How to detect antivirus on Windows Server 2008 in C#?

I have seen code samples similar to the following numerous times in my search for an answer:

using System;
using System.Text;
using System.Management;   // requires a reference to System.Management.dll

namespace ConsoleApplication1
{
  class Program
  {
    public static bool AntivirusInstalled()
    {
      // Security Center namespace of Windows XP; Vista and later clients use root\SecurityCenter2.
      string wmipathstr = @"\\" + Environment.MachineName + @"\root\SecurityCenter";
      try
      {
        ManagementObjectSearcher searcher = new ManagementObjectSearcher(wmipathstr, "SELECT * FROM AntivirusProduct");
        ManagementObjectCollection instances = searcher.Get();
        return instances.Count > 0;
      }
      catch (Exception e)
      {
        // On Windows Server 2008 this prints "Invalid namespace": the Security Center
        // namespaces do not exist on server editions, so the query cannot succeed there.
        Console.WriteLine(e.Message);
      }

      return false;
    }

    public static void Main(string[] args)
    {
      bool returnCode = AntivirusInstalled();
      Console.WriteLine("Antivirus Installed " + returnCode.ToString());
      Console.WriteLine();
      Console.Read();
    }
  }
}

Unfortunately, it appears that Windows Server 2008 does not have the SecurityCenter or SecurityCenter2 namespace, so I get an Invalid namespace exception when trying this approach.

Does anyone know of a way to determine if there is antivirus software running on Windows Server 2008? Any help is appreciated!

Pirogue answered 5/12, 2012 at 21:0 Comment(13)
I did see that post, but I am really looking for a C# specific answer. - Pirogue
Not related, but make a habit of using return instances.Any(); instead of Count > 0 - if instances is a very long list, counting all the members just to see if there are more than zero is a bad idea :) - Mammillate
Thanks for the tip! I simply copied the code example from here, but I'll keep this in mind if I ever get mine working! - Pirogue
Can you try this command on your server: "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List" ... does it show anything? - Unpleasantness
I get: ERROR Description = Invalid Namespace - Pirogue
@Amitd, that only works with client-side/desktop operating systems. The SecurityCenter namespaces do not exist on Server 2003/2008. - Sailmaker
Just noticed this on MSDN: msdn.microsoft.com/en-us/library/bb432506.aspx but don't know how to use it in C#. - Unpleasantness
@Unpleasantness Per the article, it looks like that function is for desktop apps only and is not supported on servers. - Pirogue
@Mammillate this is only the case when you use Count() on an IEnumerable that isn't a Collection. Count on a Collection only accesses a member variable and is an O(1) operation. - Shelleyshellfire
There is no good option to achieve what you want - see TechNet... - Proportion
Do you have access to the server? If so, you can turn on SecurityCenter. It is included in 2008 but is not enabled by default. See this post: social.msdn.microsoft.com/Forums/en/… - Smuggle
serverfault.com/questions/12343/… - Unrounded
You could get a list of running processes with Process.GetProcesses() and loop through the list and create filters for each AV product that you want to find. - Unrounded
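The "Invalid namespace" failure is the interesting case, so here is an added example (not code from the question or any answer) that probes root\SecurityCenter2 and root\SecurityCenter in turn, uses ManagementException.ErrorCode to tell an absent namespace apart from other WMI errors (access denied, repository problems), and lists displayName and productState for whatever is registered. The class, field and method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Management;   // reference System.Management.dll

// Added example (not the question's code): probe both Security Center namespaces and
// report why a probe failed instead of swallowing the exception.
public static class SecurityCenterProbe
{
    // Result of probing one namespace.
    public sealed class ProbeResult
    {
        public string Namespace;
        public bool NamespaceAvailable;        // false when WMI reports InvalidNamespace
        public string Error;                   // null when the query succeeded
        public List<string> Products = new List<string>();
    }

    // Windows XP exposes root\SecurityCenter, Vista and later clients root\SecurityCenter2.
    // Server editions such as Windows Server 2008 expose neither, which surfaces as the
    // "Invalid namespace" error the question describes.
    static readonly string[] Namespaces = { @"root\SecurityCenter2", @"root\SecurityCenter" };

    public static ProbeResult Probe(string wmiNamespace)
    {
        var result = new ProbeResult { Namespace = wmiNamespace };
        var scope = new ManagementScope(@"\\" + Environment.MachineName + @"\" + wmiNamespace);
        var query = new ObjectQuery("SELECT displayName, productState FROM AntiVirusProduct");
        try
        {
            scope.Connect();   // throws ManagementException if the namespace is missing
            using (var searcher = new ManagementObjectSearcher(scope, query))
            using (var instances = searcher.Get())
            {
                foreach (ManagementObject av in instances)
                {
                    // productState is a vendor-reported status word whose bit layout
                    // Microsoft does not document, so it is shown raw rather than decoded.
                    result.Products.Add(string.Format("{0} (productState=0x{1:X6})",
                        av["displayName"], Convert.ToUInt32(av["productState"])));
                }
            }
            result.NamespaceAvailable = true;
        }
        catch (ManagementException ex)
        {
            // ErrorCode separates "namespace does not exist" from other WMI failures,
            // which need different handling (the original code printed only the message).
            result.NamespaceAvailable = ex.ErrorCode != ManagementStatus.InvalidNamespace;
            result.Error = ex.ErrorCode + ": " + ex.Message;
        }
        return result;
    }

    public static List<ProbeResult> ProbeAll()
    {
        var results = new List<ProbeResult>();
        foreach (var ns in Namespaces)
            results.Add(Probe(ns));
        return results;
    }

    // True only if some namespace was queryable AND listed at least one product.
    public static bool AnyProductRegistered(List<ProbeResult> results)
    {
        foreach (var r in results)
            if (r.Error == null && r.Products.Count > 0) return true;
        return false;
    }

    public static void Main()
    {
        var results = ProbeAll();
        foreach (var r in results)
        {
            string detail = r.Error ?? (r.Products.Count == 0
                ? "namespace present, no AntiVirusProduct instances"
                : string.Join("; ", r.Products.ToArray()));
            Console.WriteLine("{0}: {1}", r.Namespace, detail);
        }
        Console.WriteLine("Antivirus registered with Security Center: " + AnyProductRegistered(results));
    }
}
```

On a client OS this prints the registered products; on Windows Server 2008 both probes come back with InvalidNamespace, which is the signal to fall back to one of the other methods in this thread rather than to conclude "no antivirus".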
2

I faced this problem some time ago for a client and I ended up performing a dictionary search on the local system drivers and processes looking for a pattern of known anti-virus signatures (such as folder names, process names, etc...). It's not 100% sure because somewhere someone will download a brand new anti-virus that you're unaware of, but that apart, it was very effective...

Defiant answered 10/12, 2012 at 17:12 Comment(5)
I was really hoping for an easier answer, but it's starting to sound like this may be the only way to accomplish what I want to do... - Pirogue
I know that this sounds tedious and "idiotic" but I really spent some time thinking this out (ok, maybe I'm idiotic)... - Defiant
And I don't even necessarily mean your specific way of doing it, but the general idea of compiling a list of antivirus products to check for. Especially because my reason for checking for an antivirus seems kind of trivial in comparison to the amount of effort it will take to come up with a list of antiviruses to check for haha - Pirogue
It is the kind of job which a number of viruses, trojans and worms perform - so they can circumvent specific anti-virus scanners. It may appear a bit odd, but looking the other way round for sources on how to write such nasty crap could be of help. Look into the "dark corners" of the internet, where "virus authors" meet ... - Cleromancy
@Defiant I'll probably try a few different methods, but currently I'm looking at doing this approach in C#. - Pirogue
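The dictionary approach from this answer in C#, as an added example that is not the answerer's code: it compares running processes, installed services and folders under Program Files against a table of indicators. The Windows Defender entries (process MsMpEng, service WinDefend, folder "Windows Defender") are real names; the "Example*" entries are constructed placeholders showing the table's shape, and the table has to be filled from an inventory of the products you actually need to recognise. As the answer says, a product that is not in the table is invisible to the scan.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.ServiceProcess;   // reference System.ServiceProcess.dll

// Added example, not code from the answer: scan processes, services and folders
// against a table of known antivirus indicators.
public static class AvIndicatorScan
{
    public sealed class Indicator
    {
        public string Kind;      // "process", "service" or "folder"
        public string Name;      // process name (no .exe), service short name, or folder under Program Files
        public string Product;   // label reported when the indicator is present
    }

    // Only the Windows Defender rows are real names; the "Example*" rows are placeholders.
    static readonly Indicator[] Indicators =
    {
        new Indicator { Kind = "process", Name = "MsMpEng",          Product = "Windows Defender / Microsoft Security Essentials engine" },
        new Indicator { Kind = "service", Name = "WinDefend",        Product = "Windows Defender service" },
        new Indicator { Kind = "folder",  Name = "Windows Defender", Product = "Windows Defender install folder" },
        new Indicator { Kind = "process", Name = "ExampleAvScanner", Product = "placeholder (constructed, not a real product)" },
        new Indicator { Kind = "service", Name = "ExampleAvService", Product = "placeholder (constructed, not a real product)" },
    };

    public sealed class Hit
    {
        public Indicator Indicator;
        public string Detail;      // pid, service status, or folder path
        public bool Active;        // running process or running service; a folder only proves installation
    }

    public static List<Hit> Scan()
    {
        var hits = new List<Hit>();
        var cmp = StringComparer.OrdinalIgnoreCase;

        // Processes: Process.ProcessName already has the .exe stripped.
        var running = new Dictionary<string, int>(cmp);
        foreach (var p in Process.GetProcesses())
            using (p) { running[p.ProcessName] = p.Id; }

        // Services: ServiceName is the short name, not the display name.
        var services = new Dictionary<string, ServiceControllerStatus>(cmp);
        foreach (var s in ServiceController.GetServices())
            using (s) { services[s.ServiceName] = s.Status; }

        string programFiles = Environment.GetFolderPath(Environment.SpecialFolder.ProgramFiles);

        foreach (var ind in Indicators)
        {
            switch (ind.Kind)
            {
                case "process":
                {
                    int pid;
                    if (running.TryGetValue(ind.Name, out pid))
                        hits.Add(new Hit { Indicator = ind, Detail = "pid " + pid, Active = true });
                    break;
                }
                case "service":
                {
                    ServiceControllerStatus status;
                    if (services.TryGetValue(ind.Name, out status))
                        hits.Add(new Hit { Indicator = ind, Detail = status.ToString(),
                                           Active = status == ServiceControllerStatus.Running });
                    break;
                }
                case "folder":
                {
                    string dir = Path.Combine(programFiles, ind.Name);
                    if (Directory.Exists(dir))
                        hits.Add(new Hit { Indicator = ind, Detail = dir, Active = false });
                    break;
                }
            }
        }
        return hits;
    }

    public static void Main()
    {
        var hits = Scan();
        if (hits.Count == 0)
        {
            // No hit means "nothing from the table is present", not "no antivirus".
            Console.WriteLine("No known indicators found");
            return;
        }
        foreach (var h in hits)
            Console.WriteLine("{0} {1} [{2}] -> {3}{4}", h.Indicator.Kind, h.Indicator.Name,
                h.Detail, h.Indicator.Product, h.Active ? " (active)" : "");
    }
}
```

The Active flag is what separates "installed" from "running", which the comments on the question ask about: a service in Stopped state or a folder without a matching process points at a product that is present but not protecting the machine.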
6

Use the EICAR test virus.

  1. Have your application try to write one of these files on disk: http://www.eicar.org/85-0-Download.html
  2. Catch the exception

It will not only work on every anti-virus on earth, but it will also tell you if the anti-virus is active!

You may find it hard to download the test file if you have anti-virus active, so you may want to use this string instead:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Keep in mind, you probably want to keep the string encoded on your app and decode it just before you write it to disk. Otherwise you may risk your app being detected as a virus :)

On the EICAR site, they say:

Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long

However, I wouldn't count on AV developers having read the spec, so better just keep the string encoded. In fact, I just tried to save the string in a .txt file on my desktop with some additional characters in it and Windows Defender started screaming.

Thermometry answered 13/12, 2012 at 22:48 Comment(5)
How exactly will I be able to tell if the anti-virus is active after running the test file? - Pirogue
You don't run the test file. You won't be able to save the file. Anti-virus will prevent you from doing it. So if you try to write a text file onto disk with the aforementioned string in it, you should get an exception. To double-check, you can try reading the file. It shouldn't be there because the anti-virus detected and removed it. If it didn't, better check if the AV is working alright. - Lave
I copied the string above into a text file and saved it just fine. So either Symantec Endpoint Protection does not deal with that string, or it is not all-encompassing. - Sailmaker
SEP should deal with that string. See here: symantec.com/business/support/… - Lave
I don't think this approach is really the way to go for my specific scenario. My purpose in checking for anti-virus is that our software sometimes doesn't play well with firewall/anti-virus, so possibly having our application labeled as an anti-virus probably isn't the way to go. Upvote for the helpful information though! - Pirogue
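The EICAR check described in this answer, as an added example that is not the answerer's code. It writes the 68-byte test string (the one quoted in the answer, kept as two halves in source and joined at run time, which is the answer's "keep it encoded" point) to a temporary file and then classifies what happened: the write was refused, the file was quarantined afterwards, the file was altered, or nothing reacted. Class and method names are this example's own.

```csharp
using System;
using System.IO;
using System.Text;
using System.Threading;

// Added example, not code from the answer: exercise the on-access scanner with the
// EICAR test string and classify the outcome. The string is stored in two halves so the
// compiled binary does not itself contain the 68-byte signature.
public static class EicarProbe
{
    public enum Outcome
    {
        WriteBlocked,   // the write itself failed: an on-access scanner refused it
        FileRemoved,    // write succeeded but the file was gone (or locked) afterwards
        FileAltered,    // file still there but its contents changed (truncated/cleaned)
        NotDetected     // file written and read back intact: nothing intervened
    }

    static string TestString()
    {
        // Both halves are the published EICAR test string; exactly 68 ASCII characters.
        return "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
    }

    public static Outcome Run(string path, int settleMs)
    {
        byte[] payload = Encoding.ASCII.GetBytes(TestString());   // 68 bytes, no trailing newline
        try
        {
            File.WriteAllBytes(path, payload);
        }
        catch (IOException) { return Outcome.WriteBlocked; }
        catch (UnauthorizedAccessException) { return Outcome.WriteBlocked; }

        // Some scanners let the write complete and quarantine the file a moment later,
        // so give them time before looking.
        Thread.Sleep(settleMs);
        try
        {
            if (!File.Exists(path)) return Outcome.FileRemoved;
            byte[] readBack = File.ReadAllBytes(path);
            if (readBack.Length != payload.Length) return Outcome.FileAltered;
            for (int i = 0; i < payload.Length; i++)
                if (readBack[i] != payload[i]) return Outcome.FileAltered;
            return Outcome.NotDetected;
        }
        catch (IOException) { return Outcome.FileRemoved; }
        catch (UnauthorizedAccessException) { return Outcome.FileRemoved; }
        finally
        {
            // Remove whatever survived; File.Delete is a no-op if the file is already gone.
            try { File.Delete(path); }
            catch (IOException) { }
            catch (UnauthorizedAccessException) { }
        }
    }

    // Any outcome other than NotDetected means something reacted to the test file.
    public static bool ScannerActive(Outcome o) { return o != Outcome.NotDetected; }

    public static void Main()
    {
        // .com is the extension the EICAR file is traditionally distributed with; a scanner
        // configured to check only executable types would not look at a .txt.
        string path = Path.Combine(Path.GetTempPath(), "eicar-probe-" + Guid.NewGuid().ToString("N") + ".com");
        Outcome o = Run(path, 2000);
        Console.WriteLine("{0} -> on-access scanner active: {1}", o, ScannerActive(o));
    }
}
```

Only NotDetected means no on-access scanner reacted; the settle delay matters because some products quarantine after the write returns rather than blocking it, which is why the answer's comment suggests reading the file back. The probe says nothing about which product is present; the name-based checks elsewhere in this thread cover that.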
3

Hmmm, I ended up playing around with PowerShell:

# Win32_Product lists MSI-installed packages only, and querying it makes Windows Installer
# run a consistency check (and possibly a repair) of every installed package, so it is slow.
# @() keeps .Count valid when exactly one product matches (PowerShell 2.0 has no Count on a scalar).
$avSoftware = @(get-wmiobject -class "Win32_Product" -namespace "root\cimv2" -computername "." -filter "Name like '%antivirus%'")
if ($avSoftware.Count -gt 0) {
    foreach ($av in $avSoftware) {
        write-host $av.Name
    }
} else {
    write-host "No AV software found"
}

It seems to be working both on our Windows Server 2008 and 2008 R2 instances...

More info here: https://serverfault.com/questions/12343/how-can-i-determine-whether-an-antivirus-product-is-installed

Thermometry answered 14/12, 2012 at 20:19 Comment(1)
The current version of McAfee on my machine shows up as 'McAfee VirusScan Enterprise', so -filter "Name like '%virus%'" might match more cases. - Syllabogram
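The same name-pattern search in C#, as an added example that is not the answerer's code. Instead of Win32_Product (which lists only MSI-installed packages and, each time it is queried, makes Windows Installer run a consistency check and possibly a repair of every package), it reads DisplayName from the Uninstall registry keys, including the WOW6432Node view that holds 32-bit products on 64-bit Windows. The default pattern is "virus", following Syllabogram's comment; the class and member names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using Microsoft.Win32;

// Added example, not code from the answer: match installed product names against a
// pattern, read from the Uninstall registry keys rather than Win32_Product.
public static class InstalledAvProducts
{
    static readonly string[] UninstallKeys =
    {
        @"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
        @"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",   // 32-bit products on 64-bit Windows
    };

    // Equivalent of the WQL "Name like '%virus%'" from the comment; case-insensitive.
    static readonly Regex DefaultPattern = new Regex("virus", RegexOptions.IgnoreCase);

    public sealed class Product
    {
        public string Name;
        public string Version;
        public string Publisher;
        public string RegistryKey;   // where it was found, for follow-up
    }

    public static List<Product> Find() { return Find(DefaultPattern); }

    public static List<Product> Find(Regex pattern)
    {
        var found = new List<Product>();
        // Registry64 reads the native view on 64-bit Windows and falls back to the
        // only view that exists on 32-bit Windows.
        using (var hklm = RegistryKey.OpenBaseKey(RegistryHive.LocalMachine, RegistryView.Registry64))
        {
            foreach (var keyPath in UninstallKeys)
            {
                using (var uninstall = hklm.OpenSubKey(keyPath))
                {
                    if (uninstall == null) continue;   // WOW6432Node is absent on 32-bit Windows
                    foreach (var subName in uninstall.GetSubKeyNames())
                    {
                        using (var entry = uninstall.OpenSubKey(subName))
                        {
                            if (entry == null) continue;
                            var name = entry.GetValue("DisplayName") as string;
                            if (string.IsNullOrEmpty(name) || !pattern.IsMatch(name)) continue;
                            found.Add(new Product
                            {
                                Name = name,
                                Version = entry.GetValue("DisplayVersion") as string,
                                Publisher = entry.GetValue("Publisher") as string,
                                RegistryKey = @"HKLM\" + keyPath + @"\" + subName
                            });
                        }
                    }
                }
            }
        }
        found.Sort((a, b) => string.Compare(a.Name, b.Name, StringComparison.OrdinalIgnoreCase));
        return found;
    }

    public static void Main(string[] args)
    {
        // An optional argument overrides the pattern, e.g. "virus|endpoint protection".
        var pattern = args.Length > 0 ? new Regex(args[0], RegexOptions.IgnoreCase) : DefaultPattern;
        var products = Find(pattern);
        if (products.Count == 0)
        {
            Console.WriteLine("No installed product name matches /{0}/", pattern);
            return;
        }
        foreach (var p in products)
            Console.WriteLine("{0} {1} ({2})  [{3}]", p.Name, p.Version ?? "?",
                p.Publisher ?? "unknown publisher", p.RegistryKey);
    }
}
```

Like the PowerShell query, this establishes that a product is installed, not that it is running; pair it with a process or service check when the distinction matters.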
1

This is more of an idea than a perfect solution. With respect to the answer by Leonardo, how about using an actual piece of anti-virus software (link against it) in order to perform a search for other anti-virus software? ClamAV is open source and a nice point to start. You "only" need to define a new and rather specific signature database.

Cleromancy answered 13/12, 2012 at 19:18 Comment(0)
0

According to most of the web, SecurityCenter and SecurityCenter2 are not available on Windows Server 2008 (as you have already worked out for yourself).

I found this SO article, which contains a workaround: How to detect antivirus installed on windows 2003 server and 2008 server 2003 server R2 and 2008 server R2 using WMI or other then WMI in C++

Admittedly, this is a C++ implementation, but I see no reason that it cannot be ported to C#.

Also found this page which suggests using the OESIS framework. http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/b0806608-fee0-413c-a34d-674aeb11be3c

Allina answered 10/12, 2012 at 14:54 Comment(2)
As pointed out on TechNet, the C++ implementation you link to is NOT available on Windows Server 2008... the API it uses is, according to MSDN, for "desktop apps only"! - Proportion
The answers/comments in the link also point out that it does not work on Server OS environments. - Sailmaker
