How To Tell What AntiVirus Software Is Installed on a Remote Windows Computer


Windows 10 has a decent AntiVirus built right into the system, namely Windows Defender. To get details about its status, use this cmdlet:

Get-MpPreference

However, if you have a third-party AntiVirus installed, Get-MpPreference is no longer enough, because it only reports on Windows Defender. Use the following instead:

Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntiVirusProduct

To run it against a remote computer, add the -ComputerName parameter to the command.

Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntiVirusProduct -ComputerName $computer

Digging a bit deeper: how do you find out the status of the installed AntiVirus software?

The ProductState property encodes several additional pieces of information, such as whether the AV engine is operational and whether it is using up-to-date signature data. To decipher this information, refer to this post that demonstrates how to use PowerShell’s new support for enumerations.

Putting it all together:

# define bit flags
 
[Flags()] enum ProductState 
{
      Off         = 0x0000
      On          = 0x1000
      Snoozed     = 0x2000
      Expired     = 0x3000
}
 
[Flags()] enum SignatureStatus
{
      UpToDate     = 0x00
      OutOfDate    = 0x10
}
 
[Flags()] enum ProductOwner
{
      NonMs        = 0x000
      Windows      = 0x100
}
 
# define bit masks
 
[Flags()] enum ProductFlags
{
      SignatureStatus = 0x00F0
      ProductOwner    = 0x0F00
      ProductState    = 0xF000
}
 
# get bits ($computer must already hold the name of the target computer)
$infos = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ComputerName $computer
foreach ($info in $infos) {
    [UInt32]$state = $info.productState
 
    # decode bit flags by masking the relevant bits, then converting
    [PSCustomObject]@{
          ProductName = $info.DisplayName
          ProductState = [ProductState]($state -band [ProductFlags]::ProductState)
          SignatureStatus = [SignatureStatus]($state -band [ProductFlags]::SignatureStatus)
          Owner = [ProductOwner]($state -band [ProductFlags]::ProductOwner)
    }
}

The result is pretty nice.


It would be even more useful to run the script across a whole network to assess how AntiVirus software is deployed and maintained there.
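One way to do that sweep, as an added example that is not part of the original post: it decodes productState with the same masks as the enums above and records unreachable or unqueryable hosts in an Error column instead of aborting. The function names `ConvertFrom-ProductState` and `Get-RemoteAvStatus` and the sample productState values are hypothetical and constructed for illustration.

```powershell
# Added example. Function names and sample values are hypothetical/constructed.
function ConvertFrom-ProductState {
    param([Parameter(Mandatory)][uint32]$State)
    # Same masks as the page's enums: 0xF000 state, 0x0F00 owner, 0x00F0 signatures
    $productState = switch ($State -band 0xF000) {
        0x0000  { 'Off' }
        0x1000  { 'On' }
        0x2000  { 'Snoozed' }
        0x3000  { 'Expired' }
        default { 'Unknown' }
    }
    $signature = switch ($State -band 0x00F0) {
        0x00    { 'UpToDate' }
        0x10    { 'OutOfDate' }
        default { 'Unknown' }
    }
    $owner = switch ($State -band 0x0F00) {
        0x000   { 'NonMs' }
        0x100   { 'Windows' }
        default { 'Unknown' }
    }
    [PSCustomObject]@{ ProductState = $productState; SignatureStatus = $signature; Owner = $owner }
}

function Get-RemoteAvStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $row = [ordered]@{ Computer = $computer; ProductName = $null; ProductState = $null
                           SignatureStatus = $null; Owner = $null; Error = $null }
        try {
            $products = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
                              -ComputerName $computer -ErrorAction Stop)
            if ($products.Count -eq 0) { $row.Error = 'No AntiVirusProduct registered' }
        } catch {
            $products = @()
            $row.Error = $_.Exception.Message   # unreachable host, access denied, missing namespace
        }
        if ($row.Error) { [PSCustomObject]$row; continue }
        foreach ($p in $products) {
            $d = ConvertFrom-ProductState -State $p.productState
            $row.ProductName = $p.displayName; $row.ProductState = $d.ProductState
            $row.SignatureStatus = $d.SignatureStatus; $row.Owner = $d.Owner
            [PSCustomObject]$row   # one output row per registered product
        }
    }
}

# Offline check of the decoder on constructed productState values
397568, 397584, 266240, 262144 | ForEach-Object { ConvertFrom-ProductState -State $_ }
```

Pipe the output of `Get-RemoteAvStatus` to `Where-Object` to keep only rows with an Error, a ProductState other than On, or a SignatureStatus other than UpToDate. The remote query relies on WinRM being reachable on each target, and the root/SecurityCenter2 namespace exists only on client editions of Windows, so servers will show up in the Error column.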
