Hi,
I would like to create a custom field in the inventory and fill that field with WMI data. I would like to query the security center WMI name space to retrieve AV status.

In the namespace \root\SecurityCenter2 it's possible to query productState for;

productState=262144 = Up to Date Defs, On Access Scanning OFF

productState=266240 = Up to Date Defs, ON Access Scanning ON

I've used my google-fu but it didn't point me to anything useful.

Maybe this would be a nice add-on to the KACE in a next update?


Comments

  • Some extra info.

    How to read the productState:
    Convert productState to hex: 266240 -> 0x041000
    Split the hex value into three one-byte blocks; we now have 3 bytes: 0x04, 0x10, 0x00.
    The first byte is a WSC_SECURITY_PROVIDER enumeration:

    typedef enum _WSC_SECURITY_PROVIDER {
    WSC_SECURITY_PROVIDER_FIREWALL = 1,
    WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS = 2,
    WSC_SECURITY_PROVIDER_ANTIVIRUS = 4,
    WSC_SECURITY_PROVIDER_ANTISPYWARE = 8,
    WSC_SECURITY_PROVIDER_INTERNET_SETTINGS = 16,
    WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL = 32,
    WSC_SECURITY_PROVIDER_SERVICE = 64,
    WSC_SECURITY_PROVIDER_NONE = 0,
    } WSC_SECURITY_PROVIDER;


    --

    266240 -> 0x041000:
    ANTIVIRUS + active + dat_files_up_todate

    266256 -> 0x041010:
    ANTIVIRUS + active + dat_files_NOT_up_todate

    397312 -> 0x061000:
    ANTIVIRUS + AUTOUPDATE + active + dat_files_up_todate

    397584 -> 0x061110 (Windows Defender started on Win7):
    ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate

    393488 -> 0x060110 (Windows Defender stopped on Win7):
    ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate


    As this option isn't well documented on MSDN (understatement....) this might not be the best solution to query AV status. But currently this is the best option at hand for me.

Answers


Submit a feature request here to have this functionality added to the K1000:  http://kace.uservoice.com/forums/82699-k1000

This might work:

ShellCommandTextReturn(wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List)

It returns this:
Taken from: http://davewentzel.com/content/programmatically-determining-if-antivirus-running

Answered 07/03/2013 by: jknox
Red Belt

  • Right, I've tried that, but I haven't figured out how to get the output to a custom field.

    Nevermind. I got it working. I was looking in the wrong place! Thanks for waking me up LOL
  • Would it be possible to parse the output into some variables? The default output isn't service-desk-employee friendly.
    • I didn't look into the WMIC command further than what I posted, so it's possible, but I figure you would have to use a VB script to parse the hex to text and then create a custom inventory rule from the output. Take a look at the link I posted: http://davewentzel.com/content/programmatically-determining-if-antivirus-running
      • you can create a report that uses the hex code to sort the custom inventory entry and format it in a form they can understand, then all they need to do is view the report.
        I have a couple of custom wmic inventory items that the raw data is useless to untrained staff, but the report gives them the output they need to understand what they are looking at.
  • Made a small VBS parser to do the translation and it's working great now. Thanks again :)
    • If you wouldn't mind, please share your solution. Perhaps write a blog about it?
      • Sure, I'll try to find some time to write it all up
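As an added example (not code from the original thread, from KACE, or from the linked blog), here is the productState decoding worked out in the comment above and the custom inventory query from the answer, combined into one PowerShell script that returns text a service-desk employee can read. The WMI namespace and class are the ones used in the thread; the byte meanings (provider bits, scanner 0x10 = on / 0x00 = off, definitions 0x00 = current / 0x10 = out of date) are taken from the values posted above, and any other byte value is reported as unknown rather than guessed. Windows PowerShell 3.0 or later, the script path and the function names are assumptions.

```powershell
# Added example, not from the original thread. Assumes Windows PowerShell 3.0 or later
# (uses -shr and [pscustomobject]) and the byte layout worked out in the thread:
#   0xPPSSDD   PP = WSC_SECURITY_PROVIDER bits, SS = scanner state, DD = definition state.

function ConvertFrom-ProductState {
    param([Parameter(Mandatory = $true)][uint32]$State)

    # Provider bits from the WSC_SECURITY_PROVIDER enumeration (insertion order is kept).
    $providerNames = [ordered]@{
        1  = 'FIREWALL'
        2  = 'AUTOUPDATE_SETTINGS'
        4  = 'ANTIVIRUS'
        8  = 'ANTISPYWARE'
        16 = 'INTERNET_SETTINGS'
        32 = 'USER_ACCOUNT_CONTROL'
        64 = 'SERVICE'
    }

    $provider = ($State -shr 16) -band 0xFF
    $scanner  = ($State -shr 8)  -band 0xFF
    $defs     =  $State          -band 0xFF

    # Enumerate entries rather than index by key: an integer index on an ordered
    # dictionary is positional, which would silently return the wrong name.
    $providers = @(foreach ($e in $providerNames.GetEnumerator()) {
        if (($provider -band $e.Key) -ne 0) { $e.Value }
    })
    if ($providers.Count -eq 0) { $providers = @('NONE') }

    # Only the values observed in the thread are named; 0x01 (seen for Defender) stays unknown.
    $scannerText = switch ($scanner) {
        0x10    { 'On' }
        0x00    { 'Off' }
        default { 'Unknown (0x{0:X2})' -f $scanner }
    }
    $defsText = switch ($defs) {
        0x00    { 'UpToDate' }
        0x10    { 'OutOfDate' }
        default { 'Unknown (0x{0:X2})' -f $defs }
    }

    [pscustomobject]@{
        ProductState = $State
        Hex          = '0x{0:X6}' -f $State
        Providers    = $providers -join '+'
        Scanner      = $scannerText
        Definitions  = $defsText
    }
}

function Get-AvStatusText {
    # root\SecurityCenter2 exists on client SKUs only; on servers the query throws, so
    # return that as text instead of letting the inventory field come back empty.
    try {
        $products = @(Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop)
    } catch {
        return 'SecurityCenter2 not available: ' + $_.Exception.Message
    }
    if ($products.Count -eq 0) { return 'No AntiVirusProduct registered with Security Center' }

    $lines = foreach ($p in $products) {
        $d = ConvertFrom-ProductState -State ([uint32]$p.productState)
        '{0}: {1}; scanner {2}; definitions {3} ({4})' -f $p.displayName, $d.Providers, $d.Scanner, $d.Definitions, $d.Hex
    }
    $lines -join [Environment]::NewLine
}

# Self-check on the values posted in the thread (constructed input, no WMI call needed).
262144, 266240, 266256, 397312, 397584, 393488 |
    ForEach-Object { ConvertFrom-ProductState -State $_ } |
    Format-Table ProductState, Hex, Providers, Scanner, Definitions -AutoSize

# Live query. Assumed KACE custom inventory rule that would call this script:
#   ShellCommandTextReturn(powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Get-AvStatus.ps1)
Get-AvStatusText
```

The self-check reproduces the table in the comment: 266240 decodes to ANTIVIRUS, scanner On, definitions UpToDate; 266256 to the same with definitions OutOfDate; 397584 to AUTOUPDATE_SETTINGS+ANTIVIRUS with the scanner byte 0x11 reported as unknown. Keep in mind that everything in productState is self-reported by the product through Security Center, so a stale or missing registration shows up here as "no product" or an odd state; for incident work, cross-check against the AV service itself rather than trusting this field alone.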