One of the initial tasks of a Windows user is to determine whether a computer has antivirus enabled. For modern Windows 10 machines, Windows Defender has been doing a good job of protecting client machines. Often, enterprises opt to deploy third-party malware and ransomware protection in addition to Microsoft’s default safeguard. This paragraph is getting longer than I’m willing to write non-code stuff. Here goes the work-in-progress scripty for your entertainment and/or refactoring considerations.
# detectWindowsAntivirus.ps1
# Version: 0.0.1
# License: GPLv3
# What this does: you know.
# User provided variables:
# Regex of product-name fragments treated as antivirus products. Extend this pattern
# with the names of the products used in your organization; it is matched
# case-insensitively against installed-program names further down.
$expectedAntivirusNames = 'antivirus|endpoint|protection|defender|msmpeng|guard'
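function detectAntivirus{
    <#
    .SYNOPSIS
    Reports antivirus product names found on a computer.

    .DESCRIPTION
    Tries three sources in order and returns the first one that yields a hit:
      1. The AntiVirusProduct class in root\SecurityCenter2 (client Windows only;
         the namespace is not present on Server SKUs).
      2. The Win32_InstalledWin32Program CIM class, filtered by $keywords.
      3. The HKLM Uninstall keys (64-bit and Wow6432Node views) read through the
         remote registry, with $keywords matched against DisplayName and Comments.
    Returns $false when no source produces a match.

    Caveats for anyone using the output as a compliance signal:
      - A product name only shows that something is installed. It says nothing
        about whether real-time protection is running or signatures are current;
        the SecurityCenter2 class exposes that in productState, which this
        function does not decode. For Defender itself, Get-MpComputerStatus is
        the authoritative source and also works on Server SKUs.
      - Sources 2 and 3 are keyword matches. Broad fragments such as
        "protection" or "guard" can match unrelated software, so treat those
        results as candidates to verify rather than confirmed antivirus.

    .PARAMETER computername
    Target computer. Defaults to the local machine.

    .PARAMETER keywords
    Regular expression matched against product names (-match is
    case-insensitive, so no case folding is needed). Used by sources 2 and 3 only.
    #>
    param(
        $computername=$env:computername,
        $keywords="antivirus|endpoint|protection|defender|msmpeng|guard"
    )

    # First: Security Center. Get-CimInstance is used (as the AppWiz step already does)
    # so the script also runs on PowerShell 7, where Get-WmiObject does not exist.
    # The earlier version splatted @PSBoundParameters into the query; whenever the
    # caller bound -computername and -keywords that passed -ComputerName twice and an
    # unknown -keywords parameter, so this source always threw and was silently skipped.
    $antivirusFromSecurityCenter = .{
        try{
            $securityCenter = Get-CimInstance -ComputerName $computername -Namespace "root\SecurityCenter2" -Query "SELECT * FROM AntiVirusProduct" -ErrorAction Stop
            # Null when the namespace exists but holds no product; that falls through.
            return $securityCenter.displayName
        }catch{
            return $false
        }
    }
    if($antivirusFromSecurityCenter){ return $antivirusFromSecurityCenter }

    # Second: installed-program list (what AppWiz.cpl shows), filtered by the keyword regex.
    write-host "Unable to detect antivirus in namespace root\SecurityCenter2. Now querying AppWiz.cpl ..."
    $antivirusFromAppwiz = .{
        try{
            $installed = Get-CimInstance -ClassName win32_InstalledWin32Program -ComputerName $computername -ErrorAction Stop
            $matched = $installed | Where-Object { $_.Name -match $keywords } | ForEach-Object { "$($_.Name)" }
            return $matched
        }catch{
            return $false
        }
    }
    if($antivirusFromAppwiz){ return $antivirusFromAppwiz }

    # Third: walk both Uninstall hives in the registry.
    write-host "Unable to detect antivirus in AppWiz. Now querying registry ..."
    $antivirusFromRegistry = .{
        $results = @()
        try{
            $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $computername)
        }catch{
            write-host "unable to open remote registry of $computerName"
            return $false
        }
        try{
            $regPathList = "SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
                           "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
            foreach($regPath in $regPathList){
                $key = $hive.OpenSubKey($regPath)
                # Wow6432Node is absent on 32-bit hosts; the old code then called Close() on $null.
                if(-not $key){ continue }
                try{
                    foreach($subkeyName in $key.GetSubKeyNames()){
                        $productKey = $key.OpenSubKey($subkeyName)
                        # OpenSubKey returns $null on access denied or if the key vanished mid-walk.
                        if(-not $productKey){ continue }
                        try{
                            # [string] turns a missing value ($null) into "" so -match never sees $null.
                            $productName = [string]$productKey.GetValue("DisplayName")
                            $productComments = [string]$productKey.GetValue("Comments")
                            if(($productName -match $keywords) -or ($productComments -match $keywords)){
                                $results += $productName
                            }
                        }finally{
                            $productKey.Close()
                        }
                    }
                }finally{
                    $key.Close()
                }
            }
        }finally{
            # The remote hive handle was never released before; close it on every path.
            $hive.Close()
        }
        return $results
    }
    if($antivirusFromRegistry){ return $antivirusFromRegistry }

    # Finally: nothing matched anywhere.
    write-host "Unable to detect antivirus in registry ..."
    return $false
}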
# Run the detection against the local machine using the organization's keyword list.
detectAntivirus -computername localhost -keywords $expectedAntivirusNames