dcoggie

Detecting AntiVirus

10 posts in this topic

I have a script that detects what antivirus is on a computer. It works fine except --- I only want the second part to print out only if the first part is empty. Now it prints the info out twice.

Local $aResult0, $aResult1
$oWMI = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\localhost\root\SecurityCenter2")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
For $objAntiVirusProduct In $colItems
    $aResult0 = $objAntiVirusProduct.DisplayName
    $aResult1 = $objAntiVirusProduct.ProductState
If @error Then
msgbox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
ElseIf $aResult1 = "266240" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from avast enabled
ElseIf $aResult1 = "262144" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from avast disabled
ElseIf $aResult1 = "397312" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from MSE enabled
ElseIf $aResult1 = "393216" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from MSE disabled
ElseIf $aResult1 = "397568" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from Windows Defender enabled
ElseIf $aResult1 = "393472" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from Windows Defender disabled
EndIf
Next
$colItems = $oWMI.ExecQuery("Select * from AntispywareProduct")
For $objAntiSpywareProduct In $colItems
    $aResult0 = $objAntiSpywareProduct.DisplayName
    $aResult1 = $objAntispywareProduct.ProductState
If @error Then
msgbox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
ElseIf $aResult1 = "266240" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from avast enabled
ElseIf $aResult1 = "262144" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from avast disabled
ElseIf $aResult1 = "397312" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from MSE enabled
ElseIf $aResult1 = "393216" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from MSE disabled
ElseIf $aResult1 = "397568" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from Windows Defender enabled
ElseIf $aResult1 = "393472" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from Windows Defender disabled
EndIf
Next

 

Share this post


Link to post
Share on other sites



#3 ·  Posted (edited)

Here's one way to make sure that if the first check works that the second one won't run.

Local $aResult0, $aResult1
$oWMI = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\localhost\root\SecurityCenter2")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
For $objAntiVirusProduct In $colItems
    $aResult0 = $objAntiVirusProduct.DisplayName
    $aResult1 = $objAntiVirusProduct.ProductState
If @error Then
msgbox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
ElseIf $aResult1 = "266240" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from avast enabled
ElseIf $aResult1 = "262144" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from avast disabled
ElseIf $aResult1 = "397312" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from MSE enabled
ElseIf $aResult1 = "393216" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from MSE disabled
ElseIf $aResult1 = "397568" Then
       msgbox(0, "", $aResult0 & " " & "(Enabled - Up to Date)" & @CRLF) ; this is from Windows Defender enabled
ElseIf $aResult1 = "393472" Then
       msgbox(0, "", $aResult0 & " " & "(Disabled - Up to Date)" & @CRLF) ; this is from Windows Defender disabled
EndIf
Next
If $aResult0 Then Exit ; <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
$colItems = $oWMI.ExecQuery("Select * from AntispywareProduct")
For $objAntiSpywareProduct In $colItems
    $aResult0 = $objAntiSpywareProduct.DisplayName
    $aResult1 = $objAntispywareProduct.ProductState
If @error Then
msgbox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
ElseIf $aResult1 = "266240" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from avast enabled
ElseIf $aResult1 = "262144" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from avast disabled
ElseIf $aResult1 = "397312" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from MSE enabled
ElseIf $aResult1 = "393216" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from MSE disabled
ElseIf $aResult1 = "397568" Then
       msgbox(0, "", $aResult0 & " " & "(*Enabled - Up to Date)" & @CRLF) ; this is from Windows Defender enabled
ElseIf $aResult1 = "393472" Then
       msgbox(0, "", $aResult0 & " " & "(*Disabled - Up to Date)" & @CRLF) ; this is from Windows Defender disabled
EndIf
Next

 

Edited by BrewManNH

If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

BTW, here's another way of rewriting your script to make it MUCH shorter and more accurate.

Local $aResult0, $aResult1, $ProductIsInOrOutOfDate, $ProductDisabledOrNot
$oWMI = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\localhost\root\SecurityCenter2")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
For $objAntiVirusProduct In $colItems
    $aResult0 = $objAntiVirusProduct.DisplayName
    $aResult1 = $objAntiVirusProduct.ProductState
    $ProductIsInOrOutOfDate = StringMid(Hex($aResult1), 7, 2)
    $ProductDisabledOrNot = StringMid(Hex($aResult1), 5, 2)
    If @error Then
        MsgBox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
    Else
        Switch $ProductDisabledOrNot
            Case "10", "11"
                MsgBox(0, "", $aResult0 & " " & "(Enabled & " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "up-to-date)")
            Case "00", "01"
                MsgBox(0, "", $aResult0 & " " & "(Disabled & " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "up-to-date)")
            Case Else
                MsgBox(0, "", $aResult0 & "'s product state is indeterminate")
        EndSwitch
    EndIf
Next
If $aResult0 Then Exit
$colItems = $oWMI.ExecQuery("Select * from AntispywareProduct")
For $objAntiSpywareProduct In $colItems
    $aResult0 = $objAntiSpywareProduct.DisplayName
    $aResult1 = $objAntispywareProduct.ProductState
    $ProductIsInOrOutOfDate = StringMid(Hex($aResult1), 7, 2)
    $ProductDisabledOrNot = StringMid(Hex($aResult1), 5, 2)
    If @error Then
        MsgBox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
    Else
        Switch $ProductDisabledOrNot
            Case "10", "11"
                MsgBox(0, "", $aResult0 & " " & "(Enabled & " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "up-to-date)")
            Case "00", "01"
                MsgBox(0, "", $aResult0 & " " & "(Disabled & " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "up-to-date)")
            Case Else
                MsgBox(0, "", $aResult0 & "'s product state is indeterminate")
        EndSwitch
    EndIf
Next

The original script didn't detect my AV software's ProductState, because it returned a different number than you were looking for. This one doesn't care which AV or AS is installed, it's just looking at the correct bits in the returned numbers to determine if it's enabled/disabled, and up to date/out of date.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

#5 ·  Posted (edited)

Thank you BrewManNH.

You have no idea what a life saver you are. I've been struggling with this for months.

I only included a small sample of ProductState values in my post. In my program  the list is much more extensive.

Each time I have tried to use hex values it didn't pick up Windows Defender in Win 10.  And when I selected antivirus on win 7 or XP. it didn't pick up Windows Defender. That's why I added antiSpyware.

Once again thank you for your help. :lol:

P.S. So far I have found that antiSpyware picks up all antivirus programs.

Edited by dcoggie

Share this post


Link to post
Share on other sites

The script I posted works on Windows 10 and detects Windows Defender and the product state correctly.


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites
26 minutes ago, BrewManNH said:

The script I posted works on Windows 10 and detects Windows Defender and the product state correctly.

Yes but on Win 7 it doesn't pick up Windows Defender unless it's set to "antiSpyware" and the product code is different. It's a pain in the %$^^ but I'm determined to get it right.

Share this post


Link to post
Share on other sites

#8 ·  Posted (edited)

I have a problem. When I added the script to my program the printout stops now at the end of the script.

I think I have to change this line to get the program to keep going. Am I correct?

If $aResult0 Then Exit

Will this work and is it the best solution?

If $aResult0 Then
    #comments-start
    
    $colItems = $oWMI.ExecQuery("Select * from AntispywareProduct")
For $objAntiSpywareProduct In $colItems
    $aResult0 = $objAntiSpywareProduct.DisplayName
    $aResult1 = $objAntispywareProduct.ProductState
    $ProductIsInOrOutOfDate = StringMid(Hex($aResult1), 7, 2)
    $ProductDisabledOrNot = StringMid(Hex($aResult1), 5, 2)
    If @error Then
        FileWrite($hLogFile, "Warning! *No AntiVirus Installed*" & @CRLF)
    Else
        Switch $ProductDisabledOrNot
            Case "10", "11"
                FileWrite($hLogFile, $aResult0 & " " & "(Enabled - " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "Up to Date)" & @CRLF)
            Case "00", "01"
                FileWrite($hLogFile, $aResult0 & " " & "(Disabled - " & (($ProductIsInOrOutOfDate = "10") ? "Not " : "") & "Up to Date)" & @CRLF)
            Case Else
                FileWrite($hLogFile, $aResult0 & "'s ProductState is indeterminate" & @CRLF)
        EndSwitch
    EndIf
Next
#comments-end

 

Edited by dcoggie

Share this post


Link to post
Share on other sites
8 hours ago, dcoggie said:

Yes but on Win 7 it doesn't pick up Windows Defender unless it's set to "antiSpyware" and the product code is different.

What product code does it return on Win7, for the AV and the AS?


If I posted any code, assume that code was written using the latest release version unless stated otherwise. Also, if it doesn't work on XP I can't help with that because I don't have access to XP, and I'm not going to.
Give a programmer the correct code and he can do his work for a day. Teach a programmer to debug and he can do his work for a lifetime - by Chirag Gude
How to ask questions the smart way!

I hereby grant any person the right to use any code I post, that I am the original author of, on the autoitscript.com forums, unless I've specifically stated otherwise in the code or the thread post. If you do use my code all I ask, as a courtesy, is to make note of where you got it from.

Back up and restore Windows user files _Array.au3 - Modified array functions that include support for 2D arrays.  -  ColorChooser - An add-on for SciTE that pops up a color dialog so you can select and paste a color code into a script.  -  Customizable Splashscreen GUI w/Progress Bar - Create a custom "splash screen" GUI with a progress bar and custom label.  -  _FileGetProperty - Retrieve the properties of a file  -  SciTE Toolbar - A toolbar demo for use with the SciTE editor  -  GUIRegisterMsg demo - Demo script to show how to use the Windows messages to interact with controls and your GUI.  -   Latin Square password generator

Share this post


Link to post
Share on other sites

#10 ·  Posted

I'm sorry I didn't explain myself very well. I hope this is clearer.

WD is Windows Defender

On 7 this code generates 2 numbers only that are for Microsoft Security Essentials - 397312 & 393216. Nothing for Windows Defender.

But if I change the code to AntiSpywareProduct I get  code for both programs.

(with MSE enabled + WD enabled):
397312 and 397568

(with MSE disabled + WD disabled):
393216 and 393472

 

Local $aResult0, $aResult1, $sstate
$oWMI = ObjGet("winmgmts:" & "{impersonationLevel=impersonate}!\\localhost\root\SecurityCenter2")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct")
For $objAntiVirusProduct In $colItems
    $aResult0 = $objAntiVirusProduct.DisplayName
    $aResult1 = $objAntiVirusProduct.ProductState
If $aResult0 = False Then
msgbox(0, "", "Warning! *No AntiVirus Installed*" & @CRLF)
Else
    msgbox(0, "", $aResult1 & @CRLF)
EndIf
Next

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now