How to get Antivirus information with WMI (VBScript)
Hi all, welcome back,
As we read in Windows Security Center – Managing the State of Security, the vast majority of antivirus Independent Software Vendors (ISVs) support WMI integration: on Windows XP SP2 and Windows Server 2003 their products register themselves in the root\SecurityCenter WMI namespace, and Windows Security Center reads that namespace to detect antivirus and firewall solutions. Two caveats before you rely on it: the namespace contains only what a vendor chose to report (a product can be registered and still be switched off or out of date, which is what the onAccessScanningEnabled and productUptoDate properties are for), and, as the comments below work out, it moved to root\SecurityCenter2 on Vista SP1 and later and is absent on x64 XP/2003 and on server SKUs unless the vendor ships its own provider.
The following script reads the AntiVirusProduct class from the legacy namespace and prints what each registered product reports:
Option Explicit
Dim strComputer, oWMI, colItems, objItem

' "." is the local machine; a hostname queries a remote box (needs admin rights and WMI/DCOM access)
strComputer = "."

' Legacy Security Center store of Windows XP SP2 / Server 2003. On Vista SP1, Windows 7 and later
' the products register in root\SecurityCenter2 instead, and server SKUs and x64 XP/2003 have
' neither namespace unless the vendor installed its own provider, so GetObject fails there.
Set oWMI = GetObject( _
    "winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\SecurityCenter")

' One AntiVirusProduct instance per registered product
Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")

For Each objItem In colItems
    With objItem
        WScript.Echo "companyName:                  " & .companyName
        WScript.Echo "displayName:                  " & .displayName
        WScript.Echo "instanceGuid:                 " & .instanceGuid
        WScript.Echo "onAccessScanningEnabled:      " & .onAccessScanningEnabled
        WScript.Echo "pathToSignedProductExe:       " & .pathToSignedProductExe
        WScript.Echo "productHasNotifiedUser:       " & .productHasNotifiedUser
        WScript.Echo "productState:                 " & .productState
        WScript.Echo "productUptoDate:              " & .productUptoDate
        WScript.Echo "productWantsWscNotifications: " & .productWantsWscNotifications
        WScript.Echo "versionNumber:                " & .versionNumber
        WScript.Echo ""
    End With
Next
Cheers,
Alex (Alejandro Campos Magencio)
Comments
August 25, 2008
What about 64-bit systems... XP x64 / 2003 x64 doesn't seem to have this namespace. I've verified with WMICodeCreator and Scriptomatic...
- Anonymous
August 25, 2008
You are right, the root\SecurityCenter namespace is not in x64 systems by default. An antivirus WMI provider must be installed for that namespace to exist in x64 systems. You should contact the antivirus vendor and ask for the WMI provider.
Cheers,
Alex
- Anonymous
October 02, 2008
Is it possible to get antivirus information with WMI (VBScript) in the case of Windows Vista and Windows 2008? If yes, then can you please guide...
Basant
- Anonymous
February 08, 2009
Hi,
This namespace is no longer available on Windows Vista SP1 / 2008 Server. That namespace is the legacy store for ISV products to register and report the status of their AV/AS/FW products. We no longer support writing directly to the root\SecurityCenter WMI namespace, and instead vendors must use our API. This API is not published and is only made available to those vendors that meet the criteria. Contact info can be found here:
Implementing the Teredo Security Model
http://msdn.microsoft.com/en-us/library/bb190942(VS.85).aspx
"The API utilized to register a firewall with the WSC can be obtained by contacting Microsoft at wscisv@microsoft.com. A Non-Disclosure Agreement (NDA) is required for the disclosure of this API due to security concerns."
I've only found this public info on the API:
Windows Security Center
http://msdn.microsoft.com/en-us/library/bb963845(VS.85).aspx
Regards,
Alex
- Anonymous
April 20, 2009
So I am reading your blog post entitled "How to get Antivirus information with WMI (VBScript)"; you state that writing to root\SecurityCenter is no longer supported in Vista SP1 and Windows 2008. However, I'm unclear if this namespace is supported for reading data going forward.
Brief background: I do a lot of work with ConfigMgr, and during my reviews of some environments I find lots of workstations that are listed within ConfigMgr that are not listed within the AV management software (EPO for example). I want to create a ConfigMgr update that will read and collect all of root\SecurityCenter. This task should be easily done in 1-2 days to update and test. Then we would compare the EPO results to the ConfigMgr results, comparing/fixing the differences between both products. However, if this class is not being updated by the majority of AV vendors any more, then is there another class that is being used now?
- Anonymous
June 13, 2009
I would also like to know where to look for WMI antivirus status in Vista SP1+. I've checked root\SecurityCenter2 but all that's listed there is one single entry for "displayName = Trend Micro Client/Server Security Agent Antivirus". Nothing there for AV status or whether it's up to date.
How can you get antivirus information with WMI for Vista SP1 or SP2 (or Windows 7 for that matter)?
Thanks
- Anonymous
June 13, 2009
I believe the solution to querying antivirus status on Vista SP1/SP2 is the strange "productState" value. This seems to represent the entire AV status as a number, e.g.:
C:\>WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List
displayName=Trend Micro Client/Server Security Agent Antivirus
productState=266240
If you stop the AV services, the productState changes to 262144.
productState=262144 = Up to Date Defs, On Access Scanning OFF
productState=266240 = Up to Date Defs, On Access Scanning ON
Is there any info from Microsoft regarding these productState values? Are they different for each AV version etc. etc..
Thanks.
- Anonymous
July 02, 2009
Hi John,
Did you get any further on the productStates?
Thanks
- Anonymous
July 03, 2009
To read the product state you have to use WscGetSecurityProviderHealth in wscapi.dll. More information here:
http://msdn.microsoft.com/en-us/library/bb432506(VS.85).aspx
There is also an example in the Windows Software Development Kit (SDK) for Windows Server 2008 and .NET Framework 3.5.
- Anonymous
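The WscGetSecurityProviderHealth call mentioned in the comment above is the documented alternative to guessing at the productState number. What follows is an added PowerShell example, not code from the original post or from the commenter, that calls that export of wscapi.dll through P/Invoke. The provider flags and health values are the WSC_SECURITY_PROVIDER and WSC_SECURITY_PROVIDER_HEALTH constants from wscapi.h; the function, variable and column names are the example's own. It assumes a Windows client with the Security Center service (Vista SP1 / Windows 7 and later); Windows Server editions do not ship Security Center, so expect a failing HRESULT there rather than a health value.

```powershell
# Added example: ask the documented WSC API for provider health instead of
# decoding the undocumented productState. Assumes a client Windows with the
# Security Center service (no WSC on Server SKUs, so the call fails there).
$wscNative = @'
using System.Runtime.InteropServices;
public static class WscNative {
    // HRESULT WscGetSecurityProviderHealth(DWORD Providers, PWSC_SECURITY_PROVIDER_HEALTH pHealth)
    [DllImport("wscapi.dll", ExactSpelling = true)]
    public static extern int WscGetSecurityProviderHealth(uint providers, out int health);
}
'@
Add-Type -TypeDefinition $wscNative

# WSC_SECURITY_PROVIDER flags and WSC_SECURITY_PROVIDER_HEALTH values (wscapi.h)
$WscProvider = @{ Firewall = 1; AutoUpdate = 2; Antivirus = 4; Antispyware = 8
                  InternetSettings = 16; UserAccountControl = 32; Service = 64 }
$WscHealth   = @{ 0 = 'GOOD'; 1 = 'NOTMONITORED'; 2 = 'POOR'; 3 = 'SNOOZE' }

function Get-WscProviderHealth {
    param([string[]]$Provider = @('Antivirus', 'Antispyware', 'Firewall'))
    foreach ($name in $Provider) {
        $health = 0
        $hr = [WscNative]::WscGetSecurityProviderHealth([uint32]$WscProvider[$name], [ref]$health)
        # S_OK (0) means $health is valid; any failure HRESULT (negative int) means WSC
        # could not be asked at all, which is a finding in itself on a client box.
        $status = if ($hr -eq 0) { $WscHealth[$health] } else { 'CALL FAILED' }
        [pscustomobject]@{
            Provider = $name
            HResult  = ('0x{0:X8}' -f $hr)
            Health   = $status
        }
    }
}

# Anything other than GOOD is the same "raise an alert" condition that the
# productState <> 266240 check in the comments below is trying to express.
Get-WscProviderHealth | Format-Table -AutoSize
```

Run it from an elevated or normal PowerShell session on the client; Add-Type compiles the wrapper once per session, so re-running the snippet in the same session reports that the type already exists, which is harmless.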
August 31, 2009
How to check on Windows 2003?? Is there any way to get the AV information?
- Anonymous
September 10, 2009
I am also looking for more information about productStates. Victor's post doesn't really explain the values given by WMI.
- Anonymous
September 28, 2009
Is it possible to save the scan results into a .txt file?
- Anonymous
October 28, 2009
Sorry for the late reply Victor, just seeing this now.
Anyway, we are successfully looking for these values:
productState=266240: This means the AV has up to date definitions with On Access Scanning turned ON
productState=262144: This means the AV has up to date defs but On Access Scanning OFF
There are other values but these are not necessary since in our case all we care about is productState=266240; otherwise we have an AV problem.
I wrote a Nagios monitoring plug-in to audit all machines on the network looking for productState=266240 (AV okay), and if not 266240 then there is some problem that needs to be investigated, so flag an alert.
That's sufficient for our needs.
Thanks,
John.
- Anonymous
November 03, 2009
John! Could you please let us know whether it is possible to fetch the AV information installed on server operating systems? As I checked and found, this script shows for desktops only..
- Anonymous
December 02, 2009
Can somebody provide a value map for AntiVirusProduct.productState? The developer "forgot" to put the property qualifier in the class definition. I'm getting productState = 397312 and would like to know what it means.
- Anonymous
January 06, 2010
I've caught another value whose meaning is:
productState=266256 = NOT Up to Date Defs, On Access Scanning ON
Can anybody confirm that productState=397312 means everything fine (up to date and scanning on)?
John, can you tell us where we can see the other values and their meanings? I think that would be very useful for everybody.
Does anyone know about the Firewall productState values? Because till now I couldn't get any value, even with a 3rd party FW installed. For now, I'm just assuming that if FW.productState=266240 everything is fine.. but it's just an assumption, nothing more..
Regards,
JP
- Anonymous
January 14, 2010
Does anybody know which is the closest property I can get for "FW.enabled" on Vista? How can we list out all the properties supported by the FW object?
JP, the productState is different for me. I ran it on two different computers and it gave me different values. I don't think that can be used with reliability.
- Anonymous
January 14, 2010
Sorry, I was wrong there. The FW.productState does stay static. Every product has two productState values: one when everything is fine and two, when something changes. I tried toggling the firewall on/off and uninstalling the firewall product, and it gave me consistent FW.productState values.
- Anonymous
February 03, 2010
If you convert it to hex you have:
Byte 1: I think it's the type of antivirus (see: http://msdn.microsoft.com/en-us/library/bb432509%28VS.85%29.aspx)
Byte 2: Active/inactive status (10: active, 00: inactive)
Byte 3: No idea...
For example:
397312 => 0x061000
06: 0x04 & 0x02: Antivirus with AutoUpdate
10: Active
00: ??
That's what I think, but I can't find anything to confirm it...
- Anonymous
March 18, 2010
Posted about SecurityCenter2 and client antivirus states on my blog, based on comments on this site!
- Anonymous
May 30, 2010
Can you help me? I want to get AntiVirusProduct (displayName, companyName) on Windows 2008 Server, but it has no SecurityCenter. To get this information on a server OS, which path (e.g. root/securitycenter) do I base it on, or is there another method for this problem? Please tell me. My email: quangthang2622@yahoo.com. Thanks a lot.
- Anonymous
February 07, 2011
To correct my post: the 19th bit means it's up to date!
- Anonymous
September 16, 2011
Hi there! I think you should check out www.opswat.com; there are 2 or 3 products that may be a match. I think that the OESIS Framework at www.opswat.com/.../oesis-framework provides a single interface to many antivirus packages. Another option is, I think, Metascan at www.opswat.com/.../metascan, which is more for ISVs. I also found that many antivirus engines are certified by OPSWAT at www.opswat.com/certified. I hope this helps.
Mike
- Anonymous
September 22, 2011
When I run this script it says exit code 0.. what does it mean?
- Anonymous
October 16, 2011
Will this WMI work for Windows Server 2003 for Small Business Server SP2? If not, is there any other way?
- Anonymous
April 29, 2012
If you are looking for additional data related to the pre-installed security application, such as the threats the antivirus found or the authenticity of the security application, you may want to check out the OPSWAT OESIS Framework; please note it is a commercial application.
- Anonymous
August 23, 2012
Hey guys, another alternative to WMI is the OPSWAT OESIS framework. Although it does not come free with Microsoft, it supports Mac OS, iOS, Android and other features in antivirus manageability such as getting threat logs, the status of the hard disk encryption and other features WMI does not report. The APIs are pure C/C++ or COM.
- Anonymous
August 30, 2012
What does WMI report for features in antivirus products like back-up or disk encryption?
- Anonymous
August 31, 2012
Don't think WMI supports this. There is an SDK called OPSWAT that uses WMI that includes back-up and encryption data that can be called via VB.
- Anonymous
May 12, 2013
Thanks for the script. A few lines had to be removed as the classes weren't available. :)
- Anonymous
May 13, 2014
Here are the productState values I have found from 34 different AV products across over 10000 endpoints (decimal, hex, bits set):
262144, 40000, 1000000000000000000
262160, 40010, 1000000000000010000
266240, 41000, 1000001000000000000
270336, 42000, 1000010000000000000
327680, 50000, 1010000000000000000
327696, 50010, 1010000000000010000
331776, 51000, 1010001000000000000
344064, 54000, 1010100000000000000
393216, 60000, 1100000000000000000
393232, 60010, 1100000000000010000
393472, 60100, 1100000000100000000
393488, 60110, 1100000000100010000
397312, 61000, 1100001000000000000
397328, 61010, 1100001000000010000
397568, 61100, 1100001000100000000
397584, 61110, 1100001000100010000
458752, 70000, 1110000000000000000
458768, 70010, 1110000000000010000
462848, 71000, 1110001000000000000
462864, 71010, 1110001000000010000
- Anonymous
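Putting the script in the post together with the productState values collected in this thread, here is an added PowerShell example (not code from the original post or from any commenter) that queries the modern root/SecurityCenter2 namespace, falls back to the legacy root/SecurityCenter store, and decodes productState for AntiVirusProduct, AntiSpywareProduct or FirewallProduct. The three-byte layout it assumes (provider flags, real-time state, signature state) is the community decoding worked out in the comments above, with the provider flag values taken from the WSC_SECURITY_PROVIDER constants in wscapi.h; Microsoft does not document productState, so the decoder is an assumption that the 20 values in the table above happen to fit, not a specification. Because everything in the namespace is self-reported by the vendor, the example also checks that the registered executable exists and carries a valid Authenticode signature before you trust the entry. All function and property names are the example's own.

```powershell
# Added example, not code from the original post or its comments.
# Assumed productState layout (undocumented; community decoding from the thread):
#   bits 16-23  WSC_SECURITY_PROVIDER flags of the registering product
#   bits  8-15  real-time state: 0x10 on, 0x00 off, 0x01 snoozed, 0x11 expired
#   bits  0-7   signature state: 0x00 up to date, 0x10 out of date

function ConvertFrom-WscProductState {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][int]$ProductState)
    process {
        $providerByte = ($ProductState -shr 16) -band 0xFF
        $stateByte    = ($ProductState -shr 8)  -band 0xFF
        $sigByte      =  $ProductState          -band 0xFF

        # WSC_SECURITY_PROVIDER bit flags (wscapi.h)
        $providerNames = @{ 1 = 'FIREWALL'; 2 = 'AUTOUPDATE_SETTINGS'; 4 = 'ANTIVIRUS'
                            8 = 'ANTISPYWARE'; 16 = 'INTERNET_SETTINGS'
                            32 = 'USER_ACCOUNT_CONTROL'; 64 = 'SERVICE' }
        $providers = foreach ($flag in ($providerNames.Keys | Sort-Object)) {
            if ($providerByte -band $flag) { $providerNames[$flag] }
        }
        $realTime = switch ($stateByte) {
            0x10    { 'On' }
            0x00    { 'Off' }
            0x01    { 'Snoozed' }
            0x11    { 'Expired' }
            default { 'Unknown(0x{0:X2})' -f $stateByte }
        }
        $signatures = switch ($sigByte) {
            0x00    { 'UpToDate' }
            0x10    { 'OutOfDate' }
            default { 'Unknown(0x{0:X2})' -f $sigByte }
        }
        [pscustomobject]@{
            ProductState = $ProductState
            Hex          = ('0x{0:X6}' -f $ProductState)
            Providers    = ($providers -join '+')
            RealTime     = $realTime
            Signatures   = $signatures
            Healthy      = ($realTime -eq 'On' -and $signatures -eq 'UpToDate')
        }
    }
}

function Get-WscProductStatus {
    [CmdletBinding()]
    param(
        [ValidateSet('AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct')]
        [string]$ClassName = 'AntiVirusProduct',
        [string]$ComputerName   # leave empty for the local machine
    )
    # root/SecurityCenter2 is the Vista SP1 / Windows 7+ store, root/SecurityCenter the
    # XP/2003 one. Server SKUs and x64 XP/2003 have neither unless a vendor provider
    # created it, so "namespace missing" is reported instead of being read as "no AV".
    foreach ($ns in 'root/SecurityCenter2', 'root/SecurityCenter') {
        $cim = @{ Namespace = $ns; ClassName = $ClassName; ErrorAction = 'Stop' }
        if ($ComputerName) { $cim.ComputerName = $ComputerName }
        $items = $null
        try   { $items = @(Get-CimInstance @cim) }
        catch { Write-Verbose "$ns\$ClassName unavailable: $($_.Exception.Message)" }
        if ($null -eq $items) { continue }
        if ($items.Count -eq 0) { Write-Warning "$ns exists but no $ClassName is registered" }
        foreach ($p in $items) {
            $state = ConvertFrom-WscProductState -ProductState $p.productState
            # The namespace is vendor self-reported, so at least verify the registered
            # binary is present and carries a valid Authenticode signature.
            $exeSig = 'NotChecked'
            if ($p.pathToSignedProductExe -and (Test-Path -LiteralPath $p.pathToSignedProductExe)) {
                $exeSig = (Get-AuthenticodeSignature -FilePath $p.pathToSignedProductExe).Status
            }
            [pscustomobject]@{
                Namespace    = $ns
                DisplayName  = $p.displayName
                ProductState = $state.Hex
                Providers    = $state.Providers
                RealTime     = $state.RealTime
                Signatures   = $state.Signatures
                Healthy      = $state.Healthy
                ExePath      = $p.pathToSignedProductExe
                ExeSignature = $exeSig
            }
        }
        return   # the first namespace that answered is authoritative
    }
    Write-Warning 'No Security Center namespace found (server SKU or no vendor WMI provider)'
}

# Offline check against values reported in the comments (constructed input, no WMI needed)
266240, 262144, 266256, 397312, 393472 | ConvertFrom-WscProductState | Format-Table -AutoSize

# Live query of the local machine; add -ClassName FirewallProduct for the firewall entry
Get-WscProductStatus -Verbose | Format-List
```

The `-shr` operator and Get-CimInstance need PowerShell 3.0 or later. Under the assumed layout the first two constructed values decode to on/up-to-date and off/up-to-date, the third to on/out-of-date, and 393472 (0x060100) to a snoozed scanner, which is the reading the commenters arrived at by experiment; anything whose Healthy column is False, whose ExeSignature is not Valid, or that produces the "no namespace" warning on a client SKU is worth a ticket, since WMI alone cannot tell a removed product from one that never registered.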
July 16, 2014
Hi! Is it possible to get the antivirus license info using WMI???
- Anonymous
June 07, 2015
Is it possible to get a detailed description of the product state values, whether they are up to date or not?
- Anonymous