Kaseya Community


The place to find product documentation, user guides, video demos, and scripts/procedures shared within the community


Windows Workstation Antivirus Monitoring

I put together an agent procedure to collect AV status information from the Windows Security Center, currently only supported by Microsoft on XP, Vista, and Windows 7.

I know I've seen a procedure like this posted here before, but this one is probably the most comprehensive.

Before you run the procedure, you'll need to create three custom audit fields which will have Antivirus information populated once the procedure runs.

To create these fields, select Audit -> Machine Summary -> Summary Tab (select any agent) -> New custom Field

The three fields you'll need are:

Antivirus Product
Antivirus Definition Status
Antivirus Realtime Scan Status

If you want, you can click the "Bulk edit custom" button and fill in "Pending" for Antivirus Product if you wish to make it clear if a machine has not been scanned for an Antivirus product yet.

Now you're ready to go run the procedure on your agents. Below is a screenshot of the results I get when I run it on a demo server - you can easily add these three columns to the Agent Status page to quickly view the results of the procedure.

Take a close look at the procedure and you'll see where you can even monitor the Windows event log to alarm if an AV product is not found.

Have fun :)


  • Windows Workstation Antivirus Monitoring

    You can create an event log alert to be notified if an error is detected with antivirus (either not found, definitions out of date, or protection disabled.

    I'll paste an example monitor set below. The event will be an Error in the application log, so be sure your agents are collecting Application Errors and you use that as your criteria for the alert.

    <?xml version="1.0" encoding="ISO-8859-1" ?>


     <set_elements setName="Antivirus Monitoring - See Audit AV Procedure" eventSetId="91133409" snmpTraps="0">

       <element_data ignore="0" source="kaseya_agent" category="*" eventId="-1" username="*" description="*Antivirus*"/>



  • Windows Workstation Antivirus Monitoring

    Very impressive Ben.

    - Max

  • Windows Workstation Antivirus Monitoring

    I'll have to check this out, thanks Ben!

  • Windows Workstation Antivirus Monitoring

    Very cool dude! You just earned another cigar (gotta come up and hang for a while!)

  • Windows Workstation Antivirus Monitoring

    This looks like a great monitor set.   I should just be able to import this into monitor sets, correct?  I get this message when I try to either upload it or copy and paste it.

    The Monitor Set was not a valid Kaseya Monitor Set xml format. Error: -1072896682

    Any ideas or maybe I am putting it in the wrong place?

  • Windows Workstation Antivirus Monitoring

    This is nice.  I implemented on our system with some minor modifications.  I already have a script that (fairly manually) monitors servers so I might merge the two and get a more concise list.  Good work.

  • Windows Workstation Antivirus Monitoring

    Verify useful and handy script. However I discovered in our environment some systems with KES and Windows XP report as no A/V installed. Windows 7 is fine. Must be a bug with KES not reporting to windows security center properly.

  • Windows Workstation Antivirus Monitoring

    Is anyone else seeing a issue with the script? On first run it worked great but after the second day I am getting "No AV installed" on systems that were reporting AV was installed just the day before. Of course I've looked and yes AV is installed, active and running.

    In the Agent logs (not Agent proceedure log) I am getting a error now that reports" ERROR: getVaribleValue() failed to get dynamic script varible value, type 12 - root\SecurityCenter:AntiVirusProduct.companyname . followed by the same alert referencing display.name then again for onAccessScanningEnabled and then again on ProductUptoDate.

    Not sure why script would see this WMI space on 1 day and then fail the next.

    Any clues as to why or how to fix?

  • Windows Workstation Antivirus Monitoring

    very very nice!

  • Windows Workstation Antivirus Monitoring

    Glad you guys are getting some mileage out of it!

    Lenski, for your WinXP systems not showing KES is installed correctly, I'll try an take a closer look at those myself with you. I'm sending a message over now.

    As for WMI returning data one day and not returning data the next, I'm not sure how to start addressing that one... if I get the time I'll try to look into it.

  • Windows Workstation Antivirus Monitoring

    The script works for me but for some clients I get the following error in the Agent Logs:

    10:55:01 27-Apr-11 Antivirus Monitoring-2-2

    Script Summary: Failed in the if step

    10:55:01 27-Apr-11 Antivirus Monitoring-2-2

    FAILED in processing IF step, Check Variable, with error Script variable is undefined. It must be defined by a GetVariable step earlier in this script or a parent script.

    Someone with the same problems and can someone fix this?

  • Windows Workstation Antivirus Monitoring

    The error is about the Antivirusproduct.


    PC with a error: Trend Micro Client/Server Security Agent Antivirus

    PC without a error:TrendAntiVirus Trend Micro Client/Server Security Agent Antivirus 15.1

    (On both the machines is the same antivirus installed)

  • Windows Workstation Antivirus Monitoring

    Actually, that error is related to Windows 7.  As great as Ben's script is, it wasn't defining #productuptodate# for Windows 7 (because that doesn't exist for 7).  Instead, you have to look at the #productState# variable.  Unfortunately, later in the script it assumes #productuptodate# is defined.  I've modified it to handle this as the errors were plentiful.

  • Windows Workstation Antivirus Monitoring

    I can provide the modifications if someone will tell me where the appropriate place to do so in this forum.  I'm new to Kaseya and this forum and don't want to start posting lots of XML in this box unless thats the standard way of helping out.  I don't see another way to upload a file in this thread.

  • Windows Workstation Antivirus Monitoring

    brilliant so far with this, well done all involved.

    One question though, is it possible to modify it to email a daily roudup of machines it finds with no AV or AV updates that our out of date.  I'm sure this is achievable but out way out of my skill set.

    More a version 1.1 request.