#MSPScripts AntiVirus Stufffunction Get-LHSAntiVirusProduct {<#.SYNOPSIS

1. #MSPScripts AntiVirus Stuff
2. function Get-LHSAntiVirusProduct
3. {
4. <#
5. .SYNOPSIS
6. Get the status of Antivirus Product on local and Remote Computers.
7.  
8. .DESCRIPTION
9. It works with MS Security Center and detects the status for most AV products.
10.  
11. Note that this script will only work on Windows XP SP2, Vista, 7, 8.x, 10
12. operating systems as Windows Servers does not have
13. the required WMI SecurityCenter\SecurityCenter(2) name spaces.
14.  
15. .PARAMETER ComputerName
16. The computer name(s) to retrieve the info from.
17.  
18. .EXAMPLE
19. Get-LHSAntiVirusProduct
20.  
21. ComputerName : Localhost
22. Name : Kaspersky Endpoint Security 10 für Windows
23. ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint
24. Security 10 for Windows SP1\wmiav.exe
25. DefinitionStatus : UP_TO_DATE
26. RealTimeProtectionStatus : ON
27. ProductState : 266240
28.  
29. .EXAMPLE
30. Get-LHSAntiVirusProduct –ComputerName PC1,PC2,PC3
31.  
32. ComputerName : PC1
33. Name : Kaspersky Endpoint Security 10 für Windows
34. ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint
35. Security 10 for Windows SP1\wmiav.exe
36. DefinitionStatus : UP_TO_DATE
37. RealTimeProtectionStatus : ON
38. ProductState : 266240
39. (..)
40.  
41. .EXAMPLE
42. (get-content PClist.txt) | Get-LHSAntiVirusProduct
43.  
44. .INPUTS
45. System.String, you can pipe ComputerNames to this Function
46.  
47. .OUTPUTS
48. Custom PSObjects
49.  
50. .NOTE
51. WMI query to get anti-virus infor­ma­tion has been changed.
52. Pre-Vista clients used the root/SecurityCenter name­space,
53. while Post-Vista clients use the root/SecurityCenter2 name­space.
54. But not only the name­space has been changed, The properties too.
55.  
56.  
57. More info at http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
58. and from this MSDN Blog
59. http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx
60.  
61.  
62. AUTHOR: Pasquale Lantella
63. LASTEDIT: 23.06.2016
64. KEYWORDS: Antivirus
65. Version :1.1
66. History :1.1 support for Win 10, changed the use of WMI productState
67.  
68. .LINK
69. WSC_SECURITY_PRODUCT_STATE enumeration
70. https://msdn.microsoft.com/en-us/library/jj155490%28v=vs.85%29
71.  
72. .LINK
73. Windows Security Center
74. https://msdn.microsoft.com/en-us/library/gg537273%28v=vs.85%29
75.  
76. .LINK
77. http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
78.  
79. #Requires -Version 2.0
80. #>
81.  
82.  
83. [CmdletBinding()]
84.  
85. param (
86. [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
87. [Alias('CN')]
88. [String[]]$ComputerName=$env:computername
89. )
90.  
91. BEGIN {
92.  
93. Set-StrictMode -Version Latest
94. ${CmdletName} = $Pscmdlet.MyInvocation.MyCommand.Name
95.  
96. } # end BEGIN
97.  
98. PROCESS {
99.  
100. ForEach ($Computer in $computerName)
101. {
102. IF (Test-Connection -ComputerName $Computer -count 2 -quiet)
103. {
104. Try
105. {
106. [system.Version]$OSVersion = (Get-WmiObject win32_operatingsystem -computername $Computer).version
107.  
108. IF ($OSVersion -ge [system.version]'6.0.0.0')
109. {
110. Write-Verbose "OS Windows Vista/Server 2008 or newer detected."
111. $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop
112. }
113. Else
114. {
115. Write-Verbose "Windows 2000, 2003, XP detected"
116. $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop
117. } # end IF ($OSVersion -ge 6.0)
118.  
119. <#
120. it appears that if you convert the productstate to HEX then you can read the 1st 2nd or 3rd block
121. to get whether product is enabled/disabled and whether definitons are up-to-date or outdated
122. #>
123.  
124. $productState = $AntiVirusProduct.productState
125.  
126. # convert to hex, add an additional '0' left if necesarry
127. #$hex = [Convert]::ToString($productState, 16).PadLeft(6,'0')
128. $hex = [convert]::ToString($productState[0], 16).PadLeft(6,'0')
129.  
130.  
131. # Substring(int startIndex, int length)
132. $WSC_SECURITY_PROVIDER = $hex.Substring(0,2)
133. $WSC_SECURITY_PRODUCT_STATE = $hex.Substring(2,2)
134. $WSC_SECURITY_SIGNATURE_STATUS = $hex.Substring(4,2)
135.  
136. #n ot used yet
137. $SECURITY_PROVIDER = switch ($WSC_SECURITY_PROVIDER)
138. {
139. 0 {"NONE"}
140. 1 {"FIREWALL"}
141. 2 {"AUTOUPDATE_SETTINGS"}
142. 4 {"ANTIVIRUS"}
143. 8 {"ANTISPYWARE"}
144. 16 {"INTERNET_SETTINGS"}
145. 32 {"USER_ACCOUNT_CONTROL"}
146. 64 {"SERVICE"}
147. default {"UNKNOWN"}
148. }
149.  
150.  
151. $RealTimeProtectionStatus = switch ($WSC_SECURITY_PRODUCT_STATE)
152. {
153. "00" {"OFF"}
154. "01" {"EXPIRED"}
155. "10" {"ON"}
156. "11" {"SNOOZED"}
157. default {"UNKNOWN"}
158. }
159.  
160. $DefinitionStatus = switch ($WSC_SECURITY_SIGNATURE_STATUS)
161. {
162. "00" {"UP_TO_DATE"}
163. "10" {"OUT_OF_DATE"}
164. default {"UNKNOWN"}
165. }
166.  
167. <#
168. # Switch to determine the status of antivirus definitions and real-time protection.
169. # The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx
170. switch ($AntiVirusProduct.productState) {
171. #AVG Internet Security 2012 (from antivirusproduct WMI)
172. "262144" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
173. "266240" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
174.  
175. "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
176. "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
177. "393216" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
178. "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
179. "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
180. "397312" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
181. "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
182. #Windows Defender
183. "393472" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
184. "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
185. "397568" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
186.  
187. default {$defstatus = "Unknown" ;$rtstatus = "Unknown"}
188. }
189. #>
190.  
191.  
192. # Output PSCustom Object
193. $AV = $Null
194. $AV = New-Object -TypeName PSObject -ErrorAction Stop -Property @{
195.  
196. ComputerName = $AntiVirusProduct.__Server;
197. Name = $AntiVirusProduct.displayName;
198. ProductExecutable = $AntiVirusProduct.pathToSignedProductExe;
199. DefinitionStatus = $DefinitionStatus;
200. RealTimeProtectionStatus = $RealTimeProtectionStatus;
201. ProductState = $productState;
202.  
203. } | Select-Object ComputerName,Name,ProductExecutable,DefinitionStatus,RealTimeProtectionStatus,ProductState
204.  
205. Write-Output $AV
206. }
207. Catch
208. {
209. Write-Error "\\$Computer : WMI Error"
210. Write-Error $_
211. }
212. }
213. Else
214. {
215. Write-Warning "\\$computer DO NOT reply to ping"
216. } # end IF (Test-Connection -ComputerName $Computer -count 2 -quiet)
217.  
218. } # end ForEach ($Computer in $computerName)
219.  
220. } # end PROCESS
221.  
222. END { Write-Verbose "Function Get-LHSAntiVirusProduct finished." }
223. } # end function Get-LHSAntiVirusProduct
224.  
225. Get-LHSAntiVirusProduct