How To Tell What AntiVirus Software Is Installed on a Remote Windows Computer


Windows 10 has a decent antivirus built right into the system, namely Windows Defender. To get details about its status, the cmdlets of the built-in Defender PowerShell module (Get-MpPreference, for example) are all you need.


However, if you have a third-party antivirus installed, Get-MpPreference isn't good enough anymore: it only works with, and only reveals information about, Windows Defender. Use the Windows Security Center WMI class instead, which every antivirus product registered with Windows reports to:

Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntiVirusProduct

To use it on a remote computer, add the -ComputerName switch to the command.

Get-CimInstance -Namespace root/SecurityCenter2 -Classname AntiVirusProduct -ComputerName $computer

Two things to keep in mind: with -ComputerName, Get-CimInstance talks to the target over WS-Man (WinRM), so WinRM must be enabled there and you need administrative rights on the remote machine. And the root/SecurityCenter2 namespace exists only on client editions of Windows; Windows Server has no Security Center, so the same query against a server fails with an invalid namespace error.

Digging a bit deeper, how do you find out the status of the installed antivirus software?

The ProductState property packs several additional pieces of information into a single integer: whether the AV engine is switched on, whether it is using up-to-date signatures, and whether the product is Microsoft's own or a third party's. Microsoft does not formally document the layout; the bit masks used below are the ones commonly relied on in practice. To decipher them cleanly, refer to this post that demonstrates how to use the enum keyword introduced in PowerShell 5.0.

To put it all together (PowerShell 5.0 or later is required for the enum keyword):

# define bit flags
[Flags()] enum ProductState {
    Off     = 0x0000
    On      = 0x1000
    Snoozed = 0x2000
    Expired = 0x3000
}
[Flags()] enum SignatureStatus {
    UpToDate  = 0x00
    OutOfDate = 0x10
}
[Flags()] enum ProductOwner {
    NonMs   = 0x000
    Windows = 0x100
}
# define bit masks that isolate each field inside productState
[Flags()] enum ProductFlags {
    SignatureStatus = 0x00F0
    ProductOwner    = 0x0F00
    ProductState    = 0xF000
}
# get bits
$computer = 'PC01'   # name of the target computer (placeholder, replace with your own)
$infos = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ComputerName $computer
ForEach ($info in $infos) {
    [UInt32]$state = $info.productState
    # decode bit flags by masking the relevant bits, then converting to the enum
    [PSCustomObject]@{
        ProductName     = $info.DisplayName
        ProductState    = [ProductState]($state -band [ProductFlags]::ProductState)
        SignatureStatus = [SignatureStatus]($state -band [ProductFlags]::SignatureStatus)
        Owner           = [ProductOwner]($state -band [ProductFlags]::ProductOwner)
    }
}

The result is a clean table with one row per registered product. When a third-party product is installed you will typically see two rows: the third-party product reporting On, and Windows Defender reporting Off, because Defender stands down once another antivirus registers with Security Center.

What would be more useful is to run the script across the whole network to assess how antivirus software is deployed and maintained: which machines have no registered product at all, which have one that is switched off, and which are running with out-of-date signatures.
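The following is an added example, not code from the original post: it wraps the same productState decoding in a function that can be exercised offline against sample values, then sweeps a list of computers over CIM sessions, recording hosts that cannot be queried (WinRM disabled, no rights, or a Windows Server without the SecurityCenter2 namespace) instead of aborting the run. The computer names and the productState sample values are constructed for illustration; the function names are my own.

```powershell
# Added example (not from the original post). Requires WinRM and admin rights on each target.

function Resolve-Bits {
    # Map an isolated bit field to its name; undocumented values are reported, not guessed.
    param([hashtable]$Table, [int]$Bits)
    if ($Table.ContainsKey($Bits)) { $Table[$Bits] } else { 'Unknown(0x{0:X})' -f $Bits }
}

function ConvertFrom-AvProductState {
    # Decode productState with the same masks as the enum-based script above.
    param([Parameter(Mandatory)][UInt32]$State)
    $stateNames = @{ 0x0000 = 'Off'; 0x1000 = 'On'; 0x2000 = 'Snoozed'; 0x3000 = 'Expired' }
    $sigNames   = @{ 0x00 = 'UpToDate'; 0x10 = 'OutOfDate' }
    $ownerNames = @{ 0x000 = 'NonMs'; 0x100 = 'Windows' }
    [PSCustomObject]@{
        RawState        = '0x{0:X6}' -f $State
        ProductState    = Resolve-Bits $stateNames ($State -band 0xF000)
        SignatureStatus = Resolve-Bits $sigNames   ($State -band 0x00F0)
        Owner           = Resolve-Bits $ownerNames ($State -band 0x0F00)
    }
}

function Get-AvInventory {
    # One row per (computer, product); one row per computer when nothing is registered
    # or the query fails, so the report never silently drops a host.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        $session = $null
        try {
            $session  = New-CimSession -ComputerName $c -ErrorAction Stop
            $products = Get-CimInstance -CimSession $session -Namespace root/SecurityCenter2 `
                            -ClassName AntiVirusProduct -ErrorAction Stop
            if (-not $products) {
                [PSCustomObject]@{ Computer = $c; Product = $null; ProductState = 'NoAvRegistered'
                                   SignatureStatus = $null; Owner = $null; Error = $null }
            }
            foreach ($p in $products) {
                $d = ConvertFrom-AvProductState -State ([UInt32]$p.productState)
                [PSCustomObject]@{ Computer = $c; Product = $p.displayName; ProductState = $d.ProductState
                                   SignatureStatus = $d.SignatureStatus; Owner = $d.Owner; Error = $null }
            }
        }
        catch {
            # Unreachable host, access denied, or no SecurityCenter2 namespace (Windows Server).
            [PSCustomObject]@{ Computer = $c; Product = $null; ProductState = $null
                               SignatureStatus = $null; Owner = $null; Error = $_.Exception.Message }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Offline check of the decoder on constructed sample values (no network needed):
ConvertFrom-AvProductState -State 0x61100   # On, UpToDate, Windows
ConvertFrom-AvProductState -State 0x41010   # On, OutOfDate, NonMs
ConvertFrom-AvProductState -State 0x60100   # Off, UpToDate, Windows

# Network sweep over a constructed host list; keep only rows that need attention.
$computers = 'PC01', 'PC02', 'PC03'
Get-AvInventory -ComputerName $computers |
    Where-Object { $_.Error -or $_.ProductState -ne 'On' -or $_.SignatureStatus -ne 'UpToDate' } |
    Format-Table -AutoSize
```

Pipe the unfiltered output of Get-AvInventory to Export-Csv to keep a dated snapshot; diffing two snapshots shows products that were switched off or stopped updating between runs. Hosts that appear only in the Error column are not necessarily unprotected, but they are hosts you cannot currently verify, which is a finding in itself.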

The post How To Tell What AntiVirus Software Installed on a Remote Windows Computer appeared first on Next of Windows.