Indigo Rose Software

Professional Software Development Tools

 
  1. #1
    Join Date
    Apr 2009
    Posts
    48

    Retrieving Antivirus Product

    Hello, I was wondering if it was possible in a .vbs script or something else to find out what your active antivirus product is and return the value to AMS (like what Windows Security Centre does)

    e.g. BitDefender

    if this is possible somehow could you please assist me on how to go about doing it


    thanks so much for your time

  2. #2
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    You can obtain a Table of all software installed on the user's system via the following registry-key:

    Code:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    Then you can do a search of this Table for the term "antivirus", which will return a value back to AMS.
    Here's an example:

    Get installed programs via Reg.GetValue & Search for Antivirus.apz

    But ... I can't figure out how to get AMS to return the actual name for the antivirus-product when it's an unknown value. I've tried getting it to return a value using a wildcard-search (eg. *antivirus*) but it doesn't work ... it just returns a -1 value. Perhaps someone else has an idea on how to tweak this example?
    Last edited by mystica; 08-14-2009 at 07:05 PM.

  3. #3
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    I've spent some time looking into this topic ... and it seems there's no easy solution. But I've developed a couple of better working examples that should help or at least be a good start.

    They're not perfect by any means. The problem is that not even Windows really monitors installed antivirus-products properly. The Alert that the Windows Security Center gives when you don't have an anti-virus program installed is a bit of an illusion and will often return false warnings. This is because the alerts are controlled by a registry-key, located at:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
    ... in which Windows lists 14 'popular' antivirus products. Monitoring from the Windows Security Center originates from this key. If your antivirus program isn't one of these 14, you'll get false alerts unless you disable the associated reg-key.

    Anyway, of the 2 solutions I developed today, one is based on this Windows Security Center monitoring key ... and as such, it will only detect the 14 antivirus-products listed there.

    The second solution is a little better and will detect a wider range, as it's based on the regkey that regulates the Uninstall-Utility in the Windows Control Panel. It's located at:

    Code:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    Most antivirus-products show up in the Uninstall List, so they will also be listed in this regkey. The weakness with this method is that it looks for the name of the antivirus product based on a non-specific search-term ("antivirus"), and so if the product doesn't use the term 'antivirus' in its title, it won't get identified. Still, it will return the names of a wide range of antivirus installations ... it works by using delimited-strings to get a match on the product-name and then it returns this as a string-value to the application.

    There's no doubt some of the more experienced members will be able to improve upon these 2 examples ... but perhaps these'll at least get you started, yeh? Anyway, the 2 examples are attached below.
    Last edited by mystica; 08-15-2009 at 09:16 AM.

  4. #4
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    Minor update to Identify Installed Antivirus Software (Example-1).

    I've just modded some of the code, so it returns n/a (not-applicable) values when no antivirus software is detected.

    Use this new upload for Example-1:
    Last edited by mystica; 08-15-2009 at 10:02 AM.

  5. #5
    Join Date
    Oct 2007
    Location
    Gensokyo
    Posts
    1,324

  6. #6
    Join Date
    Apr 2007
    Location
    Raalte, OV, Netherlands
    Posts
    3,287
    Same here, it didn't detect NOD32.
    Bas Groothedde
    Imagine Programming :: Blog :: Familiar people here

    My AMS Plugins:

  7. #7
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    Check the registry-key I mentioned above, guys. It may not actually have the word "antivirus" in the title there. As I said, if it doesn't, it won't be detected ... because that's the search-term I used in the code. It's entirely dependent on this reg-key title that Windows allocates to it, not the actual product-title or program-files title. As I mentioned, it's not perfect but there's no easy solution that I can think of.
    Feel free to come up with a workaround, yeh?
    Last edited by mystica; 08-15-2009 at 11:32 AM.
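
The Uninstall-key search discussed in the posts above, as an added example that is not code from the thread or its attachments: it matches each entry's DisplayName against several keywords instead of the single term "antivirus", and returns n/a when nothing matches. The keyword list and the sample names are assumptions; outside AMS (no Registry or Dialog actions) it falls back to the constructed sample and print.

```lua
-- Added example, not from the thread: search the Uninstall key's DisplayName
-- values for several keywords rather than only "antivirus".
local UNINSTALL = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
-- Assumed keyword list, limited to terms that appear in this thread.
local KEYWORDS = { "antivirus", "anti-virus", "bitdefender", "nod32" }

-- Return every name that contains one of the keywords. The match is
-- case-insensitive and plain (the 4th argument disables Lua patterns,
-- so "-" in "anti-virus" is taken literally).
local function find_av(names, keywords)
  local hits = {}
  for _, name in ipairs(names) do
    local lower = string.lower(name)
    for _, kw in ipairs(keywords) do
      if string.find(lower, kw, 1, true) then
        table.insert(hits, name)
        break -- one hit per product is enough
      end
    end
  end
  return hits
end

-- Read DisplayName from every subkey of the Uninstall key (AMS Registry actions).
local function installed_names()
  local names = {}
  local keys = Registry.GetKeyNames(HKEY_LOCAL_MACHINE, UNINSTALL) or {}
  for _, key in pairs(keys) do
    local display = Registry.GetValue(HKEY_LOCAL_MACHINE, UNINSTALL.."\\"..key, "DisplayName", true)
    if display ~= nil and display ~= "" then
      table.insert(names, display)
    end
  end
  return names
end

-- Constructed sample names, used only when the script runs outside AMS.
local SAMPLE = { "Example Archiver 1.0", "Example NOD32 Suite",
                 "BitDefender (constructed entry)", "Example Browser 3.5" }

local names = Registry and installed_names() or SAMPLE
local hits = find_av(names, KEYWORDS)
local text = (next(hits) ~= nil) and table.concat(hits, "\r\n") or "n/a"
if Dialog then
  Dialog.Message("Antivirus products", text, MB_OK, MB_ICONINFORMATION, MB_DEFBUTTON1)
else
  print(text)
end
```

On 64-bit Windows a 32-bit process reading HKLM\SOFTWARE is redirected to the WOW6432Node view, so uninstall entries written by 64-bit products can be missing from this list.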

  8. #8
    Join Date
    Oct 2007
    Location
    Gensokyo
    Posts
    1,324
    I don't have a Security Center, meaning I have no key to look at. Also, don't ask why I don't have a Security Center.

  9. #9
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    Quote (originally posted by ShadowUK):
    "I don't have a Security Center, meaning I have no key to look at. Also, don't ask why I don't have a Security Center."
    The Security Center applies to Example-2 only. Example-1 is based on the regkey that regulates the Windows Uninstall Utility in the Control Panel, so look there instead (not at the control-panel, but the regkey allocated to it ... as listed above).
    Last edited by mystica; 08-15-2009 at 11:43 AM.

  10. #10
    Join Date
    Apr 2007
    Location
    Raalte, OV, Netherlands
    Posts
    3,287
    Quote (originally posted by ShadowUK):
    "I don't have a Security Center, meaning I have no key to look at. Also, don't ask why I don't have a Security Center."
    Why do you have such a long trial period... ?
    Bas Groothedde

  11. #11
    Join Date
    May 2006
    Posts
    1,443
    you can also use WMI with LuaCom plugin


    Code:
    -- Connect to the WMI SecurityCenter namespace through the LuaCOM plugin
    local obj = luacom.GetObject("winmgmts:{impersonationLevel=Impersonate}!\\\\.\\root\\SecurityCenter");

    if (obj ~= nil) then
      -- Query every antivirus product registered with the Security Center
      local objEnum = obj:ExecQuery("Select * From antivirusProduct");
      if (objEnum ~= nil) then
        local enum = luacom.GetEnumerator(objEnum)
        local item = enum:Next()

        -- Show one dialog per registered product
        while item do
          local str_product = "companyName : "..item:companyName().."\r\n"..
                              "displayName : "..item:displayName().."\r\n"..
                              "instanceGuid : "..item:instanceGuid().."\r\n"..
                              -- "onAccessScanningEnabled : "..item:onAccessScanningEnabled().."\r\n".. -- boolean
                              -- "productUptoDate : "..item:productUptoDate().."\r\n".. -- boolean
                              "versionNumber : "..item:versionNumber()

          Dialog.Message("Notice", str_product, MB_OK, MB_ICONINFORMATION, MB_DEFBUTTON1);

          item = enum:Next()
        end
      end

      -- Drop the references so the COM objects can be collected
      obj = nil;
      objEnum = nil;
      collectgarbage();
    end
    Result :
    antinfo.jpg

  12. #12
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    simply great stuff, reteset! many thanks.

  13. #13
    Join Date
    Apr 2007
    Location
    Raalte, OV, Netherlands
    Posts
    3,287
    Very nice indeed reteset, never really knew how much WMI actually can do.
    Bas Groothedde

  14. #14
    Join Date
    May 2007
    Location
    Sydney, Australia
    Posts
    1,546
    New example attached ... using Reteset's code. Much better!
    Last edited by mystica; 08-16-2009 at 05:28 PM.
