3

I need to check a group of servers to see whether the anti virus is up-to-date and running. Tricky thing is that they are spread over Windows 2003 and 2008 servers and I need to be able to check them all.

Is there any way of doing this with C# or VB.NET?

I have briefly looked around using WMI, but it appears on 2008/win7 computers Microsoft has changed what information they give back to you.

In summary, I need the following:

  • AV name
  • AV version
  • AV Up-to-Date
  • AV Enabled/Running

Can anyone help?

Michael Petrotta
Stuart Blackler

2 Answers

4

Sample can be found here using WMI as you mentioned. The poster states this is being done on a Win 7 machine; so the code below should get you started...

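// Requires a reference to System.Management.dll
using System;
using System.Management;

// Target host: "." is the local machine; replace with a host name or IP for remote checks.
string ipAddress = ".";

ConnectionOptions _connectionOptions = new ConnectionOptions();
//Not required while checking it in local machine.
//For remote machines you need to provide the credentials
//_connectionOptions.Username = "";
//_connectionOptions.Password = "";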
_connectionOptions.EnablePrivileges = true;
_connectionOptions.Impersonation = ImpersonationLevel.Impersonate;
//Connecting to SecurityCenter2 node for querying security details
ManagementScope _managementScope = new ManagementScope(string.Format("\\\\{0}\\root\\SecurityCenter2", ipAddress), _connectionOptions);
_managementScope.Connect();
//Querying
ObjectQuery _objectQuery = new ObjectQuery("SELECT * FROM AntivirusProduct");
ManagementObjectSearcher _managementObjectSearcher =
    new ManagementObjectSearcher(_managementScope, _objectQuery);
ManagementObjectCollection _managementObjectCollection = _managementObjectSearcher.Get();
if (_managementObjectCollection.Count > 0)
{
    foreach (ManagementObject item in _managementObjectCollection)
    {
        Console.WriteLine(item["displayName"]);
        //For Kaspersky AntiVirus, I am getting a null reference here.
        //Console.WriteLine(item["productUptoDate"]);

        //If the value of productState is 266240 or 262144, it's an updated one.
        Console.WriteLine(item["productState"]);
    }
}
Aaron McIver
  • Thanks for this. It was the productState I was originally confused by. This answer led me to: http://www.neophob.com/2010/03/wmi-query-windows-securitycenter2/ which helps with more info about the product state. Also found that SecurityCenter2 is Vista SP1+ apparently. – Stuart Blackler Jan 21 '11 at 11:09
  • A query, can we get the antivirus up-to-date feature in Windows 7?? @Aaron McIver – TechBrkTru Jun 05 '15 at 13:53
3

Depending on how your environment is set up you may need to specify your security and permissions. You should also note that some antivirus products (like McAfee) do not make data available through WMI.

You can query the Antivirus information from WMI using this snippet:

// Requires a reference to System.Management.dll
using System;
using System.Management;

string computer = Environment.MachineName;
string wmipath = @"\\" + computer + @"\root\SecurityCenter";
string query = @"SELECT * FROM AntivirusProduct";

// Scope path and WQL query are passed as strings
ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipath, query);
ManagementObjectCollection results = searcher.Get();

foreach (ManagementObject result in results)
{
    // do something with result["propertyName"], e.g. result["displayName"]
}
Greg Buehler
  • I wonder how WHS gets information on the client machine to know whether you have AV installed or not...as McAfee is one of those options; could be vendor specific I gather. – Aaron McIver Jan 20 '11 at 17:52
  • @Aaron I am really fuzzy on how the detection works, but I remember it has to do with the McAfee eOrchestrator crud. – Greg Buehler Jan 20 '11 at 17:56
  • Thanks for the answer Greg. Appears to work on XP/Vista (pre-SP1) and NT 2003. Going through more testing now. – Stuart Blackler Jan 21 '11 at 11:12
  • 1
    Sorry, forgot to add: not on Server platforms (2003-2008), as they do not have the namespace to check – Stuart Blackler Jan 21 '11 at 12:09
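
Added example, not code from either answer: it tries the `SecurityCenter2` namespace from the first answer, falls back to the legacy `SecurityCenter` namespace from the second, and reports when neither exists (the Server case noted in the comments). The `productState` byte layout is an undocumented, commonly cited assumption that agrees with the values 266240 and 262144 quoted above; the legacy property names `versionNumber` and `onAccessScanningEnabled` are likewise assumptions about the `root\SecurityCenter` class.

```csharp
using System;
using System.Management; // add a reference to System.Management.dll

static class AvCheck
{
    // ASSUMPTION (undocumented): productState read as hex 0xPPSSDD, where
    // SS bit 0x10 = real-time scanning on and DD == 0x00 = definitions current.
    // 266240 = 0x041000 -> enabled, up to date; 262144 = 0x040000 -> disabled, up to date.
    public static bool IsEnabled(uint state)  { return ((state >> 8) & 0x10) != 0; }
    public static bool IsUpToDate(uint state) { return (state & 0xFF) == 0x00; }

    // Returns false when the namespace or an expected property is missing.
    // Access-denied and unreachable-host errors are left to propagate.
    static bool Report(string host, string ns)
    {
        try
        {
            var searcher = new ManagementObjectSearcher(
                string.Format(@"\\{0}\root\{1}", host, ns),
                "SELECT * FROM AntiVirusProduct");
            foreach (ManagementObject av in searcher.Get())
            {
                if (ns == "SecurityCenter2")
                {
                    uint state = Convert.ToUInt32(av["productState"]);
                    Console.WriteLine("{0}: enabled={1} upToDate={2} (0x{3:X6})",
                        av["displayName"], IsEnabled(state), IsUpToDate(state), state);
                }
                else // legacy namespace: flags are separate properties (assumed names)
                {
                    Console.WriteLine("{0} {1}: enabled={2} upToDate={3}",
                        av["displayName"], av["versionNumber"],
                        av["onAccessScanningEnabled"], av["productUptoDate"]);
                }
            }
            return true;
        }
        catch (ManagementException) { return false; } // e.g. invalid namespace
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "."; // "." = local machine
        if (!Report(host, "SecurityCenter2") && !Report(host, "SecurityCenter"))
            Console.WriteLine("{0}: no Security Center namespace; query the AV vendor's own interface.", host);
    }
}
```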