  1. #MSPScripts AntiVirus Stuff
  2. function Get-LHSAntiVirusProduct
  3. {
  4. <#
  5. .SYNOPSIS
  6. Get the status of Antivirus Product on local and Remote Computers.
  7.  
  8. .DESCRIPTION
  9. It works with MS Security Center and detects the status for most AV products.
  10.  
  11. Note that this script will only work on Windows XP SP2, Vista, 7, 8.x, 10
  12. operating systems as Windows Servers does not have
  13. the required WMI SecurityCenter\SecurityCenter(2) name spaces.
  14.  
  15. .PARAMETER ComputerName
  16. The computer name(s) to retrieve the info from.
  17.  
  18. .EXAMPLE
  19. Get-LHSAntiVirusProduct
  20.  
  21. ComputerName : Localhost
  22. Name : Kaspersky Endpoint Security 10 für Windows
  23. ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint
  24. Security 10 for Windows SP1\wmiav.exe
  25. DefinitionStatus : UP_TO_DATE
  26. RealTimeProtectionStatus : ON
  27. ProductState : 266240
  28.  
  29. .EXAMPLE
  30. Get-LHSAntiVirusProduct –ComputerName PC1,PC2,PC3
  31.  
  32. ComputerName : PC1
  33. Name : Kaspersky Endpoint Security 10 für Windows
  34. ProductExecutable : C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint
  35. Security 10 for Windows SP1\wmiav.exe
  36. DefinitionStatus : UP_TO_DATE
  37. RealTimeProtectionStatus : ON
  38. ProductState : 266240
  39. (..)
  40.  
  41. .EXAMPLE
  42. (get-content PClist.txt) | Get-LHSAntiVirusProduct
  43.  
  44. .INPUTS
  45. System.String, you can pipe ComputerNames to this Function
  46.  
  47. .OUTPUTS
  48. Custom PSObjects
  49.  
  50. .NOTE
  51. WMI query to get anti-virus infor­ma­tion has been changed.
  52. Pre-Vista clients used the root/SecurityCenter name­space,
  53. while Post-Vista clients use the root/SecurityCenter2 name­space.
  54. But not only the name­space has been changed, The properties too.
  55.  
  56.  
  57. More info at http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
  58. and from this MSDN Blog
  59. http://blogs.msdn.com/b/alejacma/archive/2008/05/12/how-to-get-antivirus-information-with-wmi-vbscript.aspx
  60.  
  61.  
  62. AUTHOR: Pasquale Lantella
  63. LASTEDIT: 23.06.2016
  64. KEYWORDS: Antivirus
  65. Version :1.1
  66. History :1.1 support for Win 10, changed the use of WMI productState
  67.  
  68. .LINK
  69. WSC_SECURITY_PRODUCT_STATE enumeration
  70. https://msdn.microsoft.com/en-us/library/jj155490%28v=vs.85%29
  71.  
  72. .LINK
  73. Windows Security Center
  74. https://msdn.microsoft.com/en-us/library/gg537273%28v=vs.85%29
  75.  
  76. .LINK
  77. http://neophob.com/2010/03/wmi-query-windows-securitycenter2/
  78.  
  79. #Requires -Version 2.0
  80. #>
  81.  
  82.  
  83. [CmdletBinding()]
  84.  
  85. param (
  86. [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)]
  87. [Alias('CN')]
  88. [String[]]$ComputerName=$env:computername
  89. )
  90.  
  91. BEGIN {
  92.  
  93. Set-StrictMode -Version Latest
  94. ${CmdletName} = $Pscmdlet.MyInvocation.MyCommand.Name
  95.  
  96. } # end BEGIN
  97.  
  98. PROCESS {
  99.  
  100. ForEach ($Computer in $computerName)
  101. {
  102. IF (Test-Connection -ComputerName $Computer -count 2 -quiet)
  103. {
  104. Try
  105. {
  106. [system.Version]$OSVersion = (Get-WmiObject win32_operatingsystem -computername $Computer).version
  107.  
  108. IF ($OSVersion -ge [system.version]'6.0.0.0')
  109. {
  110. Write-Verbose "OS Windows Vista/Server 2008 or newer detected."
  111. $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop
  112. }
  113. Else
  114. {
  115. Write-Verbose "Windows 2000, 2003, XP detected"
  116. $AntiVirusProduct = Get-WmiObject -Namespace root\SecurityCenter -Class AntiVirusProduct -ComputerName $Computer -ErrorAction Stop
  117. } # end IF ($OSVersion -ge 6.0)
  118.  
  119. <#
  120. it appears that if you convert the productstate to HEX then you can read the 1st 2nd or 3rd block
  121. to get whether product is enabled/disabled and whether definitons are up-to-date or outdated
  122. #>
  123.  
  124. $productState = $AntiVirusProduct.productState
  125.  
  126. # convert to hex, add an additional '0' left if necesarry
  127. #$hex = [Convert]::ToString($productState, 16).PadLeft(6,'0')
  128. $hex = [convert]::ToString($productState[0], 16).PadLeft(6,'0')
  129.  
  130.  
  131. # Substring(int startIndex, int length)
  132. $WSC_SECURITY_PROVIDER = $hex.Substring(0,2)
  133. $WSC_SECURITY_PRODUCT_STATE = $hex.Substring(2,2)
  134. $WSC_SECURITY_SIGNATURE_STATUS = $hex.Substring(4,2)
  135.  
  136. #n ot used yet
  137. $SECURITY_PROVIDER = switch ($WSC_SECURITY_PROVIDER)
  138. {
  139. 0 {"NONE"}
  140. 1 {"FIREWALL"}
  141. 2 {"AUTOUPDATE_SETTINGS"}
  142. 4 {"ANTIVIRUS"}
  143. 8 {"ANTISPYWARE"}
  144. 16 {"INTERNET_SETTINGS"}
  145. 32 {"USER_ACCOUNT_CONTROL"}
  146. 64 {"SERVICE"}
  147. default {"UNKNOWN"}
  148. }
  149.  
  150.  
  151. $RealTimeProtectionStatus = switch ($WSC_SECURITY_PRODUCT_STATE)
  152. {
  153. "00" {"OFF"}
  154. "01" {"EXPIRED"}
  155. "10" {"ON"}
  156. "11" {"SNOOZED"}
  157. default {"UNKNOWN"}
  158. }
  159.  
  160. $DefinitionStatus = switch ($WSC_SECURITY_SIGNATURE_STATUS)
  161. {
  162. "00" {"UP_TO_DATE"}
  163. "10" {"OUT_OF_DATE"}
  164. default {"UNKNOWN"}
  165. }
  166.  
  167. <#
  168. # Switch to determine the status of antivirus definitions and real-time protection.
  169. # The values in this switch-statement are retrieved from the following website: http://community.kaseya.com/resources/m/knowexch/1020.aspx
  170. switch ($AntiVirusProduct.productState) {
  171. #AVG Internet Security 2012 (from antivirusproduct WMI)
  172. "262144" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
  173. "266240" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
  174.  
  175. "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
  176. "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
  177. "393216" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
  178. "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
  179. "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"}
  180. "397312" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
  181. "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
  182. #Windows Defender
  183. "393472" {$defstatus = "Up to date" ;$rtstatus = "Disabled"}
  184. "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"}
  185. "397568" {$defstatus = "Up to date" ;$rtstatus = "Enabled"}
  186.  
  187. default {$defstatus = "Unknown" ;$rtstatus = "Unknown"}
  188. }
  189. #>
  190.  
  191.  
  192. # Output PSCustom Object
  193. $AV = $Null
  194. $AV = New-Object -TypeName PSObject -ErrorAction Stop -Property @{
  195.  
  196. ComputerName = $AntiVirusProduct.__Server;
  197. Name = $AntiVirusProduct.displayName;
  198. ProductExecutable = $AntiVirusProduct.pathToSignedProductExe;
  199. DefinitionStatus = $DefinitionStatus;
  200. RealTimeProtectionStatus = $RealTimeProtectionStatus;
  201. ProductState = $productState;
  202.  
  203. } | Select-Object ComputerName,Name,ProductExecutable,DefinitionStatus,RealTimeProtectionStatus,ProductState
  204.  
  205. Write-Output $AV
  206. }
  207. Catch
  208. {
  209. Write-Error "\\$Computer : WMI Error"
  210. Write-Error $_
  211. }
  212. }
  213. Else
  214. {
  215. Write-Warning "\\$computer DO NOT reply to ping"
  216. } # end IF (Test-Connection -ComputerName $Computer -count 2 -quiet)
  217.  
  218. } # end ForEach ($Computer in $computerName)
  219.  
  220. } # end PROCESS
  221.  
  222. END { Write-Verbose "Function Get-LHSAntiVirusProduct finished." }
  223. } # end function Get-LHSAntiVirusProduct
  224.  
  225. Get-LHSAntiVirusProduct