/
AVStatus.vbs
4119 lines (3055 loc) · 183 KB
/
AVStatus.vbs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
' *************************************************************************************************************************************************
' Script: AVStatus.vbs
' Version: 2.37
' Maintained by : Chris Reid @SolarWinds MSP
' Description: This script checks the status of the A/V software installed on
' the machine, and writes data about the A/V software to the
' AntiVirusProduct WMI Class in the root\SecurityCenter WMI namespace.
' Date: Nov 6th, 2020
' Compatibility : It is tested on the current versions of Windows but it also should work on all desktop and server versions, from Windows XP to Windows Server 2019.
' Usage in N-Central : avstatus.vbs WRITE OR avstatus.vbs DONOTWRITE (the second option will write no data into WMI if an A/V product cannot be found)
' Usage in Windows Command Prompt : CSCRIPT avstatus.vbs WRITE OR CSCRIPT avstatus.vbs DONOTWRITE (the second option will write no data into WMI if an A/V product cannot be found)
' *************************************************************************************************************************************************
' Define the variables used in the script
Option Explicit
dim HKEY_LOCAL_MACHINE, strComputer, objReg, strTrendKeyPath, InputRegistryKey1, InputRegistryKey2
dim oReg,arrSubKeys,SubKey
dim InputRegistryKey3, InstalledAV, NamespacePresense, objClassCreator, objGetClass, objWMIObject
dim RegstrValue, ReturneddwValue1, objWMIService, objItem, objItem2, objNameSpace, ReturneddwValue2
dim wbemCimtypeString, wbemCimtypeUint32, colNamespaces, objNewNamespace
dim RawAVVersion, FormattedAVVersion, objNewInstance, strWMINamespace, ParentWMINamespace
dim ReturnedstrValue1, strValue, FormattedPatternAge, CalculatedPatternAge, CurrentDate
dim WMINamespace, strWMIClassWithQuotes, strWMIClassNoQuotes, colClasses, objClass
dim strTestKeyPath, Registry, Registry32, Registry64, arrValueNames, strSymantecESKeyPath, WshShell
dim ReturnedBinaryArray1(7), bytevalue, i, f, SymantecAvPatternDate
dim SymantecAVMonth, SymantecAVYear, SymantecAVDate, ProductUpToDate, wbemCimtypeBoolean, OnAccessScanningEnabled, ReturneddwValue3, strTrendRealTimeKeyPath, InputRegistryKey4, InputRegistryKey7, strTrendRealTimeKeyPathNew
dim AddressWidth, colItems, colItems2, RawOnAccessScanningEnabled, Revision, strSymantecAVKeyPath, strSophosAVKeyPath, strSophosAVVersionPath, strSophosUpdateStatusPath
dim RawAVDate, strSymantecAVRealTimePath, strTrendPatternAgeKeyPath, strTrend7KeyPath, objComponentMgr, objConfigMgr
Dim strTrendVersionKeyPath, VIPREAvPatternDate, VIPREAVMonth, VIPREAVYear, VIPREAVDate, strVIPREAVRealTimePath, strVIPREESFolderPath
Dim McAfeeDatVersion, strMcAfeeVersionPath, McAfeeDatOAS, strMcAfeePath, InputRegistryKey5, strMcAfeeOASPath, OASEnabled, RAWOASEnabled, mcAfeeEndPointSecurityVersion, mcAfeeEndpointSecurityDefDatePath, mcAfeeEndpointSecurityBuildNum, mcAfeeEndpointSecurityVerNum, mcAfeeEndpointSecurity, mcAfeeEndpointSecurityDefDate
Dim strVIPREAVKeyPath, objFSO, ProgramFiles, Path, objFile, strLine, objNode, output, ProductVersion, AVDatDate, AVDatVersion, OutOfDateDays
Dim strVIPREEnterpriseKeyPath, InstallLocation, strTrendProductVersionKeyPath, strTrendAVVersionKeyPath, ReturneddwValue4, strKasperskyAV2012KeyPath, ReturneddwValue5
Dim strKaspersky2012AVDatePath, strKasperskyAV2012Path, strKasperskyAV60KeyPath, strKasperskyAV60DatePath, strKasperskyAV60Path, strKasperskyKES8KeyPath, strKasperskyKES8AVDatePath
Dim strSecurityEssentialsKeyPath, RawAVDefDate, strEndpointSecurityKeyPath
Dim InputRegistryKey6, ProductName, strVIPREBusiness5KeyPath, strVIPREAV2012KeyPath, strESETKeyPath, DateStart
Dim strKasperskyKESServerKeyPath, strKasperskyKESServerAVDatePath, InstalledApp, ProductVersionKey, strForefrontKeyPath, strKasperskyKES8ServerKeyPath, strKasperskyKES6ServerKeyPath
Dim Version, WSHStdOut, filename, cscriptExec, strKasperskySOS2KeyPath, strKasperskySOS3KeyPath, Return, strTotalDefenseKeyPath, strWMIQuery
Dim strAviraKeyPath, NoAVBehavior, strWMINamespace2, HexProductState, HexScannerState, HexAVDefState, strAviraServerKeyPath, DeleteWMINamespace
Dim strFSecureRegPath0, strFSecureRegPath00, strFSecureRegPath000, strFSecureRegPath1, strFSecureRegPath2, strFSecureRegPath3, strFSecureRegPath4, strFSecureRegPath5, strFSecureRegPath6, strFSecureRegPathLoc,strFSecureInstallPath
Dim strSEPCloudRegPath0, strSEPCloudRegpath2,strSEPCloudRegpath3,strSEPCloudRegpath4,strSEPCloudDefPath, strSEPCloudDefPath2, OSName, strKES10KeyPath, strKES10KeyPathSP1, strKES10KeyPathSP2
Dim strPandaCloudEPPath64, strPandaCloudEPPath32, strPandaAVDefinitionPath
Dim strWindowsDefenderPath, DisableRealtimeMonitoring, strTrendProductVersion
Dim stravg2014regpath32, stravg2014regpath64, stravg2014defpath
Dim stravg2013regpath32, stravg2013regpath64, stravg2013defpath
dim lngBias, dtmDate,lngHigh,lngLow
Dim strWebRootStatusPath, strWebRootStatusPath32
Dim strTrendVerLen, InstalledAV1, serviceactive
Dim strAvastRegPath32, strAvastInstallPath, strAvastRegPath64
Dim strViprebusinessAgt, strViprebusiness64Agt , strVipreBusinessAgtLoc, strViprebusinessAgt1, strVIPREBusinessOnlineKeyPath
Dim strMalwareBytesRegPath64, SCEPInstalled, FoundGUID, StatusCode, StatusText
Dim sMonth, sDay, sYear, sHour, sMinutes, sSeconds, strTMMSARegPath, recentFile, NamespacetoCheck, strTMDSARegPath, fileSystem, folder, file, newestfile, ProgramFiles64, stravg2016defpath, stravg2016regpath, colServices, objService
Dim strNormanregpath32, strNormanregpath64, strNormanrootpath, boolNormanversion9, strNormandefpath, strKasperskyStandAlonePath, LastUpdateDate, AVGBusSecDataFolder, arrIniFileLines, ProviderRealTimeScanningEnabled, UserRealTimeScanningDisabled
Dim objFileToRead, objFileToWrite, node, UpToDateState, strFortiClientPath, FortiClientInstallPath, objApp, strKasperskyKESServerAVVersionPath, strSophosVirtualAVKeyPath, RawProtectionStatus, strPandaAdaptiveDefencePath64, strPandaAdaptiveDefencePath32
Dim ProgramData, objFolder, objSubFolders, objSubFolder, oShell, oExec, sLine, sExecPath, sNewestFolder, dPrevDate, SCEPUninstallString, objXMLHTTP, objADOStream, S1HelperObj, S1AgentStatus, IndexOfAgentVersion, LenOfVersion
' Specify values for some of the variables
Version = "2.37"
HKEY_LOCAL_MACHINE = &H80000002
strComputer = "."
wbemCimtypeString = 8
wbemCimtypeUint32 = 19
wbemCimtypeBoolean = 11
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strWMIClassWithQuotes = chr(34) & "AntiVirusProduct" & chr(34)
strWMIClassNoQuotes = "AntiVirusProduct"
strWMINamespace = "SecurityCenter"
strWMINamespace2 = "SecurityCenter2"
Set ParentWMINamespace = GetObject("winmgmts:\\" & strComputer & "\root")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set output = Wscript.stdout
OutOfDateDays = 5
InstallLocation = WshShell.ExpandEnvironmentStrings("%AllUsersProfile%")
CurrentDate=Now
Set objXMLHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
'Lets see if the user specified whether or not the script should enter data into WMI if no A/V is found.
If WScript.Arguments.Count = 1 Then
NoAVBehavior = WScript.Arguments.Item(0)
If NoAVBehavior = "WRITE" Then
output.writeline "- The " & NoAVBehavior & " flag has been specified as a command-line parameter."
ElseIf NoAVBehavior = "DONOTWRITE" Then
output.writeline "- The " & NoAVBehavior & " flag has been specified as a command-line parameter."
Else
output.writeline "- An invalid command-line parameter has been specified. Please specify either WRITE or DONOTWRITE, or do not specify a command-line parameter at all."
Wscript.Quit(0)
End If
Else
' output.writeline "- The command-line parameter (either WRITE or DONOTWRITE) for choosing whether or not to write data to WMI if an A/V product isn't found was not specified. This script will write data to WMI regardless of whether or not an A/V product is discovered."
End If
'This is a meat of the script - where all of the functions are called.
output.writeline "- This is version " & Version & " of the script."
OSType 'This function determines whether this is a 32-bit or 64-bit OS
OSVersion 'This function figures out what OS the machine is running
DetectInstalledAV 'This function will detect what AV software is installed
output.writeline "- " & InstalledAV & " has been detected."
If (InstalledAV="Trend Micro Apex One" OR InstalledAV="Trend Micro Worry-Free Business Security 6" OR InstalledAV="WFBSS" OR InstalledAV="Trend Micro WFBSS" OR InstalledAV="Trend Micro Worry-Free Business Security" OR InstalledAV="Trend Micro OfficeScan" OR InstalledAV="Trend Micro Worry-Free Business Security Services" OR InstalledAV="Trend Micro WFBSH_Agent") Then
ObtainTrendMicroData 'Call the function we created to grab info about Trend Micro from the registry
ElseIf InstalledAV="Trend Micro Worry-Free Business Security 7" Then
ObtainTrend7AVData 'Call the function we created to grab info about Trend WFBS 7 from the registry
ElseIf InstalledAV="Symantec Endpoint Protection" Then
ObtainSymantecESData 'Call the function we created to grab info about Symantec Endpoint Security from the registry
ElseIf InstalledAV="Symantec AntiVirus" Then
ObtainSymantecAVData 'Call the function we created to grab info about Symantec AntiVirus from the registry
ElseIf InstalledAV="Sophos Anti-Virus" Then
ObtainSophos10AVData 'Call the function we created to grab info about Sophos Anti-Virus from the registry
ElseIf InstalledAV="Sophos Endpoint Protection" Then
ObtainSophos10AVData 'Call the function we created to grab info about Sophos Endpoint Protection from the registry
ElseIf InstalledAV="Sophos Anti-Virus 10" Then
' If the script is launched on a 64-bit machine, let's re-launch it in the 32-bit command prompt. This will allow the script to properly detect Sophos.
' Thanks to Jason Berg for this code snippet!
Set WSHShell=CreateObject("Wscript.Shell")
Set WSHStdOut=WScript.StdOut
If WshShell.ExpandEnvironmentStrings("%processor_architecture%")="AMD64" then
filename=Wscript.ScriptFullName
output.writeline "- This script is being run on a 64-bit machine, so it'll be re-launched using the 32-bit version of cscript. This will ensure the proper discovery of Sophos."
Set cscriptExec=WSHShell.Exec(WshShell.ExpandEnvironmentStrings("%windir%") & "\Syswow64\cscript.exe /nologo " & Chr(34) & filename & Chr(34))
Do While cscriptExec.Status=0
WScript.Sleep 100
WSHStdout.WriteLine(cscriptExec.StdOut.ReadAll())
WScript.StdErr.Write(cscriptExec.StdErr.ReadAll())
Loop
Wscript.Quit(cscriptExec.ExitCode)
End If
ObtainSophos10AVData 'Call the function we created to grab info about Sophos Anti-Virus from the registry
Elseif InstalledAV="McAfee AntiVirus" Then
ObtainMcafeeAVData
ElseIf InstalledAV="VIPRE AntiVirus" Then
ObtainVIPREAVData 'Call the function we created to grab info about VIPRE AntiVirus from the registry
ElseIf InstalledAV="Sunbelt Enterprise Agent" Then
ObtainVIPREEnterpriseData 'Call the function we created to grab info about VIPRE Enterprise from the registry
ElseIf InstalledAV="Kaspersky Anti-Virus 2012" Then
ObtainKaspersky2012AVData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Kaspersky Anti-Virus 6.0" Then
ObtainKaspersky60AVData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Microsoft System Center Endpoint Protection" OR InstalledAV="Microsoft Security Essentials" OR InstalledAV="Microsoft Forefront" OR InstalledAV="Microsoft System Center Endpoint Protection (Managed Defender)" Then
ObtainSecurityEssentialsAVData 'Call the function we created to grab info about MS Essentials from the registry
ElseIf InstalledAV="Kaspersky Endpoint Security 8" Then
ObtainKES8Data 'Call the function we created to grab info about Kaspersky Endpoint Security 8 from the registry
ElseIf InstalledAV="VIPRE Business Antivirus" Then
ObtainVIPREEnterpriseData 'Call the function we created to grab info about Vipre Business from the registry
ElseIf InstalledAV="VIPRE Antivirus 2012" Then
ObtainVIPREAVData 'Call the function we created to grab info about Vipre Antivirus 2012 from the registry
ElseIf InstalledAV="ESET NOD32 Antivirus" OR InstalledAV="ESET Endpoint Antivirus" Then
ObtainESETAVData 'Call the function we created to grab info about ESET from the registry
ElseIf (InstalledAV="ESET File Security" OR InstalledAV="ESET Mail Security" OR InstalledAV="ESET Endpoint Security") Then
ObtainESETFSData 'Call the function we created to grab info about ESET File Security from the registry
ElseIf InstalledAV="Kaspersky Anti-Virus 8.0 For Windows Servers Enterprise Edition" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KAVFSEE\8.0.0.0\"
If InStr(OSName,2003) Then
Path = InstallLocation & "\Application Data\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\8.0\Update\u0607g.xml"
output.writeline "- Windows 2003 has been detected. Using the following path to the Kaspersky XML file: " & Path
Else
Path = InstallLocation & "\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\8.0\Update\u0607g.xml"
output.writeline "- Using the following path to the Kaspersky XML file: " & Path
End If
ObtainKESServerData 'Call the function we created to grab info about Kaspersky Endpoint Security 8 from the registry
ElseIf InstalledAV="Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KAVFSEE\6.0.0.0\"
Path = InstallLocation & "\Kaspersky Lab\KAV for Windows Servers Enterprise Edition\6.0\Update\u0607g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky Endpoint Security 6 from the registry
ElseIf InstalledAV="Kaspersky Small Office Security" Then
ObtainKasperskySOSata 'Call the function we created to grab info about Kaspersky Endpoint Security 6 from the registry
ElseIf InstalledAV="Kaspersky Small Office Security 3" Then
ObtainKasperskySO3Sata 'Call the function we created to grab info about Kaspersky Endpoint Security 6 from the registry
ElseIf InstalledAV="Total Defense R12 Client" Then
ObtainTotalDefenseAVData 'Call the function we created to grab info about Total Defense from the registry
ElseIf InstalledAV="Avira AntiVirus" Then
ObtainAviraAVData 'Call the function we created to grab info about Avira from the registry
ElseIf InStr(1,InstalledAV,"F-Secure")>0 Then
ObtainFSecureAVData 'Call the function we created to grab info about F-Secure from registry and folder
ElseIf InstalledAV="Symantec Endpoint Protection Cloud" then
ObtainSEPCloudData
ElseIf InstalledAV="Avast!" Then
ObtainAvastData
ElseIf InstalledAV="VIPRE Business Agent" Then
ObtainVIPREBusinessAgentData
ElseIf InstalledAV="VIPRE Business Online" Then
ObtainVIPREBusinessAgentData
ElseIf InstalledAV="Kaspersky Endpoint Security 10" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\10.1.0.0\"
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.EnumKey HKEY_LOCAL_MACHINE, Registry & "KasperskyLab\Components\34\Connectors\KES", arrSubKeys
For Each subkey In arrSubKeys
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\" & subkey & "\"
Next
Path = InstallLocation & "\Kaspersky Lab\KES10\Data\u0607g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Kaspersky Endpoint Security 10 for Windows" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\WSEE\10.0.0.0\"
Path = InstallLocation & "\Kaspersky Lab\KES10\Data\u0607g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Kaspersky Endpoint Security 11 for Windows" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\11.0.0.0\"
Path = InstallLocation & "\Kaspersky Lab\KES10\Data\u0607g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Kaspersky Endpoint Security 10 SP1" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\10.2.2.0\"
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.EnumKey HKEY_LOCAL_MACHINE, Registry & "KasperskyLab\Components\34\Connectors\KES", arrSubKeys
For Each subkey In arrSubKeys
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\" & subkey & "\"
Next
Path = InstallLocation & "\Kaspersky Lab\KES10SP1\Data\u0607g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Kaspersky Endpoint Security 10 SP2" Then
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\10.3.0.0\"
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
oReg.EnumKey HKEY_LOCAL_MACHINE, Registry & "KasperskyLab\Components\34\Connectors\KES", arrSubKeys
For Each subkey In arrSubKeys
strKasperskyKESServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KES\" & subkey & "\"
'output.writeline strKasperskyKESServerKeyPath 'This is a debug line, added in to troubleshoot NCI-8949
Next
Path = InstallLocation & "\Kaspersky Lab\KES10SP2\Data\u1313g.xml"
ObtainKESServerData 'Call the function we created to grab info about Kaspersky from the registry
ElseIf InstalledAV="Panda Adaptive Defense 360 32 Bit" OR InstalledAV="Panda Adaptive Defense 360 64 Bit" Then
ObtainPandaAdaptiveDefenceData 'Call the function we created to grab info about Panda Adaptive Defense from the registry
ElseIf InstalledAV="Panda Endpoint Protection 10 32 Bit" Then
strPandaAVDefinitionPath = "C:\Program Files\Panda Security\WaAgent\WalUpd\Data\Catalog"
ObtainPandaCloudOfficeData 'Call the function we created to grab info about Kaspersky Endpoint Security 6 from the registry
ElseIf InstalledAV="Panda Endpoint Protection 10 64 Bit" Then
strPandaAVDefinitionPath = "C:\Program Files (x86)\Panda Security\WaAgent\WalUpd\Data\Catalog"
ObtainPandaCloudOfficeData 'Call the function we created to grab info about Kaspersky Endpoint Security 6 from the registry
ElseIf InstalledAV="Windows Defender" then
ObtainWindowsDefenderData
ElseIf InstalledAV="AVG 2013" Then
ObtainAVG2013Data
ElseIf (InstalledAV="AVG 2014" OR InstalledAV="AVG Protection") Then
ObtainAVG2014Data
ElseIf InstalledAV="Webroot SecureAnywhere" Then
ObtainWebrootAnywhereAVData 'Call the function to grab info about webroot from the registry
ElseIf InstalledAV="Malwarebytes' Corporate Edition" Then
ObtainMalwarebytesCorporate 'Call the function to grab info about webroot from the registry
ElseIf InstalledAV="McAfee Endpoint Security" Then
ObtainMcAfeeEndpointSecurity 'Call the function to grab info about McAfee endpoint security from the registry
ElseIf InstalledAV="McAfee Endpoint Security 10.1" Then
ObtainMcAfeeEndpointSecurity101 'Call the function to grab info about McAfee endpoint security from the registry
ElseIf InstalledAV="Trend Micro Deep Security Agent" Then
ObtainTrendMicroDeepSecurity 'Call the function to grab info about Deep Security from the registry
ElseIf InstalledAV="McAfee Move AV Client" Then
ObtainMcAfeeMove 'Call the function to grab info about Deep Security from the registry
ElseIf InstalledAV="Trend Micro Messaging Security Agent" Then
ObtainTMMSA 'Call the function to grab info about TMMSA from the registry
ElseIf InstalledAV="Norman Endpoint Protection" Then
ObtainNormanEndpointProtection 'Call the function to grab info about Norman Endpoint Protection from the registry
ElseIf InstalledAV="AVG Business Security" Then
ObtainAVGBusinessSecurity 'Call the function to grab info about Norman Endpoint Protection from the registry
ElseIf InstalledAV="FortiClient" Then
ObtainFortiClient 'Call the function to grab info about FortiClient from the registry
ElseIf InstalledAV="Cisco Advanced Malware Protection (AMP)" Then
ObtainCiscoAMPData 'Call the function to grab info about Cisco AMP
ElseIf InstalledAV="Sophos for Virtual Environments" Then
ObtainSophosVirtualAVData 'Call the function to grab info about Sophos for Virtual Environments
ElseIf InstalledAV="Palo Alto Networks Traps" Then
ObtainPaloAltoTrapsAVData 'Call the function to grab info about Palo Alto Networks Traps
ElseIf InstalledAV="SentinelOne" Then
ObtainSentinelOneData 'Call the function to grab info about SentinelOne
ElseIf InstalledAV="Bitdefender Endpoint Security Tools" Then
ObtainBESTData 'Call the function to grab info about Bitdefender Endpoint Security Tools
ElseIf InstalledAV="Cb Defense Sensor" Then
ObtainCarbonBlackData 'Call the function to grab info about Carbon Black
End If
'Check to see if an instance of the WMI namespace exists; if it does,
'check to see if the WMI class exists. If the class exists, delete it, recreate it, and populate it
If WMINamespaceExistanceCheck(strWMINamespace)="1" Then
' output.writeline "- The Namespace already exists."
If WMIClassExists(strWMINamespace, strComputer,strWMIClassWithQuotes) Then
' output.writeline "- The WMI Class exists; let's delete it so that we don't have any duplicate data laying around in WMI."
WMINamespace.Delete strWMIClassNoQuotes
CreateWMIClass
PopulateWMIClass
Else
' output.writeline "- The Namespace exists, but the WMI class does not. Curious."
CreateWMIClass
PopulateWMIClass
End If
Else
'Create the WMI Namespace (if it doesn't already exist), the WMI Class, and populate the class with data.
' output.writeline "- The WMI Namespace and Class do not exist"
CreateWMINamespace
CreateWMIClass
PopulateWMIClass
End If
' *****************************
' Sub: OSType
' *****************************
Sub OSType
' 1. Determine if this is a 32-bit machine or a 64-bit machine (as this will determine what registry values we modify)
Set objWMIService = GetObject("winmgmts:\\" & "." & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT AddressWidth FROM Win32_Processor where DeviceID='CPU0'", "WQL", _
wbemFlagReturnImmediately + wbemFlagForwardOnly)
Registry32 = "SOFTWARE\"
Registry64 = "SOFTWARE\Wow6432Node\"
For each objItem in colItems
AddressWidth = objItem.AddressWidth
Next
If AddressWidth = 64 Then
'This is a 64-bit machine
Registry = Registry64
ProgramFiles = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES(x86)%") 'It's useful to know if we need to access C:\Program Files or C:\Program Files(x86) - especially for Vipre A/V
ProgramFiles64 = WshShell.ExpandEnvironmentStrings("%PROGRAMW6432%")
output.writeline "- This is a 64-bit machine."
ElseIf AddressWidth = 32 Then
'This is a 32-bit machine
Registry = Registry32
ProgramFiles = WshShell.ExpandEnvironmentStrings("%PROGRAMFILES%")
output.writeline "- This is a 32-bit machine."
Else
'Windows doesn't know what OS Type it's running
output.writeline "- The type of OS is unknown - the script can't detect if it's 32-bit or 64-bit."
End If
' Let's grab the %ProgramData% value, as it'll be used in detecting the installed AV product
ProgramData = WshShell.ExpandEnvironmentStrings("%PROGRAMDATA%")
' Let's figure out the locale of this device, so that we can correctly grab/parse dates in the correct format.
' output.writeline "- This device is in the following locale: " & GetLocale() 'Re-enable this line for debug purposes, if needed
End Sub
' *****************************
' Sub: DetectInstalledAV
' *****************************
Sub DetectInstalledAV
output.writeline InstalledAV
strMcAfeePath = Registry & "McAfee\AVEngine\DAT"
strTrendKeyPath = Registry & "TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.\"
strTrend7KeyPath = "SOFTWARE\TrendMicro\UniClient\1600\Update\PatternOutOfDateDays"
strSymantecESKeyPath = Registry & "Symantec\Symantec Endpoint Protection\AV\"
strSymantecAVKeyPath = Registry & "Symantec\Symantec AntiVirus\"
strSophosAVKeyPath = Registry & "Sophos\"
strSophosVirtualAVKeyPath = Registry32 & "Sophos\Sophos for Virtual Environments\"
strVIPREAVKeyPath = Registry & "Sunbelt Software\VIPRE Antivirus\"
strVIPREEnterpriseKeyPath = Registry & "Sunbelt Software\Sunbelt Enterprise Agent\"
strKasperskyAV2012KeyPath = Registry & "KasperskyLab\protected\AVP12\settings\"
strKasperskyAV60KeyPath = Registry & "KasperskyLab\protected\AVP80\settings\"
strSecurityEssentialsKeyPath = "SOFTWARE\Microsoft\Microsoft Security Client\"
strEndpointSecurityKeyPath = Registry & "Microsoft\Windows\CurrentVersion\Uninstall\"
strKasperskyKES8KeyPath = Registry & "KasperskyLab\protected\KES8\settings\"
strVIPREBusiness5KeyPath = Registry & "GFI Software\GFI Business Agent\"
strVIPREBusinessOnlineKeyPath = Registry & "GFI Software\VIPRE Business Online\"
strVIPREAV2012KeyPath = Registry & "GFI Software\VIPRE Antivirus\"
strESETKeyPath = "SOFTWARE\ESET\ESET Security\CurrentVersion\"
strKasperskyKES8ServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KAVFSEE\8.0.0.0\"
strKasperskyKES6ServerKeyPath = Registry & "KasperskyLab\Components\34\Connectors\KAVFSEE\6.0.0.0\"
strForefrontKeyPath = "SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM\"
strKasperskySOS2KeyPath = Registry & "KasperskyLab\protected\AVP9\settings\"
strKasperskySOS3KeyPath = Registry & "KasperskyLab\protected\ksos13\settings\"
strTotalDefenseKeyPath = "SOFTWARE\CA\TDClient\"
strAviraKeyPath = Registry & "Avira\AntiVir Desktop\"
strAviraServerKeyPath = Registry & "Avira\AntiVir Server\"
strFSecureRegPath0= "SOFTWARE\Wow6432Node\Data Fellows\F-Secure\F-Secure GUI\PUB\"
strFSecureRegPath00= "SOFTWARE\Data Fellows\F-Secure\F-Secure GUI\PUB\"
strFSecureRegPath000= "SOFTWARE\Wow6432Node\F-Secure\OneClient\"
strFSecureRegPath1= "SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Anti-Virus\"
strFSecureRegPath2= "SOFTWARE\Data Fellows\F-Secure\Anti-Virus\"
strFSecureRegPath4= "SOFTWARE\Wow6432Node\F-Secure\Anti-Virus\"
strFSecureRegPath3= "SOFTWARE\F-Secure\Anti-Virus\"
strFSecureRegPath5= "SOFTWARE\Wow6432Node\Data Fellows\F-Secure\Anti-Virus Definition Databases\"
strFSecureRegPath6= "SOFTWARE\F-Secure\Anti-Virus Definition Databases\"
strFSecureRegPath000= "SOFTWARE\Wow6432Node\F-Secure\OneClient\"
strKES10KeyPath = Registry & "KasperskyLab\protected\KES10\settings\"
strKES10KeyPathSP1 = Registry & "KasperskyLab\protected\KES10SP1\settings\"
strKES10KeyPathSP2 = Registry & "KasperskyLab\protected\KES10SP2\settings\"
strWindowsDefenderPath = "SOFTWARE\Microsoft\Windows Defender\"
strPandaCloudEPPath64 = "Software\wow6432node\panda software\setup"
strPandaCloudEPPath32 = "Software\panda software\setup"
stravg2014regpath32 = "Software\Avg\Avg2014"
stravg2014regpath64 = "Software\Wow6432Node\Avg\Avg2014"
stravg2014defpath = ProgramData & "\AVG2014\avi"
stravg2013regpath32 = "Software\Avg\Avg2013"
stravg2013regpath64 = "Software\Wow6432Node\Avg\Avg2013"
stravg2013defpath = ProgramData & "\AVG2013\avi"
strAvastRegPath32 = "SOFTWARE\AVAST SOFTWARE\Avast"
strAvastRegPath64 = "SOFTWARE\Wow6432Node\AVAST SOFTWARE\Avast"
strViprebusinessAgt = "SOFTWARE\VIPRE Business Agent"
strViprebusiness64Agt = "SOFTWARE\Wow6432Node\VIPRE Business Agent"
strVipreBusinessAgtLoc= ""
strWebRootStatusPath = Registry & "WRData\Status\"
strWebRootStatusPath32 = "SOFTWARE\WRData\Status\"
mcAfeeEndPointSecurityVersion = "SOFTWARE\McAfee\Endpoint\AV"
mcAfeeEndpointSecurityDefDatePath = "SOFTWARE\McAfee\Endpoint\Common\TPSConnector\Subsystems\Update\Configuration"
strSophosAVVersionPath = Registry & "Sophos\SAVService\Application"
strSophosUpdateStatusPath = Registry & "Sophos\SAVService\Status\"
strMalwareBytesRegPath64 = Registry & "Malwarebytes' Anti-Malware"
strTMMSARegPath = "SOFTWARE\TrendMicro\ScanMail for Exchange\CurrentVersion\"
strTMDSARegPath = "SOFTWARE\TrendMicro\Deep Security Agent\"
stravg2016defpath = ProgramData & "\AVG\AV\avi"
stravg2016regpath = "Software\Wow6432Node\Avg\AV"
strNormanregpath32 = "SOFTWARE\Norman Data Defense Systems"
strNormanregpath64 = "SOFTWARE\Wow6432Node\Norman Data Defense Systems"
strFortiClientPath = "SOFTWARE\Fortinet\FortiClient\FA_FMON"
strPandaAdaptiveDefencePath64 = "Software\wow6432node\Panda Security\Nano Av\Setup"
strPandaAdaptiveDefencePath32 = "Software\Panda Security\Nano Av\Setup"
'Check if N-able's Endpoint Security is installed - if it is, we should exit the script immediately (dumping data into WMI negatively affects ES' ability to run scans)
'We need to check two different registry values, as it changes depending on what OS is installed.
objReg.GetStringValue HKEY_LOCAL_MACHINE,strEndpointSecurityKeyPath & "AVTC64","DisplayName",ReturnedstrValue1
If ReturnedstrValue1 = "Endpoint Security Manager" Then
output.writeline "- N-able's Endpoint Security product has been detected on this machine. This script will now exit."
wscript.quit(0)
End If
objReg.GetStringValue HKEY_LOCAL_MACHINE,strEndpointSecurityKeyPath & "AVNT64","DisplayName",ReturnedstrValue1
If ReturnedstrValue1 = "Endpoint Security Manager" Then
output.writeline "- N-able's Endpoint Security product has been detected on this machine. This script will now exit."
wscript.quit(0)
End If
objReg.GetStringValue HKEY_LOCAL_MACHINE,strEndpointSecurityKeyPath & "AVTC","DisplayName",ReturnedstrValue1
If ReturnedstrValue1 = "Endpoint Security Manager" Then
output.writeline "- N-able's Endpoint Security product has been detected on this machine. This script will now exit."
wscript.quit(0)
End If
objReg.GetStringValue HKEY_LOCAL_MACHINE,strEndpointSecurityKeyPath & "AVNT","DisplayName",ReturnedstrValue1
If ReturnedstrValue1 = "Endpoint Security Manager" Then
output.writeline "- N-able's Endpoint Security product has been detected on this machine. This script will now exit."
wscript.quit(0)
End If
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Check for AV Defender on 64-bit, modern operating systems
If (objFSO.FolderExists(ProgramData & "\N-able Technologies\AVDefender\Configuration") AND isProcessRunning(".","NableAVDBridge.exe")) Then
output.writeline "- AV Defender has been detected on this machine. This should be monitored via the dedicated AV Defender Status Service. This script will now exit."
wscript.quit(0)
End If
' Check for AV Defender on XP and 2K3
If (objFSO.FolderExists("C:\Documents and Settings\All Users\Application Data\N-able Technologies\AVDefender\Configuration") AND isProcessRunning(".","NableAVDBridge.exe")) Then
output.writeline "- AV Defender has been detected on this machine. This should be monitored via the dedicated AV Defender Status Service. This script will now exit."
wscript.quit(0)
End If
'Check to see what A/V product is installed
If RegKeyExists("HKLM\" & strTrendKeyPath & "ProductName") Then
strValue = "ProductName"
objReg.GetStringValue HKEY_LOCAL_MACHINE,strTrendKeyPath,strValue,RegstrValue
InstalledAV = RegstrValue
ElseIf (objFSO.FolderExists(ProgramData & "\Bitdefender\Endpoint Security") AND isProcessRunning(".","epag.exe")) Then
InstalledAV = "Bitdefender Endpoint Security Tools"
ElseIf objFSO.FolderExists(ProgramFiles64 & "\SentinelOne") Then
'ElseIf (objFSO.FolderExists(ProgramFiles64 & "\SentinelOne") AND isProcessRunning(".","SentinelAgent.exe")) Then
InstalledAV = "SentinelOne"
ElseIf RegKeyExists("HKLM\" & strTrendKeyPath & "ProgramVer") Then
InstalledAV = "Trend Micro OfficeScan"
Elseif RegKeyExists("HKLM\" & strSymantecESKeyPath & "ScanEngineVendor") Then
InstalledAV = "Symantec Endpoint Protection"
ElseIf RegKeyExists ("HKLM\" & strSymantecAVKeyPath & "CorporateFeatures") Then
InstalledAV = "Symantec AntiVirus"
ElseIf RegKeyExists ("HKLM\" & strTrend7KeyPath) Then
InstalledAV = "Trend Micro Worry-Free Business Security 7"
ElseIf RegKeyExists ("HKEY_LOCAL_MACHINE\" & strMcAfeePath) Then
InstalledAV = "McAfee AntiVirus"
ElseIf RegKeyExists ("HKLM\" & strVIPREAVKeyPath & "ProductCode") Then
InstalledAV = "VIPRE AntiVirus"
ElseIf RegKeyExists ("HKLM\" & strVIPREEnterpriseKeyPath & "ProductCode") Then
InstalledAV = "Sunbelt Enterprise Agent"
ElseIf RegKeyExists ("HKLM\" & strKasperskyAV2012KeyPath & "SettingsVersion") Then
InstalledAV = "Kaspersky Anti-Virus 2012"
ElseIf RegKeyExists ("HKLM\" & strKasperskyAV60KeyPath & "SettingsVersion") Then
InstalledAV = "Kaspersky Anti-Virus 6.0"
ElseIf RegKeyExists ("HKLM\" & strKasperskyKES8KeyPath & "SettingsVersion") Then
InstalledAV = "Kaspersky Endpoint Security 8"
'--- Check for VIPRE Business Agent ---
ElseIf RegKeyExists ("HKLM\" & strViprebusinessAgt & "\Version") Then
InstalledAV = "VIPRE Business Agent"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strViprebusinessAgt ,"InstallPath",strVipreBusinessAgtLoc
strViprebusinessAgt1 = strViprebusinessAgt
ElseIf RegKeyExists ("HKLM\" & strViprebusiness64Agt & "\Version") Then
InstalledAV = "VIPRE Business Agent"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strViprebusiness64Agt ,"InstallPath",strVipreBusinessAgtLoc
strViprebusinessAgt1 = strViprebusiness64Agt
'--- Check for VIPRE Business Antivirus ---
ElseIf RegKeyExists ("HKLM\" & strVIPREBusiness5KeyPath & "ProductCode") Then
InstalledAV = "VIPRE Business Antivirus"
strVIPREEnterpriseKeyPath = Registry & "GFI Software\GFI Business Agent\"
ElseIf RegKeyExists ("HKLM\" & strVIPREBusinessOnlineKeyPath) Then
InstalledAV = "VIPRE Business Online"
strVIPREEnterpriseKeyPath = Registry & "GFI Software\VIPRE Business Online\"
strViprebusinessAgt1 = strVIPREBusinessOnlineKeyPath
ElseIf RegKeyExists ("HKLM\" & strVIPREAV2012KeyPath & "ProductCode") Then
InstalledAV = "VIPRE Antivirus 2012"
strVIPREAVKeyPath = Registry & "GFI Software\VIPRE Antivirus\"
ElseIf RegKeyExists ("HKLM\" & strESETKeyPath & "\info\ProductName") Then
objReg.GetStringValue HKEY_LOCAL_MACHINE,"SOFTWARE\ESET\ESET Security\CurrentVersion\info\","ProductName",InstalledAV
ElseIf RegKeyExists ("HKLM\" & strKasperskyKES8ServerKeyPath & "ProdDisplayName") Then
InstalledAV = "Kaspersky Anti-Virus 8.0 For Windows Servers Enterprise Edition"
ElseIf RegKeyExists ("HKLM\" & strKasperskyKES6ServerKeyPath & "ProdDisplayName") Then
InstalledAV = "Kaspersky Anti-Virus 6.0 For Windows Servers Enterprise Edition"
ElseIf RegKeyExists ("HKLM\" & strForefrontKeyPath & "InstallLocation") Then
InstalledAV = "Microsoft Forefront"
ElseIf RegKeyExists ("HKLM\" & strKasperskySOS2KeyPath & "Ins_DisplayName") Then
InstalledAV = "Kaspersky Small Office Security"
ElseIf RegKeyExists ("HKLM\" & strKasperskySOS3KeyPath ) Then
InstalledAV = "Kaspersky Small Office Security 3"
ElseIf RegKeyExists ("HKLM\" & strTotalDefenseKeyPath & "ProductName") Then
objReg.GetStringValue HKEY_LOCAL_MACHINE,strTotalDefenseKeyPath,ProductName,InstalledAV
InstalledAV = "Total Defense R12 Client"
ElseIf RegKeyExists ("HKLM\" & strAviraKeyPath & "EngineVersion") Then
InstalledAV = "Avira AntiVirus"
ElseIf RegKeyExists ("HKLM\" & strAviraServerKeyPath & "EngineVersion") Then
InstalledAV = "Avira AntiVirus"
ElseIf WMINamespaceExistanceCheck("FSECURE") Then 'If the F-Secure WMI namespace exists, let's use that. If not, we'll fall back to the alternate method.
Set objWMIService = GetObject("winmgmts:\\" & "." & "\root\FSECURE")
' Let's determine what version of F-Secure has been installed
Set colItems = objWMIService.ExecQuery("SELECT Version,Name FROM Product", "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem in colItems
FormattedAVVersion = objItem.Version
InstalledAV = objItem.Name
Next
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath0 & "ProductName") Then
output.writeline "- Found it!"
objReg.GetStringValue HKEY_LOCAL_MACHINE,strFSecureRegPath0,"ProductName",InstalledAV
If RegKeyExists ("HKLM\" & strFSecureRegPath1 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath1
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath2 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath2
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath3 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath3
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath4 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath4
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath5 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath5
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath6 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath6
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath1 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath1
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath2 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath2
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath3 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath3
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath4 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath4
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath5 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath5
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath6 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath6
End If
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath00 & "ProductName") Then
objReg.GetStringValue HKEY_LOCAL_MACHINE,strFSecureRegPath00,"ProductName",InstalledAV
If RegKeyExists ("HKLM\" & strFSecureRegPath1 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath1
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath2 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath2
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath3 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath3
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath4 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath4
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath5 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath5
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath6 & "InstallationDirectory") Then
strFSecureRegPathLoc=strFSecureRegPath6
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath1 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath1
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath2 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath2
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath3 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath3
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath4 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath4
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath5 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath5
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath6 & "Path") Then
strFSecureRegPathLoc=strFSecureRegPath6
End If
ElseIf RegKeyExists ("HKLM\" & strFSecureRegPath000 & "ProductName") Then
objReg.GetStringValue HKEY_LOCAL_MACHINE,strFSecureRegPath000,"ProductName",InstalledAV
ElseIf RegKeyExists ("HKLM\" & strKES10KeyPath & "SettingsVersion") Then
InstalledAV = "Kaspersky Endpoint Security 10"
ElseIf RegKeyExists ("HKLM\" & strKES10KeyPathSP1 & "SettingsVersion") Then
InstalledAV = "Kaspersky Endpoint Security 10 SP1"
ElseIf RegKeyExists ("HKLM\" & strKES10KeyPathSP2 & "SettingsVersion") Then
InstalledAV = "Kaspersky Endpoint Security 10 SP2"
ElseIf RegKeyExists ("HKLM\" & Registry & "KasperskyLab\Components\34\Connectors\KES\11.0.0.0\" & "ConnectorVersion") Then
InstalledAV = "Kaspersky Endpoint Security 11 for Windows"
ElseIf RegKeyExists ("HKLM\" & Registry & "KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState\" & "Protection_NagentVersion") Then
InstalledAV = "Kaspersky Endpoint Security 10 for Windows"
ElseIf RegKeyExists ( "HKLM\" & strPandaAdaptiveDefencePath32 & "\Path") Then
InstalledAV = "Panda Adaptive Defense 360 32 Bit"
ElseIf RegKeyExists ( "HKLM\" & strPandaAdaptiveDefencePath64 & "\Path") Then
InstalledAV = "Panda Adaptive Defense 360 64 Bit"
ElseIf RegKeyExists ( "HKLM\" & strPandaCloudEPPath32 & "\InitialProductName") Then
InstalledAV = "Panda Endpoint Protection 10 32 Bit"
ElseIf RegKeyExists ( "HKLM\" & strPandaCloudEPPath64 & "\InitialProductName") Then
InstalledAV = "Panda Endpoint Protection 10 64 Bit"
ElseIf RegKeyExists ( "HKLM\" & stravg2013regpath32 & "\ProdType") Then
InstalledAV = "AVG 2013"
ElseIf RegKeyExists ( "HKLM\" & stravg2013regpath64 & "\ProdType") Then
InstalledAV = "AVG 2013"
ElseIf RegKeyExists ( "HKLM\" & stravg2014regpath32 & "\ProdType") Then
InstalledAV = "AVG 2014"
ElseIf RegKeyExists ( "HKLM\" & stravg2014regpath64 & "\ProdType") Then
InstalledAV = "AVG 2014"
ElseIf RegKeyExists ( "HKLM\" & stravg2016regpath & "\ProdType") Then
InstalledAV = "AVG Protection"
'--- Check for Webroot Anywhere ---
ElseIf RegKeyExists ("HKLM\" & strWebRootStatusPath & "Version") Then
InstalledAV = "Webroot SecureAnywhere"
'--- Check for Webroot Anywhere 32 bit on 64 bit computer ---
ElseIf RegKeyExists ("HKLM\" & strWebRootStatusPath32 & "Version") Then
InstalledAV = "Webroot SecureAnywhere"
strWebRootStatusPath = strWebRootStatusPath32
'--- Check for AVAST! ---
ElseIf RegKeyExists ("HKLM\" & strAvastRegPath32 & "\Version") Then
InstalledAV = "Avast!"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strAvastRegPath32,"ProgramFolder",strAvastInstallPath
'--- Check for AVAST! ---
ElseIf RegKeyExists ("HKLM\" & strAvastRegPath64 & "\Version") Then
InstalledAV = "Avast!"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strAvastRegPath64,"ProgramFolder",strAvastInstallPath
'--- Check for McAfee Endpoint Security V10 ---
ElseIf RegKeyExists ("HKLM\" & mcAfeeEndpointSecurityDefDatePath ) Then
InstalledAV = "McAfee Endpoint Security"
'--- Check for McAfee Endpoint Security V10.1 ---
ElseIf RegKeyExists ("HKLM\" & mcAfeeEndPointSecurityVersion & "\ProductVersion" ) Then
InstalledAV = "McAfee Endpoint Security 10.1"
'--- Check for Symantec Endpoint Protection Cloud ---
ElseIf RegKeyExists ("HKLM\SOFTWARE\Norton\SecurityStatusSDK\SDKProduct") Then
strSEPCloudRegPath0 = "SOFTWARE\Norton\"
InstalledAV="Symantec Endpoint Protection Cloud"
FoundGUID = FALSE
Set oReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
Set arrSubKeys = Nothing
oReg.EnumKey HKEY_LOCAL_MACHINE, strSEPCloudRegPath0, arrSubKeys
If Not IsNull (arrSubKeys) Then
For Each subkey In arrSubKeys
' Endpoint Cloud stores the information we're after in a GUID-titled sub-key. Let's figure out that GUID.
If RegKeyExists("HKLM\" & strSEPCloudRegPath0 & subkey & "\PRODUCTVERSION") Then
strSEPCloudRegPath2 = strSEPCloudRegPath0 & subkey
FoundGUID = TRUE
Exit For
End If
Next
' It looks like newer versions of Endpoint Cloud no longer log to the Wow6432Node on 64-bit machines. This next bit of code will handle that scenario
If FoundGUID = FALSE Then
Set arrSubKeys = Nothing
oReg.EnumKey HKEY_LOCAL_MACHINE, "SOFTWARE\NORTON\", arrSubKeys
For Each subkey In arrSubKeys
' Endpoint Cloud stores the information we're after in a GUID-titled sub-key. Let's figure out that GUID.
If RegKeyExists("HKLM\SOFTWARE\NORTON\" & subkey & "\PRODUCTVERSION") Then
strSEPCloudRegPath2 = strSEPCloudRegPath0 & subkey
Exit For
End If
Next
End If
Else
output.writeline "- Unable to find more details about Symantec Endpoint Protection Cloud from the registry. Is it perhaps uninstalled?"
Wscript.Quit
End If
'--- Check for Trend Micro Messaging Security Agent ---
ElseIf RegKeyExists("HKLM\" & strTMMSARegPath & "DebugLevel") Then
InstalledAV = "Trend Micro Messaging Security Agent"
'--- Check for Trend Micro Deep Security Agent ---
ElseIf objFSO.FileExists(ProgramFiles64 & "\Trend Micro\Deep Security Agent\dsa.exe") Then
InstalledAV = "Trend Micro Deep Security Agent"
'--- Check for McAfee Move ---
ElseIf objFSO.FileExists(ProgramFiles & "\McAfee\MOVE AV Client\mvadm.exe") Then
InstalledAV = "McAfee Move AV Client"
'--- Check for Norman Endpoint Protection 32-bit ---
ElseIf RegKeyExists("HKLM\" & strNormanregpath32 & "\RootPath") Then
InstalledAV = "Norman Endpoint Protection"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strNormanregpath32,"RootPath",strNormanrootpath
'--- Check for Norman Endpoint Protection 64-bit ---
ElseIf RegKeyExists("HKLM\" & strNormanregpath64 & "\RootPath") Then
InstalledAV = "Norman Endpoint Protection"
objReg.GetExpandedStringValue HKEY_LOCAL_MACHINE,strNormanregpath64,"RootPath",strNormanrootpath
'--- Check for Cylance PROTECT ---
ElseIf RegKeyExists("HKLM\SOFTWARE\Cylance\Desktop\Path") Then
InstalledAV = "Cylance PROTECT"
'Cylance is a different type of AV product - it doesn't have the traditional concept of AV definition updates.
' As a result, all we're looking for here is if the Cylance process is running; all other values will be hard-coded.
ServiceActive = isProcessRunning(strComputer,"cylancesvc.exe")
If (ServiceActive) Then
OnAccessScanningEnabled = TRUE
Else
OnAccessScanningEnabled = FALSE
End If
output.writeline "- Is Real Time Scanning Enabled? " & OnAccessScanningEnabled
ProductUpToDate = "TRUE"
FormattedAVVersion = "Unknown"
'--- Check for AVG Business Security ---
ElseIf objFSO.FileExists(ProgramData & "\AVG\Persistent Data\Antivirus\Logs\update.log") Then
InstalledAV = "AVG Business Security"
'--- Check for FortiClient ---
ElseIf RegKeyExists ("HKLM\" & strFortiClientPath & "\enabled") Then
InstalledAV = "FortiClient"
'--- Check for Sophos AV ---
ElseIf RegKeyExists ("HKLM\" & strSophosAVVersionPath & "\MarketingVersion") Then
objReg.GetStringValue HKEY_LOCAL_MACHINE,strSophosAVVersionPath,"MarketingVersion",RegstrValue
If inStr(RegstrValue, "9.") Then
InstalledAV = "Sophos Anti-Virus"
ElseIf inStr(RegstrValue, "10.1") OR inStr(RegstrValue, "10.2") OR inStr(RegstrValue, "10.3") Then
InstalledAV = "Sophos Anti-Virus"
ElseIf inStr(RegstrValue, "2.2.") Then
InstalledAV = "Sophos Endpoint Protection"
Else
InstalledAV = "Sophos Anti-Virus 10"
End If
'--- Check for Sophos for Virtual Environments ---
ElseIf RegKeyExists ("HKLM\" & strSophosVirtualAVKeyPath & "SGVM Deployment Service\InstalledPath") Then
InstalledAV = "Sophos for Virtual Environments"
'--- Check for Carbon Black a.k.a. "Cb Defense Sensor 64-bit" ---
ElseIf isServiceRunning("CbDefense") Then
InstalledAV = "Cb Defense Sensor"
'--- Check for the ATP-managed version of SCEP, and Microsoft Security Essentials ---
ElseIf RegKeyExists ("HKLM\SOFTWARE\Microsoft\Microsoft Antimalware\InstallLocation") Then
' We know that either Microsoft SCEP is installed, or Microsoft Security Essentials. Now let's figure out which one.
objReg.GetStringValue HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client\","DisplayName",SCEPInstalled
objReg.GetStringValue HKEY_LOCAL_MACHINE,"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client\","UninstallString",SCEPUninstallString
If InStr(SCEPInstalled,"System Center Endpoint Protection") AND InStr(SCEPUninstallString,"Managed Defender") Then
InstalledAV = "Microsoft System Center Endpoint Protection (Managed Defender)"
ElseIf InStr(SCEPInstalled,"System Center Endpoint Protection") AND InStr(SCEPUninstallString,"Microsoft Security Client") Then
InstalledAV = "Microsoft System Center Endpoint Protection"
ElseIf InStr(SCEPInstalled,"System Center 2012 Endpoint Protection") Then
InstalledAV = "Microsoft System Center 2012 Endpoint Protection"
Else
InstalledAV = "Microsoft Security Essentials"
End If
'--- Check for Microsoft System Center Endpoint Protection ---
ElseIf RegKeyExists ("HKLM\" & strSecurityEssentialsKeyPath & "LastSuccessfullyAppliedPolicy") Then
InstalledAV = "Microsoft System Center Endpoint Protection"
'--- Check for Cisco AMP ---
ElseIf objFSO.FileExists(ProgramFiles64 & "\Cisco\AMP\local.xml") Then
InstalledAV = "Cisco Advanced Malware Protection (AMP)"
'--- Check for Malwarebytes' Corporate Edition ---
ElseIf RegKeyExists ("HKLM\" & strMalwareBytesRegPath64 & "\InstallPath" ) Then
InstalledAV = "Malwarebytes' Corporate Edition"
'--- Check for Palo Alto Traps ---
ElseIf RegKeyExists ("HKLM\SOFTWARE\Palo Alto Networks\Traps\ProtectionStatus") Then
InstalledAV = "Palo Alto Networks Traps"
Else
If WMINamespaceExistanceCheck(strWMINameSpace2) = "1" Then 'Check to make sure that the SecurityCenter2 namespace exists before we do this check, lest the script error out when checking for the presence of the AntiVirusProduct WMI class
If WMIClassExists (strWMINameSpace2, strComputer, "AntiVirusProduct") Then
output.writeline "- Looking in the root\SecurityCenter2 WMI Namespace."
' This next line calls the 'ObtainSecurityCenter2Data sub-routine, which queries the root\SecurityCenter2 WMI Namespace for info.
ObtainSecurityCenter2Data
ElseIf RegKeyExists ("HKLM\" & strWindowsDefenderPath & "ProductStatus") Then
output.writeline "- The root\securityCenter2 namespace exists, but the AntiVirusProduct WMI class does not - that's really weird."
output.writeline "- Windows Defender has been detected, by querying the registry."
InstalledAV = "Windows Defender"
End If
' If the root\SecurityCenter2 WMI namespace doesn't exist (and it doesn't if you're looking at a Server-class OS, then let's see if Windows Defender is installed)
ElseIf RegKeyExists ("HKLM\" & strWindowsDefenderPath & "ProductStatus") Then
output.writeline "- Windows Defender has been detected, by querying the registry."
InstalledAV = "Windows Defender"
Else
If NoAVBehavior = "WRITE" Then
output.writeline "- Unable to determine installed AV."
InstalledAV = "An Unknown A/V product, or no A/V product at all"
onAccessScanningEnabled = "FALSE"
ProductUpToDate = "FALSE"
FormattedAVVersion = "Unknown"
ElseIf NoAVBehavior = "DONOTWRITE" Then
output.writeline "- The script could not detect an A/V product on this device. As the DONOTWRITE command-line parameter was specified, no data will be written to WMI, and this script will now exit."
' We need to clear out the existing data from the AntiVirusProduct WMI Class
If WMIClassExists(strWMINamespace, strComputer,strWMIClassWithQuotes) Then