Detect antivirus present


Guest Nuno Rodrigues
Posted

Hi there...

Is there any way to know if there is any antivirus installed in the system?? And to know if the automatic updates are enabled or not??

I'm writing a script to install several apps, but first I have to know if there is any other antivirus installed in the system, so as not to have two of them installed in the same system.

Regarding automatic updates, I wanna know if they are enabled or not, because if not, I will activate them using the script.

Thanks in advance...

Guest Nuno Rodrigues
Posted

*Cough* *Cough*

Trying to install multiple copies of malware?

*cough* *Cough*

No, I'm really writing an automated install system, for several apps, like JRE, Adobe, certain updates, automatic desktop wallpaper, Windows optimisations - cache and themes - that's why I need that script... nothing else...

Anyway, if there is an antivirus installed, I'll not uninstall it...

Posted

Well, you can check if the process exists (with the function "ProcessExists")

Here could be an example:

If ProcessExists("SomeAntiVirusProcess.exe") Then
   MsgBox(0, "AntiVirus Detected", "We have detected you are using an anti-virus. Please disable this program for the installation to work")
EndIf

Don't end the processes yourself because many anti-virus programs have ties with System processes, thus shutting down your system.

Guest Nuno Rodrigues
Posted

Well, you can check if the process exists (with the function "ProcessExists")

Here could be an example:

If ProcessExists("SomeAntiVirusProcess.exe") Then
   MsgBox(0, "AntiVirus Detected", "We have detected you are using an anti-virus. Please disable this program for the installation to work")
EndIf

Don't end the processes yourself because many anti-virus programs have ties with System processes, thus shutting down your system.

Ok, it would work if I knew exactly what antivirus program is installed, to know exactly its process... ;)
Posted

Is there any way to grab that data from the registry?? To know what antivirus program is installed, and if the automatic updates are enabled?? ;)

Not sure if this is what you are looking for but this might help with detecting if autoupdates are enabled.

KeyName: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

ValueName: NoAutoUpdate

Here are the possible values:

0 - False (Do not disable AutoUpdate)

1 - True (Disable AutoUpdate)

That information was found here.

Guest Nuno Rodrigues
Posted (edited)

Thanks SolidSnake...

It wasn't quite that that I needed, but I've found it on the link page you provided ;)

Found what I needed in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

that is, if there is an antivirus present the reg values will "say" that, and also the automatic updates...

Anyway, thanks a lot...

Edited by Nuno Rodrigues
Posted

Thanks SolidSnake...

It wasn't quite that that I needed, but I've found it on the link page you provided :lmao:

Found what I needed in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center

that is, if there is an antivirus present the reg values will "say" that, and also the automatic updates...

Anyway, thanks a lot...

No Problem. Glad you got your script working. ;)

Guest Nuno Rodrigues
Posted

I think I talked too soon... ;)

All that the reg keys tell me is if the alerts are or not active...

So... I'm back at the place I started...

I still need some way to figure that out, if it has an antivirus and firewall active or not...

Any help?? :">

  • 1 year later...
Posted

I think I talked too soon... :)

All that the reg keys tell me is if the alerts are or not active...

So... I'm back at the place I started...

I still need some way to figure that out, if it has an antivirus and firewall active or not...

Any help?? :">

I'm actually interested in how to detect an Antivirus program with Windows Security Center. Is there some sort of script that can get info from Security Center? Can anyone shed some light on this subject? I have been looking for info all over the net and have not found an answer. :)

I notice that when I look in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring

It lists many folders dealing with AntiVirus and Firewall Programs:

AhnlabAntiVirus

ComputerAssociatesAntiVirus

KasperskyAntiVirus

McAfeeAntiVirus

McAfeeFirewall

PandaAntiVirus

PandaFirewall

SophosAntiVirus

SymantecAntiVirus

SymantecFirewall

TinyFirewall

TrendAntiVirus

TrendFirewall

ZoneLabsFirewall

All of the folders are blank except "SymantecAntiVirus" which has "DisableMonitoring"=dword:00000001

Which seems right. All I have is Symantec Antivirus and Windows Firewall. But what exactly does this mean? It says DisableMonitoring. So does this mean that if the DisableMonitoring is found and set to 1 in one of the directories then an AV is present?

  • 4 months later...
Posted

I have tried to find a solution as well. This is what I have found...

$strComputer = "."
$oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\SecurityCenter")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct"); "from FirewallProduct" works as well

  For $objAntiVirusProduct In $colItems
      MsgBox(0, "AntiVirusProduct", $objAntiVirusProduct.displayName)
  Next

But for example in my Vista SP1 it does not return anything, but if I put "\root\SecurityCenter2" then it finds the product. On XP "\root\SecurityCenter" works.

If somebody has a better way to check the Antivirus product please share your info. Thanks!

  • 2 years later...
Posted

I have tried to find a solution as well. This is what I have found...

$strComputer = "."
$oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $strComputer & "\root\SecurityCenter")
$colItems = $oWMI.ExecQuery("Select * from AntiVirusProduct"); "from FirewallProduct" works as well

  For $objAntiVirusProduct In $colItems
      MsgBox(0, "AntiVirusProduct", $objAntiVirusProduct.displayName)
  Next

But for example in my Vista SP1 it does not return anything, but if I put "\root\SecurityCenter2" then it finds the product. On XP "\root\SecurityCenter" works.

If somebody has a better way to check the Antivirus product please share your info. Thanks!

I'm almost afraid to bring this old thread back up, but I am wanting to add this ability to my tool as well.

My experience with the above is that I had to use 'SecurityCenter2' to get the AV, but neither 'SecurityCenter' nor 'SecurityCenter2' returned anything for firewall on Win7.

I would like to be able to determine both of these for all Win OS' as I'll use my tool on any machine I start working on.

If anyone has discovered an updated method of detecting the active Antivirus and/or Firewall, please share.

Thanks!
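
An added example, not code from any poster in this thread: it combines the findings above by trying `root\SecurityCenter2` first and falling back to `root\SecurityCenter`, and it reads the `NoAutoUpdate` policy value quoted earlier. The helper names `_SCQuery`, `_NoAutoUpdatePolicy` and `_ComErr` are hypothetical, and only `displayName` is read because that is the property the thread shows.

```autoit
; Added example (not from the thread). _SCQuery, _NoAutoUpdatePolicy and _ComErr
; are hypothetical helper names; only displayName is read, as in the posts above.
Global $g_oComErr = ObjEvent("AutoIt.Error", "_ComErr") ; COM failures must not abort the script

Func _ComErr($oErr)
    ConsoleWrite("COM error 0x" & Hex($oErr.number) & @CRLF)
EndFunc

; Returns the displayName of every product of class $sClass ("AntiVirusProduct"
; or "FirewallProduct"), one per line, from the first namespace that has any.
Func _SCQuery($sClass, $sComputer = ".")
    ; SecurityCenter2 worked on Vista SP1 and Win7 in the thread, SecurityCenter on XP
    Local $aNamespaces[2] = ["SecurityCenter2", "SecurityCenter"]
    Local $oWMI, $colItems, $sNames
    For $sNs In $aNamespaces
        $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & $sComputer & "\root\" & $sNs)
        If Not IsObj($oWMI) Then ContinueLoop ; namespace not present on this OS
        $colItems = $oWMI.ExecQuery("Select * from " & $sClass)
        If Not IsObj($colItems) Then ContinueLoop
        $sNames = ""
        For $oItem In $colItems
            $sNames &= $oItem.displayName & @CRLF
        Next
        If $sNames <> "" Then Return $sNames
    Next
    Return "" ; nothing registered with Security Center in either namespace
EndFunc

; Reads the NoAutoUpdate policy value quoted earlier in the thread.
; Returns 1 (AutoUpdate disabled), 0 (not disabled) or -1 when the value is
; absent, which only means no policy is set, not that updates are on.
Func _NoAutoUpdatePolicy()
    Local $vValue = RegRead("HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU", "NoAutoUpdate")
    If @error Then Return -1
    Return $vValue
EndFunc

Global $sAV = _SCQuery("AntiVirusProduct")
Global $sFW = _SCQuery("FirewallProduct")
If $sAV = "" Then $sAV = "(none reported)" & @CRLF
If $sFW = "" Then $sFW = "(none reported)" & @CRLF
ConsoleWrite("Antivirus:" & @CRLF & $sAV & "Firewall:" & @CRLF & $sFW)
ConsoleWrite("NoAutoUpdate policy: " & _NoAutoUpdatePolicy() & @CRLF)
```

An empty result means no product has registered with Security Center in either namespace; it does not prove that no antivirus or firewall is installed.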

Posted

Hi

I've got some code that hopefully detects this. I'll be adding it in the next day or 2 in my comp analysis tool. Keep your eye out.

  • 1 month later...
Posted

Hi

I've got some code that hopefully detects this. I'll be adding it in the next day or 2 in my comp analysis tool. Keep your eye out.

It's been a pretty long time and I still haven't seen your code anywhere...
