As of last weekend I have fully moved to my new home, so I hopefully will have more time to spend on informative posts.
An important part of a workstation’s security is its Antivirus or Security software.
However, how do you see which device is already protected? Before you know it, you might have devices on the network without a security product because someone forgot to install it. Let us look at where to find this information!
Before we start: this is the base skeleton of a script, as values etc. can change depending on the security software, so you might have to adjust or add some rules to this script.
The example will also only work on Windows 7 or higher, because it uses the WMI namespace “root\SecurityCenter2”, while Windows XP and older use “root\SecurityCenter”.
Now to the explanation.
First, Windows stores the information it has on its security software in a WMI object. This object is located in root\SecurityCenter2 and is called AntiVirusProduct.
This is the same location that the basic Windows Security Center gets most of its information from.
While we could use WMI commands to retrieve this information, that is the old way and has since been superseded by the CIM cmdlets, which are better supported.
In this example we use Get-CimInstance to show us everything under the AntiVirusProduct class located under root\SecurityCenter2.
This retrieves multiple things. The most important ones being the software name and product state.
We can use the software name as a string.
The product state, however, can be used in two different ways:
1. The number itself shows the state of the security software.
This is where your input comes in. Many software packages follow the same rules: the product is in a good state below 270000, inactive between 270000 and 300000, and in error above that.
However, a good few software packages use different values. As can be seen in the commented rules within the example, Sophos and Symantec are two examples that have different values.
These can be handled by doing their comparisons before the generic ones, filtering them out by product name.
2. When the number is converted to hex, it contains information on whether it is the main enabled security software on the device. The script is set to filter out anything not set as fully enabled and do nothing with that specific security software.
Now you might ask: why does this command run at the end?
“Get-CimInstance -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Remove-CimInstance”
Well, the answer is easy: the namespace is terrible at updating, or to be precise, Windows and/or the antivirus software is terrible at updating the namespace.
That security software you installed 5 years ago but don’t use anymore? It might still be in there, with a product state saying that it is enabled.
That’s why I have the script clear out the WMI class at the end of the script.
The only issue is that the namespace will not fill itself back up with the correct information until after the workstation has been booted up again.
Therefore it might be best, at this point, to check the results the day after to see whether this has fixed it and delivered the correct information this time, or whether the security software on that device needs an in-depth checkup.
You do not have to use the command, or you can use it in different ways, but I had too many issues with old information not to use it.
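Putting the pieces above together, here is an added example skeleton (my own, not the post’s original script). It assumes Windows 7 or later, uses the generic 270000/300000 thresholds from the post, leaves the vendor-specific rules as an empty placeholder table for you to fill in, and reads the “enabled” flag from the middle pair of hex digits of productState (that digit position is an assumption based on common usage, not something the post states).

```powershell
# Added example skeleton; vendor-specific thresholds are NOT filled in (placeholder only).
$VendorRules = @{
    # 'Sophos'   = { param($State) <# vendor-specific comparison goes here #> }
    # 'Symantec' = { param($State) <# vendor-specific comparison goes here #> }
}

function Get-AvState {
    param([string]$Name, [int]$State)
    # Vendor-specific comparisons run first, matched by product name
    foreach ($vendor in $VendorRules.Keys) {
        if ($Name -like "*$vendor*") { return (& $VendorRules[$vendor] $State) }
    }
    # Generic rules from the post
    if ($State -lt 270000) { return 'OK' }
    if ($State -lt 300000) { return 'Inactive' }
    return 'Error'
}

function Test-AvEnabled {
    param([int]$State)
    # Six hex digits; the middle pair is treated as the enabled flag (assumption: '10'/'11' = enabled)
    $hex = '{0:x6}' -f $State
    return ($hex.Substring(2, 2) -in @('10', '11'))
}

$products = Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct
foreach ($p in $products) {
    # Skip anything not reported as fully enabled
    if (-not (Test-AvEnabled -State $p.productState)) { continue }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Product  = $p.displayName
        State    = $p.productState
        Hex      = '{0:x6}' -f $p.productState
        Status   = Get-AvState -Name $p.displayName -State $p.productState
    }
}

# Clear stale entries; the namespace only repopulates after the next boot, so re-check the day after
Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct | Remove-CimInstance
```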
There it is: using Get-CimInstance to get a barebones script that can be built upon to retrieve the desired data and perform actions and/or give warnings depending on the results.
There might still be a good bit of work to be done on this to make it work for someone else’s specific purpose, but it is always good to know where to start.
Well, hopefully this has given some insight to people regarding the SecurityCenter2 namespace and the way to interact with it.
Categories: Windows, Powershell, Script, Antivirus
Patrick Berger AKA Powershellder.