1. Sam Bryan
    Sam Bryan October 27, 2010 at 18:09 . Reply

    Ah, I’ve been curious about this for a long time! I think that your theory holds up very well, the only real deviation I saw while testing was Symantec Endpoint Protection, which reported a WSC_SECURITY_PROVIDER of 7 while also claiming to not have a firewall. I’m more than happy to believe that’s an error on Symantec’s part :)

    McAfee VirusScan Enterprise 8.7
    266240 (0×041000) – Enabled, definitions are current
    262144 (0×040000) – On Access Scan disabled, definitions are current
    266256 (0×041010) – Enabled, definitions out of date

    Microsoft Security Essentials
    397328 (0×061010) – Enabled, definitions out of date
    397312 (0×061000) – Enabled, definitions are current

    Symantec Endpoint Protection 11.0 (Doesn’t have a firewall, but does have email scanning etc. Does have anti-spyware.)
    462864 (0×071010) – Enabled, definitions out of date
    462848 (0×071000) – Enabled, definitions are current

    AVG Internet Security 2011
    266240 (0×041000) – Enabled, definitions are current

    Sophos 9.0 (has client firewall)
    331776 (0×051000) – Enabled, definitions are current

    Sunbelt VIPRE
    266240 (0×041000) – Enabled, definitions are current

    Kaspersky 8.0
    266240 (0×041000) – Enabled, definitions are current

  2. Gil Mier
    Gil Mier December 19, 2010 at 12:03 . Reply


    Did someone reach a formal answer for this?


  3. Gil Mier
    Gil Mier December 19, 2010 at 14:54 . Reply


    Isn’t NDA required only for registration of a FW/AV/anti-spyware?

    Why is NDA required for asking about (an already) registered security components?

  4. adam
    adam March 15, 2011 at 18:52 . Reply

    This theory is holding up pretty well. I’ll be integrating this into a script and running it against a few hundred machines with a myriad configurations. Looking forward to seeing how it works out. solid work dude

  5. [...] in regards to definition updates and real-time protection. More information on this is available here. I haven`t found a complete reference to all possible values, the best I could find is available [...]

  6. William Mimart
    William Mimart March 2, 2012 at 11:19 . Reply

    I’ve made some C# code looking for AntiVirus and AntiSpyware state of an Windows Station. If somebody is interested…. I’ll share it.

  7. […] bit more research turned up some helpful posts, notably http://neophob.com/2010/03/wmi-query-windows-securitycenter2/, which lead to the creation of a `decodeProductState` macro. The macro converts the productState to […]

Leave a Reply

%d bloggers like this: