Guest Nuno Rodrigues

Detect antivirus present

17 posts in this topic

Hi there...

Is there any way to know if there is any antivirus installed in the system?? And to know if the automatic updates are enabled or not??

I'm writing a script to install several apps, but first I have to know if there is any other antivirus installed in the system, for not having two of them installed in the same system.

Regarding to automatic updates, I wanna know, if it or not enabled, because if not, I will activate it using the script.

Thanks in advance...



*Cough* *Cough*

Trying to install multiple copies of malware?

*cough* *Cough*


No, I'm really writing an automated install system, for several apps, like JRE, Adobe, certain updates, automatic desktop wallpaper, windows optimisations - cache and themes - that's why I need that script... nothing else...

Anyway, if there is an antivirus installed, I'll not uninstall it...


Well, you can check if the process exists (with the function "ProcessExists")

Here could be an example:

If ProcessExists("SomeAntiVirusProcess.exe") Then
   MsgBox(0, "AntiVirus Detected", "We have detected you are using an anti-virus. Please disable this program for the installation to work")
EndIf

Don't end the processes yourself because many anti-virus programs have ties with System processes, thus shutting down your system.


OK, it would work if I know exactly what antivirus program is installed, to exactly know its process... ;)


Is there any way to grab that data from the registry?? To know what antivirus program is installed, and if the automatic updates are enabled?? ;)

Not sure if this is what you are looking for but this might help with detecting if autoupdates are enabled.

KeyName: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

ValueName: NoAutoUpdate

Here are the possible values:

0 - False (Do not disable AutoUpdate)

1 - True (Disable AutoUpdate)

That information was found here.



Thanks SolidSnake...

It wasn't quite that that I needed, but I've found it on the link page you provided ;)

Found what I needed in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

that is, if there is an antivirus present the reg values will "say" that, and also the automatic updates...

Anyway, thanks a lot...

Edited by Nuno Rodrigues


No Problem. Glad you got your script working. ;)



I think I talked too much soon... ;)

All that the reg keys tell me is if the alerts are or not active...

So... I'm back at the place I started...

I still need some way to figure that out, if it has an antivirus and firewall active or not...

Any help?? :">


I'm actually interested in how to detect an Antivirus program with Windows Security Center. Is there some sort of script that can get info from Security Center? Can anyone shed some light on this subject? I have been looking for info all over the net and have not found an answer. :)

I notice that when I look in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring

It lists many folders dealing with AntiVirus and Firewall Programs:

AhnlabAntiVirus

ComputerAssociatesAntiVirus

KasperskyAntiVirus

McAfeeAntiVirus

McAfeeFirewall

PandaAntiVirus

PandaFirewall

SophosAntiVirus

SymantecAntiVirus

SymantecFirewall

TinyFirewall

TrendAntiVirus

TrendFirewall

ZoneLabsFirewall

All of the folders are blank except "SymantecAntiVirus" which has "DisableMonitoring"=dword:00000001

Which seems right. All I have is Symantec Antivirus and Windows Firewall. But what exactly does this mean? It says DisableMonitoring. So does this mean that if the DisableMonitoring is found and set to 1 in one of the directories then an AV is present?


I have tried to find a solution as well. This is what I have found...

$strComputer = "."
$oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\SecurityCenter")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct"); "from FirewallProduct" works as well

  For $objAntiVirusProduct In $colItems
      MsgBox(0, "AntiVirusProduct", $objAntiVirusProduct.displayName)
  Next

But for example in my Vista SP1 it does not return anything, but if I put "\root\SecurityCenter2" then it finds the product. On XP "\root\SecurityCenter" works.

If somebody has a better way to check Antivirus product please share your info. Thanks!
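
Added example, not part of the original posts: the WMI query above wrapped so that it tries root\SecurityCenter2 first and falls back to root\SecurityCenter, together with a read of the NoAutoUpdate policy value given earlier in the thread. The function names and the COM error handler are assumptions made for this example, and it assumes a current AutoIt release.

```autoit
; Added example, not code from the thread. Function names are hypothetical.
; Assumes a current AutoIt release (error handler receives the error object).
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErr")

Func _ComErr($oError)
    ; A missing namespace or class lands here instead of aborting the script
    ConsoleWrite("COM error 0x" & Hex($oError.number) & @CRLF)
EndFunc

; $sClass: "AntiVirusProduct" or "FirewallProduct" (both named in the thread)
Func _GetSecurityProducts($sClass, $sComputer = ".")
    ; SecurityCenter2 was needed on Vista SP1 and Win7, SecurityCenter on XP
    Local $aNamespaces[2] = ["SecurityCenter2", "SecurityCenter"]
    Local $aNames[0], $oWMI, $colItems
    For $sNS In $aNamespaces
        $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $sComputer & "\root\" & $sNS)
        If @error Or Not IsObj($oWMI) Then ContinueLoop
        $colItems = $oWMI.ExecQuery("Select * from " & $sClass)
        If Not IsObj($colItems) Then ContinueLoop
        For $oProduct In $colItems
            ReDim $aNames[UBound($aNames) + 1]
            $aNames[UBound($aNames) - 1] = $oProduct.displayName
        Next
        If UBound($aNames) > 0 Then ExitLoop ; first namespace that answers wins
    Next
    Return $aNames ; empty = nothing reported, not proof that nothing is installed
EndFunc

; Returns 1 or 0 as stored in NoAutoUpdate, or -1 when the policy value is absent
Func _AutoUpdatePolicy()
    Local $vValue = RegRead("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate")
    If @error Then Return -1
    Return Number($vValue)
EndFunc

Local $aAV = _GetSecurityProducts("AntiVirusProduct")
If UBound($aAV) = 0 Then
    ConsoleWrite("No antivirus reported by Security Center" & @CRLF)
Else
    For $sName In $aAV
        ConsoleWrite("Antivirus reported: " & $sName & @CRLF)
    Next
EndIf
ConsoleWrite("NoAutoUpdate policy: " & _AutoUpdatePolicy() & @CRLF)
```

An installer should treat an empty result as "unknown" and ask the user, since the thread reports FirewallProduct returning nothing on Win7 in either namespace.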


I'm almost afraid to bring this old thread back up, but I am wanting to add this ability to my tool as well.

My experience with the above is that I had to use 'SecurityCenter2' to get the AV, but neither 'SecurityCenter' nor 'SecurityCenter2' returned anything for firewall on Win7.

I would like to be able to determine both of these for all Win OS' as I'll use my tool on any machine I start working on.

If anyone has discovered an updated method of detecting the active Antivirus and/or Firewall, please share.

Thanks!


Hi

I've got some code that hopefully detects this. I'll be adding it in the next day or 2 in my comp analysis tool. Keep your eye out.



It's been a pretty long time and I still haven't seen your code anywhere...

