
WMI AV Check Function


MrRich

I've been converting various vbscripts to AutoIT without much trouble. I'm kinda new to AutoIT, but the language is simple enough. I seem to have run into a roadblock, though. Either I'm overlooking something simple, which is likely, or I've run across a bug, and in either case my eyes just don't see it.

I am trying to convert some VB code by Dave Wentzel to AutoIT. The code can be found here: http://www.davewentzel.com/content/programmatically-determining-if-antivirus-running, and it does appear to have an undeclared variable, or a bug, that has little to no impact on the code's execution. I used AutoIt Converter to convert the code and then cleaned it up. I've since made a mess of it by adding some debug code in there. Basically, the code checks two ways for information regarding AV software. The code falls apart here:

$colFiles = $objWMIService_AV.ExecQuery ("SELECT * from CIM_Datafile Where name = '" & $PathToSignedProductExe & "'", default ,48)
        For $itemFile In $colFiles

The same code seems to work in vbscript, but its AutoIT cousin always throws this exception information. I couldn't seem to find a typo or any obvious glaring mistake, and have started to wonder if it has to do with nested for loops or nested for loops with objects. I apologize for the extra code, but I decided to include it in hopes that you might see the thought process/debugging. The original vbscript is easy enough to follow, aside from the undeclared variable or typo, "Set colFiles = objWMIService.ExecQuery"; even changing this to objWMIService_AV doesn't seem to change the result.

We intercepted a COM Error !

err.description is:

err.windescription:

err.number is: 80041010

err.lastdllerror is: 0

err.scriptline is: 108

err.source is:

err.helpfile is:

err.helpcontext is:

; ----------------------------------------------------------------------------
;
; VBScript to AutoIt Converter v0.4
;
; ----------------------------------------------------------------------------
Const $_divider = "------------------------------------------------------------------"
;#include <bk-logfile.au3>

;AutoItSetOption("MustDeclareVars", 1)
;VA ON ERROR RESUME NEXT
;###############################################################################
;Custom Error Handler
;###############################################################################
Global $g_eventerror = 0  ; to be checked to know if com error occurs. Must be reset after handling.
$oMyError = ObjEvent("AutoIt.Error","MyErrFunc") ; Install a custom error handler

; This is my custom error handler
Func MyErrFunc()
    Local $HexNumber, $err
   $HexNumber=hex($oMyError.number,8)
   ;Msgbox(0,"","We intercepted a COM Error !" & @CRLF & _
   ;             "Number is: " & $HexNumber & @CRLF & _
   ;             "Windescription is: " & $oMyError.windescription )
    WriteLine($_divider)
    ;WriteLog("We intercepted a COM Error !" & @CRLF & _
     ;          "Number is: " & $HexNumber & @CRLF & _
      ;         "Windescription is: " & $oMyError.windescription & @CRLF )
    Writeline("We intercepted a COM Error !"        & @CRLF & _
             "err.description is: "    & @TAB & $oMyError.description    & @CRLF & _
             "err.windescription:"     & @TAB & $oMyError.windescription & @CRLF & _
             "err.number is: "         & @TAB & $HexNumber              & @CRLF & _
             "err.lastdllerror is: "   & @TAB & $oMyError.lastdllerror   & @CRLF & _
             "err.scriptline is: "     & @TAB & $oMyError.scriptline     & @CRLF & _
             "err.source is: "         & @TAB & $oMyError.source         & @CRLF & _
             "err.helpfile is: "       & @TAB & $oMyError.helpfile       & @CRLF & _
             "err.helpcontext is: "    & @TAB & $oMyError.helpcontext _
             )
    WriteLine($_divider)
    Local $err = $oMyError.number
    If $err = 0 Then $err = -1
        $g_eventerror = $err  ; to check for after this function returns
    ;I should just exit the program, safer and easier than handling every potential error.
Endfunc
;*******************************************************************************
;Function WriteLine ()
;*******************************************************************************
Func WriteLine($strMsg)
    ;$LogFile.writeline($strMsg)
    ConsoleWrite($strMsg & @CRLF)
EndFunc
Dim $args, $objWMIService_AV, $objWMIService, $colItems, $objAntiVirusProduct,$strcompanyName,$strdisplayName,$strVersionNumber,$strproductState,$colItems2,$PathToSignedProductExe
Dim $colFiles,$strRunType, $strFinalMessage


    ;double-clicked the .vbs file
    $strRunType = "MsgBox"

#comments-start

Echo ("  $AV - Security Center Settings...if FILESTREAM hangs the machine and there are $AV entries then we should consider")
Echo ("  disabling $AV or setting master.dbo.PCMXOPTIONS NOFILESTREAMSUPPORT to 'TRUE'" & @CRLF)
 $objWMIService_AV = ObjGet("winmgmts:\\.\root\SecurityCenter")
if @error <> 0 Then
    Echo ("      No AV registered to \root\SecurityCenter")
Else
     $colItems = $objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")
    ConsoleWrite("SC1"  & @CRLF)
    For $objAntiVirusProduct In $colItems
        ConsoleWrite("SC1"  & @CRLF)
        Echo ("      WARNING:  $AV products registered to \root\SecurityCenter" & @CRLF)
        $strcompanyName = ($objAntiVirusProduct.companyName)
        $strdisplayName = ($objAntiVirusProduct.displayName)
        $strVersionNumber = ($objAntiVirusProduct.versionNumber)
        $strproductState = ($objAntiVirusProduct.onAccessScanningEnabled)

        Echo ("      companyName:    " & $strcompanyName)
        ConsoleWrite($strcompanyName & @CRLF)
        Echo ("      displayName:    " & $strdisplayName)
        ConsoleWrite($strdisplayName & @CRLF)
        Echo ("      versionNumber:  " & $strVersionNumber)
        ConsoleWrite($strVersionNumber & @CRLF)
        Echo ("      onAccessScanningEnabled:    " & $strproductState)
        ConsoleWrite($strproductState & @CRLF)
    Next

;VA     Set $objWMIService_AV = Nothing

EndIf

;VA Err.Clear
$objWMIService_AV = ""
$colItems = ""
#comments-end

 $objWMIService_AV = ObjGet("winmgmts:\\.\root\SecurityCenter2")
If @error <> 0 Then
    Echo ("     No $AV registered to \root\SecurityCenter2" & @CRLF)
Else
     $colItems2 = $objWMIService_AV.ExecQuery("Select * from AntiVirusProduct")
    ConsoleWrite("SC2" & @CRLF)
    For $objAntiVirusProduct In $colItems2
        ConsoleWrite("SC2"  & @CRLF)
        $PathToSignedProductExe = StringReplace($objAntiVirusProduct.PathToSignedProductExe,"\","\\")
        echo (("      Path " & $PathToSignedProductExe))
         ;$colFiles = $objWMIService.ExecQuery ("Select * from CIM_Datafile Where name = '" & PathToSignedProductExe & "'",Default,48)
          echo ("Select * from CIM_Datafile Where name = '" & $PathToSignedProductExe & "'")
        $colFiles = $objWMIService_AV.ExecQuery ("SELECT * from CIM_Datafile Where name = '" & $PathToSignedProductExe & "'", default ,48)
        For $itemFile In $colFiles
            ConsoleWrite("SC2"  & @CRLF)
            $strcompanyName  = ($itemFile.Manufacturer)
            $strVersionNumber = ($itemFile.Version)
            $strdisplayName = ($objAntiVirusProduct.displayName)
            if ($objAntiVirusProduct.ProductState = "266240" OR $objAntiVirusProduct.ProductState = "266256") then
                $strproductState = "Scanning Enabled"
            Elseif ($objAntiVirusProduct.ProductState = "262144") Then
                $strproductState = "Scanning Not Enabled"
            Else
                $strproductState = "Unknown State"
            EndIf

            Echo ("      WARNING:  $AV products registered to \root\SecurityCenter2"&@CRLF)
            Echo ("      strcompanyName: " & $strcompanyName)
            ConsoleWrite($strcompanyName & @CRLF)
            Echo ("      strdisplayName: " & $strdisplayName)
            ConsoleWrite($strdisplayName & @CRLF)
            Echo ("      strVersionNumber:   " & $strVersionNumber)
            ConsoleWrite($strVersionNumber & @CRLF)
            Echo ("      strproductState:    " & $strproductState)
            ConsoleWrite($strproductState & @CRLF)
        Next
    Next
EndIf


;Final Cleanup
 FinalCleanup()
;VA On Error Goto 0


Func Echo ($msg)
    If $strRunType = "MsgBox" Then
        $strFinalMessage = $strFinalMessage & @CRLF & $msg
        ;ConsoleWrite($msg & @CRLF)
    Elseif StringUpper($strRunType) = "ECHO" Then
        ;_WriteLog ($msg)
    Elseif StringUpper($strRunType) = "INSTALLER" Then
        ;THIS IS NOT YET IMPLEMENTED
;VA         wscript.quit(1)
    EndIf
EndFunc

Func FinalCleanup()
    If $strRunType = "MsgBox" Then
        ;msgbox $strFinalMessage
        ;MsgBox(0, "AntiVirusProduct", $strFinalMessage)
        ConsoleWrite($strFinalMessage & @CRLF)
    EndIf
EndFunc

Try this ...

$colFiles = $objWMIService_AV.ExecQuery("Select * From CIM_DataFile Where Name = '" & $PathToSignedProductExe & "'", "WQL", 0x30)

"The mediocre teacher tells. The Good teacher explains. The superior teacher demonstrates. The great teacher inspires." -William Arthur Ward


Still never gets inside the second For Loop.

The vbcode works fine, but I can't seem to make the AutoIT code work. I'm using MS Security Essentials, and Trend at work. Both register under SecurityCenter2, and both give information from the vbcode, but only the path from the AutoIT code.

The code line I gave is correct for AutoIt.

My Win7 is not available at the moment for testing - sorry.


Finally getting somewhere now. I've labored on this for a while. What makes the vbscript unique is

OPTION EXPLICIT
ON ERROR RESUME NEXT

If I take this out it behaves pretty much like AutoIT. Geez, I guess that should have been obvious, but it definitely wasn't. Anyway, now I need to figure out how to emulate ON ERROR RESUME, or handle the error that is being thrown.

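An added example, not part of any post in this thread: error 80041010 in the output above is WBEM_E_INVALID_CLASS, and CIM_DataFile is a root\cimv2 class, so this code runs the file query on a separate root\cimv2 connection and installs a COM error handler that records the error and continues, in the way ON ERROR RESUME NEXT would. The names _AVFileInfo, _OnComError, $g_iComErr and $g_oComErr are hypothetical; the productState values are the ones used in the script above.

```autoit
; Added example, not from the thread. Function and variable names are hypothetical.
Global $g_iComErr = 0
Global $g_oComErr = ObjEvent("AutoIt.Error", "_OnComError")

; Record the COM error and let the script continue instead of aborting.
Func _OnComError($oErr = 0)
    If Not IsObj($oErr) Then $oErr = $g_oComErr ; older AutoIt versions pass no argument
    $g_iComErr = $oErr.number
    ConsoleWrite("COM error 0x" & Hex($g_iComErr, 8) & " at line " & $oErr.scriptline & @CRLF)
EndFunc

Func _AVFileInfo()
    ; AntiVirusProduct instances are registered in root\SecurityCenter2 ...
    Local $oSC2 = ObjGet("winmgmts:\\.\root\SecurityCenter2")
    If Not IsObj($oSC2) Then Return SetError(1, 0, "")
    ; ... but CIM_DataFile must be queried through a root\cimv2 connection.
    Local $oCim = ObjGet("winmgmts:\\.\root\cimv2")
    If Not IsObj($oCim) Then Return SetError(2, 0, "")
    Local $colAV = $oSC2.ExecQuery("Select * from AntiVirusProduct")
    If Not IsObj($colAV) Then Return SetError(3, 0, "")

    Local $sReport = "", $sPath, $sState, $colFiles
    For $oAV In $colAV
        ; productState values as used in the thread's script
        Switch String($oAV.productState)
            Case "266240", "266256"
                $sState = "Scanning Enabled"
            Case "262144"
                $sState = "Scanning Not Enabled"
            Case Else
                $sState = "Unknown State"
        EndSwitch
        $sReport &= $oAV.displayName & " | " & $sState & @CRLF

        ; Escape backslashes and single quotes before building the WQL string literal.
        $sPath = StringReplace($oAV.pathToSignedProductExe, "\", "\\")
        $sPath = StringReplace($sPath, "'", "\'")
        $g_iComErr = 0
        $colFiles = $oCim.ExecQuery("Select * from CIM_DataFile Where Name = '" & $sPath & "'", "WQL", 0x30)
        If $g_iComErr <> 0 Or Not IsObj($colFiles) Then ContinueLoop ; keep the product line, skip file details
        For $oFile In $colFiles
            $sReport &= "    " & $oFile.Manufacturer & " | " & $oFile.Version & @CRLF
        Next
    Next
    Return $sReport
EndFunc

ConsoleWrite(_AVFileInfo())
```

If the registered path does not resolve to an existing file, the inner loop simply yields no rows and the product is still reported with its state.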

  • 8 months later...

I made this for my project. It returns the antivirus name if it's present, or "not Installed" if it's not.

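Func _AV()
    ; Returns the display name of the registered antivirus product, or "Not Installed".
    Local $avname = "", $oWMI, $colItems
    ; XP registers products in root\SecurityCenter, later versions in root\SecurityCenter2
    If @OSVersion = "WIN_XP" Then
        $oWMI = ObjGet("winmgmts:\\localhost\root\SecurityCenter")
    Else
        $oWMI = ObjGet("winmgmts:\\localhost\root\SecurityCenter2")
    EndIf
    ; Namespace not available or WMI connection failed
    If Not IsObj($oWMI) Then Return "Not Installed"
    $colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
    If Not IsObj($colItems) Then Return "Not Installed"
    ; If several products are registered, the last one enumerated is returned
    For $objAntiVirusProduct In $colItems
        $avname = $objAntiVirusProduct.displayName
    Next
    If $avname = "" Then Return "Not Installed"
    Return $avname
EndFunc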

Hope it will help if you didn't find the solution already.


  • 1 year later...

I made this for my project. It returns the antivirus name if it's present, or "not Installed" if it's not.

 

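Func _AV()
    ; Returns the display name of the registered antivirus product, or "Not Installed".
    Local $avname = "", $oWMI, $colItems
    ; XP registers products in root\SecurityCenter, later versions in root\SecurityCenter2
    If @OSVersion = "WIN_XP" Then
        $oWMI = ObjGet("winmgmts:\\localhost\root\SecurityCenter")
    Else
        $oWMI = ObjGet("winmgmts:\\localhost\root\SecurityCenter2")
    EndIf
    ; Namespace not available or WMI connection failed
    If Not IsObj($oWMI) Then Return "Not Installed"
    $colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
    If Not IsObj($colItems) Then Return "Not Installed"
    ; If several products are registered, the last one enumerated is returned
    For $objAntiVirusProduct In $colItems
        $avname = $objAntiVirusProduct.displayName
    Next
    If $avname = "" Then Return "Not Installed"
    Return $avname
EndFunc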

Hope it will help if you didn't find the solution already.

 

Thank you for this useful post. I can't use the "Like This" button, but I like this :).
