Windows Vista changed the WMI query used to get anti-virus information. Pre-Vista clients expose it in the root/SecurityCenter namespace, post-Vista clients in the root/SecurityCenter2 namespace. The namespace is not the only difference, though; compare what the query "select * from AntiVirusProduct" returns on each:
Pre-Vista clients (namespace root/SecurityCenter):

```
companyName              A Company
displayName              Company Product X
productUpToDate          true/false
onAccessScanningEnabled  true/false
versionNumber            1.2.3
```
Post-Vista clients (namespace root/SecurityCenter2):

```
displayName   Company Product X
productState  266240
```
The productState field is poorly documented on MSDN, if at all; the only information I found is in this MSDN blog post.
How to read the productState:

Convert productState to hex: 266240 -> 0x041000
Split the hex value into three bytes: 0x04, 0x10, 0x00.
The first byte is a WSC_SECURITY_PROVIDER enumeration value:

```c
typedef enum _WSC_SECURITY_PROVIDER {
    WSC_SECURITY_PROVIDER_FIREWALL             = 1,
    WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS  = 2,
    WSC_SECURITY_PROVIDER_ANTIVIRUS            = 4,
    WSC_SECURITY_PROVIDER_ANTISPYWARE          = 8,
    WSC_SECURITY_PROVIDER_INTERNET_SETTINGS    = 16,
    WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL = 32,
    WSC_SECURITY_PROVIDER_SERVICE              = 64,
    WSC_SECURITY_PROVIDER_NONE                 = 0
} WSC_SECURITY_PROVIDER;
```
Minimum supported client: Windows Vista, Source.
I assume the second byte indicates whether the scanner is active or not:

```c
typedef enum _WSC_SCANNER_SETTINGS {
    SCANNER_UNKNOWN = 1,
    SCANNER_RUNNING = 16
} WSC_SCANNER_SETTINGS;
```
The third byte is also an assumption; it indicates whether the .dat (definition) file is up to date:

```
0x00: up-to-date
0x10: too old! (or the last update check was made ages ago)
```
Here are some productState examples I found:

```
266240 -> 0x041000: ANTIVIRUS + active + dat_files_up_todate
266256 -> 0x041010: ANTIVIRUS + active + dat_files_NOT_up_todate
397312 -> 0x061000: ANTIVIRUS + AUTOUPDATE + active + dat_files_up_todate
397584 -> 0x061110 (Windows Defender started on Win7): ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
393488 -> 0x060110 (Windows Defender stopped on Win7): ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate
```
Any idea if my theory is right?
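As an added example (not code from the original post), here is a PowerShell decoder that applies the three-byte reading above to the productState values quoted in the post, and a wrapper around the root/SecurityCenter2 query itself. The provider names are the documented WSC_SECURITY_PROVIDER values; the meaning assigned to the second and third bytes is the post's assumption, and the function names are mine.

```powershell
# Added example (not from the original post): split the undocumented productState
# into the three bytes the post describes. Byte 1 is the documented
# WSC_SECURITY_PROVIDER mask; the meaning of bytes 2 and 3 is the post's assumption.
$WscSecurityProvider = [ordered]@{
    1 = 'FIREWALL'; 2 = 'AUTOUPDATE_SETTINGS'; 4 = 'ANTIVIRUS'; 8 = 'ANTISPYWARE'
    16 = 'INTERNET_SETTINGS'; 32 = 'USER_ACCOUNT_CONTROL'; 64 = 'SERVICE'
}

function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][int]$ProductState)
    # 0xAABBCC -> AA (provider), BB (scanner), CC (definitions); no -shr, so it runs on old hosts.
    $providerByte = [int](($ProductState -band 0xFF0000) / 0x10000)
    $scannerByte  = [int](($ProductState -band 0x00FF00) / 0x100)
    $defsByte     = $ProductState -band 0xFF

    # The provider byte is a bit mask: 0x07 (Symantec, reported in the comments) is
    # FIREWALL + AUTOUPDATE_SETTINGS + ANTIVIRUS, so list every set bit.
    $providers = foreach ($bit in $WscSecurityProvider.Keys) {
        if ($providerByte -band $bit) { $WscSecurityProvider[$bit] }
    }
    # Assumed per the post: 0x10 = real-time scanner on, 0x00 = off. Defender's
    # 0x11 / 0x01 is unexplained in the post, so it is reported as unknown, not guessed.
    $realTime = switch ($scannerByte) {
        0x10 { 'enabled' } 0x00 { 'disabled' } default { 'unknown (0x{0:X2})' -f $scannerByte }
    }
    # Assumed per the post: 0x00 = definitions current, 0x10 = out of date.
    $defs = switch ($defsByte) {
        0x00 { 'up-to-date' } 0x10 { 'out-of-date' } default { 'unknown (0x{0:X2})' -f $defsByte }
    }
    [pscustomobject]@{
        ProductState = $ProductState
        Hex          = '0x{0:X6}' -f $ProductState
        Providers    = $providers -join '+'
        RealTime     = $realTime
        Definitions  = $defs
    }
}

function Get-AntiVirusState {
    # Live query (Windows only) against the unsupported interface the post uses.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' | ForEach-Object {
        ConvertFrom-ProductState -ProductState $_.productState |
            Add-Member -NotePropertyName DisplayName -NotePropertyValue $_.displayName -PassThru
    }
}

# Offline check on the values quoted in the post (constructed input, no WMI needed).
266240, 266256, 397312, 462848, 397584 | ForEach-Object { ConvertFrom-ProductState $_ } | Format-Table -AutoSize
```

Because the interface is unsupported, treat any value that decodes to "unknown" as a prompt to verify the product's own status rather than as a definitive health result.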

Ah, I’ve been curious about this for a long time! I think that your theory holds up very well, the only real deviation I saw while testing was Symantec Endpoint Protection, which reported a WSC_SECURITY_PROVIDER of 7 while also claiming to not have a firewall. I’m more than happy to believe that’s an error on Symantec’s part :)
McAfee VirusScan Enterprise 8.7
266240 (0x041000) – Enabled, definitions are current
262144 (0x040000) – On Access Scan disabled, definitions are current
266256 (0x041010) – Enabled, definitions out of date
Microsoft Security Essentials
397328 (0x061010) – Enabled, definitions out of date
397312 (0x061000) – Enabled, definitions are current
Symantec Endpoint Protection 11.0 (Doesn’t have a firewall, but does have email scanning etc. Does have anti-spyware.)
462864 (0x071010) – Enabled, definitions out of date
462848 (0x071000) – Enabled, definitions are current
AVG Internet Security 2011
266240 (0x041000) – Enabled, definitions are current
Sophos 9.0 (has client firewall)
331776 (0x051000) – Enabled, definitions are current
Sunbelt VIPRE
266240 (0x041000) – Enabled, definitions are current
Kaspersky 8.0
266240 (0x041000) – Enabled, definitions are current
Thanks for your reply, Sam! About your issue:
>the only real deviation I saw while testing was Symantec Endpoint Protection, which reported a WSC_SECURITY_PROVIDER of 7 while also claiming to not have a firewall…
This means that the product provides WSC_SECURITY_PROVIDER_FIREWALL (1), WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS (2) and WSC_SECURITY_PROVIDER_ANTIVIRUS (4). I guess this is right.
Hi,
Did someone reach a formal answer for this?
Gil
You won’t get an official response to that question; you need to sign an NDA if you want to use that information.
Thanks.
Isn’t an NDA required only for registering a FW/AV/anti-spyware product?
Why is an NDA required for asking about already registered security components?
Here is the response of MS:
Reading directly from root\securitycenter and root\securitycenter2 are not documented or supported interfaces. As such, anyone who takes a dependency on them does so at their own risk. We do not share the productState details outside of Windows, even under NDA. Unfortunately, other than the WscGetSecurityProviderHealth interface, we don’t have a public interface to do what you are requesting at this time.
This theory is holding up pretty well. I’ll be integrating this into a script and running it against a few hundred machines with a myriad of configurations. Looking forward to seeing how it works out. Solid work, dude.
[...] in regards to definition updates and real-time protection. More information on this is available here. I haven’t found a complete reference to all possible values, the best I could find is available [...]
I’ve made some C# code looking for AntiVirus and AntiSpyware state of an Windows Station. If somebody is interested…. I’ll share it.
mailto:william.mimart@gmail.com