I'm working on a script to detect whether or not there is an antivirus solution running on a Windows machine. When running on Windows 8 I'm getting false positives that antivirus is disabled when running a third-party antivirus solution due to Windows Defender always being around, although disabled.
I can see the productState for the third-party antivirus software as valid and reporting correctly; however, my script is only pulling Windows Defender entries.
I need to keep the entries for Windows Defender, but I'm only interested in Windows Defender if there isn't any other antivirus software installed. I ran the following command from a command prompt to retrieve the data, which shows two separate entries.
    WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get /Format:List
I would like to only grab the third-party antivirus software if it's installed, otherwise keep the Windows Defender information.
How I'm trying to do this is by reading the instanceGUID and comparing it against the Windows Defender GUID; however, I'm getting a few false positives. Is there a way for me to parse this data correctly and ideally only look at the third-party information?
I'm including the full script to show exactly what I'm looking at, and I can cut it down if needed:
    Set objWMIServiceSC = GetObject("winmgmts:\\.\root\SecurityCenter2")
    Set colAVItems = objWMIServiceSC.ExecQuery("Select * from AntiVirusProduct")
    strWinDefGUID = "{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"   ' instanceGuid of Windows Defender
    For Each objAntiVirusProduct In colAVItems
        strinstanceGuid = objAntiVirusProduct.instanceGuid
        ' Hex() of productState is needed in both branches below (the original only set it in the first)
        AvStatus = Hex(objAntiVirusProduct.ProductState)
        If strinstanceGuid <> strWinDefGUID Then
            ' Third-party product. ProductState is a number, so compare it with a number:
            ' in VBScript a numeric value compared with a string literal such as "393472" is never equal.
            If (objAntiVirusProduct.ProductState = 393472 _
                Or Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
                Or Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
                strproductState = "ENABLED"
            Else
                strproductState = "DISABLED"
            End If
        Else
            ' Windows Defender entry
            If Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
                Or Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11" Then
                strproductState = "ENABLED"
            Else
                strproductState = "DISABLED"
            End If
        End If
        ' Definition age comes from the next pair of hex digits
        If Mid(AvStatus, 4, 2) = "00" Then
            strdefinitionState = "CURRENT"
        ElseIf Mid(AvStatus, 4, 2) = "10" Then
            strdefinitionState = "OUTDATED"
        End If
    Next
Just to reiterate, this is a Windows 8 issue.
I found a solution to my issue. Basically I ended up putting an If statement before my For statement looking at how many entries were in the Security Center WMI for AntiVirus. If there are 0 then it reports back none, if there is 1 installed then it reads the info, and if there are more than 1 it ignores Windows Defender and reads the rest. I'm including full code for future users.
    Dim objWMIServiceSC, objAntiVirusProduct, colAVItems, AvStatus
    Dim strdisplayName, strproductState, strdefinitionState
    ' errors is filled in by the poster's larger script; assumed here to be a
    ' Scripting.Dictionary so that this excerpt runs on its own.
    Set errors = CreateObject("Scripting.Dictionary")
    Set objWMIServiceSC = GetObject("winmgmts:\\.\root\SecurityCenter2")
    Set colAVItems = objWMIServiceSC.ExecQuery("Select * from AntiVirusProduct")
    If colAVItems.Count = 0 Then
        ' Nothing is registered with Security Center at all
        strdisplayName = "No"
        errors("Acceptable AntiVirus software found ") = "NO"
    ElseIf colAVItems.Count = 1 Then
        ' Exactly one product (on Windows 8 usually Windows Defender): report it as-is
        For Each objAntiVirusProduct In colAVItems
            strdisplayName = objAntiVirusProduct.displayName
            AvStatus = Hex(objAntiVirusProduct.ProductState)
            ' ProductState is a number; comparing it with a quoted string is never true in VBScript,
            ' so the known-good values are compared as numbers
            If (objAntiVirusProduct.ProductState = 266240 _
                Or objAntiVirusProduct.ProductState = 331776 _
                Or objAntiVirusProduct.ProductState = 397568 _
                Or Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
                Or Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
                strproductState = "ENABLED"
            Else
                strproductState = "DISABLED"
                errors("Antivirus scanning is ") = "DISABLED"
            End If
            If Mid(AvStatus, 4, 2) = "00" Then
                strdefinitionState = "CURRENT"
            ElseIf Mid(AvStatus, 4, 2) = "10" Then
                strdefinitionState = "OUTDATED"
                errors("AntiVirus Definitions are ") = "OUTDATED"
            End If
        Next
    ElseIf colAVItems.Count > 1 Then
        ' More than one product: skip Windows Defender and read the others
        For Each objAntiVirusProduct In colAVItems
            If objAntiVirusProduct.displayName <> "Windows Defender" Then
                strdisplayName = objAntiVirusProduct.displayName
                AvStatus = Hex(objAntiVirusProduct.ProductState)
                If (objAntiVirusProduct.ProductState = 393472 _
                    Or objAntiVirusProduct.ProductState = 266240 _
                    Or objAntiVirusProduct.ProductState = 331776 _
                    Or objAntiVirusProduct.ProductState = 397568 _
                    Or Mid(AvStatus, 2, 2) = "10" Or Mid(AvStatus, 2, 2) = "11" _
                    Or Mid(AvStatus, 5, 2) = "10" Or Mid(AvStatus, 5, 2) = "11") Then
                    strproductState = "ENABLED"
                Else
                    strproductState = "DISABLED"
                    errors("Antivirus scanning is ") = "DISABLED"
                End If
                If Mid(AvStatus, 4, 2) = "00" Then
                    strdefinitionState = "CURRENT"
                ElseIf Mid(AvStatus, 4, 2) = "10" Then
                    strdefinitionState = "OUTDATED"
                    errors("AntiVirus Definitions are ") = "OUTDATED"
                End If
            End If
        Next
    End If
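The same selection rule as the answer above, written as an added Python example (it is not code from the question or the answer). Instead of querying WMI it works from the text that the WMIC command in the question prints with /Format:List, so it runs anywhere: it parses that key=value output, zero-pads productState to six hex digits before reading the state and definition bytes (VBScript's Hex() drops the leading zero, which is why the Mid() offsets on this page have to be guessed per product), and prefers every entry whose instanceGuid is not Windows Defender's (the GUID from the question), falling back to Defender only when it is the sole registered product. The sample output, the "Example AV" product, its GUID, paths and timestamps are constructed; the byte layout (middle byte 0x10/0x11 = real-time protection on, low byte 0x00 = definitions current, 0x10 = out of date) is the commonly used reading of productState and is an assumption of this example, as is keeping 393472 (0x060100) on the enabled list the way the answer does.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# instanceGuid of Windows Defender, taken from the question above.
WINDOWS_DEFENDER_GUID = "{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"

# The answer treats productState 393472 (0x060100, middle byte 0x01) as ENABLED although
# its middle byte is not 0x10/0x11; that decision is kept here in one place (assumption).
EXTRA_ENABLED_STATES = {0x060100}

# Constructed sample of what the question's WMIC command prints with /Format:List:
# key=value lines, blank lines between instances. "Example AV", its GUID, the paths and
# timestamps are made up; the Defender GUID is the one from the question.
SAMPLE_WMIC_LIST = """

displayName=Windows Defender
instanceGuid={D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe=C:\\Program Files\\Windows Defender\\MSASCui.exe
pathToSignedReportingExe=C:\\Program Files\\Windows Defender\\MsMpEng.exe
productState=393216
timestamp=Mon, 06 Jan 2014 09:12:44 GMT


displayName=Example AV
instanceGuid={11111111-2222-3333-4444-555555555555}
pathToSignedProductExe=C:\\Program Files\\Example AV\\exampleav.exe
pathToSignedReportingExe=C:\\Program Files\\Example AV\\exampleav.exe
productState=266256
timestamp=Mon, 06 Jan 2014 09:13:01 GMT

"""


@dataclass
class AvStatus:
    display_name: str
    instance_guid: str
    product_state: int
    enabled: bool
    definitions: str  # "CURRENT", "OUTDATED" or "UNKNOWN"


def parse_wmic_list(text: str) -> List[Dict[str, str]]:
    """Turn /Format:List output into one dict per WMI instance.

    Instances are separated by blank lines and each line is key=value. Every line
    is stripped individually because WMIC emits stray carriage returns."""
    instances: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                instances.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        instances.append(current)
    return instances


def decode_product_state(state: int) -> Tuple[bool, str]:
    """Read productState as three bytes: product type, real-time state, definitions.

    The value is zero-padded to six hex digits first. VBScript's Hex() drops the
    leading zero (0x041000 becomes "41000"), shifting every Mid() offset by one;
    padding keeps the byte positions fixed whatever the product-type byte is."""
    state &= 0xFFFFFF
    hex6 = f"{state:06X}"
    state_byte = int(hex6[2:4], 16)
    defs_byte = int(hex6[4:6], 16)
    enabled = state_byte in (0x10, 0x11) or state in EXTRA_ENABLED_STATES
    if defs_byte == 0x00:
        definitions = "CURRENT"
    elif defs_byte == 0x10:
        definitions = "OUTDATED"
    else:
        definitions = "UNKNOWN"
    return enabled, definitions


def select_products(instances: List[Dict[str, str]]) -> List[AvStatus]:
    """The answer's rule: prefer everything that is not Windows Defender (matched on
    GUID rather than display name); keep Defender only when it is the sole product.
    An empty result means nothing is registered with Security Center."""
    statuses: List[AvStatus] = []
    for inst in instances:
        try:
            state = int(inst.get("productState", ""))
        except ValueError:
            continue  # missing or malformed productState: skip rather than guess
        enabled, definitions = decode_product_state(state)
        statuses.append(AvStatus(inst.get("displayName", "?"), inst.get("instanceGuid", ""),
                                 state, enabled, definitions))
    third_party = [s for s in statuses
                   if s.instance_guid.upper() != WINDOWS_DEFENDER_GUID.upper()]
    return third_party or statuses


def report(wmic_text: str) -> List[Dict[str, str]]:
    """The same three fields the VBScript fills in, one entry per selected product."""
    return [{"displayName": s.display_name,
             "productState": "ENABLED" if s.enabled else "DISABLED",
             "definitionState": s.definitions}
            for s in select_products(parse_wmic_list(wmic_text))]


if __name__ == "__main__":
    for entry in report(SAMPLE_WMIC_LIST):
        print(entry)
```

On a Windows host, pass the real output of the question's WMIC command (for example `subprocess.run([...], capture_output=True, text=True).stdout`) to `report()` instead of the constructed sample. Two consequences of the padding are worth knowing: the hardcoded values 266240, 331776 and 397568 all have a middle byte of 0x10 or 0x11 once padded, so they need no special casing, and a value such as 397568 (0x061100) decodes to definitions CURRENT here, whereas the unpadded five-character form on the page reads "10" at offset 4 and reports it as OUTDATED. Matching Defender on its instanceGuid rather than on the display name "Windows Defender" also keeps the selection stable if the product name is localised or renamed.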