
Custom field k1000 inventory for antivirus

Hi,

 

I would like to create a custom field in the inventory and fill that field with WMI data. I would like to query the security center WMI name space to retrieve AV status.

In the namespace \root\SecurityCenter2 it's possible to query productState for:

productState=262144 = Up to Date Defs, On Access Scanning OFF

productState=266240 = Up to Date Defs, ON Access Scanning ON

I've used my google-fu but it didn't point me to anything useful.

Maybe this would be a nice add-on to the kace in a next update?


1 Comment
  • Some extra info.

    How to read the productState:
    Convert productState to hex: 266240 -> 0x041000
    Split the hex value up into 3 one-byte blocks; we now get 3 bytes: 0x04, 0x10, 0x00.
    The first byte is a WSC_SECURITY_PROVIDER Enumeration:

    typedef enum _WSC_SECURITY_PROVIDER {
        WSC_SECURITY_PROVIDER_FIREWALL = 1,
        WSC_SECURITY_PROVIDER_AUTOUPDATE_SETTINGS = 2,
        WSC_SECURITY_PROVIDER_ANTIVIRUS = 4,
        WSC_SECURITY_PROVIDER_ANTISPYWARE = 8,
        WSC_SECURITY_PROVIDER_INTERNET_SETTINGS = 16,
        WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL = 32,
        WSC_SECURITY_PROVIDER_SERVICE = 64,
        WSC_SECURITY_PROVIDER_NONE = 0,
    } WSC_SECURITY_PROVIDER;


    --

    266240 -> 0x041000:
    ANTIVIRUS + active + dat_files_up_todate

    266256 -> 0x041010:
    ANTIVIRUS + active + dat_files_NOT_up_todate

    397312 -> 0x061000:
    ANTIVIRUS + AUTOUPDATE + active + dat_files_up_todate

    397584 -> 0x061110 (Windows Defender started on Win7):
    ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate

    393488 -> 0x060110 (Windows Defender stopped on Win7):
    ANTIVIRUS + AUTOUPDATE + ???? + dat_files_NOT_up_todate


    As this option isn't well documented on MSDN (understatement....) this might not be the best solution to query AV status. But currently this is the best option at hand for me. - KevinF 10 years ago

Answers (1)

Posted by: jknox 10 years ago
Red Belt
2

Submit a feature request here to have this functionality added to the K1000:  http://kace.uservoice.com/forums/82699-k1000

This might work:

ShellCommandTextReturn(wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState /Format:List)

It returns this:

 

Taken from: http://davewentzel.com/content/programmatically-determining-if-antivirus-running


Comments:
  • Right, I've tried that, but I haven't figured out how to get the output to a custom field.

    Never mind. I got it working. I was looking in the wrong place! Thanks for waking me up LOL - KevinF 10 years ago
  • Would it be possible to parse the output to some variables? The default output isn't servicedesk employee friendly. - KevinF 10 years ago
    • I didn't look into the WMIC command further than what I posted, so it's possible, but I figure you would have to use a VB script to parse the hex to text and then create a custom inventory rule from the output. Take a look at the link I posted: http://davewentzel.com/content/programmatically-determining-if-antivirus-running - jknox 10 years ago
      • You can create a report that uses the hex code to sort the custom inventory entry and format it in a form they can understand, then all they need to do is view the report.
        I have a couple of custom wmic inventory items where the raw data is useless to untrained staff, but the report gives them the output they need to understand what they are looking at. - SMal.tmcc 10 years ago
  • Made a small vbs parser to do the translation and it's working great now. Thanks again :) - KevinF 10 years ago
    • If you wouldn't mind, please share your solution. Perhaps write a blog about it? - jknox 10 years ago
      • Sure, I'll try to find some time to write it all up - KevinF 10 years ago
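
Added example, not part of the thread and not KevinF's VBScript parser: a PowerShell decoder for the productState byte layout described above that turns `wmic ... /Format:List` output into one readable line per product. The function names and the sample input are made up for illustration, and reading bit 0x10 of the middle byte as "active" is an assumption drawn from the sample values on this page, since the field is undocumented.

```powershell
# Added example. productState is undocumented; byte meanings are the thread's observations.
$ProviderNames = 'FIREWALL', 'AUTOUPDATE_SETTINGS', 'ANTIVIRUS', 'ANTISPYWARE',
                 'INTERNET_SETTINGS', 'USER_ACCOUNT_CONTROL', 'SERVICE'   # bits 1,2,4,...,64

function ConvertFrom-ProductState {
    param([Parameter(Mandatory = $true)][int]$ProductState)
    # Split the value into the three bytes described in the thread.
    $provider = [int](($ProductState -band 0xFF0000) / 0x10000)
    $scanner  = [int](($ProductState -band 0x00FF00) / 0x100)
    $defs     = $ProductState -band 0x0000FF

    $flags = @()
    $bit = 1
    foreach ($name in $ProviderNames) {
        if ($provider -band $bit) { $flags += $name }
        $bit *= 2
    }
    if ($flags.Count -eq 0) { $flags = @('NONE') }
    # Assumption: bit 0x10 means "active"; the low bit seen with Defender (0x11, 0x01) is unexplained.
    if ($scanner -band 0x10) { $active = 'active' } else { $active = 'NOT active' }

    if     ($defs -eq 0x00) { $defText = 'definitions up to date' }
    elseif ($defs -eq 0x10) { $defText = 'definitions NOT up to date' }
    else                    { $defText = 'definitions state unknown' }

    '{0} | {1} | {2} | raw 0x{3:X6}' -f ($flags -join '+'), $active, $defText, $ProductState
}

function ConvertFrom-WmicList {
    param([string]$Text)
    # /Format:List prints one Name=Value pair per line; displayName precedes productState.
    $name = '(unknown product)'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s*displayName=(.*\S)\s*$') { $name = $Matches[1] }
        elseif ($line -match '^\s*productState=(\d+)') {
            '{0}: {1}' -f $name, (ConvertFrom-ProductState ([int]$Matches[1]))
        }
    }
}

# Constructed sample input, not captured from a real machine.
$sample = @'
displayName=Example AV
productState=266240

displayName=Windows Defender
productState=393488
'@
ConvertFrom-WmicList $sample
```

The raw hex value is kept in each output line so that states the thread could not explain remain visible to whoever reads the inventory field.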
