has been changed.
    Pre-Vista clients used the root/SecurityCenter namespace, 
    while Post-Vista clients use the root/SecurityCenter2 namespace.
    But not only the namespace has been changed, The properties too. 
 
 
    More info at http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
    and from this MSDN Blog 
    http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx
 
 
    AUTHOR: Pasquale Lantella 
    LASTEDIT: 23.06.2016
    KEYWORDS: Antivirus
    Version :1.1
    History :1.1 support for Win 10, changed the use of WMI productState   
 
.LINK
    WSC_SECURITY_PRODUCT_STATE enumeration
    https://msdn.microsoft.com/en-us/library/jj155490%28v=vs.85%29
 
.LINK
    Windows Security Center
    https://msdn.microsoft.com/en-us/library/gg537273%28v=vs.85%29
 
.LINK
    http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
 
#Requires -Version 2.0
#>
 
 
[CmdletBinding()]
 
param (
    [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
    [Alias('CN')]
    [String[]]$ComputerName=$env:computername
)
 
BEGIN {
 
    Set-StrictMode -Version Latest
    ${CmdletName} = $Pscmdlet.MyInvocation.MyCommand.Name
 
} # end BEGIN
 
PROCESS {
 
    ForEach ($Computer in $computerName) 
    {
        IF (Test-Connection -ComputerName $Computer -count 2 -quiet) 
        { 
            Try
            {
                [system.Version]$OSVersion = (Get-WmiObject win32_operatingsystem -computername $Computer).version
 
                IF ($OSVersion -ge [system.version]'6.0.0.0') 
                {
                    Write-Verbose "OS Windows Vista/Server 2008 or newer detected."
                    $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop
                } 
                Else 
                {
                    Write-Verbose "Windows 2000, 2003, XP detected" 
                    $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct  -ComputerName $Computer -ErrorAction Stop
                } # end IF ($OSVersion -ge 6.0) 
 
                <#
                it appears that if you convert the productstate to HEX then you can read the 1st 2nd or 3rd block 
                to get whether product is enabled/disabled and whether definitons are up-to-date or outdated
                #>
 
                $productState = $AntiVirusProduct.productState
 
                # convert to hex, add an additional '0' left if necesarry
                #$hex = [Convert]::ToString($productState, 16).PadLeft(6,'0')
    			$hex = [convert]::ToString($productState[0], 16).PadLeft(6,'0')
 
 
                # Substring(int startIndex, int length)  
                $WSC_SECURITY_PROVIDER = $hex.Substring(0,2)
                $WSC_SECURITY_PRODUCT_STATE = $hex.Substring(2,2)
                $WSC_SECURITY_SIGNATURE_STATUS = $hex.Substring(4,2)
 
                #n ot used yet
                $SECURITY_PROVIDER = switch ($WSC_SECURITY_PROVIDER)
                {
                    0  {"NONE"}
                    1  {"FIREWALL"}
                    2  {"AUTOUPDATE_SETTINGS"}
                    4  {"ANTIVIRUS"}
                    8  {"ANTISPYWARE"}
                    16 {"INTERNET_SETTINGS"}
                    32 {"USER_ACCOUNT_CONTROL"}
                    64 {"SERVICE"}
                    default {"UNKNOWN"}
                }
 
 
                $RealTimeProtectionStatus = switch ($WSC_SECURITY_PRODUCT_STATE)
                {
                    "00" {"OFF"} 
                    "01" {"EXPIRED"}
                    "10" {"ON"}
                    "11" {"SNOOZED"}
                    default {"UNKNOWN"}
                }
 
                $DefinitionStatus = switch ($WSC_SECURITY_SIGNATURE_STATUS)
                {
                    "00" {"UP_TO_DATE"}
                    "10" {"OUT_OF_DATE"}
                    default {"UNKNOWN"}
                }  
 
<#  
                # Switch to determine the status of antivirus definitions and real-time protection.
                # The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx
                switch ($AntiVirusProduct.productState) {
                     #AVG Internet Security 2012 (from antivirusproduct WMI)
                     "262144" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
                     "266240" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
 
                     "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
                     "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
                     "393216" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
                     "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
                     "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
                     "397312" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
                     "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
                     #Windows Defender
                     "393472" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} 
                     "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
                     "397568" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
 
                     default {$defstatus = "Unknown" ;$rtstatus = "Unknown"}
                }
#>
 
 
                # Output PSCustom Object
                $AV = $Null
                $AV = New-Object -TypeName PSObject -ErrorAction Stop -Property @{
 
                    ComputerName = $AntiVirusProduct.__Server;
                    Name = $AntiVirusProduct.displayName;
                    ProductExecutable = $AntiVirusProduct.pathToSignedProductExe;
                    DefinitionStatus = $DefinitionStatus;
                    RealTimeProtectionStatus = $RealTimeProtectionStatus;
                    ProductState = $productState;
 
                } | Select-Object ComputerName,Name,ProductExecutable,DefinitionStatus,RealTimeProtectionStatus,ProductState  
 
                Write-Output $AV 
            }
            Catch 
            {
                Write-Error "\\$Computer : WMI Error"
                Write-Error $_
            }                              
        } 
        Else 
        {
            Write-Warning "\\$computer DO NOT reply to ping" 
        } # end IF (Test-Connection -ComputerName $Computer -count 2 -quiet)
 
    } # end ForEach ($Computer in $computerName)
 
} # end PROCESS
 
END { Write-Verbose "Function Get-LHSAntiVirusProduct finished." } 
} # end function Get-LHSAntiVirusProduct
 
Get-LHSAntiVirusProduct

function Get-LHSAntiVirusProduct { <# .SYNOPSIS Get the status of Antivirus Product on local and Remote Computers. .DESCRIPTION It works with MS Security Center and detects the status for most AV products. Note that this script will only work on Windows XP SP2, Vista, 7, 8.x, 10 operating systems as Windows Servers does not have the required WMI SecurityCenter\SecurityCenter(2) name spaces. .PARAMETER ComputerName The computer name(s) to retrieve the info from. .EXAMPLE Get-LHSAntiVirusProduct ComputerName : Localhost Name : Kaspersky Endpoint Security 10 für Windows ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\wmiav.exe DefinitionStatus : UP_TO_DATE RealTimeProtectionStatus : ON ProductState : 266240 .EXAMPLE Get-LHSAntiVirusProduct –ComputerName PC1,PC2,PC3 ComputerName : PC1 Name : Kaspersky Endpoint Security 10 für Windows ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security 10 for Windows SP1\wmiav.exe DefinitionStatus : UP_TO_DATE RealTimeProtectionStatus : ON ProductState : 266240 (..) .EXAMPLE (get-content PClist.txt) | Get-LHSAntiVirusProduct .INPUTS System.String, you can pipe ComputerNames to this Function .OUTPUTS Custom PSObjects .NOTE WMI query to get anti-virus information has been changed. Pre-Vista clients used the root/SecurityCenter namespace, while Post-Vista clients use the root/SecurityCenter2 namespace. But not only the namespace has been changed, The properties too. More info at http://neophob.com/2010/03/wmi-query-windows-securitycenter2/ and from this MSDN Blog http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx AUTHOR: Pasquale Lantella LASTEDIT: 23.06.2016 KEYWORDS: Antivirus Version :1.1 History :1.1 support for Win 10, changed the use of WMI productState .LINK WSC_SECURITY_PRODUCT_STATE enumeration https://msdn.microsoft.com/en-us/library/jj155490%28v=vs.85%29 .LINK Windows Security Center https://msdn.microsoft.com/en-us/library/gg537273%28v=vs.85%29 .LINK http://neophob.com/2010/03/wmi-query-windows-securitycenter2/ #Requires -Version 2.0 #> [CmdletBinding()] param ( [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] [Alias('CN')] [String[]]$ComputerName=$env:computername ) BEGIN { Set-StrictMode -Version Latest ${CmdletName} = $Pscmdlet.MyInvocation.MyCommand.Name } # end BEGIN PROCESS { ForEach ($Computer in $computerName) { IF (Test-Connection -ComputerName $Computer -count 2 -quiet) { Try { [system.Version]$OSVersion = (Get-WmiObject win32_operatingsystem -computername $Computer).version IF ($OSVersion -ge [system.version]'6.0.0.0') { Write-Verbose "OS Windows Vista/Server 2008 or newer detected." $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop } Else { Write-Verbose "Windows 2000, 2003, XP detected" $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop } # end IF ($OSVersion -ge 6.0) <# it appears that if you convert the productstate to HEX then you can read the 1st 2nd or 3rd block to get whether product is enabled/disabled and whether definitons are up-to-date or outdated #> $productState = $AntiVirusProduct.productState # convert to hex, add an additional '0' left if necesarry #$hex = [Convert]::ToString($productState, 16).PadLeft(6,'0') $hex = [convert]::ToString($productState[0], 16).PadLeft(6,'0') # Substring(int startIndex, int length) $WSC_SECURITY_PROVIDER = $hex.Substring(0,2) $WSC_SECURITY_PRODUCT_STATE = $hex.Substring(2,2) $WSC_SECURITY_SIGNATURE_STATUS = $hex.Substring(4,2) #n ot used yet $SECURITY_PROVIDER = switch ($WSC_SECURITY_PROVIDER) { 0 {"NONE"} 1 {"FIREWALL"} 2 {"AUTOUPDATE_SETTINGS"} 4 {"ANTIVIRUS"} 8 {"ANTISPYWARE"} 16 {"INTERNET_SETTINGS"} 32 {"USER_ACCOUNT_CONTROL"} 64 {"SERVICE"} default {"UNKNOWN"} } $RealTimeProtectionStatus = switch ($WSC_SECURITY_PRODUCT_STATE) { "00" {"OFF"} "01" {"EXPIRED"} "10" {"ON"} "11" {"SNOOZED"} default {"UNKNOWN"} } $DefinitionStatus = switch ($WSC_SECURITY_SIGNATURE_STATUS) { "00" {"UP_TO_DATE"} "10" {"OUT_OF_DATE"} default {"UNKNOWN"} } <# # Switch to determine the status of antivirus definitions and real-time protection. # The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx switch ($AntiVirusProduct.productState) { #AVG Internet Security 2012 (from antivirusproduct WMI) "262144" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} "266240" {$defstatus = "Up to date" ;$rtstatus = "Enabled"} "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} "393216" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} "397312" {$defstatus = "Up to date" ;$rtstatus = "Enabled"} "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} #Windows Defender "393472" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} "397568" {$defstatus = "Up to date" ;$rtstatus = "Enabled"} default {$defstatus = "Unknown" ;$rtstatus = "Unknown"} } #> # Output PSCustom Object $AV = $Null $AV = New-Object -TypeName PSObject -ErrorAction Stop -Property @{ ComputerName = $AntiVirusProduct.__Server; Name = $AntiVirusProduct.displayName; ProductExecutable = $AntiVirusProduct.pathToSignedProductExe; DefinitionStatus = $DefinitionStatus; RealTimeProtectionStatus = $RealTimeProtectionStatus; ProductState = $productState; } | Select-Object ComputerName,Name,ProductExecutable,DefinitionStatus,RealTimeProtectionStatus,ProductState Write-Output $AV } Catch { Write-Error "\\$Computer : WMI Error" Write-Error $_ } } Else { Write-Warning "\\$computer DO NOT reply to ping" } # end IF (Test-Connection -ComputerName $Computer -count 2 -quiet) } # end ForEach ($Computer in $computerName) } # end PROCESS END { Write-Verbose "Function Get-LHSAntiVirusProduct finished." } } # end function Get-LHSAntiVirusProduct Get-LHSAntiVirusProduct

Get Installed Antivirus Information

Submit a Comment Cancel reply