Detect Antivirus on Windows using C# [closed]
Asked Answered
M

3

21

Is there a way to detect whether there is an antivirus software installed in a machine using C#? I know the Security Center detects antivirus software but how can you detect that in C#?

Mlle answered 26/8, 2009 at 1:22 Comment(2)
You can use WMI; see here.Keenan
is there any way to know whether the antivirus is updated on the system in windows [email protected]Tella
B
36

According to Microsoft, The Windows Security Center uses a two-tiered approach for detection status. One tier is manual, and the other tier is automatic through Windows Management Instrumentation (WMI). In manual detection mode, Windows Security Center searches for registry keys and files that are provided to Microsoft by independent software manufacturers. These registry keys and files let Windows Security Center detect the status of independent software. In WMI mode, software manufacturers determine their own product status and report that status back to Windows Security Center through a WMI provider. In both modes, Windows Security Center tries to determine whether the following is true:

An antivirus program is present.

The antivirus signatures are up-to-date.

Real-time scanning or on-access scanning is turned on for antivirus programs.

For firewalls, Windows Security Center detects whether a third-party firewall is installed and whether the firewall is turned on or not.

So in order to determine the presence of an antivirus software, you can use the WMI making a connection to the root\SecurityCenter namespace (starting with windows Vista you must use the root\SecurityCenter2 namespace), and then query for the AntiVirusProduct WMI class.

Look at this sample code

using System;
using System.Text;
using System.Management;

namespace ConsoleApplication1
{
  class Program
  {
    public static bool AntivirusInstalled()
    {

      string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter";
      try
      {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
        ManagementObjectCollection instances = searcher.Get();
        return instances.Count > 0;
      }

      catch (Exception e)
      {
        Console.WriteLine(e.Message);
      }

      return false;
    } 

    public static void Main(string[] args)
    {
      bool returnCode = AntivirusInstalled();
      Console.WriteLine("Antivirus Installed " + returnCode.ToString());
      Console.WriteLine();
      Console.Read();
    }

  }
}
Belda answered 26/8, 2009 at 1:34 Comment(11)
Does anyone how to do this on Windows 7?Naught
In windows 7 you must use the \root\SecurityCenter2 namespaceBelda
I tried it on Windows server 2008. However, I am getting an exception "Invalid Namespace". It works on Windows 7.Alpine
These classes only are available in the Windows Desktop editions.Belda
Okay thanks..is there any way i could find if an antivirus is installed on a server ?Alpine
@RahilMansuri, Try this #13732851Belda
@Belda I have already tried that.. it doesn't work.. its written there.. the securityCenter and securityCenter2 classes are not there for the server editionsAlpine
Check the accepted answer ... I ended up performing a dictonary search on the local system drivers and processes looking for a pattern of know anti-virus signatures (such as folder names, processes names, etc...)Belda
@Belda yes, that is the last resort..i was hoping to find another way to do it..Alpine
Is there any way to get the antivirus version update information in Win 7 @BeldaTella
What If I want to add these details for my own antivirus product is there a way to insert it ???Anuska
S
9

Open C:\Windows\System32\wbem\wscenter.mof by Notepad. It helps you which namespaces and classes exist:


C# Query:

// SELECT * FROM AntiVirusProduct
// SELECT * FROM FirewallProduct
// SELECT * FROM AntiSpywareProduct
ManagementObjectSearcher wmiData = new ManagementObjectSearcher(@"root\SecurityCenter2", "SELECT * FROM AntiVirusProduct");
ManagementObjectCollection data = wmiData.Get();

foreach (ManagementObject virusChecker in data)
{
    var virusCheckerName = virusChecker["displayName"];
}

wscenter.mof:

#pragma autorecover
#pragma classflags(64)
#pragma namespace("\\\\.\\root")

[NamespaceSecuritySDDL("O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:(A;CI;0x1;;;BU)(A;CI;0x1;;;BA)(A;CI;0x1;;;NS)(A;CI;0x1;;;LS)(A;CI;0x1;;;AU)(A;CI;0x6001D;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)")] 
Instance of __namespace
{
  Name = "SecurityCenter";
};

[NamespaceSecuritySDDL("O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:(A;CI;0x1;;;BU)(A;CI;0x1;;;BA)(A;CI;0x1;;;NS)(A;CI;0x1;;;LS)(A;CI;0x1;;;AU)(A;CI;0x6001D;;;S-1-5-80-3232712927-1625117661-2590453128-1738570065-3637376297)")] 
Instance of __namespace
{
  Name = "SecurityCenter2";
};
#pragma namespace("\\\\.\\root\\SecurityCenter")

class AntiVirusProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  [Not_Null] boolean productUptoDate;
  boolean onAccessScanningEnabled;
  boolean productHasNotifiedUser;
  boolean productWantsWscNotifications;
  uint8 productState;
  string companyName;
  string versionNumber;
  string pathToSignedProductExe;
};

class FirewallProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  boolean enabled;
  boolean productHasNotifiedUser;
  boolean productWantsWscNotifications;
  uint8 productState;
  string companyName;
  string versionNumber;
  string pathToSignedProductExe;
};

class AntiSpywareProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  [Not_Null] boolean productUptoDate;
  boolean productEnabled;
  boolean productHasNotifiedUser;
  boolean productWantsWscNotifications;
  uint8 productState;
  string companyName;
  string versionNumber;
  string pathToSignedProductExe;
};
#pragma namespace("\\\\.\\root\\SecurityCenter2")

class AntiVirusProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  [Not_Null] string pathToSignedProductExe;
  [Not_Null] string pathToSignedReportingExe;
  [Not_Null] uint32 productState;
  string timestamp;
};

class FirewallProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  [Not_Null] string pathToSignedProductExe;
  [Not_Null] string pathToSignedReportingExe;
  [Not_Null] uint32 productState;
  string timestamp;
};

class AntiSpywareProduct
{
  [key,Not_Null] string instanceGuid;
  [Not_Null] string displayName;
  [Not_Null] string pathToSignedProductExe;
  [Not_Null] string pathToSignedReportingExe;
  [Not_Null] uint32 productState;
  string timestamp;
};
#pragma autorecover
Strongarm answered 9/1, 2017 at 15:6 Comment(0)
C
3

The WMI query changes slightly in Vista SP2 and beyond.

Try this part \root\SecurityCenter2 instead of \root\SecurityCenter

The results are slightly different as well. You can still get the display name, but you'll need to do a bit of bit masking for the ProductState field to determine if the onAccessScanner is enabled / disabled and the upToDate kind of information.

Clustered answered 9/10, 2010 at 22:23 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.