12 Comments

  1. Sam Bryan, October 27, 2010 at 18:09

    Ah, I’ve been curious about this for a long time! I think that your theory holds up very well; the only real deviation I saw while testing was Symantec Endpoint Protection, which reported a WSC_SECURITY_PROVIDER of 7 while also claiming to not have a firewall. I’m more than happy to believe that’s an error on Symantec’s part :)

    McAfee VirusScan Enterprise 8.7
    266240 (0x041000) – Enabled, definitions are current
    262144 (0x040000) – On Access Scan disabled, definitions are current
    266256 (0x041010) – Enabled, definitions out of date

    Microsoft Security Essentials
    397328 (0x061010) – Enabled, definitions out of date
    397312 (0x061000) – Enabled, definitions are current

    Symantec Endpoint Protection 11.0 (Doesn’t have a firewall, but does have email scanning etc. Does have anti-spyware.)
    462864 (0x071010) – Enabled, definitions out of date
    462848 (0x071000) – Enabled, definitions are current

    AVG Internet Security 2011
    266240 (0x041000) – Enabled, definitions are current

    Sophos 9.0 (has client firewall)
    331776 (0x051000) – Enabled, definitions are current

    Sunbelt VIPRE
    266240 (0x041000) – Enabled, definitions are current

    Kaspersky 8.0
    266240 (0x041000) – Enabled, definitions are current

  2. Gil Mier, December 19, 2010 at 12:03

    Hi,

    Did someone reach a formal answer for this?

    Gil

  3. Gil Mier, December 19, 2010 at 14:54

    Thanks.

    Isn’t an NDA required only for registration of a FW/AV/anti-spyware?

    Why is an NDA required for asking about (already) registered security components?

  4. adam, March 15, 2011 at 18:52

    This theory is holding up pretty well. I’ll be integrating this into a script and running it against a few hundred machines with a myriad configurations. Looking forward to seeing how it works out. Solid work, dude.

  5. [...] in regards to definition updates and real-time protection. More information on this is available here. I haven't found a complete reference to all possible values, the best I could find is available [...]

  6. William Mimart, March 2, 2012 at 11:19

    I’ve made some C# code that looks for the AntiVirus and AntiSpyware state of a Windows station. If somebody is interested… I’ll share it.
    mailto:william.mimart@gmail.com

  7. […] bit more research turned up some helpful posts, notably http://neophob.com/2010/03/wmi-query-windows-securitycenter2/, which led to the creation of a `decodeProductState` macro. The macro converts the productState to […]

  8. jgstew, May 13, 2014 at 21:52

    Here are the productState values I have found from 34 different AV products across over 10000 endpoints:

    ( Decimal, Hex, Bit Set )

    262144, 40000, 1000000000000000000
    262160, 40010, 1000000000000010000
    266240, 41000, 1000001000000000000
    270336, 42000, 1000010000000000000
    327680, 50000, 1010000000000000000
    327696, 50010, 1010000000000010000
    331776, 51000, 1010001000000000000
    344064, 54000, 1010100000000000000
    393216, 60000, 1100000000000000000
    393232, 60010, 1100000000000010000
    393472, 60100, 1100000000100000000
    393488, 60110, 1100000000100010000
    397312, 61000, 1100001000000000000
    397328, 61010, 1100001000000010000
    397568, 61100, 1100001000100000000
    397584, 61110, 1100001000100010000
    458752, 70000, 1110000000000000000
    458768, 70010, 1110000000000010000
    462848, 71000, 1110001000000000000
    462864, 71010, 1110001000000010000
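
An added example, not code from the original post or from any commenter: a decoder for the three-byte layout the values in this thread suggest (provider flags, scanner state, definitions state), run over the 20 values in the last comment. The flag names are the Windows SDK's WSC_SECURITY_PROVIDER enum; the scanner and definitions meanings are assumptions taken only from the labelled values in the first comment, so any other byte is reported as unknown instead of guessed.

```python
from enum import IntFlag

class Provider(IntFlag):
    """WSC_SECURITY_PROVIDER bits (Windows SDK, wscapi.h)."""
    FIREWALL = 0x01
    AUTOUPDATE_SETTINGS = 0x02
    ANTIVIRUS = 0x04
    ANTISPYWARE = 0x08
    INTERNET_SETTINGS = 0x10
    USER_ACCOUNT_CONTROL = 0x20
    SERVICE = 0x40

# Assumption: meanings inferred only from the labelled values in the thread.
# Any other byte value is reported as unknown rather than guessed.
SCANNER = {0x10: "enabled", 0x00: "disabled"}
DEFINITIONS = {0x00: "current", 0x10: "out of date"}

def decode_product_state(value):
    """Split productState into provider / scanner / definitions bytes."""
    provider, scanner, defs = (value >> 16) & 0xFF, (value >> 8) & 0xFF, value & 0xFF
    return {
        "providers": [p.name for p in Provider if provider & p.value],
        "scanner": SCANNER.get(scanner, f"unknown (0x{scanner:02x})"),
        "definitions": DEFINITIONS.get(defs, f"unknown (0x{defs:02x})"),
    }

def triage(values):
    """Bucket values: healthy, decoded but unhealthy, or not decodable."""
    buckets = {"ok": [], "at_risk": [], "unknown": []}
    for v in values:
        d = decode_product_state(v)
        if d["scanner"].startswith("unknown") or d["definitions"].startswith("unknown"):
            key = "unknown"  # fail closed: never count these as healthy
        elif d["scanner"] == "enabled" and d["definitions"] == "current":
            key = "ok"
        else:
            key = "at_risk"
        buckets[key].append(hex(v))
    return buckets

# The 20 values listed in the last comment above (its hex column).
OBSERVED = [
    0x40000, 0x40010, 0x41000, 0x42000, 0x50000, 0x50010, 0x51000,
    0x54000, 0x60000, 0x60010, 0x60100, 0x60110, 0x61000, 0x61010,
    0x61100, 0x61110, 0x70000, 0x70010, 0x71000, 0x71010,
]

if __name__ == "__main__":
    print(triage(OBSERVED))
```

Six of the 20 observed values carry a scanner byte (0x01, 0x11, 0x20 or 0x40) that nothing in this thread labels, so a fleet script should report those separately instead of folding them into "enabled".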
