Kaseya Community

WMI variable for XP's "security center" AV status

  • In Windows XP these days, there is a little tool (Windows Security Center) that they created to check if a firewall and anti-virus are running. If a third-party tool is properly set up, it communicates to XP so that it knows and doesn't bother the user.

    Is there a WMI or other variable that we could pull with a script to determine if a machine has anti-virus and/or a firewall activated? That would be very nice to know in a new environment where all computers may not be protected at all.

    Any ideas?


    Legacy Forum Name: WMI variable for XP's "security center" AV status,
    Legacy Posted By Username: kentschu
  • I'm pretty late on this topic - but wondering if anyone has this figured out. Seems like this is pretty basic stuff. We don't want a different script for every av vendor on the market and not everyone is using KES.

    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • You can create an object from a VBS/WSH script to perform a WMI query

    objSWbemServices.ExecQuery("Select * From AntiVirusProduct")

    and then read these properties of the object:

    companyName
    displayName
    instanceGuid
    enableOnAccessUIMd5Hash
    enableOnAccessUIParameters
    onAccessScanningEnabled
    pathToUpdateUI
    productUptoDate
    updateUIMd5Hash
    updateUIParameters
    versionNumber

    If you google these property names you can find some prebuilt scripts to query WMI.

    Before setting the sub-object you have to recall wbemservices creating the main object:

    GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

    I hope this helps.






    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: aqxcb
  • Thanks, I was playing with the following - I don't get any errors, but my output to a text file is always blank. I'm testing this on XP SP2 w/McAfee Enterprise 8.0i installed. I'm not strong with VB scripting; am I doing something wrong?

    strComputer = "." ' Can be set to a remote machine.

    ' Continue past runtime errors so they can be checked via Err below.
    On Error Resume Next
    Set oWMI = GetObject _
        ("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer _
        & "\root\SecurityCenter")

    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
        ' One instance is returned per product registered with Security Center.
        For Each objAntiVirusProduct In colItems
            WScript.Echo "companyName: " & objAntiVirusProduct.companyName
            WScript.Echo "displayName: " & objAntiVirusProduct.displayName
            WScript.Echo "enableOnAccessUIMd5Hash: " _
                & objAntiVirusProduct.enableOnAccessUIMd5Hash
            WScript.Echo "enableOnAccessUIParameters: " _
                & objAntiVirusProduct.enableOnAccessUIParameters
            WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
            WScript.Echo "onAccessScanningEnabled: " _
                & objAntiVirusProduct.onAccessScanningEnabled
            WScript.Echo "pathToEnableOnAccessUI: " _
                & objAntiVirusProduct.pathToEnableOnAccessUI
            WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
            WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
            WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
            WScript.Echo "updateUIParameters: " _
                & objAntiVirusProduct.updateUIParameters
            WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
        Next
    Else
        ' Print the error details first; Err.Clear resets them.
        WScript.Echo "Unable to connect to SecurityCenter class on " _
            & strComputer & "."
        WScript.Echo " Error Number:" & Err.Number
        WScript.Echo " Source:" & Err.Source
        WScript.Echo " Description:" & Err.Description
        Err.Clear
    End If


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • The script works, but I think the problem is related to raw division with underscore symbol. VBS is not VB, it's simpler.

    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")


    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
    For Each objAntiVirusProduct In colItems
    WScript.Echo "companyName: " & objAntiVirusProduct.companyName
    WScript.Echo "displayName: " & objAntiVirusProduct.displayName
    WScript.Echo "enableOnAccessUIMd5Hash: " _
    & objAntiVirusProduct.enableOnAccessUIMd5Hash
    WScript.Echo "enableOnAccessUIParameters: " _
    & objAntiVirusProduct.enableOnAccessUIParameters
    WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
    WScript.Echo "onAccessScanningEnabled: " _
    & objAntiVirusProduct.onAccessScanningEnabled
    WScript.Echo "pathToEnableOnAccessUI: " _
    & objAntiVirusProduct.pathToEnableOnAccessUI
    WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
    WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
    WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
    WScript.Echo "updateUIParameters: " _
    & objAntiVirusProduct.updateUIParameters
    WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
    Next
    Else
    ' Print the error details first; Err.Clear resets them.
    WScript.Echo "Unable to connect to SecurityCenter class on " _
    & strComputer & "."
    WScript.Echo " Error Number:" & Err.Number
    WScript.Echo " Source:" & Err.Source
    WScript.Echo " Description:" & Err.Description
    Err.Clear
    End If


    This worked for me, but not all properties are resolved.




    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: aqxcb
  • Hmm. Still no error or output to the txt file. Are you using McAfee or another product?

    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • Trend Micro OfficeScan 8.0

    Try removing "On Error Resume Next" from source, so you can see the error.


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: aqxcb
  • Line 2
    Char 1
    Error 0x80041021
    Code 80041021
    Source (null)


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • Oh, you missed a slashbar in the object definition

    Set oWMI = GetObject ("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

    Please note the double \\ after {impersonationLevel=impersonate}!




    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: aqxcb
  • I'm not sure I'm getting this right. No error this time, but when I run this from the command line as

    avtest.vbs > test.txt

    The output file is blank -- should I be doing something else?

    Thanks for your help with this - I have a lot to learn in this area...

    I tried the following two:

    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")


    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
    For Each objAntiVirusProduct In colItems
    WScript.Echo "companyName: " & objAntiVirusProduct.companyName
    WScript.Echo "displayName: " & objAntiVirusProduct.displayName
    WScript.Echo "enableOnAccessUIMd5Hash: " _
    & objAntiVirusProduct.enableOnAccessUIMd5Hash
    WScript.Echo "enableOnAccessUIParameters: " _
    & objAntiVirusProduct.enableOnAccessUIParameters
    WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
    WScript.Echo "onAccessScanningEnabled: " _
    & objAntiVirusProduct.onAccessScanningEnabled
    WScript.Echo "pathToEnableOnAccessUI: " _
    & objAntiVirusProduct.pathToEnableOnAccessUI
    WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
    WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
    WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
    WScript.Echo "updateUIParameters: " _
    & objAntiVirusProduct.updateUIParameters
    WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
    Next
    Else
    ' Print the error details first; Err.Clear resets them.
    WScript.Echo "Unable to connect to SecurityCenter class on " _
    & strComputer & "."
    WScript.Echo " Error Number:" & Err.Number
    WScript.Echo " Source:" & Err.Source
    WScript.Echo " Description:" & Err.Description
    Err.Clear
    End If



    Also tried

    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")


    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
    For Each objAntiVirusProduct In colItems
    WScript.Echo "companyName: " & objAntiVirusProduct.companyName
    WScript.Echo "displayName: " & objAntiVirusProduct.displayName
    WScript.Echo "enableOnAccessUIMd5Hash: " & objAntiVirusProduct.enableOnAccessUIMd5Hash
    WScript.Echo "enableOnAccessUIParameters: " & objAntiVirusProduct.enableOnAccessUIParameters
    WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
    WScript.Echo "onAccessScanningEnabled: " & objAntiVirusProduct.onAccessScanningEnabled
    WScript.Echo "pathToEnableOnAccessUI: " & objAntiVirusProduct.pathToEnableOnAccessUI
    WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
    WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
    WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
    WScript.Echo "updateUIParameters: " & objAntiVirusProduct.updateUIParameters
    WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
    Next
    Else
    ' Print the error details first; Err.Clear resets them.
    WScript.Echo "Unable to connect to SecurityCenter class on " & strComputer & "."
    WScript.Echo " Error Number:" & Err.Number
    WScript.Echo " Source:" & Err.Source
    WScript.Echo " Description:" & Err.Description
    Err.Clear
    End If




    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • oops I meant

    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "rootSecurityCenter")


    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
    For Each objAntiVirusProduct In colItems
    WScript.Echo "companyName: " & objAntiVirusProduct.companyName
    WScript.Echo "displayName: " & objAntiVirusProduct.displayName
    WScript.Echo "enableOnAccessUIMd5Hash: " & objAntiVirusProduct.enableOnAccessUIMd5Hash
    WScript.Echo "enableOnAccessUIParameters: " & objAntiVirusProduct.enableOnAccessUIParameters
    WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
    WScript.Echo "onAccessScanningEnabled: " & objAntiVirusProduct.onAccessScanningEnabled
    WScript.Echo "pathToEnableOnAccessUI: " & objAntiVirusProduct.pathToEnableOnAccessUI
    WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
    WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
    WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
    WScript.Echo "updateUIParameters: " & objAntiVirusProduct.updateUIParameters
    WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
    Next
    Else
    ' Print the error details first; Err.Clear resets them.
    WScript.Echo "Unable to connect to SecurityCenter class on " & strComputer & "."
    WScript.Echo " Error Number:" & Err.Number
    WScript.Echo " Source:" & Err.Source
    WScript.Echo " Description:" & Err.Description
    Err.Clear
    End If

    and

    strComputer = "."
    Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "rootSecurityCenter")


    Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

    If Err = 0 Then
    For Each objAntiVirusProduct In colItems
    WScript.Echo "companyName: " & objAntiVirusProduct.companyName
    WScript.Echo "displayName: " & objAntiVirusProduct.displayName
    WScript.Echo "enableOnAccessUIMd5Hash: " _
    & objAntiVirusProduct.enableOnAccessUIMd5Hash
    WScript.Echo "enableOnAccessUIParameters: " _
    & objAntiVirusProduct.enableOnAccessUIParameters
    WScript.Echo "instanceGuid: " & objAntiVirusProduct.instanceGuid
    WScript.Echo "onAccessScanningEnabled: " _
    & objAntiVirusProduct.onAccessScanningEnabled
    WScript.Echo "pathToEnableOnAccessUI: " _
    & objAntiVirusProduct.pathToEnableOnAccessUI
    WScript.Echo "pathToUpdateUI: " & objAntiVirusProduct.pathToUpdateUI
    WScript.Echo "productUptoDate: " & objAntiVirusProduct.productUptoDate
    WScript.Echo "updateUIMd5Hash: " & objAntiVirusProduct.updateUIMd5Hash
    WScript.Echo "updateUIParameters: " _
    & objAntiVirusProduct.updateUIParameters
    WScript.Echo "versionNumber: " & objAntiVirusProduct.versionNumber
    Next
    Else
    ' Print the error details first; Err.Clear resets them.
    WScript.Echo "Unable to connect to SecurityCenter class on " _
    & strComputer & "."
    WScript.Echo " Error Number:" & Err.Number
    WScript.Echo " Source:" & Err.Source
    WScript.Echo " Description:" & Err.Description
    Err.Clear
    End If

    copied the wrong ones.


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • I swear the slashes are there before I hit send.

    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • The forum software removes various characters, I recommend posting code via attachments.

    Since I've written and am selling my Trend Micro A-V monitoring program, and I'm now working on a Symantec version, I have to point out some problems with this method:

    1. Only XP and higher are supported.

    2. It's only checking that the basic scan functionality is working.

        I tested this by stopping the Trend Micro listener service. For those unfamiliar with Trend Micro, this is the service that processes the update notifications from console. I checked the script results before and after stopping the service, no change occurred. So supporting services are not checked!!!! To which I ask what good is scanning if the pattern or definition file is old? Of course it will notify you eventually, but being more than a couple days out of date is bad.

    3. It doesn't allow for checking multiple products like client anti-virus and mail anti-virus.


    I do have to say it's a nice way to verify that some anti-virus software is installed and who it is.



    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: connectex
  • I hear what you're saying. So is there a better way to do this? The idea is to relieve us from having to look for problems with multiple AV vendors at dozens of sites. I'm having a hard time drinking the AVG/KES Kool-Aid.

    The end game would be to build a dashboard outside of Kaseya that shows a quick view of the general health of our supported networks. This helps from the aspect of a business owner and can quickly alert staff to problems.

    I started with AV, but there's a lot more to cover...


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: clintdewitt
  • Basic monitoring like Kaseya provides works. You run a script and then generate a report. The problem is checking the report is time consuming and most of the time, assuming you have things configured properly, there are no problems.

    But there's more to monitoring anti-virus:

    1. Detection - You need to find all products to check.

    2. Services - Verify services are setup properly and running, etc.

    3. Updates - Pattern / Definitions are staying up to date.

    The more anti-virus products you have the more complicated it gets. Since I've written a program to do this I can truly tell you it's more complex than it first appears. I'm selling it as I've spent quite a bit of time in the process and others can benefit from my efforts without reinventing the wheel.


    Legacy Forum Name: Anti-Virus Scripts,
    Legacy Posted By Username: connectex
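
As an added example (not code from any poster in this thread), here is a variant of the root\SecurityCenter query discussed above that reports an empty result instead of printing nothing, lists every registered product, and returns an exit code a monitoring job can act on. The file name avstatus.vbs, the exit codes 0/1/2 and the optional computer-name argument are assumptions of this example; it reads only properties named in the thread.

```vbscript
' Added example, not from the thread. Run under cscript so WScript.Echo writes
' to stdout and can be redirected:  cscript //nologo avstatus.vbs > test.txt
' (under wscript, Echo shows dialog boxes and the redirected file stays empty).
' Exit codes (assumed convention): 0 = healthy, 1 = missing/unhealthy, 2 = WMI error.
Option Explicit
Dim strComputer, oWMI, colItems, objAV, nProducts, nBad, bHealthy

strComputer = "."
If WScript.Arguments.Count > 0 Then strComputer = WScript.Arguments(0)

On Error Resume Next
Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\SecurityCenter")
If Err.Number <> 0 Then Fail "cannot open root\SecurityCenter", Err.Number, Err.Description

Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
nProducts = colItems.Count      ' touching Count surfaces a failed query here
If Err.Number <> 0 Then Fail "AntiVirusProduct query failed", Err.Number, Err.Description
On Error GoTo 0

' An empty result is not an error: the For Each body simply never runs,
' which shows up as "no error, blank output". Report it explicitly.
If nProducts = 0 Then
    WScript.Echo strComputer & ": no anti-virus registered with Security Center"
    WScript.Quit 1
End If

nBad = 0
For Each objAV In colItems
    WScript.Echo strComputer & ": " & objAV.displayName _
        & " (" & objAV.companyName & ") version " & objAV.versionNumber _
        & ", onAccessScanningEnabled=" & objAV.onAccessScanningEnabled _
        & ", productUptoDate=" & objAV.productUptoDate
    ' A Null or False flag leaves bHealthy False (an If on Null takes no branch).
    bHealthy = False
    If objAV.onAccessScanningEnabled = True And objAV.productUptoDate = True Then bHealthy = True
    If Not bHealthy Then nBad = nBad + 1
Next
If nBad > 0 Then WScript.Quit 1
WScript.Quit 0

' Error details are passed in as arguments so they are captured before any reset.
Sub Fail(strWhat, lngNumber, strDescription)
    WScript.Echo strComputer & ": " & strWhat & " (0x" & Hex(lngNumber) _
        & ") " & strDescription
    WScript.Quit 2
End Sub
```

As noted in the thread, these flags reflect only what the product reports to Security Center; supporting services and definition age still need their own checks.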