This might be the wrong forum for this, but does anyone know the registry entry or flag bits that tell Microsoft Security that an AV is off or out-of-date? I'm trying to do an out-of-date AV procedure, and checking the flag seemed to be the most straightforward way of doing it. I know that not all AVs are supported for this check, but the ones I'm checking for are.
Sean, were you able to get anywhere with this? I'm curious too.
I have used this on some computers, but as Sean has said, it only works for machines running Security Center.
wmic /NAMESPACE:\\root\SecurityCenter PATH AntiVirusProduct GET * /value
wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET * /value
If the product states are these, then:
productState=262144 = Up to Date Defs, On Access Scanning OFF
productState=266240 = Up to Date Defs, ON Access Scanning ON
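The same query as the wmic commands above, done from PowerShell, with the productState decoding the post describes. This is an added example, not code from the original thread. Only the two codes quoted in the post (262144 = 0x040000 and 266240 = 0x041000) are confirmed by the thread; the bit masks used for any other value are an assumption based on the commonly cited 24-bit layout of productState (0xAABBCC, where BB is the on-access scanner status and CC the definition status), so check them against the products you actually deploy. The function names `ConvertFrom-AvProductState` and `Get-AvStatus` are this example's own.

```powershell
# Added example (not from the original thread).
# Decodes root\SecurityCenter2 AntiVirusProduct.productState into
# "on-access scanning on?" and "definitions up to date?".
#
# The two values in the lookup table are the ones quoted in the post.
# The bit masks used for everything else are an ASSUMPTION (commonly cited
# layout: 0x1000 set => on-access scanning ON, 0x0010 set => defs OUT OF DATE).

function ConvertFrom-AvProductState {
    param([Parameter(Mandatory)][int]$State)

    $known = @{
        262144 = @{ Enabled = $false; UpToDate = $true }   # 0x040000, from the post
        266240 = @{ Enabled = $true;  UpToDate = $true }   # 0x041000, from the post
    }

    if ($known.ContainsKey($State)) {
        $r = $known[$State]
        $source = 'table (values from the thread)'
    } else {
        # Assumed bit layout; agrees with both table entries above.
        $r = @{
            Enabled  = (($State -band 0x1000) -ne 0)
            UpToDate = (($State -band 0x0010) -eq 0)
        }
        $source = 'bitmask (assumed layout, verify per product)'
    }

    [pscustomobject]@{
        ProductState = $State
        Hex          = ('0x{0:X6}' -f $State)
        OnAccessOn   = $r.Enabled
        DefsUpToDate = $r.UpToDate
        DecodedBy    = $source
    }
}

function Get-AvStatus {
    # PowerShell equivalent of:
    #   wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET * /value
    # Machines without Security Center (servers, pre-XP SP2) have no such namespace,
    # so treat a failed query as "cannot tell" rather than "no AV".
    try {
        $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
                                    -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        Write-Warning "root/SecurityCenter2 not available: $($_.Exception.Message)"
        return
    }

    foreach ($p in $products) {
        $d = ConvertFrom-AvProductState -State $p.productState
        [pscustomobject]@{
            DisplayName  = $p.displayName
            ProductState = $d.ProductState
            Hex          = $d.Hex
            OnAccessOn   = $d.OnAccessOn
            DefsUpToDate = $d.DefsUpToDate
            DecodedBy    = $d.DecodedBy
            # What an out-of-date/off AV procedure should act on:
            NeedsAction  = -not ($d.OnAccessOn -and $d.DefsUpToDate)
        }
    }
}

# Offline decode of the two codes quoted in the post:
ConvertFrom-AvProductState 262144 | Format-Table -AutoSize
ConvertFrom-AvProductState 266240 | Format-Table -AutoSize

# Live query (Vista and later, Security Center present):
Get-AvStatus | Format-Table -AutoSize
```

The `DecodedBy` column tells you whether a result came from the two values the thread confirms or from the assumed bit masks, which matters when you roll this out against products whose codes you have not seen before. A product can also be registered but reporting neither flag as expected, so anything with `NeedsAction` true is worth a manual look before you automate remediation on it.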
That is what I ended up doing, but slightly modified for pre-Vista machines. Pre-Vista has 3 separate values that are later combined into the product state. These are:
This may sound odd, but I think the "true" value is -1. I got this value using multiple up to date AVs.
Also, those aren't the only product states I've run into for Vista and later. This is because some AVs don't have built-in automatic updates and some other features. I found a pretty descriptive article about how these values are obtained, and it has a list of some common product states.
Hope this helps.
Months ago now, you guys should try and use the search function before posting
FYI, there are more productState codes than just "0 & -1" and "262144 & 266240"; it actually depends on the AV product that you are using...