How to detect antivirus installed on windows 2003 server and 2008 server 2003 server R2and 2008 server R2 using WMI or other then WMI in C++
Asked Answered
P

1

4

i have used WMI to detect that antivirus is present on OS, itz woking fine and display me information of antivirus like name and instance id on win xp and window7 by using Namespace:\root\SecurityCenter and \root\SecurityCenter, \root\Security.

if(isHLOSVersion( ))

 hres = pLoc->ConnectServer( _bstr_t(L"root\\SecurityCenter2"),
 // Object path of SecurityCenter 

 NULL,                    // User name. NULL = current user 

         NULL,                    // User password. NULL = current 

         0,                       // Locale. NULL indicates current 

         NULL,                    // Security flags. 

         0,                       // Authority (e.g. Kerberos) 

         0,                       // Context object  

         &pSvc                    // pointer to IWbemServices proxy 

         ); 
 else
  hres = pLoc->ConnectServer( _bstr_t(L"root\\SecurityCenter"),
 // Object path of SecurityCenter 

   NULL,                    // User name. NULL = current user 

         NULL,                    // User password. NULL = current 

         0,                       // Locale. NULL indicates current 

         NULL,                    // Security flags. 

         0,                       // Authority (e.g. Kerberos) 

         0,                       // Context object  

         &pSvc                    // pointer to IWbemServices proxy 

         ); 

But in case of windows 2003 server and 2008 server 2003 server R2and 2008 server R2 these above namespace are not present so this is not working there.

Please let me know how can we detect that antivirus present or not windows 2003 server and 2008 server 2003 server R2and 2008 server R2 operating system.

Pentahedron answered 9/12, 2010 at 9:41 Comment(1)
Please use the code tag when entering code samples, no one will try to read that in it's current state.Locris
J
3

That namespace is not available on Windows Server platforms an I think it might be deprecated for Workstation (i.e. going away).

You can probably use WscGetSecurityProviderHealth() to get the same result.

See http://msdn.microsoft.com/en-us/library/bb432506.aspx

Here's my trivial sample that seems to work:

#define _WIN32_WINNT _WIN32_WINNT_WIN7
#include <Windows.h>
#include <Wscapi.h>
#include <iostream>

#pragma comment(lib, "Wscapi")


int main(int argc, char* argv[])
{
   WSC_SECURITY_PROVIDER_HEALTH health;
   const DWORD dwAntivirus(WSC_SECURITY_PROVIDER_ANTIVIRUS);

   HRESULT hr = WscGetSecurityProviderHealth(dwAntivirus, &health);
   if (FAILED(hr))
   {
      std::cerr << "Error " << std::hex 
                << std::showbase << hr << "\n";
      return -1;
   }
   switch (health)
   {
      case WSC_SECURITY_PROVIDER_HEALTH_GOOD:
         std::cout << "Antivirus health is good\n";
         return 0;
      case WSC_SECURITY_PROVIDER_HEALTH_NOTMONITORED:
         std::cout << "Antivirus health is not monitored\n";
         return 1;
      case WSC_SECURITY_PROVIDER_HEALTH_POOR:
         std::cout << "Antivirus health is poor\n";
         return 2;
      case WSC_SECURITY_PROVIDER_HEALTH_SNOOZE:
         std::cout << "Antivirus health is snooze\n";
         return 3;
      default:
         std::cout << "Unexpected antivirus health value: "
                   << std::hex << std::showbase 
                   << health << "\n";
         return 4;
   }
}

Update 9 Dec 2012

Alex points out (below) that this does not work on Windows Server, only on Workstation versions of Windows. On reflection, it occurs to me that it is probably deliberate and, in fact, probably for the best.

Do application programs really need to know the status of a server? Most security programs for servers have mechanisms to set alarms when they fail. An admin will monitor those alarms and fix what is broken. Application programs should simply behave as if security is fully operational.

If you really must know about a particular program, you can look for its exe name amongst the processes and see if the process is running and is consuming cpu (not hung). Beyond that you might need to work with the security program's vendor: they may have an API to query the program.

Janeejaneen answered 2/3, 2011 at 17:30 Comment(2)
Per the article you posted, it looks that function is for desktop apps only and is not supported on servers.Jetpropelled
@Alex - You are correct -- my mistake. Actually, that makes sense. Server security is really a different beast from workstation security. I doubt if too many servers run consumer-grade security programs.Janeejaneen

© 2022 - 2024 — McMap. All rights reserved.